Data processing agreement
Corporate Print is a trade name of EdCornelissen. For all order assignments to EdCornelissen per may 25th 2018 (the day of the coming into force of the GDPR), the undermentioned data processing agreement is considered to be added to the conditions of the agreement, and this data processing agreement comes fully into force.
DATA PROCESSING AGREEMENT
concerning the confidentiality and the processing of personal data
Version: may 14th, 2018
Commissioning company and EdCornelissen, holding office in Heerde, represented by Ed Cornelissen in his capacity of director; Hereinafter referred to as: Contractor
CONSIDERING THAT:
a. Contractor performs activities and/or services for Commissioning company;
b. Commissioning company provides or will provide data for that purpose to Contractor;
c. These data are confidential, at least should be treated confidentially;
d. These data may contain personal data;
e. These data are necessary for Contractor to perform certain agreed activities or services;
f. Parties wish to make agreements about these data.
AGREE THE FOLLOWING:
ARTICLE 1. SUBJECT OF THE AGREEMENT
Subject of the agreement is
(i) the delivery of data by Commissioning company to Contractor,
(ii) making confidentiality agreements on this subject,
(iii) making further agreements if the data also contain personal data.
ARTICLE 2. CONFIDENTIALITY
2.1. The data provided by Commissioning company or on behalf of Commissioning company to Contractor will not be provided to third parties, unless Commissioning company has given written permission, or unless it is necessary for the execution of the agreed activities.
2.2. Contractor ensures that the data are only provided on a need-to-know basis to employees of Parties, and that data are only provided to employees that are responsible for the execution of the agreed activities or services.
2.3. During the period that Contractor holds the data, Contracter must secure the storage of the data adequately. At least at such a level that third parties and employees that are not responsible for the execution of the agreed activities or services, do not have access to the data. This storage also had to comply with relevant regulations, such as the General Data Protection Regulation (GDPR), when personal data are exchanged.
ARTICLE 3. PERSONAL DATA
3.1. If the data also concern personal data, the following terms of this article apply. Contractor is considered by Parties as the “Processor”, and Commissioning company as the “Controller”, as referred to in the General Data Protection Regulation (GDPR).
3.2. Contractor will process the data for the benefit of Commissioning company in the context of the execution of the agreed activities en services, while Contractor is not allowed to process the data received by Commissioning company for his own purposes, other than agreed, and/or to provide the data to third parties.
3.3. Parties will ensure compliance with the applicable laws and regulations, including at least laws and regulations concerning the protection of personal data, such as the General Data Protection Regulation (GDPR).
3.4. Contractor takes appropriate technical and organizational measures to protect personal data against loss or against any form of unlawful processing. Taking the state of the art and the costs of implementation into account, these measures guarantee an appropriate protection level considering the risks that are presented by the processing and the nature of the data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data.
3.5. During the execution of the agreement Commissioning company is at all times entitled to test the abovementioned measures by an independent expert by means of an audit. The costs of this audit will be at the expense of Commissioning company.
3.6. In the context of this agreement Contractor is allowed to make use of a third party, without prior permission of Commissioning company, on the condition that Contractor documents similar agreements with the third party, as contained in this agreement, for example by means of a subprocessor agreement.
3.7. Contractor is not allowed to store and/or host personal data outside of the European Union/European Economic Area.
3.8. If Contractor suspects or has learnt that the personal data of Commissioning company are or have been compromised (security breach), Contractor notifies Commissioning Company whithout unreasonable delay.
3.9. In the case that an involved person addresses a request to Contractor on the subject of access, correction or deletion, Contractor will forward the request to Commissioning company, and Commissioning company will further handle the request. Contractor is allowed to notify the involved person about this.
3.10. At the termination of this data processing agreement Contractor will deliver the personal data back to Commissionig company. The personal data that are processed by Contractor will be erased after expiry of the legal retention period and/or at the request of Commissioning company.
3.11. This data processing agreement comes into force at May 25th 2018. This agreement ends after and insofar Contractor has erased or redelivered all personal data. Neither of Parties can terminate this data processing agreement in the meantime.
3.12. Dutch law is applicable on this agreement. Disputes arising from this agreement are submitted to the competent court in the arrondissement where Commissioning company is based.