Data Processing Agreement with Savvii
The GDPR legislation prescribes that everyone who wants to host a site containing personal data has to make arrangements with their hosting provider in a so-called processing agreement. This agreement sets out the rights and obligations with regard to the processing of personal data.
We will be happy to help you meet the requirements of the GDPR legislation. This is why we have made a processing agreement available for all our customers. In this agreement, Savvii is the data processor and you are the data controller.
This agreement is not effective by default but requires your express approval. You can give your approval in the Control Panel. Everyone who has not yet given their approval will receive a notice in the Control Panel. If one of your colleagues has already approved the agreement, your approval will not be required anymore and you will not see the notice in the Control Panel.
DATA PROCESSING AGREEMENT
This Data Processing Agreement is an appendix to the agreement concluded between Savvii BV, whose registered office is situated in Nijmegen and which is registered with the Chamber of Commerce under number 58599541 (the “Processor”), and the other party to the agreement (the “Controller”) in the context of hosting of the Controller’s websites, cloud storage of the Controller’s data, and associated online services, plus those purposes that may reasonably be deemed to relate thereto or that are determined by further agreement (“the Purposes”).
Article 1. Purposes of processing
1.1 The Processor shall undertake to process personal data on behalf of the Controller in accordance with the terms and conditions of this Data Processing Agreement. Data shall only be processed in the context of hosting of the Controller’s websites, and associated online services, cloud storage of the Controller’s data, and associated online services, plus those purposes that may reasonably be deemed to relate thereto or that are determined by further agreement.
1.2 The Processor shall process on behalf of the Controller only the (special) personal data that is supplied to the Processor by the Controller in the context of this Data Processing Agreement and that will subsequently be hosted by the Processor.
1.3 The Processor shall not make independent decisions regarding the processing of the personal data for other purposes, including decisions regarding provision of the data to third parties and the period during which the data is stored. The Controller shall retain control over personal data supplied to the Processor in the context of this Data Processing Agreement or other agreements between the Parties, and over the data processed by the Processor in that context.
1.4 The personal data to be processed on behalf of the Controller shall remain the property of the Controller and/or the relevant data subjects.
1.5 The Controller shall be responsible for maintaining records of the processing operations regulated by this Data Processing Agreement. The Controller shall hold the Processor harmless against any claims relating to failure to (duly) comply with the requirement to maintain such records.
Article 2. Obligations of the Processor
2.1 When processing the data in accordance with Article 1, the Processor shall ensure that it complies with applicable legislation and regulations, including, in any event, legislation and regulations in the field of personal data protection, such as the General Data Protection Regulation.
2.2 The Processor shall advise the Controller, upon first request, of the measures that it has taken concerning its obligations under this Data Processing Agreement.
2.3 The obligations of the Processor deriving from this Data Processing Agreement shall also apply to parties that process this personal data on the authority of the Processor, including, but not limited to, employees, in the broadest sense.
2.4 If, in the context of a processing operation, a Data Protection Impact Assessment (DPIA) or prior consultation of the supervisory authority is required, the Processor shall assist the Controller as necessary.
Article 3. Transfer of personal data
3.1 The Processor may process the personal data in countries within the European Union. The personal data shall not be transferred to countries outside of the European Union without the prior written consent of the Controller.
Article 4. Division of responsibility
4.1 For the purposes of the processing operations, the Processor shall make available ICT resources that shall be used by the Controller for the above-mentioned purposes. The Processor shall only perform processing operations in accordance with separate agreements.
4.2 The Processor shall only be responsible for processing the personal data under this Data Processing Agreement, in accordance with the Controller’s instructions and subject to the express (ultimate) responsibility of the Controller. It is expressly agreed that the Processor shall not be responsible for other processing of personal data, including, in any event, but not limited to the collection of personal data by the Controller, processing for purposes of which the Controller has not advised the Processor, processing by third parties and/or for other purposes.
4.3 The Controller warrants that the content and use of the personal data and the instruction to process it as referred to in this Agreement are not unlawful and do not infringe any third-party rights.
Article 5. Engagement of third parties or subcontractors
5.1 The Controller hereby gives the Processor permission to use a third party to process personal data under this Data Processing Agreement, provided that the applicable privacy legislation is observed.
5.2 A list of the third parties used by the Processor can be found in Appendix 1. The Controller shall be entitled to object to any third parties engaged by the Processor. If the Controller objects to third parties engaged by the Processor, the Parties shall consult each other to find a solution to the problem.
5.3. The Processor is committed to the fact that such third parties agree in writing to enforce the same obligations as agreed between the Controller and the Processor in relation to the processing of personal data.
Article 6. Security
6.1 When processing the personal data, the Processor shall implement suitable technical and organisational measures to protect the data from loss or from any form of unlawful processing (e.g. unauthorised access, impairment, alteration or provision of the personal data).
6.2 The Processor shall, in any event, have implemented the following measures:
- Logical access control, using passwords or keys.
- Physical access control measures.
6.3 The Processor cannot guarantee that the security will be effective under all circumstances. If the Data Processing Agreement does not include an explicitly defined security mechanism, the Processor shall make every effort to ensure that the security provided is of a level that is deemed to reasonable in the context of the state of the art, the sensitivity of the personal data and the costs associated with the security measures taken.
6.4 The Controller shall only make personal data available to the Processor for processing if it has ensured that the necessary security measures have been taken. The Controller shall be responsible for ensuring compliance with the measures agreed by the Parties.
Article 7. Duty to notify
7.1 In the event of a data leak (i.e. a security breach that inadvertently or unlawfully leads to the destruction, loss or alteration of or to the unauthorised provision of or unauthorised access to data that has been transmitted, stored or otherwise processed) that relates to the personal data of the Controller, the Processor shall notify the Controller without delay, and, in any event, within 24 hours of the leak being discovered, so that the Controller can decide whether or not it is necessary to notify the data subject(s) and/or the relevant supervisory authority(ies). The Processor shall do its utmost to ensure that the information provided is comprehensive, correct and accurate. The duty to notify shall apply irrespective of the impact of the leak.
7.2 Where legislation and/or regulations so require, the Processor shall assist with notification of the relevant authorities and/or data subjects.
7.3 The duty to notify shall, in any event, include notification of the fact that a leak has occurred, as well as:
- the date on which the leak took place (if an exact date is not known: the period within which the leak took place);
- the (suspected) cause of the leak;
- the date and time that the Processor or a third party or subcontractor engaged by the Processor became aware of the leak;
- whether the data was encrypted, hashed or otherwise made incomprehensible or inaccessible to unauthorised parties;
- the measures planned and/or already taken to plug the leak and to limit the consequences of the leak;
- contact details for follow-up of the notification.
Article 8. Rights of data subjects
8.1 If a data subject submits a request to the Processor asking to access data in accordance with his/her statutory rights , the Processor shall forward the request to the Controller, notifying the data subject accordingly. The Controller will then deal with the request itself.
8.2 If a data subject submits a request to the Controller asking to access data in accordance with one of his/her statutory rights, where requested by the Controller, the Processor shall provide all possible and reasonable assistance. The Processor may invoice the Controller for reasonable costs in this connection.
Article 9. Secrecy and confidentiality
9.1 The Processor shall not disclose to third parties any personal data that the Processor receives from the Controller and/or collects itself in the context of this Data Processing Agreement. The Processor shall not use this information for a purpose other than the purpose for which it has been acquired, even if the data has been converted into a form that cannot be traced to the data subject.
9.2 This duty of confidentiality shall not apply where the Controller has given its express consent to provide the information to third parties, if provision of the information to third parties is logically necessary given the nature of the contract awarded and the implementation of this Data Processing Agreement, or if there is a statutory requirement to provide the information to a third party.
Article 10. Audits
10.1 The Controller shall be entitled to have audits carried out by an independent ICT expert who is bound by a duty of confidentiality in order to verify compliance with all aspects of this Data Processing Agreement.
10.2 Such an audit shall only take place if, having requested and reviewed similar audit reports held by the Processor, the Controller can still provide reasonable arguments to justify an audit initiated by the Controller. An audit of this type will be justified if the similar audit reports held by the Processor fail to provide (sufficient) evidence that the Processor complies with this Data Processing Agreement. The audit initiated by the Controller shall take place two weeks after prior notification thereof by the Controller, and a maximum of once a year.
10.3 On performance of an audit, all reasonable relevant information, including supporting data, such as system logs, and employees shall be made available as soon as possible and, in any event, within a reasonable period of time, a period of a maximum of two weeks being deemed to be reasonable. The Controller shall ensure that the audit causes as little disruption as possible to the Processor’s other activities.
10.4 The findings from the audit shall be analysed jointly by the Parties and, as a result, implemented or otherwise by one of the Parties or by both parties jointly.
10.5 The costs of the audit shall be borne by the Controller.
Article 11. Liability
11.1 The liability of the Processor for loss resulting from an attributable failure in the performance of the Data Processing Agreement, an unlawful act or otherwise shall be excluded. Where the aforementioned liability cannot be excluded, it shall be limited per event (a series of consecutive events shall constitute a single event) to the reimbursement of direct loss, subject to a maximum of the amount of the payments received by the Processor for the work under this Data Processing Agreement during the month prior to the event that gave rise to the loss. The Processor’s liability for direct loss shall never amount to more in total than the amount of the payments received for the work under the Data Processing Agreement during the three months prior to the event that gave rise to the loss.
11.2 Direct loss shall mean exclusively any and all loss consisting of:
- direct loss sustained by material items (“damage to property”);
- reasonable and demonstrable costs incurred in requiring the Processor to duly comply (once again) with the terms and conditions of the Data Processing Agreement;
- reasonable costs incurred in determining the cause and extent of the loss, in so far as they relate to the direct loss referred to here; and
- reasonable and demonstrable costs incurred by the Controller in preventing or limiting the direct loss referred to in this article.
11.3 The liability of the Processor for indirect loss shall be excluded. Indirect loss shall include any and all loss that is not direct loss, including, in any event, but not limited to, consequential loss, loss of profits, loss of savings, reduction in goodwill, loss resulting from business interruptions, loss caused by failure to define marketing objectives, loss associated with the use of data or data files prescribed by the Controller, or loss, mutilation or destruction of data or data files.
11.4 The exclusions and limitations referred to in this article shall cease to apply if and insofar as the loss is the consequence of an intentional act or deliberate recklessness on the part of the Processor or its management.
11.5 Unless performance by the Processor is permanently impossible, the Processor shall only be liable for an attributable failure in the performance the Agreement if the Controller serves the Processor with notice of default in writing without delay, giving the Processor a reasonable period of time to remedy the breach, and the Processor culpably fails to fulfil its obligations within this period. The notice of default shall include as comprehensive and detailed a description of the breach of contract as possible, in order to give the Processor the opportunity to respond appropriately.
11.6 Any claim for compensation by the Controller in respect of the Processor that has not been filed in a specific and explicit manner shall lapse twelve (12) months after the claim arose.
Article 12. Duration and termination
12.1 This Data Processing Agreement shall enter into force on the date on which the Processor is informed of its acceptance by the Controller, and shall continue for the term of the Agreement and, in the absence thereof, for the term of the (further) cooperation.
12.2 As soon as the Data Processing Agreement has been terminated, for whatever reason and by whatever means, the Processor shall return all the personal data in its possession and/or any copies thereof to the Controller or delete and/or destroy them.
12.3 The Processor may invoice the Controller for reasonable costs incurred in returning the personal data and/or any copies thereof.
12.4 The Parties may only amend this Agreement by mutual agreement.
Article 13. Applicable law and settlement of disputes
13.1 The Data Processing Agreement and its performance shall be governed by Dutch law.
13.2 Any disputes that may arise between the Parties in connection with the Data Processing Agreement shall be referred to the competent court for the district in which the Processor has its registered office.
13.3 Logs and measurements performed by the Processor shall constitute conclusive evidence, unless the Controller can provide proof to the contrary.
Appendix 1: List of third parties or subcontractors used
In pursuance of Article 5.1 of the Data Processing Agreement, the Processor will engage the following third parties or subcontractors:
- Amazon Web Services