Privacy and Data Processing
The provisions contained in this chapter ‘Privacy and Data Processing’ apply alongside the General Provisions of these general terms and conditions if the supplier processes data of any kind (and whether or not elaborated further in one of the other chapters of the general terms and conditions) concerning the client.
Art. 6 Privacy and data processing
6.1 The processing of personal data take place as part of the performance of an Agreement concluded and/or to be concluded between the Parties so that the Supplier is able to deliver the Services to the Client, including the purposes reasonably associated with this or which are stipulated through further agreement. This relates to all personal data of the Client’s customers and the Client’s employees that are processed by the Supplier.
6.2 The Supplier will not process the personal data for any purpose other than those agreed between the Parties. The Client will inform the Supplier of the processing purposes in so far as these are not already specified in the Agreement or in these General Terms and Conditions.
6.3 Apart from the rights and obligations which are assigned to the Supplier under the Agreement in connection with the processing of personal data, all rights and obligations relating to the personal data will be retained by the Client and/or the data subjects concerned. The Supplier only acts in accordance with the Client’s instructions and under the express (final) responsibility of the Client.
6.4 The Client guarantees that the content, the use and the instruction to process the personal data are not unlawful and do not infringe any rights of third parties, and indemnifies the Supplier against all claims in this regard.
6.5 In executing the Agreement the Supplier will comply with the applicable laws and regulations relating to the protection of personal data, such as the General Data Protection Regulation (GDPR). The Client will also always comply with its own obligations under the applicable laws and regulations. The Client has the right to audit the compliance with the agreements concerning data processing at the Supplier once a year, after giving reasonable notice, without disrupting the Supplier’s business processes and at the Client’s own expense.
6.6 The Supplier may process the personal data in countries within the European Union. The Client also grants the Supplier permission to process personal data outside the European Union in accordance with the applicable laws and regulations.
6.7 The Supplier makes use of sub-processors, details of whom are available on request and for which the Client hereby grants permission. In the event of new sub-processors the Supplier will notify the Client of this. The Client has the option to object in writing.
6.8 The Supplier’s obligations arising from the Agreement or these General Terms and Conditions also apply to those persons who process personal data on behalf of the Supplier or under the Supplier’s supervision. The Supplier will thereby arrange the correct authorisations.
6.9 The Supplier will strive to take appropriate technical and organisational measures with regard to the processing of personal data to be performed in order to counter loss or any form of improper processing (such as unauthorised access, corruption, modification or provision of the personal data).
6.10 If a data subject wishes to exercise one of his legal rights and addresses this request to the Supplier, the Supplier will forward this request to the Client, and the Client will deal with the request independently. The Supplier may inform the data subject of this.
6.11 In the event of a data leak, the Supplier will make every effort to inform the Client about this without delay following its discovery, or within no more than forty-eight (48) hours after discovery, whereupon the Client will determine whether or not it will inform the relevant regulator and/or data subjects. The Supplier will thereby provide the Client with all the information available to the Supplier. The Client is and remains responsible for compliance with any legal obligations with regard to the obligation to notify. If the laws and/or regulations require it, the Supplier will assist with informing the relevant competent regulator and possible data subjects.
6.12 The Supplier must only notify the Client if a data leak has actually occurred, and not if there was merely a (theoretical) vulnerability.
6.13 The Supplier will keep the personal data to be processed on behalf of the Client strictly confidential, unless agreed otherwise between the Client and the Supplier, or if any legal obligation prevents the Supplier from doing so.
6.14 Where possible and reasonable, the Supplier will assist the Client in implementing a data protection impact assessment.
6.15 Following the end of the agreement, the Supplier will remove or return the personal data processed on behalf of the Client, at the Client’s discretion, unless this is prevented by applicable legislation.