Data Processing Agreement
Hooray B.V. Data Processing Agreement
This Data Processing Agreement applies to all forms of personal data processing that Hooray, listed in the Commercial Register of the Dutch Chamber of Commerce, entry number 71997288 (hereinafter referred to as the “Processor”) carries out for the benefit of the other party to which it provides services (hereinafter referred to as the “Controller”) under the contract concluded between the parties (hereinafter referred to as the “Underlying Contract”).
1. Purposes of processing
- The Processor agrees to process personal data on the Controller’s behalf subject to the terms and conditions of this Data Processing Agreement. Processing will take place exclusively with a view to managing the Controller’s bookkeeping and accounting and other records, in addition to those purposes that are reasonably related to this or that are specified by further agreement.
- The personal data processed by the Processor for the purposes of the activities referred to in the previous paragraph and the categories of data subjects from whom it comes can be found in Schedule A. The Processor will not process the personal data for any other purpose than that laid down by the Controller. The Controller will advise the Processor of the processing purposes in so far as they have not previously been set down in this Data Processing Agreement.
- The personal data to be processed on the Controller’s behalf remains the property of the Controller and/or the data subjects concerned.
2. Processor’s obligations
- With regard to the processing operations referred to in Article 1, the Processor will be responsible for complying with the relevant legislation and regulations, which in any event include the legislation and regulations in the area of personal data protection, such as the General Data Protection Regulation (GDPR).
- The Processor will inform the Controller, at the latter’s request, about the measures it has taken regarding its obligations under this Data Processing Agreement.
- The Processor will ensure that its employees have access to the personal data. The Processor will restrict the access of employees to those employees for whom the access is necessary for their duties, access being restricted to personal data that these employees need for their duties. The Processor will also ensure that the employees who have access to the personal data have received full and proper instruction on how to handle personal data and that they are familiar with their responsibilities and statutory duties.
- The Processor will inform the Controller immediately if it believes an instruction given by the Controller conflicts with the legislation referred to in paragraph 1.
- The Processor will, in so far as it is within its power, support the Controller in carrying out data protection impact assessments.
- The Processor will keep a register in accordance with Article 30 of the GDPR of all categories of processing activities it carries out for the Controller under this Data Processing Agreement.
3. Transfer of personal data
- There may be times when the Processor has to engage third parties when performing the Underlying Contract to process certain personal data under its supervision and responsibility. These third parties are mainly located in the European Economic Area (EEA). A number of third parties may be located in countries outside the EEA, such as the United States, where an appropriate level of protection for the personal data, as is offered in the EEA, may not apply. To protect the processing of personal data and to fulfil statutory duties, the Processor will only engage those third parties as subprocessors that offer sufficient guarantees with regard to the application of suitable technical and organisational security measures. The Processor will conclude a data subprocessing agreement with these third parties, with a view to providing sufficient protection in respect of the processing of personal data. These third parties may not then process the personal data in any other way than that for which the Processor has given instructions.
4. Division of responsibility
- The Processor will provide ICT equipment for the processing operations that is to be used by the Controller for the aims referred to above. The Processor will only carry out processing operations itself on the basis of separate agreements.
- The Processor is responsible solely for the processing of the personal data under this Data Processing Agreement, in accordance with the Controller’s instructions and subject to the Controller’s express (final) responsibility. The Processor is expressly not responsible for the other personal data processing operations, which in any event include, but are not limited to, the collection of the personal data by the Controller, processing operations for purposes not reported to the Processor by the Controller and processing operations by third parties and/or for other purposes.
- The Controller guarantees that the content and the use of the personal data and the instructions for its processing, as referred to in this Data Processing Agreement, are not unlawful and do not breach any third-party right.
5. Engaging third parties
- The Processor is entitled to engage other processors (subprocessors) to carry out certain activities arising from the Underlying Contract, for example if these subprocessors have specialist knowledge or equipment that the Processor does not have or that is necessary for the performance of the Underlying Contract. If the engagement of subprocessors means they will process personal data, the Processor will impose the obligations under this Data Processing Agreement on these subprocessors (in writing). If the Controller so demands, the Processor will inform the Controller of envisaged changes regarding the addition or change of subprocessors. The Controller can object to such changes on reasonable grounds. In some cases this may mean that the Processor must terminate the Underlying Contract. Whether a contract must be terminated for this reason is at the exclusive discretion of the Processor.
- The Processor guarantees proper compliance with the obligations under this Data Processing Agreement by these third parties and in the event of errors by these third parties is itself liable for all damage as if it had itself made the error or errors.
- The Processor will endeavour to take sufficient technical and organisational measures with regard to the personal data processing operations to be performed, against loss or against any form of unlawful processing (such as unauthorised inspection, impairment, alteration or distribution of the personal data).
- The Processor does not guarantee that its security is effective in all circumstances. If a security feature expressly set down in this Data Processing Agreement is missing, the Processor will endeavour to ensure the security is of a level that, having regard to the state of the art, the sensitivity of the personal data and the costs associated with implementing the security, is not unreasonable.
- The Controller will only provide the Processor with personal data for processing if it has satisfied itself that the required security measures have been taken. The Processor is responsible for compliance with the measures agreed by the Parties.
7. Obligation to report
- The Processor must notify the Controller if a data leak occurs (which means a breach of security that by accident or unlawfully leads to – or it cannot reasonably be ruled out that it may lead to – the destruction, loss, alteration or unauthorised distribution of or the unauthorised access to transmitted, stored or otherwise processed personal data).
- The Processor aims to do this within 48 hours of discovering this data leak or as soon as possible once the subprocessors have informed it thereof. In so doing the Processor will provide the Controller with the information it reasonably needs to make – if necessary – an accurate and complete report to the Dutch Data Protection Authority and if necessary the data subject or subjects in the context of the Obligation to Report a Data Leak or the Processor will forward the report from the subprocessor to the Controller. The Controller must also at all times be kept informed of the measures taken by the Processor, or the subprocessor, as a result of the data leak.
- The reporting of data leaks to the Dutch Data Protection Authority and (any) data subject or subjects is at all times the Controller’s own responsibility, as is keeping a register of data leaks.
8. Duty of confidentiality
- The Processor will keep the personal data provided confidential, unless this is impossible because of a statutory duty or the Controller has given express consent to provide the information to Third Parties or if the provision of the information to Third Parties is logically necessary in view of the nature of the contract awarded and the performance of this Data Processing Agreement.
- If the Processor must provide personal data under a statutory duty, the Processor will verify the basis of the request and the identity of the person requesting it, and the Processor will immediately inform the Controller in this regard before providing the data, unless statutory provisions prohibit this.
- The Processor will ensure that its employees and subprocessors maintain this confidentiality by including a duty of confidentiality in the contracts (of employment).
- This provision will continue after this Data Processing Agreement, for whatever reason, has ended.
9. Handling requests from data subjects
- In the event that a data subject sends the Processor a request to exercise his or her statutory rights (Articles 15-22 of the GDPR), the Processor will forward the request to the Controller and the Controller will take the matter forward. The Processor may inform the data subject thereof.
- The Controller has the right, once per year, to have audits carried out by an independent third party that is bound by confidentiality to verify compliance with every aspect of the Data Processing Agreement, and everything directly connected with it.
- Only if there is a concrete suspicion of abuse is the Controller entitled to have an audit carried out more than once a year.
- The Processor will cooperate with the audit and provide all the information reasonably relevant for it, including supporting data such as system logs, and employees as promptly as possible.
- The findings resulting from the completed audit will be assessed by the Parties in joint consultation and, as a result, will or will not be implemented by one of the Parties or both Parties together.
- The costs of the audit will be borne by the Controller.
- The Parties expressly agree that the provisions of the Underlying Contract with Hooray B.V.’s associated General Terms and Conditions apply with regard to liability.
12. Term and termination
- This Data Processing Agreement is concluded by acceptance by the Controller by means of a separate explicit statement of approval when entering into the Underlying Contract. This Data Processing Agreement takes effect on the same date as the Underlying Contract. A copy of the agreed Data Processing Agreement will be made available by the Processor electronically to the Controller.
- This Data Processing Agreement is concluded for the term stated in the Underlying Contract between the Parties and failing this in any event for the duration of the collaboration.
- After termination or expiration of this Data Processing Agreement, the Processor will delete all Personal Data within a period of 90 days, unless the Parties have agreed on a paid inspection license for the duration of the legally applicable retention periods before the end of this Data Processing Agreement, after which the Processor will still delete the Personal Data. In the event of a temporary inspection license, this Data Processing Agreement will be continued equal to the duration of the inspection license.
- The Controller remains responsible at all times – both during the term of this Data Processing Agreement and during any subsequent inspection license as referred to in the previous paragraph – for monitoring the statutory retention periods, as well as for supervising the removal of the Personal Data concerned. The Controller indemnifies the Processor against all costs and damage in connection with any shortcoming under this article 12.4.
- The costs of collecting and transferring personal data on the termination of the Underlying Contract are for the Controller’s account. The same applies to the costs of destroying the personal data. If the Controller so wishes, the Processor will provide a cost estimate for this in advance.
- The Processor is entitled to revise this Data Processing Agreement from time to time. It will give the Controller notice of the changes a minimum of one month in advance. The Controller may give notice to terminate with effect from the end of this month if it cannot agree to the changes.
- The Parties are not permitted, except by written agreement, to transfer this Data Processing Agreement and the rights and the obligations connected with it to a third party.
14. Additions and amendment
- Additions and amendments to this Data Processing Agreement are only valid if they have been set down in writing. The term “in writing” includes changes communicated by email, followed by an agreement by email from the other party or some other method of acceptance, whether or not effected electronically.
- A change in the processed personal data or in the reliability requirements, the privacy regulations or the requirements of the Controller may be reason to supplement or to change this Data Processing Agreement. If this leads to significant changes in the Underlying Contract or if the Processor is unable to provide a suitable level of protection, this may be reason for the Parties to terminate the Underlying Contract.
- The Controller will give every assistance to updating this Data Processing Agreement and making it suitable for any new privacy legislation, such as the Dutch Data Protection (Implementation) Act.
15. Final provisions
- This Data Processing Agreement is governed by Dutch law and the Dutch courts are competent to hear all disputes arising from or connected with this Data Processing Agreement.
Schedule A. Summary of processing operations
This Schedule sets out the processing operations carried out by the Processor on behalf of the Controller in further detail.
The Processor processes data of the Controller’s workers for the Controller, with the aim of managing and automating the Controller’s HR administration. The Processor provides the Controller with the opportunity to store, manage and download data and to view reports relating to HR administration. The following Data Subject information may be involved:
- Name and address details
- Telephone number
- Email address
- Citizen service number
- Job title
- Date of birth
- Marital status
- Financial information
- IP addresses
Of the categories of data subject:
- Contact persons for emergency
The Controller guarantees that the personal data and categories of data subject described in this Schedule A are complete and correct, and indemnifies the Processor against any errors and claims resulting from an incorrect representation by the Controller.
Schedule B. Summary of subprocessors and subprocessor categories
Not every subprocessor comes into contact with the same (amount of) personal data. As much data minimisation as possible is done in each environment.
Subprocessors in use:
- ActiveCampaign – CRM (www.activecampaign.com)
- Pipedrive – CRM (www.pipedrive.com)
- MoneyBird – bookkeeping (www.moneybird.nl)
- Stripe – payment service provider (www.stripe.com)
- GitLab – development environment (www.gitlab.com)
- Intercom – support (www.intercom.com)
- Slack – internal communication (www.slack.com)
- Zapier – interface between described tools (zapier.com)
- Google – Google Calendar, Google Drive, Google Mail, Google Analytics (www.google.com)
- Advertising on Facebook (www.facebook.com), LinkedIn (www.linkedin.com), Bing/Microsoft (www.bing.com), Google AdWords (www.google.com)
- Oxillion – hosting (www.oxillion.nl)
- Microsoft Azure – cloud hosting (azure.microsoft.com/)
- Calendly – planning tool (www.calendly.com)
- Amazon AWS (aws.amazon.com)
- ChartMogul (www.chartmogul.com)
Subprocessor categories that Hooray B.V. may use in the future, in accordance with Article 5:
- Hosting providers & Cloud platforms