Processing Agreement | Rinkel B.V.
Version: VONLEN_1.0 Date: 17 May 2022
This Processing Agreement forms an integral and inseparable part of the arrangements agreed between the parties and of the services provided by Rinkel B.V. (the "Agreement"). This Processing Agreement is therefore also subject to Rinkel B.V.'s General Terms and Conditions.
The User is given the opportunity to enter into the following processing agreement with Rinkel B.V. during the registration process or through acceptance in My Rinkel (https://my.rinkel.com)
hereinafter referred to individually as a "Party" and collectively as the "Parties";
Clause 1. General
1.1 The Processor undertakes to process personal data on the Controller's instructions in accordance with the terms of this Processing Agreement. Data will only be processed for the purpose of performing the Agreement and for reasonably related purposes or for purposes to be determined subject to further consent, and solely on the basis of the Controller's instructions. The Controller will inform the Processor in writing of any processing purposes not already specified in the Agreement or this Processing Agreement.
1.2 In performing the Agreement, the Processor will process all personal data that may be stored when use is made of the Services. This involves the following types of personal data:
i) Name and address details;
ii) Email address;
iii) User's telephone number(s);
iv) Telephone number(s) of the User's customers;
v) IP address;
vi) (Bank) account number.
1.3 The Processor has no control over the purposes and means of personal data processing. The Processor will not independently take any decisions in terms of receiving or using the personal data, sharing the personal data with third parties, or the period during which such data is to be retained.
Clause 2. Division of responsibilities
2.1 The permitted processing activities will be carried out under the Processor's control in a (semi-)automated environment.
2.2 The Processors' responsibility is limited to processing the personal data under the terms of this Processing Agreement, in accordance with Controller's the written instructions and explicitly under the Controller's (ultimate) responsibility.
2.3 The Processor is explicitly not responsible for any other personal data processing activities, including but not limited to the collection of personal data by the Controller, processing for purposes not notified by the Controller or the Processor, and/or processing activities performed by third parties engaged by the Controller. Responsibility for such processing activities lies with the Controller.
2.4 The Controller guarantees that the content and use of the persona data and the instructions for processing the data as referred to in this Processing Agreement are not unlawful and do not infringe any rights of third parties, and it indemnifies the Processor against any and all claims arising in this regard.
2.5 If a data protection impact assessment or prior consultation with the supervisory authority is required for any new processing activity under this Processing Agreement, the Processor will cooperate to the extent possible. The Processor may charge the Controller a reasonable amount in this regard.
2.6 If legally required and necessary, the Processor will cooperate with any investigation by the Dutch Data Protection Authority into any processing carried out under this Processing Agreement. The Processor may charge the Controller a reasonable amount in this regard.
2.7 The Processor's obligations arising from this Processing Agreement also apply to anyone processing personal data under the authority of the Processor, including without limitation the Processor's employees.
Clause 3. Security
3.2 Due to the nature of the Internet and technology, the Processor does not guarantee that the security measures will be effective under all circumstances.
Clause 4. Subprocessors
4.1 The Controller authorises the Processor to use subcontractors (subprocessors) for the purpose of processing personal data under this Processing Agreement, subject to applicable privacy laws. The Processor will inform the Controller at its request of the identities of the subprocessors it is using.
4.2 If the Processor intends to engage new subprocessors for the purpose of processing personal data, the Processor will notify the Controller in advance, if reasonably possible.
4.3 The Processor must in any event ensure that the subprocessors accept in writing similar obligations to those agreed between the Controller and the Processor.
Clause 5. Data transfers
5.1 The Processor may process the personal data in countries within the European Economic Area (EEA). The Processor may also transfer the personal data to countries outside the EEA, provided that applicable legal requirements are met.
5.2 The Processor will inform the Controller at its request of the names of the country/countries to which it is to transfer the personal data.
Article 6. Audits
6.1 The Controller may instruct an independent third-party expert bound by a confidentiality obligation to perform audits to monitor compliance with the arrangements set out in this Processing Agreement and any related matters.
6.2 Any audit will be carried only after the Controller has requested access to and reviewed relevant reports available from the Processor and has put forward reasonable arguments justifying the audit. An audit is justified if the reports available from the Processor provide insufficient or no evidence of compliance with this Processing Agreement.
6.3 An audit initiated by the Controller will take place no earlier than four weeks after prior notice being given and no more than once every calendar year.
6.4 The Processor will cooperate with the audit and make available all such information as may reasonably be relevant to it.
6.5 The audit findings will be reviewed by the Parties in consultation with each other. Any changes prompted by the findings will be implemented by either Party or by both Parties acting jointly.
6.6 All costs incurred for the audit, including any costs incurred by the Processor, will be borne by the Controller.
Clause 7. Duty to notify
7.1 The Processor will notify the Controller of any personal data breach as referred to in Article 33 of the GDPR within 48 hours. The Processor must make every effort to ensure that the information provided is complete, correct, and accurate.
7.2 If required by applicable laws and/or regulations, the Processor will assist in notifying the relevant authorities and/or data subjects. The Controller will decide whether or not to notify the supervisory authorities and/or data subjects. The Controller is and remains the party responsible for complying with any statutory and other notification requirements.
7.3 This notification requirement in any event includes reporting the fact that there has been a data breach and, in so far as information is available:
i) what the (alleged) cause of the breach is;
ii) contact details for following up on the report;
iii) approximate number of data subjects and personal data records concerned;
iv) the (likely) consequences of the data breach;
v) the (proposed) solution; and
vi) any measures that have already been taken.
Clause 8. Requests from data subjects
8.1 If a data subject submits a request to the Processor regarding their personal data, the Processor will forward the request to the Controller and the Controller will then handle the request. If the Processor's cooperation is required for the handling of the request , the Processor will provide its reasonable cooperation. Any costs reasonably incurred or to be incurred by the Processor in connection with such cooperation will be reimbursed by the Controller.
Article 9. Confidentiality
9.1 Any personal data that the Processor obtains from the Controller and/or collects itself under this Processing Agreement is subject to a duty of confidentiality vis-à-vis third parties.
9.2 This confidentiality obligation does not apply if the Controller has explicitly consented to such information being disclosed to third parties, if disclosing such information to third parties is logically necessary in view of the instructions issued and the performance of this Processing Agreement, or if there is a legal obligation to disclose such information to a third party.
Clause 10. Term and end
10.1 This Processing Agreement commences on the date of signature by the Parties and will continue to apply for the duration of the Agreement or otherwise for the duration of their continued collaboration.
10.2 Where necessary, the Parties will cooperate fully in having this Processing Agreement adjusted to comply with any new or amended privacy laws and regulations.
10.3 If the Agreement terminates, this Processing Agreement will also terminate by operation of law.
10.4 Prior to expiry or termination of the Agreement, or within 30 days of expiry or termination of the Agreement, the Controller may make further arrangements with the Processor as to what should happen to any personal data of the Controller which the Processor may still hold. At the Controller's request, the Processor will either destroy the personal data processed by it, or return the data to the Controller (in original or copy format). The Processor may charge costs to the Controller for this purpose at the Processor's usual rates.
10.5 If the Controller fails to indicate, within 30 days of expiry or termination of the Main Agreement, that it wishes to make further arrangements with the Processor regarding the return or destruction of the personal data, then the Processor is entitled to destroy the personal data as of the 31st day after the Agreement has ended.
Signed on behalf of Rinkel,
Mr J. van Vierzen
CEO Rinkel B.V.