Data Processing Agreement

PARTIES: 

LEGALLY REGISTERED NAME OF COMPANY, incorporated under the laws of the [Country], having its principal place of business at [Address], ([Zipcode]) [City], the Netherlands, registered in the [City] Trade Registry under number [Register number] is the Controller (“Company”);

and

GoodUp B.V., a private company with limited liability organized and existing under the laws of the Netherlands, having its corporate seat in Amsterdam and its official address at ’s-Gravenhekje 1 A, (1011 TG) Amsterdam, the Netherlands, registered with the Trade Register of the Chamber of Commerce under number 34295254 is the Processor (“Supplier”).

WHEREAS:

(A) Under this data processor agreement or a services agreement, Supplier will process personal data; and

(B) Company and Supplier wish to formalise the terms and conditions applicable to the processing of personal data in this agreement.

THE PARTIES HAVE NOW AGREED AS FOLLOWS:

1. DEFINITIONS

1.1 Capitalised terms in this Agreement are defined terms and have the meaning ascribed to them in Annex A. All terms in this Agreement not defined in Annex A, but defined in the Data Protection Legislation, will have the meaning assigned to them in the Data Protection Legislation.

2. INSTRUCTIONS 

2.1 Supplier will be considered as a data processor for the processing of Personal Data. 

2.2 At any time, Supplier guarantees that it complies with the Data Protection Legislation and enables Company to comply with such Data Protection Legislation regarding the Personal Data.

2.3 Supplier will only process Personal Data:

a) for the provision of the Services; 

b) on documented instructions from Company, including, but not limited to, the instructions as set out in Annex B; or 

c) if required to do so by Union or Member State law to which the Supplier is subject. In that case, Supplier must notify Company of that legal requirement before the processing, unless those laws prohibit such notification. 

2.4 Supplier must immediately inform Company if, in Supplier’s opinion, an instruction of Company infringes this Agreement or the law.

3. SECURITY 

3.1 Without prejudice to any applicable security requirements agreed upon by Parties in the Services Agreement, Supplier must take appropriate technical and organisational measures and frequently carry out updates to said measures to protect the Personal Data in accordance with the Data Protection Legislation. These measures will include, but not be limited to, the measures under Annex C.  

4. SUBCONTRACTORS 

4.1 Supplier may only engage a Subcontractor provided that the Supplier complies with this clause 4 and any other provision in this Agreement that applies to subcontracting. 

4.2 Supplier shall choose any Subcontractor diligently with special attention to its good standing and experience with the provision of the subcontracted services and the suitability of its technical and organisational measures. The Supplier remains responsible for any acts or omissions of its Subcontractors in the same manner as for its own acts and omissions hereunder.

4.3 Supplier must obligate all Subcontractors to comply with the same obligations Supplier has under this Agreement.

5. CONFIDENTIALITY 

5.1 Supplier guarantees that it will treat all Confidential Information as confidential. Supplier is not authorised to disclose Confidential Information in any way to any Third Party other than Subcontractors, except (i) if specifically approved in writing by Company or if this is otherwise permitted under this Agreement (e.g. clause 7 assistance), (ii) if required by law or any competent authority, or (iii) if said information has become part of the public domain without violation of this Agreement.

5.2 Supplier may only disclose the Confidential Information to its employees or Subcontractors insofar as this is necessary to perform the Services, provided the confidentiality obligations contained herein are imposed on said parties.

6. NOTIFICATION OF INCIDENTS 

6.1 Supplier must without undue delay notify Company in the event of a Personal Data Breach or any other incident which has to be notified by Company to the Regulators according to the law (an “Incident”) as further specified in Annex A. Supplier must provide all reasonable cooperation with Company and follow any reasonable Company instructions in order to enable Company to properly investigate, respond to, or follow up on Incidents.

7. ASSISTANCE 

7.1 Supplier must assist Company as far as reasonably possible to ensure Company’s compliance with the Data Protection Legislation, including but not limited to requests related to:

(a) a complaint, inquiry or a request of a natural person with regard to the processing of Personal Data by Supplier;

(b) an investigation or seizure of Personal Data by government officials or other kind of individuals, or any indication thereof;

(c) Privacy Impact Assessments (PIAs) or other risk assessments required by law, including updates thereof.

In the event of 7.1 (a) and (b) Supplier must also inform Company without undue delay.

7.2 Supplier is not allowed to cooperate with the persons, officials or individuals within the meaning of clauses 7.1 (a) and 7.1 (b), unless i) it has obtained Company’s prior authorization, or ii) cooperation without such notification is required by applicable law.

If Supplier is required to cooperate without Company’s authorization, it will inform Company without undue delay and will still ensure, to the extent possible:

(a) the security and confidentiality of the Personal Data; and 

(b) that disclosure of the Personal Data remains restricted to the necessary minimum, including that anonymization techniques are applied as far as possible.

8. INTERNATIONAL DATA TRANSFERS

8.1 Supplier will not transfer Personal Data out of any country or territory without informing the Company in advance, nor require Company to make such a transfer, except: 

(a) between member states of the European Economic Area (EEA); or 

(b) to any country or territory outside the EEA with the prior written consent of Company. 

8.2 If Company so requests in writing at any time in relation to international data transfers outside of the EEA, Supplier must, or, if applicable, must procure that a Subcontractor will, promptly enter into an agreement with Company in the form of the then applicable standard contractual clauses approved by the European Commission for the transfer of personal data outside the EEA in such manner as Company may reasonably stipulate.

9. AUDIT RIGHTS

9.1 Supplier must allow Company, or any external auditor mandated by Company, to, within business hours and with reasonable notice and at Company’s costs, review Supplier’s compliance with this Agreement, including but not limited to the technical and organisational measures to protect the Personal Data. Supplier will provide reasonable cooperation requested by Company or its mandated auditors to perform such review. At Company’s first request, Supplier will make available its data processing facilities or premises, systems, data, documents and staff, to the extent these are relevant for such review. 

10. RETENTION  

10.1 Supplier will retain the Personal Data for the retention period as set out in Annex B. 

10.2 Unless agreed otherwise in writing, Supplier will, at Company’s choice and as specified by Company, return or delete all Personal Data and delete all (copies and back-ups of) electronically filed Personal Data, and confirm in writing to Company that all Personal Data have been returned and deleted. 

Supplier will do so: 

(a) immediately after expiration of the retention period under clause 10.1; or 

(b) upon Company’s written request thereto; or 

(c) within 14 calendar days after termination of this Agreement,

in each event unless Union law or Member State law requires longer storage of the Personal Data.

11. LIABILITIES AND INDEMNIFICATIONS

11.1 Each Party is liable for its obligations set out in this Agreement and in applicable Data Protection Legislation. Any liability arising out of or in connection with a violation of the obligations of this Agreement or under applicable Data Protection Legislation, shall follow, and be governed by, the liability provisions set forth in, or otherwise applicable to, the Services Agreement, unless otherwise provided within this Agreement. If the liability is governed by the liability provisions set forth in, or otherwise applicable to, the Services Agreement, for the purpose of calculating liability caps and/or determining the application of other limitations on liability, the liability occurring under this Agreement shall be deemed to occur under the Services Agreement.

11.2 Supplier indemnifies and holds harmless Company against all claims, actions, liabilities, losses, damages and expenses incurred by Company which arise directly or indirectly out of or in connection with a breach of this Agreement or Data Protection Legislation by Supplier or any Subcontractors.

12. TERM AND TERMINATION

12.1 This Agreement will be effective from the date as mentioned on the signature page.

12.2 This Agreement will terminate by operation of law if i) Supplier no longer has access to or otherwise processes Personal Data, or ii) the Services Agreement terminates. 

12.3 Termination or expiration of this Agreement will not discharge Supplier from its confidentiality obligations under clause 5, from its obligations to return and/or delete Personal Data under clause 10, or from any other obligations which by their nature are meant to survive termination.

13. MISCELLANEOUS

13.1 Amendments and additions to this Agreement and the relevant annexes thereto will only be valid and binding if these amendments and additions are agreed in writing and have been (digitally) signed by both parties.

13.2 The rights and obligations of any Party under this Agreement are not transferable and cannot be encumbered without the prior written approval of the other Party.

13.3 This Agreement is governed by the laws of the Netherlands. The competent courts of Amsterdam will have exclusive jurisdiction.