Data Processing Terms
Data Processing Terms of WESP B.V. ’s-Hertogenbosch
These Data Processing Terms and Conditions (“Data Processing Terms”) apply to the Processing of Personal Data by WESP in relation to the services as stipulated in Annex 1 of these Data Processing Terms.
These Data Processing Terms serve as the binding contract as meant in Article 28 (3) GDPR and set out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and Categories of Data Subjects and the obligations and rights of the Controller. They are supplemented by the terms and conditions stated in the agreement (“Contract”) to which these Data Processing Terms apply.
Customer is Controller and WESP is Processor with respect to the Processing of Personal Data under the Contract and these Data Processing Terms.
Article 1 Definitions
The terms that have been identified in these Data Processing Terms by a capital letter have the following meaning (words in the singular include the plural and vice versa), or, if not stated below, have the meaning given to them in the GDPR:
1.1 “Data Protection Laws” means all laws and regulations, including but not limited to the GDPR, that are applicable to the Processing of Personal Data under the Agreement.
1.2 “GDPR” means General Data Protection Regulation, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, to be directly applicable from the 25th of May 2018 onwards in the member states of the European Union.
1.3 “Sub-Processor” means any Processor engaged by WESP.
1.4 “TOMs” means the technical and organizational measures required pursuant to Article 32 GDPR.
Article 2 Personal Data Processing
2.1 Instructions. WESP shall only Process Personal Data in accordance with Customer’s written instructions. Customer shall ensure that all instructions provided by Customer to WESP pursuant to these Data Processing Terms and the Agreement will be in accordance with the Data Protection Laws. Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.2 Details of Processing. Annex 1 to these Data Processing Terms sets out certain information regarding the Processing of Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).
2.2 Compliance with Data Protection Laws. WESP shall comply with the GDPR in the Processing of Personal Data.
2.3 Confidentiality. WESP shall keep the Personal Data strictly confidential and shall not transmit, disseminate or otherwise transfer Personal Data to third parties unless agreed to under Article 3, on written instruction of Customer, for the purpose of the performance of the Agreement or unless required to do so by applicable laws to which WESP is subject. In the latter case, WESP shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest, in which case WESP shall inform Customer within 24 hours after WESP knew or should have known of the legal requirement.
Article 3 Sub-Processors
3.1 Appointment. Customer acknowledges and agrees that WESP may engage third-party Sub-processors in connection with the provision of Services. The list of Sub-processors (Annex 1) may be amended from time to time at WESP’s sole discretion, subject to at least two (2) weeks’ notice to Customer.
3.2 Sub-processor obligations. For the purpose of sub-processing, WESP shall enter into written agreements with its Sub-processors, which agreements shall include as a minimum the same obligations as to which WESP is bound to under these Data Processing Terms, and shall in particular include an obligation of the Sub-processor to implement appropriate TOMs to meet the requirements of applicable Data Protection Laws.
3.3 Objection right new Sub-processors. Customer may object to WESP’s use of a new Sub-processor by notifying WESP promptly in writing, but in any case, within two (2) weeks after WESP’s notification. In the event of a reasonable objection, WESP shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the Processing of Personal Data by that proposed Sub-processor. If WESP is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the Contract with respect only to those Services which cannot be provided by WESP without the use of the proposed Sub-processor by providing written notice to WESP.
3.4 Liability. WESP shall be liable for the acts and omissions of its Sub-processors to the same extent WESP would be liable if performing the services of each Sub-processor directly under the terms of these Data Processing Terms.
Article 4 WESP personnel
4.1 Confidentiality. WESP ensures that its personnel engaged in the Processing of Personal Data under the Agreement are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities. WESP also ensures that it has executed written confidentiality agreements with its personnel engaged in the Processing of Personal Data with regard to the Processing of that Personal Data. WESP ensures that the confidentiality obligations under such written confidentiality agreements survive the termination of the personnel engagement.
4.2 Reliability. WESP shall take all reasonable steps to ensure the reliability of the WESP personnel engaged in the Processing of Personal Data.
4.3 Limitation of access. WESP ensures that WESP’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
Article 5 Data security and inspection
5.1 Security. WESP shall take all technical and organisational security measures which are reasonably required to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons involved.
5.2 Audit. WESP shall allow Customer to conduct an audit of the technical and organisational security measures utilised by WESP for the Processing of Personal Data (the “Audit”). The Audit may be conducted once per calendar year, or any number of times per year in case of reasonable suspicion of breach of the terms of these Data Processing Terms or at the instruction or request of an applicable Supervisory authority, during the regular business hours of WESP. Customer shall give WESP reasonable notice of any Audit to be conducted under this Article 5.2 and shall make (and ensure that each of its mandated Auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to WESP’s premises, equipment, personnel and business while its personnel are on those premises in the course of the Audit. The purpose of the Audit shall be to verify whether Personal Data is Processed by WESP in accordance with these Data Processing Terms and the Agreement (“Purpose”). The Audit will be conducted by an auditor (“Auditor”), who is not a competitor of WESP, selected by Customer who, in the reasonable judgment of Customer, is neutral and possesses the technical knowledge and skills required to conduct the Audit. Customer shall ensure that the Auditor is held to maintain confidentiality with respect to its findings. Solely for the Purpose of the Audit, WESP shall grant the Auditor access to its premises, relevant employees, systems and documents.
5.3 Audit costs. Customer shall pay for all costs, remunerations, fees and expenses in relation to the Audit, except for internal costs made by WESP in relation to the Audit. If the Audit reveals any material non-compliance by WESP, WESP shall reimburse all actual and reasonable costs of Customer in relation to the Audit.
5.4 Audit results. Customer shall provide WESP with a copy of the report of the Auditor. In case the report reveals a default by WESP in the performance of its obligations pursuant to this Agreement or a violation of applicable Personal Data Protection Laws, WESP will promptly cure such default and/or remedy the violation and provide Customer with confirmation thereof in writing.
Article 6 Data Subject Requests
6.1 TOMs. Taking into account the nature of the Processing, WESP shall assist Customer by appropriate TOMs, insofar as this is reasonably possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under the GDPR or other applicable Data Protection Laws.
6.2 Data Subject Requests. WESP shall, to the extent legally permitted, promptly notify Customer if it receives a Data Subject Request. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, WESP shall upon Customer’s request use reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent WESP is legally permitted to do so and the response to such Data Subject Request is required under the GDPR or other Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from WESP’s provision of such assistance.
Article 7 Personal Data breach
7.1 Notification. To the extent permitted by law, WESP shall promptly, after it becomes aware, notify Customer of any actual or reasonably suspected Personal Data Breach by WESP or its Sub-Processor(s). The notification shall as a minimum include the information as stipulated in Article 28(3) of the GDPR.
7.2 Remedy. To the extent the Personal Data Breach is caused by a violation by WESP or its Sub-processor(s) of the requirements of these Data Processing Terms, the Agreement or applicable Data Protection Laws, WESP shall, taking into account the nature of the Personal Data Breach and the risk of varying likelihood and severity for the rights and freedoms of natural persons involved, at the instruction of Customer make all reasonable efforts to identify and remediate the cause of the Personal Data Breach, to mitigate the risks to the rights and freedoms of natural persons involved and to further assist Customer with any reasonable request in its compliance with Data Protection Laws on Personal Data Breaches.
7.3 Further assistance. To the extent that the Personal Data Breach is not caused by a violation by WESP or its Sub-processor(s) of the requirements of these Data Processing Terms, the Agreement or applicable Data Protection Laws, WESP shall provide all reasonable assistance, taking into account the nature of the Personal Data Breach and the risk of varying likelihood and severity for the rights and freedoms of natural persons involved, to Customer in Customer’s handling of the Personal Data Breach. Customer shall be responsible for any costs arising from WESP’s provision of such assistance.
Article 8 Data protection impact assessments and prior consultation
WESP shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory authorities, which Customer reasonably considers to be required of WESP by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, WESP.
Article 9 Deletion and return
Deletion and return. At the choice of Customer, WESP shall delete or return the Personal Data to Customer after the provisioning of Services under the Agreement related to the Processing of Personal Data has ended.
Article 10 Liability
Each Party and its Affiliates’ liability arising out of or related to these Data Processing Terms (whether in contract, tort or under any other theory of liability), is subject to the liability limitations as agreed in the Contract.
Article 11 Preference over Contract
Except as amended by these Data Processing Terms, the Contract remains in full force and effect. If there is a conflict between the Contract and these Data Processing Terms, the terms and conditions of these Data Processing Terms shall prevail.
ANNEX 1: Description of Processing
This Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
| Subject matter and duration of the Processing of Personal Data | The subject matter and duration of the Processing of the Personal Data are set out in the Contract and these Data Processing Terms. |
| Nature and purpose of the Processing of Personal Data | |
| Types of Personal Data | |
| Categories of Data Subjects | |
| Obligations and rights of Customer | The obligations and rights of Customer are set out in the Contract. |
| Sub-processor (hosting) | WH2A B.V., 3892 DD Zeewolde |