Processor agreement

Preface

This Processor Agreement is part of the Main Agreement that has been concluded between Dutch Supplements B.V. (hereinafter: "Dutch Supplements") and a natural person or legal entity (hereinafter: "Buyer"). Together, the Buyer and Dutch Supplements are called the "Parties".

Dutch Supplements is qualified as a processor and the Customer as the controller on the basis of the Applicable Legislation.

In this Processor Agreement the agreements have been laid down with regard to the processing of Personal Data within the framework of the Main Agreement. If the Purchaser has questions about this Processor Agreement, please contact the processor.

 

1. Definitions

This Processor Agreement uses a number of terms that are written with a capital letter. These terms have the meanings given below:

Data Subject or Relevant Persons: the identifiable natural person whose Personal Data are processed.

Data Breach: an infringement of the security of Personal Data that inadvertently or unlawfully leads to the destruction, loss, modification or unauthorized disclosure of or unauthorized access to transmitted, stored or otherwise processed data.

Main Agreement: the agreement between the Buyer and Dutch Supplements, on the basis of which the Buyer makes use of the work of Dutch Supplements and to which the general conditions of Dutch Supplements also apply.

Personal Data: all information about an identified or identifiable natural person that Dutch Supplements processes in the context of the Main Contract for the Customer as the Processing Officer.

Employee(s): the persons authorized by the Parties for the execution of this Processing Agreement and who work under their responsibility.

Sub-processor: any third party that is called in by Dutch Supplements to process Personal Data for Dutch Supplements, without being subject to the direct authority of Dutch Supplements.

Applicable Laws: laws or other (local) regulations, guidelines or policies, instructions or recommendations from government authorities that apply to the processing of personal data, including any changes, substitutions, updates or other later versions thereof.

Processing: any operation or set of operations relating to Personal Data or a set of Personal Data, whether or not performed via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by means of forwarding, distributing or otherwise making available, aligning or combining, blocking, erasing or destroying data.

Processing agreement: this agreement including considerations, changes and updates.

 

2. Subject of this Processor Agreement

The purpose of this Processor Agreement is to set out under which conditions Dutch Supplements may process Personal Data on the instructions of the Customer.

The Processor Agreement is an integral part of the Main Contract between the Buyer and Dutch Supplements. The Master Agreement and the Processor Agreement jointly determine the subject and the duration of the Processing.

The Parties guarantee that they will comply with the requirements of the Applicable Legislation regarding the Processing of Personal Data.

 

3. Obligations of the Buyer as the Processing Officer

The Customer makes the Personal Data available to Dutch Supplements and determines the purpose and means for the Processing. The Customer guarantees that the Processing of the Personal Data, including the collection, takes place in accordance with the relevant Applicable Legislation.

If Employees of the Customer process Personal Data, the responsibility for compliance with the Applicable Legislation falls under the responsibility of the Customer.

Dutch Supplements undertakes to process Personal Data only for the account of the Buyer, with the aim of sending orders and digital information for the Buyer. Processing will only take place on instructions from the Buyer.

Dutch Supplements processes the following types of Personal Data:

- Name
- Address
- E-mail
- Phone number

For the implementation of the Main Agreement, Dutch Supplements may subject the Personal Data to the following Processing operations: collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by means of forwarding, combining, blocking, erasing or destroying.

 

4. Permitted Processing

Dutch Supplements may only process the Personal Data that are strictly necessary for the execution of the Main Agreement. Dutch Supplements has no control over the purpose of the Processing of Personal Data.

Dutch Supplements will only disclose the Personal Data to Employees and / or sub-processors who (necessarily) have access to the Personal Data for the performance of the obligations under the Main Agreement, unless otherwise required by the Applicable Law. Dutch Supplements informs its Employees about the obligations of this Processor Agreement.

If necessary for the execution of the Main Agreement, Dutch Supplements can proceed to make backups. The Personal Data on backups enjoy the same protection as the original Personal Data.

Dutch Supplements does not process Personal Data outside the European Economic Area (EEA).

 

5. Subprocessors

The Buyer accepts that Dutch Supplements can use sub-processors in the execution of the Main Agreement. The Processing Officer can request information about sub-processors. The reprocessor can only refuse on the basis of justified reasons.

Dutch Supplements ensures that the same data protection safeguards are agreed with contracted sub-processors, as set out in this Processor Agreement.

Dutch Supplements remains fully responsible towards the Processing Officer for compliance by the Subprocessor with its obligations. Dutch Supplements remains the point of contact for the Customer at all times.

 

6. Confidentiality

Dutch Supplements is bound by a duty of confidentiality with regard to the Personal Data processed by order of the Processing Officer. This duty of confidentiality applies in full to the Employees of Dutch Supplements and to any Sub-processors. The confidentiality obligation also continues after the processing agreement has been terminated.

This obligation of confidentiality does not apply if Dutch Supplements is obliged by the supervisory authority, a legal provision or a court order to communicate this Personal Data, if the information is publicly known and if the data provision takes place on the instructions of the Customer.

 

7. Safety measures

Dutch Supplements takes the required technical and organizational measures to ensure a risk-adapted level of security so that the Processing complies with the Applicable Legislation and the rights of the Data Subjects are guaranteed.

The level of protection is attuned to the risks, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing.

Dutch Supplements is responsible for applying and / or changing the level of protection if this is deemed necessary or required by law.

If and insofar as the Customer so requests, Dutch Supplements may take additional measures with a view to the security of the Personal Data. Any additional costs are at the expense of the Client, unless otherwise agreed.

 

8. Reporting a Data Breach

If Dutch Supplements establishes a Data Breach, it reports this to the Buyer immediately, and at the latest within 48 hours after the determination. This notification describes or communicates at least the following:

- The nature of the infringement in relation to personal data, where possible with reference to the categories of Data Subject and the Personal Data in question;
- The likely consequences of the Data Breach in connection with Personal Data;
- The measures taken by Dutch Supplements to deal with the Data Breach, including, where appropriate, the measures to limit any negative consequences.

After a report based on the previous article, Dutch Supplements also informs the Purchaser about the developments concerning the established Data Breach.

The Purchaser itself assesses whether it informs the supervisory authority and / or the Data Subjects of an existing Data Breach.

The Parties each bear the costs they themselves incur in connection with a report to the supervisory authority and / or the Data Subject.

 

9. Requests from Parties or government bodies

Dutch Supplements assists the Customer to the extent possible with requests from Data Subjects. In the event that a Data Subject addresses such a request to Dutch Supplements, the request will be forwarded to the Customer. The Customer will process requests, unless expressly agreed otherwise.

Dutch Supplements assists the Customer, as far as possible, in answering requests from government bodies.

For the implementation of articles 10.1 and 10.2, the costs incurred by Dutch Supplements will be reimbursed by the Buyer, unless otherwise agreed.

 

10. Duration and end of the agreement

The Processor Agreement enters into effect at the time when it is accepted by the Customer and is entered into for the duration of the Main Agreement.

The Parties cannot terminate the Processing Agreement prematurely.

The Processor Agreement ends after and insofar as Dutch Supplements has deleted all Personal Data in accordance with Article 12.4. Dutch Supplements removes backups and copies, subject to deviating legal regulations.

Upon termination of the Main Contract, all processed Personal Data remain available for 30 days. After this period, Personal Data will be permanently deleted.

 
