Data to Value is a trade name of Data to Value B.V. registered with the Chamber of Commerce under number 81991428 with a head office on Van Leeuwenhoekpark 1, 2611DW, Delft, The Netherlands.
1.1 In these Data Processing Terms, in addition to the terms as used in the current applicable laws on the protection of personal data (data subject, process, etc.), the following terms are used, always written with a capital letter, with the following meaning regardless whether they are used in the plural or singular:
Agreement: the agreement(s) concluded between the Controller and the Processor to which these Data Processing Terms are a supplement;
Appendix: appendix to these Data Processing Terms that forms an inextricable part of these Data Processing Terms;
Applicable Law: as from 25 May 2018, the General Data Protection Regulation (the ‘GDPR’) and associated applicable national regulations (the “UAVG”) ;
Breach: breach of security that inadvertently or unlawfully leads to the destruction, loss, alteration or unauthorised issuance of unauthorised access to Personal Data that has been forwarded, stored or otherwise processed;
Controller: the client referred to in the Agreement, within these terms being responsible for the processing of its personal data within the meaning of Article 28 of the General Data Protection Regulation;
Data Processing Terms: these terms, being a supplement to the Agreement;
Google 360: Google Analytics 360 service, Google Optimize 360 services and/or Google Tag Manager 360;
Data to Value: services purchased by the Controller from Data to Value B.V. insofar as they do not fall within the scope of Google 360;
Parties: Processor and Controller together;
Personal data: the personal data as referred to within the meaning of the Applicable Law that is processed under the Agreement by the Processor on behalf of the Controller;
Processor: Data to Value B.V., in these terms being the processor of personal data of Controller, within the meaning of the applicable legislation on the protection of personal data, insofar as the former is processing data on behalf of the latter, without being subject to its direct authority, and the Controller determines the purposes and (essential) means of the processing, on the understanding that details of the means can be determined by the Processor in view of its expertise in the matter.
2 Performing processing
2.1 The Processor shall process Personal Data solely on the basis of written instructions from the Controller (including the assignment as expressed in the Agreement) or when there is a legal obligation on the Processor to do so (including processing that is necessary by virtue of a court order, an order given by the competent authority, an authorised instruction given by or a lawful request from the relevant supervisor, such as the Personal Data Authority). The above is without prejudice to the responsibility of the Controller to ensure that its instructions are in accordance with the applicable legislation. Should these instructions result in extra work (and costs) for the Processor and have possible consequences for an agreed time schedule, Parties must first reach agreement on said extra work (and costs) and consequences.
2.2 The Processor shall process the Personal Data in a proper and meticulous manner in accordance with the Applicable Law and as further specified in the Agreement and these Data Processing Terms.
2.3 If and insofar as the Controller uses Data to Value, the processing purpose(s), the categories of Personal Data and the data subjects as defined and specified by the Controller, and the processing operations as specified by the Processor and the categories of employees involved therein as included in Appendix A at the end of these Data Processing Terms, shall apply to the processing operations performed.
2.4 The Controller is responsible for the accurate and complete provision of Personal Data. The Controller is also obliged to check processed Person Data for accuracy and completeness.
2.5 The Controller guarantees the Processor that the processing assigned to the latter is not unlawful and does not infringe the rights of data subjects, and that the Personal Data has been obtained in a manner that complies with the applicable legal provisions, in particular those arising from the Applicable Law.
2.6 The Processor shall not, unless necessary pursuant to the Agreement or with the prior written consent of the Controller, and provided that the applicable legal requirements are met, store Personal Data in or forward Personal Data to states outside the European Economic Area. The Processor shall inform the Controller of the storage location(s) immediately on the latter’s request.
2.7 The Processor shall, when reasonably within its sphere of influence and taking account of the nature of the Processing, implement appropriate technical and organisational measures to assist the Controller for as far as is possible in fulfilling its legal obligations pursuant to the Applicable Law, more specifically the rights of data subjects, such as (i) the right of data subjects to obtain a copy of or otherwise gain an insight into their processed Personal Data, whereby the protection of the personal data of others is guaranteed, as well as the confidentiality of other data that is by its nature confidential, (ii) to delete, correct, supplement or block personal data, and/or (iii) to demonstrate that personal data has been deleted or rectified, (iv) to record that, when the Controller is of the opinion that the personal data is accurate, the fact that the data subject considers his or her personal data to be inaccurate and/or (v) to enable data subjects to exercise other rights pursuant to the applicable prevailing protection of personal data legislation. The Processor is entitled to charge any reasonable costs involved to the Controller.
2.8 These Data Processing Terms form an integral part of the Agreement and the provisions therein apply in full to the Data Processing Agreement; when there is a discrepancy between a provision in these Data Processing Terms and a provision in the Agreement then the provision in these Data Processing Terms shall prevail over the provision in the Agreement.
3 Security of personal data
3.1 The Processor shall take appropriate technical and organisational security measures, which in view of the current state of the art and the costs involved correspond to the apparent nature of the Personal Data and the assignment for which the data is processed, to protect the Personal Data against loss or unlawful processing as referred to in Article 32 of the GDPR.
3.2 The Controller shall, without undue delay, inform the Processor of any instruction or other communication issued by any competent authority (such as the Dutch Data Protection Authority) pertaining to the Personal Data.
4.1 The Controller is entitled to audit the Processor’s compliance with its obligations pursuant to these Data Processing Terms. The Processor shall provide the Controller with the opportunity to do so once a year, on request. The parties shall jointly determine the date, time and scope of the audit. In addition to the above, the Controller is – on a date, time and within a scope of the audit to be determined in joint consultation – entitled to audit the Processor’s compliance with its obligations under these Data Processing Terms more than once a year when, and to the extent that, the Controller has a demonstrably well-founded (concrete) suspicion that the Processor is not in compliance.
4.2 The Processor shall, in all reasonableness and with reimbursement of its costs, cooperate with the audit referred to in Article 4.1.
4.3 The costs of the audit referred to in Article 4.1 shall be for the account of the Controller, unless and to the extent that the aforementioned audit reveals that the Processor has failed imputably in its obligations under these Data Processing Terms, in which case the Processor shall bear the reasonable actual costs of the audit as based on the submission of the underlying invoices.
4.4 When conducting the audit referred to in Article 4.1, the Controller shall be assisted by an independent auditor who is certified to audit compliance with the GDPR. Before the audit the auditor will need to be prepared to sign a confidentiality agreement in this respect.
4.5 The audit (including the documentation and other data relating to the audit) and its results shall be treated as confidential by the Controller and the external auditor as referred to in Article 4.4, and may only be disclosed to a third party in any manner with the prior consent of the Processor, which will not withhold consent on unreasonable grounds. Consent is not required when disclosure to a third party is based on a statutory obligation and/or a lawful request from a competent authority.
4.6 The Controller shall ensure that the audit is conducted in such a way that causes the Processor as little inconvenience as possible, and on the conditions that guarantees are in place for the protection of third party personal data and the confidentiality of third party data that is inherently confidential. The Controller shall ensure that the scope of the audit is limited to the investigation that is necessary to determine, on the basis of objective criteria, whether the Processor fulfils its obligations under these Data Processing Terms.
4.7 The Controller shall make a complete and unaltered copy of the audit results available to the Processor, as soon as possible, in a durable form that is readily readable for the Processor, insofar as the audit results relate to the Processor (and any of its sub-processors).
4.8 After the audit the Controller and the Processor shall enter into consultations to determine whether, and if so to what extent, adjustments to the organisational and security measures are necessary to comply with the protection of personal data legislation prevailing at that time and how the costs thereof shall be apportioned between them.
4.9 The Parties shall, after receiving an order or a binding or other instruction from the competent supervisor (such as the Dutch Data Protection Authority) to make adjustments to the organisational and security measures, enter into consultations to implement the measures required to comply with the instruction and to determine how the costs thereof shall be apportioned between them.
4.10 In the event of an amendment of the applicable protection of personal data legislation the Parties shall enter into consultations as soon as possible to make any adjustments to the organisational and security measures and/or these Data Processing Terms required as a result of the amendment and to determine how the costs thereof shall be apportioned between them.
5.1 The Processor is obliged to maintain the confidentiality of the Personal Data provided to it by the Controller except when, and to the extent that, this is necessary as a result of the assignment as laid down in the Agreement (including these Data Processing Terms), as a result of an additional written instruction from the Controller or of a statutory obligation (including the need for processing by reason of a competent court order, an order given by the competent authority, a competent instruction given or a lawful request from the relevant supervisor, such as the Dutch Data Protection Authority) or when prior written consent has been obtained from the Controller.
5.2 The Processor shall ensure that every person acting under its authority is obliged to maintain confidentiality of the personal data of which he / she is cognizant in accordance with the provisions of the foregoing paragraph.
6 Security Incidents (Duty to Report Data Leaks)
6.1 Should the Processor discover a Breach then the Processor shall i) without undue delay after the discovery inform the Controller in accordance with the Applicable Law; and ii) implement reasonable measures in accordance with the provisions of Article 3 to prevent or limit (further) Breach.
6.2 The Processor shall, taking account the nature of the processing and the information at its disposal, support the Controller, in all reasonableness and fairness, and keep it informed of (new developments with regard to) the Breach.
6.3 The notice given to the Controller shall at least include the nature of the Breach, the categories of personal data concerned and the measures that the Processor has taken or proposes to take to remedy or minimize these consequences. Notice shall be given by email/phone/ SMS as provided for in the Agreement.
6.4 The Processor shall, where necessary, assist the Controller in adequately informing the supervisor(s) and the parties involved of the security incident in question in accordance with the relevant provisions of the Applicable Law.
6.5 The Parties shall, without prejudice to the provisions of Article 5.1 and to the extent necessary for legal defence, treat any Breaches as strictly mutually confidential and shall report Breaches solely to the supervisor(s) and any data subject(s) in accordance with the provisions of the Applicable Law.
6.6 Informing the Controller of a Breach does not constitute acknowledgement of fault or liability on the part of the Processor with regards to the Breach.
7 Use of sub-processors
7.1 The Processor is, within the framework of these Data Processing Terms, entitled to make use of the services of sub-processors within the European Economic Area, as well as of third parties in states which the European Commission has determined offer an adequate level of protection. The Processor shall, when so requested, immediately give the Controller information about the identity and location of the sub-processors it has engaged.
7.2 The Processor shall not be permitted to pass on and/or store the Personal Data (or have it stored) in countries outside the European Economic Area, unless the Processor has received express prior written permission from the Controller and this is permitted under applicable (European) privacy regulations, for example because the country concerned offers an adequate level of protection, subject to the other provisions of these Data Processing Terms.
7.3 If and insofar as the Controller uses Data to Value, the Controller hereby grants its prior consent for the deployment of, and transfer to, the sub-processors listed in Appendix C in accordance with the conditions set out in Article 7.2 of these Data Processing Terms.
7.4 If and insofar as the Controller uses Google 360, the Controller hereby grants its prior consent for the deployment of, and transfer to, the sub-processors listed in Appendix C in accordance with the conditions set out in Articles 7.2 and 7.3 of these Data Processing Terms.
7.5 The Processor shall impose the same obligations on a sub-processor it engages that are imposed on it under these Data Processing Terms, unless a data processing agreement (EU model contracts and/or standard contractual clauses decision of the EC) must be concluded directly between this third party and the Controller with regard to the processing concerned.
8.1 The Controller shall bear the full responsibility, and for that reason is fully liable, for the stated purpose of processing, the content of the Personal Data entered or otherwise supplied by it or on its behalf, its instructions, including the provision to third parties, the duration of the retention of the Personal Data, the manner of processing and the means used thereto, except for and in so far as any acts or omissions attributable to the Processor are concerned.
8.2 The Processor is liable, for whatever reason and on whatever legal basis, insofar as and to the extent that the parties have so agreed in the Agreement (of which these Data Processing Terms form an integral part). Insofar as claims ensue from several legal relationships between the parties as a result of the same or a connected body of facts, there shall be no question of cumulation of claims.
8.3 An administrative fine imposed by the competent supervisor (such as the Dutch Data Protection Authority) on the Controller may never be recovered from the Processor when the competent supervisor has taken account of the degree to which blame can be attributed between the parties in the imposition of the administrative fine and has imposed the fine(s) on the Parties or one of the Parties accordingly.
9 Duration and consequences of termination (retention period)
9.1 The term of these Data Processing Terms shall be the same as the term of the Agreement as from the date on which it is signed by both Parties. If the Agreement ends, the applicability of these Data Processing Terms shall end ipso jure. The applicability of these Data Processing Terms cannot be terminated prematurely independently of the Agreement.
9.2 These Data Processing Terms may only be amended by written agreement of Parties.
9.3 In the event that any provision of these Data Processing Terms is declared null and void or is annulled, or if it appears that an amendment to (a provision of) these Data Processing Terms is necessary for compliance with the applicable laws and privacy regulations on account of changed circumstances, the other provisions shall remain in full force and effect. Parties shall then lay down a new provision to replace the void/annulled provision or amend these Data Processing Terms in such a way as to bring it in line with the applicable legislation and privacy regulations, whereby the purport of the void/annulled provision shall be taken into account as much as possible.
9.4 Obligations which are inherently intended to continue after the applicability of these Data Processing Terms has been terminated shall remain in force. These stipulations include those under the provisions on confidentiality, liability and applicable law.
9.5 Following the expiry of the term of these Data Processing Terms the Processor shall, without undue delay, except with respect to a differing statutory obligation, at the Controller’s discretion: (a) at the request and expense of the Controller, cooperate in returning to the Controller the Personal Data as stored on the system of the Processor or under control of the Processor within a reasonable period after the termination of the Agreement; (b) at the request and expense of the Controller, delete the Personal Data as stored on the system of the Processor or under control of the Processor as soon as possible; (c) delete existing copies. The Controller shall notify the Processor of its choice in writing and in due time before the end of the Agreement, unless this cannot reasonably be expected of the Controller, in which case the request, thus motivated, must have been received by the Processor no later than two calendar weeks after the end of the Agreement.