EasyAds B.V. processes personal data for a part of its services, for example if an order link is purchased. This Processing Agreement is only applicable when personal data are processed.
EasyAds B.V., registered with the Chamber of Commerce under number 30.210.912 (hereinafter: "Processor") processes data on behalf of the other party (advertiser, customer, user) to whom it provides services (hereinafter: "Processor").
Taking into account that:
- the Processing Agreement was concluded in the context of the provision of the service by the Processor to the Processing Responsible Party, for the purposes of implementing the Agreement;
- The service of the Processor consists of the processing of article and order data of the Processor and personal data of customers of the Processor;
- Processor is hereby designated as Processor within the meaning of Article 4(8) of the AVG;
- Processor is hereby designated as Processor within the meaning of Article 4(7) of the AVG;
- Processor will process personal data within the meaning of Article 4(1) of the General Data Protection Regulation (hereinafter: "AVG") when performing the Agreement, on the instructions of Processor;
- Processor is prepared to fulfil the obligations regarding security and other aspects of the AVG and, until 25 May 2018, the Personal Data Protection Act (hereinafter referred to as "Wbp"), insofar as this is within its power;
- the Wbp and the AVG impose a duty on the Controller to ensure that the Processor provides sufficient guarantees in respect of the technical and organisational security measures relating to the processing to be carried out;
- the Wbp and the AVG also impose a duty on the Controller to ensure compliance with those measures;
- The parties, also in view of the requirement of Article 28(3) of the AVG, wish to lay down their rights and obligations in writing by means of this Processor Agreement (hereinafter "Processor Agreement");
- Where this Processing Agreement refers to provisions of the AVG, until 25 May 2018 the corresponding provisions of the Wbp are meant.
Article 1. Purposes of the processing
1.1 Under the terms of this Processing Agreement, the Processor undertakes to process article, personal and order data on the instructions of the Processing Responsible Party. Processing will take place exclusively within the scope of the Processing Agreement in order to provide the services to the Processing Responsible Party.
1.2 The personal data processed by the Processor in the context of the Agreement will not be processed for any purpose other than as specified by the Processing Responsible Party. The Processing Responsible Party will inform the Processor of the processing purposes insofar as they are not already set out in this Processing Agreement.
1.3 The Processing Responsible Party guarantees that it will keep a register of the processing operations regulated under this Processing Agreement. The Processing Responsible Party will indemnify the Processor against all claims and demands relating to failure to keep the register or failure to do so correctly.
Article 2. Obligations of Processor
2.1 With regard to the processing referred to in Article 1, the Processor shall ensure compliance with the conditions imposed on the processing of personal data by the Processor in its role under the Personal Data Protection Act and the AVG.
2.2 The Processor will inform the Processing Party, at the latter's request and within a reasonable period, of the measures it has taken regarding its obligations under this Processing Agreement.
2.3 The obligations of the Processor arising from this Processing Agreement shall also apply to those who process personal data under the authority of the Processor.
2.4 The processing of personal data by the Processor will never result in the Processor's databases being enriched with data from the data sets of the Processing Responsible Party, unless the data is in aggregated, non-reducible form. In that case, the Processor is permitted to use this data for its own other purposes.
Article 3. Transfer of personal data
3.1 Processor may process the personal data in countries within the European Economic Area (EEA). In addition, Processor may also process personal data outside the EEA, subject to the applicable laws and regulations.
3.2 At the request of the Processing Party, the Processing Party will be informed as soon as possible in which countries, outside the EEA, it processes the personal data.
Article 4. Division of responsibility
4.1 The permitted processing operations will be carried out by the Processor within an automated environment.
4.2 The Processor is solely responsible for processing the personal data under this Processing Agreement in accordance with the instructions of the Processing Responsible Party and under the explicit (final) responsibility of the Processing Responsible Party. The Processor is not responsible for all other processing of personal data, including but not limited to the collection of the personal data by the Processing Responsible Party, processing for purposes not notified by the Processing Responsible Party to the Processor, processing by third parties and/or for other purposes. The responsibility for these processing operations rests exclusively with the Processing Responsible Party.
4.4 The Controller warrants that the required legal basis, such as consent, as referred to in, but not limited to, the Personal Data Protection Act and the Telecommunications Act, is present for the purposes specified in Article 1.1.
4.5 The Controller warrants that the content, use and commissioning of the processing of the personal data referred to in this Processing Agreement is not unlawful and does not infringe any rights of third parties, and that all the additional safeguards applicable to the processing of special personal data, as laid down in the relevant laws and regulations, have been complied with.
as laid down in the relevant laws and regulations. The Processing Party will indemnify the Processing Party against all claims and demands relating to this.
Article 5. Engaging third parties or subcontractors
5.1 The Processing Party hereby authorises the Processing Party to make use of a third party when processing personal data, pursuant to this Processing Agreement, in compliance with the applicable privacy legislation.
5.2 At the Processor's request, the Processor will inform the Processor as soon as possible about the third parties engaged by the Processor. The Processor is entitled to object to any third parties engaged by the Processor. If the Processing Responsible Party objects to any third parties engaged by the Processor, this will render the use of the service offered by the Processor impossible.
5.3 In any event, the Processor shall ensure that these third parties undertake the same obligations in writing as those agreed between the Processing Party and the Processor.
Article 6. Security
6.1 The processor shall make every effort to take appropriate technical and organisational measures in respect of the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorised access, impairment, alteration or disclosure of the personal data).
6.2 The Processor shall make every effort to ensure that the security meets a level which is not unreasonable in view of the state of the art, the sensitivity of the personal data and the costs involved in implementing the security.
6.3 Despite the fact that Processor must take appropriate security measures in accordance with the first paragraph of this article, Processor cannot fully guarantee that the security is effective in all circumstances. However, if there is a threat of or an actual breach of these security measures, Processor will do everything reasonably possible to limit the loss of personal data as much as possible.
6.4 The Processing Responsible Party will only make personal data available to the Processor for processing if it has ensured that the required security measures have been taken. The Processing Responsible Party is responsible for compliance with the measures agreed by the Parties.
6.5 Processor takes all security measures that may reasonably be expected of it to protect its products and/or services, such as:
- Installing (security) updates on a regular basis;
- Using software that provides protection against viruses, malware, etc;
- Securing against "brute force" attacks;
- Provide systems with firewalls where necessary and ACLs where possible;
- All sensitive data is transmitted over secure connections wherever possible;
- Irreversible hashing is used when storing passwords;
Article 7. Duty to report
7.1 In the event of a security breach and/or data leak (which is understood to mean: a breach of security resulting in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to data transmitted, stored or otherwise processed), Processor will make every effort to inform Processing Responsible immediately or, at the latest, within forty-eight (48) hours, following which Processing Responsible will decide whether or not to inform the supervisory authorities and/or data subjects. The Processor shall make every effort to ensure that the information provided is complete, correct and accurate. The duty to report applies regardless of the impact of the leak.
7.2 The duty to report shall in any case include the reporting of the fact that a leak has occurred, as well as:
- the date on which the leak occurred (if no exact date is known: the period within which the leak occurred);
- what the (alleged) cause of the leak is;
- the date and time on which the leak became known to Processor or to a third party or subcontractor engaged by it;
- The number of persons whose data has been leaked (if an exact number is not known: the minimum and maximum number of persons whose data has been leaked);
- A description of the group of persons whose data has been leaked, including the type or types of personal data leaked;
- Whether the data has been encrypted, hashed or otherwise made unintelligible or inaccessible to unauthorised persons;
- the measures planned and/or already taken to plug the leak and to limit the consequences of the leak;
- contact details for the follow-up of the report.
7.3 The Processor shall ensure compliance with any (statutory) notification obligations. If required by law and/or regulations, Processor will cooperate in informing the relevant authorities and/or parties concerned.
Article 8. Right of data subject
8.1 If a data subject makes a request to the Processor to exercise his/her statutory rights, the Processor will forward the request to the Processing Responsible Party and inform the data subject accordingly. Processor will then deal with the request independently.
8.2 If a data subject makes a request to the Processor to exercise one of their legal rights, the Processor will, if the Processor so requires, provide its cooperation to the extent that this is possible and reasonable. Processor may charge Processor reasonable costs for this.
Article 9. Duty of confidentiality
9.1 All personal data that Processor receives from the Processing Party and/or collects itself in the context of this Processing Agreement is subject to an obligation of confidentiality in relation to third parties. Processor shall not use this information for any purpose other than that for which it was obtained, unless it is in such a form that it cannot be traced back to those involved.
9.2 This secrecy obligation will not apply insofar as the Controller has given its express consent to provide the information to third parties, if providing the information to third parties is logically necessary in view of the nature of the assignment given and the performance of this Processing Agreement, or if there is a legal obligation to provide the information to a third party.