This Processor Agreement is part of the Cooperation Agreement between Triple I Sourcing Group B.V. and its daughters Inbak B.V., Indusource B.V. and Indupay B.V. (hereinafter: “TISG” or “Processor”) and the natural or legal person with whom TISG enters into an agreement for the supply and use of the TISG services (hereinafter: “Customer” or “Controller”). Together, the Controller and Processor are referred to as the “Parties”.
For the use of the TISG services, the parties have concluded an agreement to which the general terms and conditions of TISG also apply (jointly: “Collaboration Agreement”).
Personal data is processed by TISG on behalf of the Controller for the implementation of the Cooperation Agreement. In accordance with applicable law, the parties enter into this agreement, which sets out their respective rights and obligations with regard to the processing of personal data (the “Processor Agreement”). The Cooperation Agreement and the Processor Agreement jointly determine the subject and duration of the Processing of Personal Data.
The following terms have the meaning as indicated below:
- Involved or involved persons: the identifiable natural person whose personal data is processed.
- Data leak: a breach of the security of personal data that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorized disclosure of or access to data transmitted, stored or otherwise processed.
- Personal data: all information about an identified or identifiable natural person, which TISG processes for the controller in the context of the cooperation agreement.
- Employee(s): the persons authorized by the parties for the execution of this processing agreement and who work under their responsibility.
Sub-processor: any third party engaged by the processor to process personal data on behalf of the processor, without being subject to the direct authority of the processor.
- Applicable law: laws or other (local) regulations, ordinances, guidelines or policies, instructions or recommendations of governmental authorities applicable to the processing of the personal data, including any changes, replacements, updates or other later versions thereof;
- Processing: any operation or set of operations relating to personal data or a set of personal data, whether or not carried out by automated means, such as collecting, recording, organizing, structuring, storing, updating or changing, retrieving, consulting, using, providing by by means of transmission, distribution or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
- TISG undertakes to only process personal data on behalf of the controller in the context of the activities, as described in the cooperation agreement. The cooperation agreement and the processing agreement jointly determine the subject and duration of the processing.
- For the implementation of the cooperation agreement, the continuous development of the IDIL application and to support the controller, TISG may subject the personal data to the following processing operations for the entire duration of the agreement: Store, update or change, consult, use, protect, delete or destroy data.
- TISG processes the following types of personal data:
Names, addresses, places of residence/establishment, e-mail, telephone numbers, IP addresses, location data, device types, GLN/VAT number, contact persons. This personal data relates to the following categories of data subjects:
- Data Controller Customer Relationships.
Rights and obligations of the controller
- The controller makes the personal data available to TISG. The controller determines the purpose and means of the processing. The Controller guarantees that the processing of the personal data, including the collection, takes place in accordance with the relevant applicable Legislation.
- If the employees of the controller process personal data themselves, the responsibility for compliance with the applicable legislation falls under the responsibility of the controller.
- TISG may only process the personal data that are strictly necessary for the execution of the cooperation agreement. TISG has no control over the purpose of the processing of personal data.
- TISG will only disclose the personal data to employees and/or sub-processors who (necessarily) have access to the personal data for the performance of the obligations under the collaboration agreement, unless otherwise required by applicable law.
- TISG does not process personal data at a location outside the European Economic Area other than possible services from Google, iCloud, DropBox, WeTransfer, The Next Ad, Loomly, Facebook, LinkedIn and Twitter.
- The Personal Data on backups enjoy the same protection as the original Personal Data.
- TISG guarantees that its employees only have access to the personal data insofar as this is necessary to perform their tasks in the context of the processing assignment. TISG will inform its employees about the obligations of this processor agreement.
- TISG is entitled to use sub-processors in the performance of its services. Information about sub-processors can be requested by the controller upon request. The controller can only refuse if there are good reasons.
- TISG remains the point of contact for the controller at all times.
TISG guarantees that an agreement is concluded with sub-processors engaged, in which the same data protection guarantees are agreed as set out in this Agreement. Processor remains fully responsible towards the Controller for the sub-processor’s compliance with its obligations.
- In addition, after explicit permission from the controller, personal data can be shared with sub-processors if additional services are used.
- TISG is bound by a confidentiality obligation with regard to the Personal Data that are processed on behalf of the Controller. This duty of confidentiality applies in full to the employees of TISG and to any sub-processors. The confidentiality obligation continues even after the processing agreement has been terminated.
- This confidentiality obligation does not apply if the processor is obliged by the supervisory authority, a legal provision or a court order to provide this personal data, if the information is publicly known and if the data is provided on behalf of the controller.
- TISG takes the appropriate technical and organizational measures required to ensure a level of security appropriate to the risk so that the processing complies with applicable law and the rights of data subjects are safeguarded.
- TISG applies an appropriate level of protection, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. TISG is responsible for applying and/or changing the level of protection as deemed necessary or required by law.
- TISG is responsible for applying and/or changing the level of protection if this is deemed necessary under applicable law or if requested by the client. Any additional costs will be borne by the client, unless otherwise agreed.
Notification of a data breach
- If TISG discovers a data breach, it will report this to the controller without delay and at the latest within 48 hours after the discovery. This notification shall describe or communicate at least the following:
- The nature of the personal data breach, specifying where possible the categories of data subjects and the personal data concerned;
- The likely consequences of the data breach in relation to personal data;
The measures that TISG takes to tackle the data breach, including, where appropriate, the measures to limit any adverse consequences thereof.
- TISG also informs the controller after a notification based on the previous article about the developments regarding the identified data breach.
- The controller must assess whether it informs the supervisory authority and/or the data subjects about this.
- The parties both bear the costs incurred by themselves in connection with a report to the supervisory authority and/or the person concerned.
Requests from data subjects or government authorities
- TISG will assist the controller to the extent possible with requests from data subjects. In the event that a data subject sends such a request to TISG, TISG will forward the request to the controller, and the controller will further handle the request, unless explicitly agreed otherwise.
- TISG assists the controller to the extent possible to respond to requests from government authorities.
- For the implementation of Articles 9.1 and 9.2, the costs incurred by TISG will be reimbursed by the Controller, unless otherwise agreed.
Information obligation and audit
- TISG makes all information available that is necessary to demonstrate that the obligations under this processor agreement have been and will be complied with.
- The controller has the option to carry out an audit or data protection impact assessment (or have it carried out) at its own expense, at its own expense, at most once a year. TISG provides all necessary cooperation to audits of the controller.
Intellectual property rights
- All intellectual property rights to the personal data and to the databases containing these personal data belong to the controller. These intellectual property rights include copyright and sui generis. TISG only receives a limited right of use to the extent necessary to carry out the agreed processing.
Duration and end of the agreement
- The processor agreement comes into effect the moment the parties conclude the cooperation agreement and is entered into for the duration of the cooperation agreement.
- The parties cannot prematurely terminate the processing agreement.
- The processing agreement ends after and insofar as TISG has erased all personal data in accordance with Article 12.4. TISG removes backups and copies, subject to deviating legal regulations.
- Upon termination of the cooperation agreement, all processed personal data will remain available for three (3) months. The controller is responsible for the timely export of personal data.
- This Processor Agreement is part of the cooperation agreement. The rights and obligations arising from the cooperation agreement and the general terms and conditions of TISG therefore also apply to the processing agreement.
- In the event of any contradictions between the provisions in the processing agreement and the cooperation agreement, the provisions of this processing agreement apply insofar as the provisions specifically relate to the processing of personal data.
- This agreement supersedes any prior or existing understandings between the parties regarding the processing of personal data. This Agreement may only be amended in writing upon joint signature of the parties.
- In accordance with the General Terms and Conditions of TISG, the processing agreement is also subject to Dutch law and disputes are brought before the competent court in Amsterdam; or, at TISG.’s option, the competent court in the place of residence of the controller.