Data Pro standard clause
PART 2: STANDARD CLAUSES FOR PROCESSING

Version: January 2018
Together with the Data Pro Statement, this constitutes the Data Processing Agreement and is an appendix to the Agreement and its appendices, such as the applicable general terms and conditions.
The following terms have the following meanings in these Standard Clauses for Processing, in the Data Pro Statement, and in the Agreement:
- Dutch Data Protection Authority (DPA): supervisory authority, as defined in Article 4, paragraph 21 of the GDPR.
- GDPR: the General Data Protection Regulation.
- Data Processor: the party that, as an ICT supplier, processes Personal Data as a processor for its Client within the framework of the performance of the Agreement.
- Data Pro Statement: a statement from the Data Processor in which it provides information regarding, among other things, the intended use of its product or service, security measures taken, subprocessors, data breaches, certifications, and the handling of the rights of Data Subjects.
- Data Subject: an identified or identifiable natural person.
- Client: the party on whose behalf the Data Processor processes Personal Data. The Client can be either the controller or another processor.
- Agreement: the agreement between the Client and the Data Processor, based on which the ICT supplier provides services and/or products to the Client, of which the processing agreement forms a part.
- Personal Data: all information relating to an identified or identifiable natural person, as defined in Article 4, paragraph 1, of the GDPR, which the Data Processor processes in the context of fulfilling its obligations under the Agreement.
- Data Processing Agreement: these Standard Clauses for Processing, which, together with the Data Processor’s Data Pro Statement (or comparable information), constitute the Data Processing Agreement as referred to in Article 28, paragraph 3, of the GDPR.
Article 2. General
- These Standard Processing Clauses apply to all processing of Personal Data performed by the Data Processor in connection with the delivery of its products and services and to all Agreements and offers. The applicability of the Client’s processing agreements is explicitly rejected.
- The Data Processor may amend the Data Pro Statement, and in particular the security measures contained therein, from time to time to reflect changing circumstances. The Data Processor will notify the Client of any significant amendments. If the Client cannot reasonably agree to the amendments, the Client is entitled to terminate the data processing agreement in writing, with reasons, within 30 days of notification of the amendments.
- Data Processor processes the Personal Data on behalf of and on the instructions of Client in accordance with the written instructions of Client agreed with Data Processor.
- The Client, or its customer, is the controller within the meaning of the GDPR, has authority over the processing of the Personal Data and has determined the purpose and means of processing the Personal Data.
- Data Processor is a processor within the meaning of the GDPR and therefore has no control over the purposes and means of processing the Personal Data and therefore does not make decisions about, among other things, the use of the Personal Data.
- The Data Processor implements the GDPR as laid down in these Standard Processing Clauses, the Data Pro Statement, and the Agreement. It is up to the Client to assess, based on this information, whether the Data Processor offers sufficient guarantees regarding the application of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and that the protection of the rights of data subjects is sufficiently guaranteed.
- The Client warrants to the Data Processor that it will act in accordance with the GDPR, that it will adequately secure its systems and infrastructure at all times and that the content, use and/or processing of the Personal Data is not unlawful and does not infringe any rights of a third party.
- An administrative fine imposed on the Client by the DPA cannot be recovered from the Data Processor, unless there is intent or deliberate recklessness on the part of the Data Processor’s management.
Article 3. Security
- The Data Processor shall implement the technical and organizational security measures as described in its Data Pro Statement. When implementing the technical and organizational security measures, the Data Processor has taken into account the state of the art, the costs of implementing the security measures, the nature, scope, and context of the processing operations, the purposes and intended use of its products and services, the processing risks, and the varying likelihood and severity of the risks to the rights and freedoms of data subjects that it could reasonably expect given the intended use of its products and services.
- Unless explicitly stated otherwise in the Data Pro Statement, the Data Processor product or service is not designed for the processing of special categories of Personal Data or data relating to criminal convictions or offences.
- Data Processor strives to ensure that the security measures it takes are appropriate for the Data Processor’s intended use of the product or service.
- In the opinion of the Client, the security measures described provide a level of security appropriate to the risk of processing the Personal Data used or provided by it, taking into account the factors mentioned in Article 3.1.
- The Data Processor may make changes to the security measures in place if it deems this necessary to continue to provide an appropriate level of security. The Data Processor will record important changes, for example, in an updated Data Pro Statement, and will notify the Client of these changes where relevant.
- The Client may request the Data Processor to implement additional security measures. The Data Processor is not obligated to implement changes to its security measures in response to such a request. The Data Processor may charge the Client for the costs associated with the changes implemented at the Client’s request. Only after the modified security measures requested by the Client have been agreed upon in writing and signed by the Parties will the Data Processor be obligated to actually implement these security measures.
Article 4. Personal Data Breaches
- The Data Processor does not guarantee that the security measures are effective under all circumstances. If the Data Processor discovers a Personal Data breach (as defined in Article 4(12) of the GDPR), it will inform the Client without undue delay. The Data Pro Statement (under the data breach protocol) stipulates how the Data Processor informs the Client about Personal Data breaches.
- It is up to the controller (Client or its customer) to assess whether the Personal Data Breach notified by the Data Processor must be reported to the Dutch Data Protection Authority (DPA) or the Data Subject. Reporting Personal Data Breaches, which must be reported to the DPA and/or Data Subjects pursuant to Articles 33 and 34 of the GDPR, remains the responsibility of the controller (Client or its customer). The Data Processor is not obligated to report Personal Data Breaches to the DPA and/or the Data Subject.
- Data Processor will, if necessary, provide further information about the Personal Data breach and will cooperate in providing the Client with the necessary information for the purpose of notification as referred to in Articles 33 and 34 GDPR.
- Data Processor may charge the Client for reasonable costs incurred in this regard at its then applicable rates.
Article 5. Confidentiality
- Data Processor guarantees that the persons who process Personal Data under its responsibility are bound by a duty of confidentiality.
- The Data Processor is entitled to provide the Personal Data to third parties if and to the extent that provision is necessary pursuant to a court order, a statutory provision or on the basis of an authorised order from a government authority.
- All access and/or identification codes, certificates, information regarding access and/or password policies, and all information provided by the Data Processor to the Client that fulfills the technical and organizational security measures included in the Data Pro Statement are confidential and will be treated as such by the Client and disclosed only to authorized employees of the Client. The Client shall ensure that its employees comply with the obligations under this article.
Article 6. Duration and termination
- This processing agreement forms part of the Agreement and any new or additional agreement arising from it shall enter into force at the time the Agreement is concluded and shall be concluded for an indefinite period.
- This processing agreement will automatically terminate upon termination of the Agreement or any new or additional agreement between the parties.
- In the event of termination of the processing agreement, the Data Processor will delete all Personal Data held by it and received from the Client within the period specified in the Data Pro Statement in such a way that it can no longer be used and is no longer accessible (render inaccessible), or, if agreed, return it to the Client in a machine-readable format.
- The Data Processor may charge the Client for any costs incurred in connection with Article 6.3. Further agreements on this matter can be laid down in the Data Pro Statement.
- The provisions of Article 6.3 do not apply if a legal provision prevents the Data Processor from deleting or returning the Personal Data, in whole or in part. In such a case, the Data Processor will continue to process the Personal Data only to the extent necessary to fulfill its legal obligations. The provisions of Article 6.3 also do not apply if the Data Processor is the controller within the meaning of the GDPR with respect to the Personal Data.
Article 7. Data Subject Rights, Data Protection Impact Assessment (DPIA) and Audit Rights
- The Data Processor will, where possible, cooperate with reasonable requests from the Client relating to the rights of Data Subjects invoked by Data Subjects with the Client. If the Data Processor is contacted directly by a Data Subject, it will, where possible, refer the Data Subject to the Client.
- If the Client is obliged to do so, the Data Processor will, upon a reasonable request, cooperate in a Data Protection Impact Assessment (DPIA) or subsequent prior consultation as referred to in Articles 35 and 36 GDPR.
- Data Processor can demonstrate compliance with its obligations under the processing agreement by means of a valid Data Pro Certificate or at least an equivalent certificate or audit report (Third Party Memorandum) from an independent expert.
- In addition, the Data Processor will, at the Client’s request, provide all further information reasonably necessary to demonstrate compliance with the agreements made in this Data Processing Agreement. If, despite this, the Client has reason to believe that the processing of Personal Data is not taking place in accordance with the Data Processing Agreement, the Client may, at its own expense, have an audit conducted no more than once per year by an independent, certified, external expert with demonstrable experience with the type of processing carried out under the Agreement. The audit will be limited to verifying compliance with the agreements regarding the processing of Personal Data as set out in this Data Processing Agreement. The expert will be bound by a duty of confidentiality regarding any findings and will only report to the Client any information that constitutes a shortcoming in the Data Processor’s compliance with its obligations under this Data Processing Agreement. The expert will provide the Data Processor with a copy of their report. The Data Processor may refuse an audit or instruction from the expert if, in its opinion, it is in conflict with the GDPR or other legislation or constitutes an unacceptable breach of the security measures it has taken.
- The parties will consult with each other as soon as possible about the findings in the report. The parties will follow the proposed improvement measures outlined in the report to the extent reasonably expected. The Data Processor will implement the proposed improvement measures to the extent it deems them appropriate, taking into account the processing risks associated with its product or service, the state of the art, the implementation costs, the market in which it operates, and the intended use of the product or service.
- The Data Processor has the right to charge the Client for the costs it incurs in connection with the provisions of this article.
Article 8. Subprocessors
- Data Processor has stated in the Data Pro Statement whether, and if so, which third parties (subprocessors) Data Processor uses in the processing of the Personal Data.
- Client grants permission to Data Processor to engage other sub-processors to perform its obligations arising from the Agreement.
- The Data Processor will inform the Client of any changes to the third parties engaged by the Data Processor, for example, by means of an updated Data Pro Statement. The Client has the right to object to the aforementioned change by the Data Processor. The Data Processor will ensure that the third parties engaged by it commit to the same level of security regarding the protection of Personal Data as the security level to which the Data Processor is bound by the Client under the Data Pro Statement.
Article 9. Other
These Standard Clauses for Processing, together with the Data Pro Statement, form an integral part of the Agreement. All rights and obligations under the Agreement, including the applicable general terms and conditions and/or limitations of liability, therefore also apply to the Data Processing Agreement.
