This processing agreement applies to all forms of processing of personal data that Bratpack ltd, registered with Companies House, under number 07009875, (hereinafter: the “Processor”), performs on behalf of a counter party to whom it provides services (hereinafter: “Processing Officer”), hereinafter collectively referred to as: the “Parties”.
Purposes of processing
- The processor agrees to process personal data on the instructions of the Processing Officer, under the conditions of this Processing Agreement Processing will only take place in the context of the processing of orders and payments for products or services of the Processing Officer, the storage of data from the Processing Officer in the 'cloud', and associated on-line services, the provision and management of the on-line Customer Relation Management package. and/or on-line Content Management System of Processor for the Processing Officer, maintaining telephone contact with clients of Processing Officer for handling complaints and providing service, conducting Public Relations and Marketing Activities for the Processing Officer, sending newsletters commissioned by the Processing Officer, management of the customer administration of the Processing Officer, customer card-related information, making purchasing, customer and behavioural analysis, plus those purposes that are reasonably related or that were further agreed to mutually.
- The personal data processed by the Processor in the context of the activities referred to in the previous paragraph and the categories of the involved of which they originate, are listed in annex 1. The Processor will not process the personal data for any other purpose than as determined by the Processing Officer. The Processing Officer will inform the Processor of the processing purposes insofar as these have not yet been listed in this Processing Agreement. The Processor may, however, use the personal data for quality purposes, such as surveying the data subjects or conducting scientific or statistical studies into the quality of its services.
- The personal data to be processed on behalf of the Processing Officer remain the property of the Processing Officer and/or the relevant involved parties.
Obligations of the Processor
- With regard to the processing operations referred to in article 1, the Processor will ensure compliance with the applicable laws and regulations, including in any case the laws and regulations relating to the protection of personal data, such as the Personal Data Protection Act, and per 25 May 2018 the General Data Protection Regulation.
- The Processor will inform the Processing Officer, on its first request, of the measures it has taken with regard to its obligations under this Processing Agreement.
- The obligations of the Processor arising from this Processing Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
- The Processor will immediately inform the Processing Officer if, in its opinion, an instruction of the Processing Officer is in conflict with the legislation referred to in paragraph 1.
- The Processing Officer is deemed to take note of its rights and obligations regarding the processing of personal data and to act accordingly.
- The Processor will, insofar as this is within its power, assist the Processing Officer in the implementation of a data protection impact assessment (DPIA).
Transfer of personal data
- The Processor may process the personal data in countries within the European Union. Transfer to countries outside the European Union is not permitted if countries and/or companies do not comply with the GDPR guidelines and fall under the Privacy Shield directive.
Distribution of responsibility
- The authorized processing operations will be carried out by employees of the Processor, within an automated environment.
- The Processor is solely responsible for the processing of the personal data under this Processing Agreement, in accordance with the instructions of the Processing Officer and under the express (final) responsibility of the Processing Officer. The Processor is expressly not responsible for the other processing of personal data, including in any case, but not limited to, the collection of the personal data by the Processing Officer, processing for purposes not reported by the Processing Officer to the Processor, processing by third parties and/or for other purposes.
- The Processing Officer guarantees that the content, the use and the instructions for the processing of the personal data as referred to in this Processing Agreement are not unlawful and do not infringe any third party right.
Engaging external parties or subcontractors
- The Processor may engage external parties in the context of this Processing Agreement, provided that prior written permission is obtained from the Processing Officer;
- The Processing Officer may object if the use of a specific indicated external party is unacceptable.
- The Processor will in any case ensure that these external parties take on at least the same obligations, in writing, as agreed between the Processing Officer and the Processor.
- The Processor guarantees the correct compliance with the obligations arising from this Processing Agreement by these external parties and, in the event of errors by these external parties, is itself liable for all damages as if they had committed the error(s) themselves.
- The Processor will make reasonable efforts to take sufficient technical and organizational measures with regard to the processing of personal data, against loss or any form of unlawful processing (such as unauthorised disclosure, violation, modification or provision of personal data). These measures are tailored to the risk of processing. An overview of these measures and the policy on them are included in Annex 2.
- The Processor does not guarantee that the security is effective under all circumstances. If an explicitly described security measure is missing in the Processing Agreement, the Processor will endeavour to ensure that the security meets a reasonable level, in view of the state of the art, the sensitivity of the personal data and the costs associated with the security.
- The Processing Officer will only make personal data available to the Processor for processing if it has ensured that the required security measures have been taken. The Processing Officer is responsible for compliance with the measures agreed by the Parties.
Security incidents and data leaks
- In the event of a possible data leak, the Processor will inform the Processing Officer within 24 hours after discovery of the data leak, or as soon as possible after the Processor has been informed about this by a sub-processor, as included in Annex 3, so that the Processing Officer can report this, if necessary, to the supervisor.
- The Processor shall keep the Processing Officer informed of new developments surrounding the data leak and the measures taken to limit the size of the data leak, and put a stop to it, and to prevent a similar incident in the future.
- The responsibility for report a data leak to the supervisor and, if necessary, informing the data subject(s) about the data leak, is entirely on the Processing Officer. The Processor shall cooperate, where necessary, with the adequate information of those involved.
- Possible costs incurred to resolve the data leak and to prevent it in the future will be borne by the party who incurs the costs.
Handling requests from those involved
- In the event that a data subject submits a request for the execution of his/her legal rights to the Processor, the Processor will forward the request to the Processing Officer, and the Processing Officer will further process the request. The Processor may inform the involved of this.
- All personal data that the Processor receives from the Processing Officer and/or collects itself in the context of this Processing Agreement, is subject to a confidentiality obligation towards external parties. The Processor will not use this information for any purpose other than for which it was obtained, even when it is converted into such a form, that it is not traceable to the involved.
- This confidentiality obligation does not apply insofar as the Processing Officer has given explicit permission for information to be provided to external parties, if the provision of information to external parties is logically necessary in view of the nature of the assignment and the implementation of this Processing Agreement, or if there is a legal obligation to provide information to an external party.
- The Processing Officer has the right to have audits carried out by an independent external party who is bound to confidentiality in order to check compliance with the security requirements, compliance with the general rules regarding the processing of personal data, and everything directly related to this.
- This audit may take place with a concrete suspicion of abuse of personal data.
- The Processor will cooperate in the audit and provide all information reasonably relevant for the audit, including supporting data such as system logs, and make employees available as soon as possible.
- The findings resulting from the audit carried out will be assessed by the Processor and may be implemented by the Processor at the discretion of the Processor, as the Processor deems fit.
- The costs of the audit will be borne by the Processing Officer.
Liability and penalties
- The liability of the Processor for damage as a result of an attributable shortcoming in the performance of the Processing Agreement, or in tort or otherwise, is excluded. Insofar as the aforementioned liability can not be excluded, this per event (a series of consecutive events counts as one event) is limited to the compensation of direct damage, to a maximum of the amount of the fees received by the Processor for the activities under this Processing Agreement for the month preceding the event causing the damage. The liability of the Processor for direct damage will in total never exceed £ 5 000.00.
Under direct damage is exclusively understood to mean all damage consisting of.
- damage directly caused to property ("property damage");
- reasonable and demonstrable costs to remind the Processor to perform the Processing Agreement (again) properly;
- reasonable expenses to determine the cause and the extent of the damage, for as far as related to the direct damage as intended here;
- reasonable and demonstrable costs incurred by the Processing Officer to prevent or limit the direct damage as referred to in this article.
- The liability of the Processor for indirect damages is excluded. Indirect damage is understood to mean all damage that is not direct damage and therefore in any case, but not limited to, consequential damage, loss of profit, reputation damage, missed savings, loss of goodwill, loss due to business stagnation, damage due to failure to determine marketing objectives, damage related to the use of data or data files prescribed by the Processing Officer, or loss, mutilation or destruction of data or data files.
- The exclusions and limitations referred to in this article shall lapse if and insofar as the damage is the result of intent or deliberate recklessness on the part of the Processor or its management.
- Unless compliance is permanently impossible, the liability of a Party due to an attributable failure to fulfil an obligation from the Framework agreement shall only arise if the Processing Officer informs the Processor forthwith, in writing, with a reasonable deadline for remedying the failure, and the Processor continues to be in default in the fulfilment of its obligation after that term. The notice of default must contain an as complete and as detailed a description as possible of the shortcoming, so that the Processor is given the opportunity to respond adequately.
- Any claim for compensation by the Processing Officer against Processor, that has not been specified and explicitly reported, shall expire by the mere expiration of six (6) months after the claim arose.
- In the event of q violation of the Processor Agreement, the Processor will forfeit an immediately due and payable fine of £ 1 000.00 per violation and £ 50.00 per day that the violation persists, to the Processing Officer.
Duration and termination
- This Processing Agreement is concluded by the signing of the Parties and on the date of the last signing.
- This Processing Agreement is entered into for the duration stipulated in the main agreement between the Parties and, in the absence thereof, in any case for the duration of the cooperation.
- As soon as the Processing Agreement has been terminated, for whatever reason and in any way whatsoever, the Processor will return all personal data that it holds, in the original or copy form, to the Processing Officer, and/or this original personal data and any copies thereof within 12 months, or upon request of the Processing Manager, remove and/or destroy it in a careful and safe manner.
- The Processor is entitled to revise this agreement from time to time. It will notify the Processing Officer of the changes at least three months in advance. The Processing Officer may terminate the agreement at the end of these three months if it does not agree with these changes.
- After termination of this Processing Agreement, obligations that by their nature are intended to continue beyond the end of the agreement will continue to exist, including the reporting of data leaks and the duty of confidentiality.
- The provisions from this Processing Agreement take precedence over the provisions in possible General Terms and Conditions of the Processor, unless a provision in the General Terms and Conditions is explicitly referred to.
- The nullity of any provision in this Processor Agreement does not affect the validity of the other provisions. Annulled or voidable provisions shall be replaced by the Parties, in mutual consultation, with new provisions to be determined, whereby the purpose and intent of the invalid, annulled or destructible provision shall be observed to the extent possible. The Processing Agreement and the implementation thereof are governed by Dutch law.
- All disputes that may arise between the Parties in connection with the Processing Agreement shall be submitted to the competent court in the district in which the Processor is established.
Annex 1: Specification personal data and persons involved
In the context of Article 1.1 of the Processing Agreement, the Processor will process the following (special) personal data on behalf of the Processing Officer:
• NAW data
• Telephone number
• E-mail address
• Visit behaviour
• IP address
• Social media accounts
• Birth dates
• Financial details
• Information filled in on the website and/or web shop and/or app
• Purchase and transaction data
• Information linked to customer and loyalty cards
Of the categories of involved persons:
• Account holders
• Website visitors
• Possible clients
• Pass holders
• App users
• Store, business or event visitors
• Participants in contests
The Processing Officer guarantees that the personal data and categories of data subjects described in this Annex 1 are complete and correct, and indemnifies the Processor against any defects and claims that result from an incorrect representation by the Processing Officer.
Annex 2: Overview with security measures
The Processor has the following technical and organizational measures to protect the personal data against loss or unlawful processing:
TECHNICAL SAFETY MEASURES
Up to date virus scan on all laptops by means of Symantec Endpoint Protection or similar software
Limiting the use of USB sticks for data storage and data exchange
Protection of portable devices like tablets and telephones by means of access codes
Dual verification on critical systems and software where data storage has taken place
Dual verification of software on which users log in
Dual verification on laptops by means of a boot login and user account per employee
Physical protection of laptops within the work environment of the Processor
Encrypted saving of passwords and log-in details of the Processing Officer if necessary
Where possible encrypting communication with third party software (including but not exclusively API link)
ORGANIZATIONAL SAFETY MEASURES
Clean desk policy
Do not leave your laptop unattended without protection
Never leave your laptop in the car
Preventing the storage of documents on staff devices and regular cleaning up of old data on these
Careful removal and destruction of old devices
Annex 3: information to be provided IN THE EVENT OF A DATA LEAK
The Processor will provide all information that the Processing Officer considers necessary to be able to assess the incident. In doing so, the Processor will at least provide the following information to the Processing Officer:
- what the (alleged) cause of the infringement is;
- what the (as yet known and/or expected) consequence is;
- what the (proposed) solution is;
- contact details for follow-up of the report;
- number of persons whose data are involved in the infringement (if no exact number is known: the minimum and maximum number of persons whose data are involved in the infringement);
- a description of the group of persons whose data are involved in the infringement;
- the type or types of personal data involved in the infringement;
- the date on which the infringement took place (if no exact date is known: the period in which the infringement occurred);
- the date and time at which the infringement became known to the Processor or to an external party or sub-processor engaged by it;
- whether the data is encrypted, hashed, or is otherwise incomprehensible or inaccessible to unauthorized persons;
- what measures have already been taken to end the infringement and to limit the consequences of the infringement?