Processing agreement 2018



  1. Definitions
  2. Creation, duration and dissolvement of this processing agreement
  3. Processing of personal data
  4. Protection of personal data
  5. Exporting personal data 
  6. Confidentiality 
  7. Data leaks
  8. Liability
  9. Return of personal data and storage period
  10. Final provisions

Appendix 1: Overview with processments of personal data and processing purposes
Appendix 2: Overview with security measures
Appendix 3: Process of notification of data leaks and the information to be provided. 

Processing agreement                  

This processing agreement is applicable to all forms of processing of personal data which UWKM, registered to the Chamber of Commerce under number 08167443, hereafter known as 'data processor', performs in the name of a counterparty to which she provides services, hereafter known as 'data controller' and is integrally part of, as well as the general terms and conditions, every agreement between UWKM and her counterparty. 
The data processor and the data controller will hereafter mutually be known as 'parties'. 

Taking into account that:

Parties have an agreement that pertains to the provision of digital services. Personal data is processed for the purposes of this agreement. 

Data controller takes the matter of protecting personal data very seriously, reason why certain agreements are made on this subject in this processing agreement. 

1. Definitions

The hereafter and earlier mentioned terms follow from the General Data Protection Regulation and have the following definitions: 

1.1. Personal data: all information about an identified or identifiable natural person ('data subject'). 
Identifiable is considered to be a natural person that can be directly or indirectly be identified, in particular by reference to an identifier such as a name, identification number, locational data, an online identifier or by one or more elements that are characteristic for the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

1.2. Processing: any operations or sets of operations with relation to personal data or sets of personal data, which may or may not be done by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data. 

1.3. Data controller: a natural or legal person, public authority, agency or other body who/which, alone or jointly with others, determines the purpose and the means of the processing of personal data. Where the purposes and means of such processes are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law ('data controller'). 

1.4. Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller ('processor').

1.5. Data subject: identified or identifiable natural person to which the processed personal data relates. 

1.6. Processing agreement: this agreement including the appendixes ('processing agreement').

1.7. Main agreement: the main agreement from which this processing agreement proceeds.

1.8. Personal data breach: a breach in security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to transmitted, stored or otherwise processed data ('data leak'). 

1.9. Data protection impact assessment: carrying out an assessment, prior to carrying out the processing, of the effect of the intended processing activities on the protection of personal data. 

1.10. Supervising authority: an independent government body responsible for supervising the upholding of the law in relation to the processing of Personal data, i.c. the Dutch Data Protection Authority ('Dutch DPA').

2. Creation, duration and dissolvement of this processing agreement

2.1. This processing agreement comes into effect on the date on which a main agreement is signed with a customer. 

2.2. This processing agreement is part of the main agreement and will be in effect for as long as the main agreement lasts. 

2.3. Should the main agreement end, this processing agreement will end automatically. This processing agreement can not be terminated separately. 

2.4. After termination of this processing agreement, current obligations, such as the reporting of data leaks involving personal data of the controller, and the duty of confidentiality, will continue. 

3. Processing of personal data

3.1. The data processor will only process personal data as commissioned by the data controller and has no say where it concerns the personal data. The data processor follows the instructions of the data controller in this case and may not process the personal data in any other way, unless the data controller has given consent or an instruction in advance. 

3.2. In Appendix 1 is stated which personal data the data processor will process and for which processing purposes. 

3.3. Data processor will uphold the law and process the data in a proper, careful and transparent manner. 

3.4. Without previous written consent, the data processor will not engage other persons or organisations in processing the personal data of the data controller, unless this is essential for the assignment, such as for example for the purpose of hosting, management, maintenance and monitoring. 

3.5. When the data processor engages other organisations, with consent, these will have to meet the requirements that are included in this processing agreement.

3.6. When the data controller receives a request from a data subject whom wishes to exercise his or her privacy rights, the data processor will comply. These rights consist of a request for inspection, improvement, addition, deletion or shielding, objecting against the processing of the personal data and a request towards the transferability of the personal data. 

3.7. When the data controller requests information, the data processor will provide the information that is needed to carry out a data protection impact assessment. This may be needed to estimate the risk of the processing that the data processor carries out in name of the data controller. 

4. Protection of personal data

4.1. Data processor will ensure that personal data is sufficiently secured. To prevent loss and wrongful processing the data processor will take fitting technical and organisational precautions. 

4.2. These precautions are adapted to the risk of the processing activities. An overview of these precautions and the policies thereof are found in Appendix 2. 

4.3. The data controller may request a report in which the security measures taken are written up and the possible issues and/or points of improvement, if any. The costs for such requests will be charged to the data controller. 

4.4. The data controller may carry out an inspection or audit in the organisation of the data processor to determine if the processing of personal data complies with the law and the agreements made in this processing agreement. The data processor will cooperate to such inspections, including providing access to buildings, databases and any and all relevant information, insofar this is appropriate in reasonableness and fairness and does not harm the rights of others. 

4.5. When one of the parties feels that a change in the to be taken security measures is necessary, parties will discuss the adaptations. 

5. Exporting personal data

5.1. The data processor will not have personal data be processed by other persons or organisations outside of the European Economic Area (EEA), without explicit written consent of the data controller, unless this is necessary for the proceedings.   

6. Confidentiality

6.1. The data processor will keep the personal data provided to him secure and secret, unless this is not possible due to mandates by law. 

6.2. The data processor will ensure that his personal and contracted help adhere to this secrecy, by including a confidentiality clause in the (labor)contracts. 

7. Data leaks

7.1. In the event of the discovery of a possible data leak, the data processor will inform the data controller within 24 hours and provide them with the information as is stated in Appendix 3, so that the data controller may notify the Dutch DPA if necessary. 

7.2. After the notification concerning a data leak, parties will keep each other informed on new developments surrounding the data leak and the measures taken to limit the scope and to end the leak and to try and prevent similar incidents in the future. 

7.3. The data processor will not notify a data leak to the Dutch DPA and/or the involved parties, which is the responsibility of the data controller. 

7.4. Possible costs that are made to solve a data leak and to prevent them in the future will be charged to the data controller.  

8. Liability

8.1. If one of the parties fails to comply with the provisions stated in this processing agreement, the other party may hold this party accountable. 

8.2. Consequential damages or fines are not recoverable from the data processor. 

8.3. Parties are not liable for claims from involved parties or other persons and organisations when there is a case of force majeure.  

9. Return of personal data and storage period

9.1. After the termination of this processing agreement the data processor will return the personal data, and any remaining personal data will be destroyed in a careful and secure manner. 

9.2. The personal data that is processed according to this processing agreement, will be destroyed after the expiration date as determined by law and/or at the request of the data controller. A legal storage period is applicable for example when the data processor needs to store the personal data for tax reasons. 

10. Final provisions

10.1 This processing agreement is part of the main agreement. All rights and obligations from the main agreement are therefore also applicable to the processing agreement. 

10.2. With possible contradictions between the provisions in the processing agreement and the main agreement, the provisions from this processing agreement hold. 

10.3. Deviations from this processing agreement are only applicable when parties agree upon such deviations in writing. 

10.4. Dutch law is applicable to this processing agreement and the activities. 

Deventer, 17th of May 2018.

Appendix 1: Overview with processments of personal data and processing purposes

Description processing activities by the processor

  • Performing as digital advisor and supplier for customers in the broadest sense
  • Including building websites and apps, including web applications such as configurators, e-learnings, e-commerce systems, data disclosure systems, middleware etc.
  • Hosting, managing, maintaining and monitoring of these sites, apps and web applications.

Processing purposes

  • Ensuring the technical and content wise functioning of the digital solutions for customers.

Processing manager

  • UWKM, Mr. Geert Jan Hoogeslag, director. 

Processed Personal data

  • All data that the employer requests, and/or that which is essential for the processing activities and/or processing purposes will be processed. 

Location of processing 

  • Normally Deventer is the base of operations, the main establishment of UWKM, or other locations from which employees or suppliers are active. 

Storage period

  • The data will be stored as long as is necessary for business and/or organisational reasons, and/or the fulfillment of the (expected) activities for the customer.       

Appendix 2: Overview with security measures

Technical security measures

  • Working with state-of-the-art programming languages, such as Django Python
  • Working from repository systems with pull requests
  • Secured internet connections
  • SSL certificates
  • Secured back-ups: every hour, every day, with a retention of one month on separated environments from the live environment
  • Unique login codes and passwords (which are changed regularly) 
  • Encrypted email
  • Two-factor authentication system for access passwords with htaccess and/or Google authenticator app
  • Support for encryption methods such as SHA2
  • Ping system for uptime (a check every two minutes) with feedback on which type of downtime when relevant, such as ssl error, server error, etc.
  • Possibilities for dedicated hosting as well as shared hosting.

Organisational security measures

  • Clean desk policy
  • No unmanned computers
  • Locking computers with username and password
  • Privacy policies in employee contracts
  • Denying access to systems upon departure of employees. 

Appendix 3: Process of notification of data leaks and the information to be provided

A data leak is a security incident in which personal data is possibly lost or was unintentionally accessible to third parties. It concerns data that is traceable to these persons, such as, but not limited to, names, addresses, phone numbers, email addresses, login data, cookies, IP addresses or identifiable data from computers or phones.

Where will a security incident be reported? 

If UWKM discovers a security incident, the involved functionary of the employer will be contacted immediately. 

The information that is as complete as possible, will be reported, for the benefit of the Dutch DPA as well: 
  • A summary of the security leak/security incident/data leak (what happened?)
     - With the name/names of the systems involved as well.
  • The types of personal data that are involved in the security incident
    - Such as, but not limited to, name, address, email address, IP number, BSN, passport picture and anything else that can be traced back to a person. 
  • The amount of people of which the personal data is involved in the security incident
    - An estimate of the minimum and maximum amount of people.  
  • Description of the group of people to whom the concerned data belongs
    - Possible demarcation of the involved group, with special attention to data of vulnerable (groups of) people. 
  • Whether or not the contact details of the persons involved are known
    - The possibility to inform the concerned parties of the data leak.
  • The (root) cause of the security incident
    - Estimate of the cause of the security incident. 
  • The date or period on/in which the security incident occurred.