Data Processing Agreement

Effective date: April 19, 2023

R. Buijs operating under the name ProductLift (hereinafter: ProductLift) is registered at the Dutch Chamber of Commerce with number 20145923 and is located at Palmstraat 40 (3572TD) in Utrecht (The Netherlands), hereinafter referred to as "Processor".

Article 1 - Definitions

For the purpose of this agreement, the following terms have been given the following meaning:

1. Controller: the Company and/or the Consumer that ProductLift has appointed, has provided projects to ProductLift for Services performed by ProductLift, or to which ProductLift has made a proposal under an Agreement.

2. Service: the provision of software by ProductLift.

3. Agreement: this document, including any annexes, containing the terms and conditions for cooperation between the Parties.

4. Offer: any offer or quotation to the Controller for the provision of Services by ProductLift.

5. Services: the Services offered by ProductLift concern the provision of software as well as the development of customized software. There are two ways to purchase the software made available by ProductLift: 1) monthly in the form of a subscription by means of a license 2) by purchasing the Software at once.

6. Parties: ProductLift and Controller hereinafter jointly referred to as: "Parties".

Taking into account that:

  • Controller has instructed Processor to process the personal data of his/her company in the context of the main agreement which is an integral part of this processor agreement;
  • Controller designates the purposes and means to which the conditions stated herein apply;
  • Processor is willing to carry out the processing and is also willing to comply with obligations regarding security and other aspects of the General Data Protection Regulation (“GDPR”), insofar as this is within its power;
  • Processor does not process the personal data for its own purposes;
  • The Controller can be regarded as a controller within the meaning of Article 4(7) of the GDPR;
  • Processor can be regarded as a processor within the meaning of Article 4(8) of the GDPR;
  • Where this agreement refers to Personal Data, this refers to personal data within the meaning of Article 4(1) of the GDPR;
  • The parties, also in view of the requirement from Article 28 paragraph 3 of the GDPR, wish to record their rights and obligations in writing by means of this Processor Agreement (hereinafter: “Processing”).

Article 2 - Applicability

1. This Agreement applies to every Offer from ProductLift, every Agreement between ProductLift and the Controller and to every Service offered by ProductLift.

2. Before a (distance) Agreement is concluded, the Controller will be provided with this data processing agreement. If this is not reasonably possible, ProductLift will indicate to the Controller how the Controller can view the data processing agreement.

3. Deviation from this Agreement is not possible. In exceptional situations it is possible to deviate from the general terms and conditions, if and insofar as explicitly agreed upon in writing by ProductLift.

4. This Agreement also applies to additional, amended and follow-up orders from the Controller.

5. The data processing agreements of the Controller are excluded.

6. If one or more provisions of this Agreement are partially or wholly invalid or are annulled, the other provisions of this Agreement will remain in force, and the invalid/nullified provision(s) will be replaced by a provision with the same purport as the original provision.

7. Uncertainties about the content, explanation or situations that are not regulated in this Agreement must be assessed and explained in the spirit of these general terms and conditions. The agreements in the Agreement are leading and take precedence over these general terms and conditions.

8. The rights and obligations under the Agreement between the Parties cannot be transferred by the Controller to a third party unless ProductLift grants the Controller explicit and prior permission. ProductLift is free to attach further conditions to this.

9. If reference is made to she/her in these general terms and conditions, this should also be understood as a reference to he/him/are, if and insofar as applicable.

Article 3 - Purpose of the processing

1. Processor undertakes to process Personal Data on behalf of Controller under the conditions of this Processor Agreement. Processing will only take place in the context of the execution of the assignment agreement and this processing agreement within the meaning of Article 28 paragraph 3 GDPR.

2. The Processor is prohibited from processing the Personal Data for a purpose other than the purpose established by the Controller. The purpose of the processing is to provide the services requested by the Controller as described and recorded in the Main Agreement. To this end, the following activities are performed, among other things, the storage of (personal) data by means of hosting and cloud storage as well as the security thereof, making a VPS available, setting up and keeping a network available, and other related activities.

3. The category of data subjects from whom the Personal Data is collected concerns the personal data of the (potential) customers of the Processing Manager, visitors to the website or web application, suppliers, account holders and/or other persons or relations of the Processing Manager with whom the Processor comes into contact if they processed on behalf of the Controller.

4. The categories of personal data that can be processed are: contact and name and address details, customer or identification number(s), IP address and other location data, content of e-mails, chat messages, contact forms and other (personal) data that are stored or processed via the services of the Processor.

5. Processor will not process the personal data for any purpose other than as determined by the Controller. The Controller will inform the Processor of the processing purposes insofar as they have not already been mentioned in this Processor Agreement.

6. Processor has no control over the means for processing and storing the personal data. The Controller is responsible for determining the purpose of the processing and must clearly record this.

7. Processing will take place manually as well as (semi)automatically.

8. The personal data to be processed on behalf of the Controller remain the property of the Controller and/or the relevant data subjects.

Article 4 - Term of the agreement

1. This Agreement applies to every Offer from ProductLift, every Agreement between ProductLift and the Controller and to every Service offered by ProductLift.

2. This agreement cannot be terminated prematurely.

3. Changes to this agreement as a result of changes in any underlying agreement for services, legislation or regulations or other relevant circumstances are only legally valid if they are added to the Processor Agreement after consultation and with the explicit permission of the parties.

4. This agreement ends by operation of law if the Main Agreement ends.

5. As soon as the agreement has been terminated for any reason and in any way whatsoever, the Processor – at the discretion of the Controller – will return all Personal Data that it holds in original or copy form to the Processing Manager and/or remove and/or destroy these original Personal Data and any copies within a maximum period of 28 days. Any costs associated with this will be borne by the Controller.

6. Confidentiality, liability and dispute resolution provisions shall remain in full force and effect after termination of this Agreement.

Article 5 - Obligations of the Processor

1. The Processor is obliged to comply with the conditions imposed on the processing of Personal Data on the basis of applicable laws and regulations, in particular the GDPR and the GDPR Implementation Act.

2. The Processor is prohibited from enriching its own database(s) and/or files with any (personal) data from the database(s) of the Controller, except in the event that the Processor provides temporary database(s) and/or files for the proper processing of the Personal Data. The temporary files are deleted immediately from the moment that these temporary files are no longer needed for processing.

3. The Processor will inform the Controller at its first request about the measures it has taken with regard to its obligations under this Processor Agreement.

4. If the Controller gives instructions to the Processor with regard to the processing of Personal Data, the Processor must follow these instructions if this is necessary for correct processing, except in the event that these instructions are contrary to laws and regulations and any applicable professional and behavioral rules. Only the Controller is authorized to give its exclusive opinion in this regard.

5. All obligations resting on the Processor also apply to persons who process Personal Data under the authority of the Processor (after explicit permission from the Controller), including employees and third parties engaged by the Processor.

6. Processor is responsible for ensuring that only employees and/or third parties have access to the personal data for which access is necessary for the execution of the agreement. The employees and/or third parties work under the responsibility of the Processor.

7. The Controller does not have access to the Personal Data at the Processor. The Processor is obliged to cooperate at the request of the Controller with regard to inspection and audits.

8. This agreement is not transferable, unless expressly agreed otherwise.

Article 6 - Transfer of personal data

1. Subject to the written consent of the Controller, the Processor will not have any Personal Data processed by or on behalf of the Processor or a sub-processor engaged by it, in connection with the performance of the Agreement, transferred to or accessible from countries or international organizations that the European Commission has not yet decided to ensure an adequate level of protection in accordance with applicable privacy regulations. Articles 44 to 50 of the GDPR are complied with at all times. The Processor provides insight into the location(s) at which the processing takes place at the first request of the Controller.

2. If the Processor intends to process Personal Data by a country or international organization for which the European Commission has not yet given permission, the Processor will inform the Controller in writing of this intention. Transfer of Personal Data to another country also includes making the Personal Data accessible from (an entity in) such other country.

Article 7 - Responsibility of the Processor

1. The Processor will perform the activities for the Controller in the context of this agreement as referred to in Article 3.2 of this agreement, as well as other activities as laid down in the Main Agreement.

2. Processor is responsible for the processing of the Personal Data under this Processor Agreement, in accordance with the instructions of the Controller. For the other processing of Personal Data, including in any case, but not limited to, the collection of the Personal Data by the Processing Manager, processing for purposes that have not been reported by the Controller to the Processor, processing by third parties and/or for other purposes, Processor is also responsible.

Article 8 - Third parties

Processor's activities can only be outsourced to third parties after explicit prior permission from Controller. The Processor is responsible for these third parties and is responsible and liable for damages for all damage caused to the Controller by the actions of third parties. All obligations under this agreement also apply to this third party(-ies), the sub-processor.

Article 9 - Security Measures for Personal Data

1. Processor makes every effort to take sufficient and appropriate organizational and technical measures against any form of unlawful processing with regard to the processing of Personal Data to be carried out by it. The measures that the Processor has taken are:

  • a. Personal data is sent encrypted (Encryption In-Transit);
  • b. Personal data is stored encrypted on the server (Encryption At-Rest);
  • c. Making regular backups;
  • d. Processor provides an authentication and password policy to prevent unauthorized login and ensure strong password use;
  • e. Processor ensures that the production environment is well secured, and that access can only be obtained by authorized and trained personnel to prevent unauthorized access.

2. The security level of the measures must at least meet a level that is not unreasonable in the context of the associated costs, sensitivity of the Personal Data concerned as well as the state of the art and risks. Processor does not guarantee that the security measures it has taken are effective at all times, under all circumstances. In consultation, the parties can take other additional or further security measures.

3. The Processor has its own responsibility to inform itself and/or its employees and third parties to be engaged of all protocols, the (security) policy and other instructions that enable and promote safe processing.

4. Processor is responsible and liable for its part of the processing.

5. If there is a breach in the security of the Personal Data, which can cause damage or have adverse consequences for the protection of the Personal Data, the Processor, the Controller must inform the Processor about this immediately, at least without undue delay, but within 48 hours after the Processor has notified this could reasonably have been aware of. The controller will then inform the Dutch Data Protection Authority and any data subjects as soon as possible about the infringement within 12 hours. The Processor's obligation to report only applies if a data breach has occurred.

6. Pursuant to the Processor's notification obligation, the notification of a breach must consist of at least the following components:

  • the nature of the personal data breach, where possible stating the categories of data subjects and personal data concerned and, approximately, the number of data subjects and personal data registries concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach, as well as the possible cause of the data breach;
  • the measures proposed or taken by the Processor to address the personal data breach, including, where appropriate, measures to limit any adverse consequences thereof.

7. The Controller must keep a register of all infringements (including incidents) in accordance with Article 33 paragraph 5 GDPR.

8. If a breach of the security of the Personal Data has occurred at the Processor, the Processor is obliged to take appropriate measures at its own expense to prevent future incidents and/or breaches.

Article 10 - Confidentiality

1. Processor and its employees, as well as third parties engaged by Processor, are obliged to maintain the confidentiality of all personal data, sensitive information and/or company data obtained through this agreement. The duty of confidentiality does not apply if the Controller has given explicit and written permission to the Processor to share this data and information with third parties, or if there is a legal obligation to provide the data and information to a third party. After the expiry of this agreement, the parties remain obliged to adhere to this confidentiality obligation. If a party is required to provide information to a third party on the basis of a legal obligation, the providing party is obliged to inform the other party about this in writing without delay, at least within 24 hours.

2. If and insofar as possible, the Processor can refer the relevant (government) body that requests information directly to the Controller. Processor can provide contact information of the Controller in this regard to this (government) body.

Article 11 - Rights of data subjects

1. In the event that the Processor receives a request for inspection from a data subject or an authorized body, the Processor will process this request as soon as possible, but at the latest within 5 working days. If it is not possible to handle the request itself, the request will be forwarded to the Controller within 5 working days. If requested to do so, the Processor must cooperate in the execution of the request. The (reasonable) costs that the Processor must incur for the benefit of the cooperation are for the account of the Controller.

2. The provisions of Article 11.1 apply mutatis mutandis if a data subject wishes to assert other rights such as his/her right to rectification, erasure, right to restriction of processing, right to data portability, right to object and rights in the case of automated individual decision-making, as laid down in sections 3 and 4 of the General Data Protection Regulation.

Article 12 - Liability

1. The Processor is responsible for the processing of the Personal Data and guarantees that the processing is lawful and does not infringe the rights of the data subjects. The Processor is only liable for damage as a result of acts and/or omissions, or non-compliance with laws and regulations by the Processor, but with regard to the direct damage of the Controller.

2. Processor is only liable up to a maximum of once the value of the assignment. All consequential and/or indirect damage is expressly excluded from the Processor's liability.

3. Without prejudice to the provisions of this article, the Processor is liable for damage caused by the processing if this processing does not comply with obligations of the GDPR specifically aimed at the Processor or if the lawful instructions of the Controller have been acted upon.

4. The Processor is not liable for the damage if it can demonstrate that it is in no way responsible for the event causing the damage.

5. Unless fulfillment by the Processor is permanently impossible, the Processor is only liable for an attributable shortcoming in the fulfillment of the (processor) agreement if the Processing Manager has notified the Processor of default in writing without delay, but at the latest within 48 hours, whereby the Processor has been given the opportunity to repair the defect within a reasonable period, and the Processor continues to fail imputably in the fulfillment of its obligations after that reasonable period. The notice of default must be described as completely and in detail as possible, so that the Processor is given the opportunity to respond adequately.

6. The Controller is obliged to specify and explicitly report any claim for compensation against the Processor, on pain of forfeiture of the claim after six (6) months after the claim arose.

Article 13 - Indemnification

1. The Controller indemnifies the Processor against claims, fines and/or periodic penalty payments from or on behalf of the Dutch Data Protection Authority and/or other authorities, where it has been established that the violations fall under the responsibility of the Controller.

2. The Processor can recover the fines and/or periodic penalty payments imposed from the Controller if and insofar as the Processor can be held responsible for the violations of the Controller.

Article 14 - Other

1. If any provision of this agreement is found to be invalid or void, the remaining provisions will remain in full force and effect. The parties will then enter into consultation in order to agree on a new provision with regard to the void or voided provision, whereby the purpose and intent of the void or voided provision will be taken into account as much as possible.

2. The parties will cooperate fully with each other to adjust this agreement and make it suitable for any new or amended privacy legislation.

Article 15 - Dispute resolution

1. This agreement is governed by Dutch law.

2. All disputes between the parties that arise from or relate to this Processor Agreement will be settled by the competent court of the Processor's place of business, namely the Midden-Nederland District Court (location Utrecht).