Data Processing Agreement

If PLTFRM processes Personal Data in the performance of the Service, the General Terms and Conditions apply to this as well and with priority. Capitalised terms used in this Data Processing Agreement, both singular and plural, will have the meaning defined in Article 1 of this Data Processing Agreement or the meaning ascribed to them by the AVG (Algemene Verordening Gegevensbescherming).

Article 1 Definitions

a. (PLTFRM) PLTFRM B.V. has its registered office in Utrecht and is listed in the trade register of the Chamber of Commerce under number 82272468;

b. (General Terms and Conditions) the general terms and conditions of PLTFRM (available at: www.pltfrm.nl/conditions);

c. (Article) an article of this Data Processing Agreement;

d. (Data Processing Agreement) the agreement in which PLTFRM and the Customer have made arrangements for the processing of personal data;

e. (AVG) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);

f. (Personal Data) any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

g. (Processing) an operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

h. (Customer) the natural person or legal entity that has concluded an Agreement with PLTFRM;

i. (Data Subject) an identified or identifiable natural person to whom Personal Data relates;

j. (Third Party) the natural person(s) and/or legal entity(ies) not involved as a contracting party in the relevant Agreement, being third parties in relation to those contracting parties;

k. (Personnel) employees, freelancers, self-employed persons without staff and/or auxiliary persons hired in by PLTFRM from a third party, who are deployed by PLTFRM for the benefit of the Customer and/or perform work for the Customer;

l. (Agreement) the (framework) agreement between PLTFRM and Customer on the basis of which PLTFRM performs the Service for the Customer;

m. (Framework Agreement) a written agreement between PLTFRM and a Customer for the provision of one or more services that is valid for a specific period, is fixed at a predetermined rate and is entered into under the General Terms and Conditions and any additional terms and conditions to be determined.

Article 2 Purposes of Processing

  1. PLTFRM undertakes to process Personal Data under the authority of the Customer under the terms of this Data Processing Agreement.
  2. Processing by PLTFRM will take place only in the context of PLTFRM's services as referred to in the Agreement and for purposes that are reasonably related to them or that are determined by further agreement, all this subject to deviating statutory obligations.
  3. Customer will inform PLTFRM of the processing purposes. PLTFRM will not process the personal data for any purpose other than that stipulated by Customer.
  4. If Customer issues a new order to PLTFRM and PLTFRM processes Personal Data from (data subjects of) Customer in the context of this order, this Data Processing Agreement will also apply to it.

Article 3 Obligations of PLTFRM

  1. With regard to the Processing of Personal Data, as referred to in this Data Processing Agreement, PLTFRM will ensure that it complies with the applicable legislation and regulations, including the AVG.
  2. PLTFRM will, at the Customer's first request, inform the Customer of the measures it has taken in respect of its obligations under this Data Processing Agreement.
  3. PLTFRM's obligations under this Data Processing Agreement also apply to those who process Personal Data under PLTFRM's authority, including but not limited to Personnel.
  4. PLTFRM will, to the extent within its power, provide assistance to Customer for the purposes of conducting data protection impact assessments (DPIAs). PLTFRM may charge Customer its usual rates for this.
  5. PLTFRM will keep a register of all categories of processing activities it carries out for the Customer under this Data Processing Agreement. PLTFRM will allow Customer to inspect this at Customer's request.

Article 4 Transfer of personal data

  1. PLTFRM may process the Personal Data in countries within the European Union. In addition, PLTFRM may transfer the Personal Data to a country outside the European Union, provided that this country guarantees an adequate level of protection and it complies with the other obligations incumbent on it under this Processor Agreement and the AVG.
  2. PLTFRM will notify Customer of the country or countries concerned. PLTFRM guarantees that, in view of the circumstances affecting the transfer of the personal data or a category of data transfers, an adequate level of protection exists in the case of countries outside the European Union.
  3. In particular, when determining an adequate level of protection, PLTFRM will take into account the duration of the intended processing, the country of origin and the country of final destination, the general and sectoral rules of law in force in the country concerned, the rules of professional conduct and the security measures which are observed in those countries.

Article 5 Division of responsibility

  1. PLTFRM is solely responsible for the Processing of Personal Data under this Data Processing Agreement, in accordance with Customer's instructions and under the express (final) responsibility of Customer. PLTFRM is expressly not responsible for other Processing of Personal Data, including in any case, but not limited to, the collection of the Personal Data by Customer, Processing for purposes not notified by Customer to PLTFRM, Processing by third parties and/or for other purposes.
  2. Customer guarantees that the content, use and assignment of the Processing of Personal Data as referred to in this Data Processing Agreement are not unlawful and do not infringe any right of third parties, and expressly that they comply with the applicable legislation and regulations, including in any case the legislation and regulations in the field of personal data, such as the AVG. Customer will also ensure compliance with these laws and regulations in line with this Data Processing Agreement. Customer will indemnify PLTFRM against all claims, fines and other claims by third parties, including but not limited to fines imposed by the Personal Data Authority, and any resulting damage in relation to a breach of this guarantee.

Article 6 Engagement of third parties or subcontractors

  1. PLTFRM is entitled to make use of third parties in the context of Processing under this Data Processing Agreement, provided that this is notified to Customer in advance. Customer may object if the use of a specific notified third party is unacceptable to it.
  2. PLTFRM will in any event ensure that these third parties undertake in writing at least the same duties as those incumbent on PLTFRM under this Data Processing Agreement.

Article 7 Security

  1. PLTFRM will make every effort to take sufficient technical and organisational measures on the basis of the AVG and in particular on the basis of Article 32 AVG.
  2. PLTFRM has taken at least the following measures:
    a. a secure internal network;
    b. physical measures for access security;
    c. organisational measures for access security;
    d. logical access control, using personal access badges and strong passwords;
    e. random checking of compliance with the policy;
    f. purpose-bound access restrictions;
    g. encryption of digital files containing personal data;
    h. security of network connections via Secure Sockets Layer (SSL) technology;
    i. control of authorisations.
  3. If there is no security as expressly described in the Data Processing Agreement, PLTFRM will make every effort to ensure that the security meets a level that is not unreasonable in view of the state of the art, the sensitivity of the Personal Data and the costs involved in implementing the security.
  4. Customer will only make Personal Data available to PLTFRM for Processing if it is satisfied that the required security measures have been taken. Customer is responsible for compliance with the measures agreed by the parties.

Article 8 Duty to report

  1. Customer is at all times responsible for reporting a security breach and/or data leak (which is understood to mean: a breach of the security of Personal Data that leads to a risk of adverse effects, or has adverse effects, on the protection of Personal Data) to the supervisory body and/or those involved.
  2. To enable Customer to comply with this statutory duty, PLTFRM will notify Customer of the security breach and/or data leak within 48 hours of it becoming known to it.
  3. PLTFRM is not obliged to inform Customer of a data leak within the period referred to in the previous paragraph if it is clear that the data leak does not pose a risk to the rights and freedoms of natural persons. PLTFRM will, however, inform Customer of the data leak that does not pose a risk to the rights and freedoms of natural persons, in order to enable Customer to document all data leaks in accordance with Article 33.5 of the AVG.
  4. The duty of notification includes in any case the reporting of the fact that there has been a data leak. In addition, the duty to report includes:
    a. the nature of the breach in relation to Personal Data, where possible indicating the categories of data subjects and personal data registers concerned and, approximately, the number of data subjects and personal data registers concerned;
    b. the name and contact details of the Data Protection Officer or other contact point where further information can be obtained;
    c. the likely consequences of the breach in relation to Personal Data;
    d. the measures proposed or taken by PLTFRM to address the Personal Data breach, including, where appropriate, the measures to mitigate any adverse effects.
  5. PLTFRM will, in accordance with Article 33.5 of the AVG, document all data breaches, including the facts about the Personal Data breach, its consequences and the corrective measures taken. Upon request PLTFRM will allow Customer to inspect this.
  6. Customer will determine, and is responsible for, the choice of whether to report a data leak discovered at PLTFRM to the supervisory authority and/or to the parties concerned.

Article 9 Storage periods

  1. Customer is responsible for determining the storage periods relating to the Personal Data and will inform PLTFRM of them if necessary.
  2. PLTFRM will delete the Personal Data within thirty (30) days of the end of the Data Processing Agreement or transfer it to Customer, at Customer's discretion, unless the Personal Data must be retained for a longer period, such as in the context of PLTFRM's legal or other obligations, or if Customer requests that Personal Data be retained for a longer period and PLTFRM and Customer reach agreement about the costs and other conditions of this longer retention, the latter without prejudice to Customer's responsibility to observe the statutory retention periods. Any transfer to the Customer will take place at the Customer's expense at the reasonable prices applicable at that time.
  3. PLTFRM will, insofar as necessary, inform all sub-processors involved in Processing Personal Data of a termination of the Data Processing Agreement and will instruct them to act as stipulated in the previous paragraph.
  4. The Customer shall itself take care of a backup of the Personal Data, unless the parties have expressly made agreements to the contrary.

Article 10 Processing of data subject requests

In the event that a data subject makes a request to PLTFRM to exercise his/her statutory rights, PLTFRM will forward the request to Customer, and Customer will deal with the request further. PLTFRM may inform the data subject accordingly.

Article 11 Secrecy and confidentiality

  1. All personal data that PLTFRM receives from Customer and/or collects itself in the context of this Data Processing Agreement is subject to a duty of confidentiality towards third parties. PLTFRM will not use this information for any purpose other than that for which it was obtained, not even if it is presented in such a form that it cannot be traced back to Data Subjects.
  2. This duty of confidentiality does not apply insofar as Customer has given express permission to provide the information to Third Parties, if providing the information to third parties is logically necessary in view of the nature of the assignment given and the performance of this Data Processing Agreement, or if there is a statutory obligation to provide the information to a third party.

Article 12 Audit

  1. Customer shall have the right to have audits carried out by an independent Third Party who is bound by secrecy to verify compliance with all points of the Data Processing Agreement, and everything directly related to it.
  2. This audit may take place in the event of a concrete suspicion of misuse of Personal Data.
  3. PLTFRM shall co-operate with the audit and shall make all information reasonably relevant to the audit, including supporting data such as system logs, and Personnel available as soon as possible.
  4. The audit of Customer will always be limited to the systems of PLTFRM used for the processing operations. Customer will keep the information found during the audit confidential and will only use it to check PLTFRM's compliance with the obligations of this Data Processing Agreement and will delete the information or parts of it as soon as possible. Customer guarantees that any engaged third parties will also comply with these obligations.
  5. The findings of the audit will be assessed by the Parties in mutual consultation and, as a result, may or may not be implemented by one or both Parties jointly.
  6. The costs of the audit will be borne by Customer, unless the findings of the audit show that PLTFRM has not complied with the provisions of the Data Processing Agreement and this non-compliance is not trivial. In this case the costs will be borne by PLTFRM.

Article 13 Liability

  1. Customer bears, among other things, responsibility and is therefore fully liable for (the stated purpose of) the Processing, the use and content of the personal data, the provision to PLTFRM and to third parties, the duration of storage of the personal data, the method of processing and the means used for this purpose.
  2. For the liability of the Parties under the Data Processing Agreement, see Article 10 of the General Terms and Conditions.

Article 14 Duration and termination

  1. This Data Processing Agreement is entered into for the term specified in the (Framework) Agreement between the Parties and, in the absence thereof, in any event for the duration of the cooperation.
  2. As soon as the Data Processing Agreement is terminated, for whatever reason and in whatever way, PLTFRM will - at Customer's discretion - return to Customer all Personal Data present in its possession in original or copy form, and/or remove and/or destroy this original Personal Data and any copies thereof.
  3. The parties will amend the provisions of this Data Processing Agreement in line with amended or supplemented regulations, additional instructions from the relevant authorities and progressive insight into the application of the AVG (for example, through, but not limited to, case law or reports), the introduction of standard provisions and/or other events or insights that make such an amendment necessary.
  4. If the Parties have already included provisions regarding the Processing of Personal Data and related provisions in any other agreement concluded with each other, including the Assignment, the provisions of this Data Processing Agreement will apply in the event of any conflict between the provisions of that agreement and this Data Processing Agreement, unless expressly agreed otherwise.