DATA PROCESSOR ADDENDUM

Last modified: March 22, 2024

Whereas:

• The Controller and the Processor concluded an Agreement regarding the provision of services, of which this Processor’s Addendum is a part;
• Where the personal data processing is concerned, the Controller classifies as a controller within the meaning of Section 4(7) of the General Data Protection Regulation (Algemene Verordening Gegevensbescherming) (“GDPR”);
• Where the personal data processing is concerned, the Processor qualifies as a processor within the meaning of Section 4(8) GDPR;
• The Parties – partly in implementation of the provisions of Section 28(3) GDPR- wish to document a number of conditions in the present processor’s agreement which apply to their relationship in the context of the aforesaid activities on the instructions and for the benefit of the Controller.

 

Declare that they have agreed as follows:

Definitions

In this Processor’s Addendum, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:

“Annex” means appendix to this Processor’s Addendum which forms an integral part of it;

“Agreement” means the agreement concluded between the Controller and the Processor with regarding the provision of the Service (as defined in the Agreement);

“Personal Data” means all information relating to an identified or identifiable natural person as referred to in Section 4(1) GDPR;

“Process” means as well as conjugations of this verb: the processing of Personal Data as referred to in Section 4(2) GDPR;

“Processor’s Addendum” means the present addendum;

“Sub Processor” means the sub-contractor hired by the Processor that Processes Personal Data in the context of this Processor’s Addendum on behalf of the Controller, as referred to in Section 28(4) GDPR. All affiliates of Processor will be considered as a Sub Processor.

The provisions of the Agreement apply in full to this Processor’s Addendum. In case provisions with regard to the Processing of Personal Data are included in the Agreement, the provisions of this Processor’s Addendum prevail.

Purpose of the Personal Data Processing

The Controller and the Processor have concluded the present Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex 1. 

The Controller is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation. Controller will indemnify and hold harmless Processor against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee. 

The Processor undertakes to Process Personal Data only for the purpose of the activities referred to in this Processor’s Addendum. The Processor guarantees that it will not use the Personal Data which it Processes in the context of this Processor’s Addendum for its own or third-party purposes without the Controller’s express written consent, unless a legal provision requires the Processor to do so. In such case, the Processor shall immediately inform the Controller of that legal requirement before Processing, unless that law prohibits such information on import grounds of public interest.

Technical and organizational provisions

The Processor will, taking into account the nature of the Processing and insofar as this is reasonable possible, assist the Controller in ensuring compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. The Processor will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing. 

Processor will provide a document which describes the appropriate technical and organizational measures to be taken by the Processor. This document will be attached to this Processor’s Addendum as Annex 2. Controller represents it has assessed these technical and organizational measures to be appropriate within the meaning of the law.

Confidentiality

The Processor will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.

Personal Data Processing outside Europe

The Processor will only be permitted to transfer Personal Data outside the European Economic Area if this is done in compliance with the applicable statutory obligations, therefore if:

(i) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 GDPR that covers the onward transfer, or:

(ii) the transfer is based on appropriate safeguards pursuant to Articles 46 or 47 GDPR with respect to the processing in question, or:

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings, or:

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Sub-processors

The Processor is entitled to outsource the implementation of the Processing on the Controller’s instructions to Sub-processors, either wholly or in part, which parties are described in Annex 3. In case the Processor wishes to engage Sub-processors, the Processor will inform Controller of any intended changes concerning the addition or replacement of other processors. The Controller will be able to object to such changes within 10 working days. The Processor will respond to the objection within 10 working days.

Processor obligates each Sub-processors to contractually comply with the confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor’s Addendum.

With regard to the sub-processing by the parties described in Annex 3, Controller agrees:

• That data transfer will take place to these sub-processors, based on one of the mechanisms mentioned in article 6;
• That, with regard to the sub-processors providing public cloud services, Processor signs the standard legal agreements (including data processing agreements) provided by these sub-processors, which may be amended from time to time (Public Provider Contracts, or PCP’s);
• To the contents of such PCP’s and to the Data Transfer Impact Assessment with regard to this data-transfer or the use of this PCP;
• To be bound by the PCP, which is therefore considered to be incorporated in this DPA
• That the Processor may invoke the PCP against Controller and/or, if applicable, to Controller’s suppliers and/or customers;

Liability 

With regard to the liability and indemnification obligations of Processor under this Processor’s Addendum the stipulation in the Agreement regarding the limitation of liability applies. 

Without prejudice to article 7.1 of this Processor’s Addendum, Processor is solely liable for damages suffered by Controller and/or third party claims as a result of any Processing, in the event the specific obligations of Processor under the GDPR are not complied with or in case the Processor acted in violence of the legitimate instructions of the Controller.

Personal Data Breach 

In the event the Processor becomes aware of any incident that may have a (significant) impact on the protection of Personal Data, i) it will notify the Controller without undue delay and ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.  

The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.

The Processor will, insofar as reasonable, assist the Controller with the Controller’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR. Processor is never held to report a personal data breach with the Data Protection Authority and/or the data subject.

Processor will not be responsible and/or liable for the (timely and correctly) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR. 

Cooperation

The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR). The Processor will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Controller as soon as possible, as the Controller is responsible for handling the request. The Processor is entitled to charge any costs associated with the cooperation with the Controller. 

The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).

The Processor will provide the Controller with all the information reasonably necessary to demonstrate that the Processor fulfills its obligations under the GDPR. Furthermore, the Processor will – at the request of the Controller – enable and contribute to audits, including inspections by the Controller or an auditor that is authorized by the Controller, provided Parties reach prior written agreement on the cope of such audit. In case the Processor is of the opinion that an instruction relating to the provisions of this paragraph infringes the GDPR or other applicable data protection legislation, the Processor will inform the Controller immediately. The Processor is entitled to charge any possible costs with the Controller.

Termination and miscellaneous

With regard to the termination under this Processor’s Addendum the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, the Processor will, at the first request of the Controller, delete or return all the Personal Data, and delete all existing copies, unless the Processor is legally required to store (part of) the Personal Data. 

The Controller will adequately inform the Processor about the (statutory) retention periods that apply to the Processing of Personal Data by the Processor. 

The obligations laid down in this Processor’s Addendum which, by their nature, are designed to continue after termination will remain in force also after the termination of this Processor’s Addendum.

The choice of law and competent court comply with the applicable provisions of the Agreement. 

ANNEX 1 OVERVIEW PERSONAL DATA

TYPE OF PERSONAL DATA:

PaymentInformation ShopperEmailAddress Contact Info Confidential – GDPR

Emailings CustomEmailAddress Contact Info Confidential – GDPR

Emailings EmailTypeCode Contact Info Confidential – GDPR

AirplayAccounts EmailAddress Contact Info Confidential – GDPR

Addresses City Contact Info Confidential – GDPR

Addresses Street Contact Info Confidential – GDPR

Addresses ZipCode Contact Info Confidential – GDPR

Companies EmailAddress Contact Info Confidential – GDPR

PersonArchives Addresses Contact Info Confidential – GDPR

PersonArchives DateOfBirth Date of Birth Confidential – GDPR

PersonArchives EmailAddress Contact Info Confidential – GDPR

PersonArchives Emails Contact Info Confidential – GDPR

PersonArchives ExtraEmailAddressesJson Contact Info Confidential – GDPR

PersonArchives Firstname Name Confidential – GDPR

PersonArchives IpAddress Networking Confidential – GDPR

PersonArchives Lastname Name Confidential – GDPR

PersonArchives PhoneNumbers Contact Info Confidential – GDPR

Persons DateOfBirth Date of Birth Confidential – GDPR

Persons EmailAddress Contact Info Confidential – GDPR

Persons ExtraEmailAddressesJson Contact Info Confidential – GDPR

Persons Firstname Name Confidential – GDPR

Persons IpAddress Networking Confidential – GDPR

Persons Lastname Name Confidential – GDPR

Persons Loyalty ID Contact Info Confidential – GDPR

Persons GenderCode Name Confidential – GDPR

CATEGORIES OF DATA SUBJECTS:

• Users of the controller, or Customers or partners in the chain of the controller

PURPOSES OF PROCESSING: 

• Use of Subscription Services 

ANNEX 2 SPECIFICATION OF THE SECURITY MEASURES  

1. the management of powers and authorizations of employees, to prevent unauthorized access to information;
2. measures in case the confidentiality of the Personal Data is damaged;
3. measures in case of calamities;
4. measures to prevent viruses, threats and technical vulnerabilities;
5. taking the necessary measures to prevent security breaches as referred to in the applicable privacy regulations;
6. the use of servers that are only accessible via secure connections;
7. the ability to repair the availability of and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
8. a procedure for testing, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the security at regular intervals.

ANNEX 3 OVERVIEW OF SUB PROCESSORS 

 

Google Ireland Ltd

Hetzner Online GmbH