Data Stations Processing Addendum
Article 1 Definitions
a) Dutch Data Protection Authority: an independent organisation that monitors compliance with the statutory rules for the protection of Personal Data and that advises on new rules;
b) GDPR: The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016);
c) Data Subject: a natural person to whom Personal Data relates within the meaning of Article 4, under 1, of the GDPR;
d) Data Leak: a security breach within the meaning of Article 33 of the GDPR;
e) Third Party: any party other than the Data Subject, the Depositor, DANS, or a person who, under the direct authority of the Depositor or DANS, is authorised to process the Personal Data, within the meaning of Article 4, under 10, of the GDPR;
f) Personal Data Breach: a breach of security which accidentally or unlawfully results in the destruction, loss, alteration, or unauthorised disclosure of, or access to, Personal Data that is transmitted, stored, or otherwise processed, within the meaning of Article 4, under 12, of the GDPR;
g) Task: the task described in Article 2, paragraph 1, of this Processing Addendum and that is performed by DANS on behalf of the Depositor;
h) Personal Data: any information relating to an identified or identifiable natural person (the Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, within the meaning of Article 4, under 1, of the GDPR;
i) Sub-Processor: the party who, on the instructions of DANS, processes Personal Data for the purposes of the Task for the Depositor;
j) Processing: any operation or set of operations that is performed on Personal Data or on a set of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, within the meaning of Article 4, under 2, of the GDPR;
k) Processing Addendum: the present agreement, which is part of the Main Agreement;
Article 2 General
1. DANS undertakes, subject to the conditions of this Processing Addendum and the Main Agreement, to process Personal Data on behalf of the Depositor (the “Task”).
2. The provisions of this Processing Addendum will apply to all Processing that takes place in performance of the Main Agreement.
3. DANS will process the Personal Data in a proper and careful manner and in accordance with the provisions of the GDPR and other applicable regulations regarding the Processing of Personal Data.
4. The Processing of Personal Data by DANS will take place only in so far as necessary and within the framework of the Task to be performed pursuant to the Main Agreement.
5. DANS will only allow Third Parties access to the Personal Data in accordance with the Main Agreement.
6. Appendix A specifies the following items:
- the Personal Data that may be processed for performance of the Task;
- the retention period for the Personal Data;
- the Processing allowed;
- an overview of the category/categories of Data Subjects;
- a specification of the security measures that DANS will in any case apply;
- an overview of the recipient/recipients of Personal Data.
7. For the performance of the Task, only the Personal Data that are necessary for the purpose determined by the Depositor can be processed. The Depositor will determine which data are necessary and will ensure that the Personal Data in question are correct, sufficient and not excessive in accordance with Article 5 of the GDPR.
8. Pursuant to Article 3 of the GDPR, the Processing will not fall outside the territorial scope of the GDPR.
9. If, contrary to this Processing Addendum and/or the GDPR and/or other applicable legislation and regulations concerning the Processing of Personal Data, DANS determines the purpose and means of the Processing of Personal Data, DANS will be considered to be the Depositor for this Processing.
10. In the event of any conflict between provisions of this Processing Addendum and the Main Agreement, the provisions of the Main Agreement will prevail.
Article 3 Obligation to provide information
1. DANS will inform the Depositor of any future changes in the performance of the Main Agreement, so that the Depositor can monitor compliance with arrangements with DANS. This will include the engagement of Sub-Processors.
2. DANS will inform the Depositor of any questions or complaints from Data Subjects.
3. DANS will inform the Depositor if DANS has received an instruction from the Depositor that contravenes the GDPR or other applicable regulations regarding the Processing of Personal Data.
4. DANS will notify the Depositor immediately if DANS has reason to believe that DANS cannot comply with the Processing Addendum.
Article 4 Obligations of DANS
1. DANS will not retain Personal Data made available to it in the context of the Main Agreement for any longer than is necessary:
a) for the performance of the Main Agreement; or
b) to fulfil a legal obligation to which DANS is subject.
2. DANS will process the Personal Data solely by order of and in accordance with the instructions of the Depositor. DANS will provide its employees with access to the Personal Data in so far as necessary for the performance of this Processing Addendum and the Main Agreement.
3. The obligations of DANS arising from this Processing Addendum will also apply to those who process Personal Data subject to the authority of DANS, including but not restricted to employees and Third Parties engaged, in the broadest sense.
4. Except as provided for in the Main Agreement, or where required by mandatory legal obligations to which it is subject, DANS will not process the Personal Data for its own benefit, for the benefit of Third Parties, or for its own advertising or other purposes.
5. DANS will keep a register of its Processing.
6. DANS will cooperate with the data protection officer designated by the Depositor (within the meaning of Article 37 of the GDPR) whenever the data protection officer so requires in the performance of his or her duties.
Article 5 Obligations of the Depositor
The Depositor will ensure a legitimate basis for the Processing of Personal Data, within the meaning of Article 6 of the GDPR.
Article 6 Use of Sub-Processors
1. The Depositor hereby grants DANS permission for the use of Sub-Processors. DANS will inform the Depositor of intended changes regarding the addition or replacement of Sub-Processors, providing the Depositor with the opportunity to object to such changes prior to the engagement of such Sub-Processor.
2. DANS will conclude the same arrangements with Sub-Processors as those made between the Depositor and DANS in the Processing Addendum. DANS will draw up a written agreement with the Sub-Processor in question that will comprise at least the following obligations for the Sub-Processor:
a) to act in accordance with the present Processing Addendum; and
b) to follow and implement, fully and without any delay, all instructions given by DANS and the Depositor concerning the Processing of Personal Data; and
c) to process Personal Data only in accordance with DANS’s instructions; and
d) not to give access to Personal Data to any Third Party – including any Sub-Processors of Sub-Processors – without the prior written consent of DANS; and
e) to enable DANS and the Depositor to act efficiently, in a timely manner, and in accordance with the requirements set by the GDPR, in the event of a (suspected) Personal Data Breach as referred to in the GDPR.
3. Upon request, the Depositor will receive an overview from DANS regarding the Sub-Processors engaged.
Article 7 Security
1. DANS will put in place appropriate technical and organisational measures to protect Personal Data from being lost and from any form of unlawful Processing, such as, but not limited to:
a) damage to or loss of Personal Data;
b) unauthorised alteration of Personal Data;
c) misappropriation of Personal Data;
d) cognisance of Personal Data by unauthorised persons.
2. Taking account of the state of technology and the cost of implementing them, the measures will guarantee an appropriate level of security in view of the risks associated with such Processing and the nature of the Personal Data being protected.
3. DANS will record the measures in writing and will ensure that the security as referred to in this article complies with the security requirements pursuant to the GDPR.
4. DANS will, upon request, provide the Depositor with written information regarding the security of Personal Data and how it is organised.
5. DANS will inform the Depositor of any substantial change in one or more of the security measures.
6. Adherence to an approved code of conduct as referred to in Article 40 of the GDPR or an approved certification mechanism as referred to in Article 42 of the GDPR may be used as an element to demonstrate compliance with the obligations within the meaning of the present article.
7. Without the Depositor’s prior written consent, DANS will not be permitted to transfer or store Personal Data to/in a country outside the EEA.
Article 8 Obligation to report Data Leaks
1. In the event of a Data Leak, DANS will provide the Depositor without unreasonable delay with the information set out in Appendix B.
2. DANS will take measures to prevent or restrict (further) unauthorised cognisance, modification or disclosure, or any other unlawful Processing and to terminate and prevent in future any breach of security measures, breach of the confidentiality obligation or further loss of confidential information.
3. At the request of the Depositor, DANS will, in so far as possible, assist in informing the competent authorities and Data Subjects.
4. DANS will conclude written arrangements with Sub-Processors regarding the obligation to report possible Data Leaks to DANS, which will enable DANS and the Depositor to comply with obligations in the event of a Data Leak as specified in paragraph 1 of this article.
a) These arrangements will in any case include the obligation that the Sub-Processor will inform DANS of a Data Leak as specified in paragraph 1 of the present article within 18 hours of the initial discovery.
b) The arrangements will in any case include the obligation that the Sub-Processor, at the request of the Depositor, will cooperate with the provision of information to the competent authorities and Data Subjects.
5. The reporting of Data Leaks to the Data Protection Authority and (possibly) Data Subjects will be the responsibility of the Depositor.
Article 9 Obligations regarding Data Subjects
1. DANS will cooperate fully in order to ensure that the Depositor can comply with its statutory obligations in the event that a Data Subject exercises his or her rights pursuant to the GDPR.
2. In the event of a Data Subject making a request to DANS to exercise his or her legal rights, DANS will forward such a request to the Depositor, and the Depositor will deal further with the request. DANS may inform the Data Subject of this.
Article 10 Audit
1. DANS will perform assessments to evaluate whether the security measures in Article 7 of the Processing Addendum are adequate. If requested by the Depositor, DANS will provide a report of this assessment, unless an assessment does not relate to Processing performed by DANS for the Depositor.
2. If the Depositor requests an independent audit, the Depositor and DANS will agree to appoint an independent IT auditor or expert to conduct an audit of DANS’s organisation to determine whether DANS complies with the agreed security measures set out in the Processing Addendum.
a) The frequency of the audit is no more than once every three years.
b) If only public Personal Data are processed, a low risk will be considered to apply and there will be no obligation to conduct an audit.
3. The costs of the audit on request will be borne by the Depositor.
4. If it is determined during an audit that DANS does not comply with the provisions of the Main Agreement and the Processing Addendum, DANS will take all reasonably necessary measures to ensure that it does henceforth comply.
Article 11 Investigation requests
1. DANS will inform the Depositor immediately if DANS receives a request or an order from a Dutch or foreign regulator or public authority, or from an investigation, prosecution or national security authority to provide Personal Data (or access to Personal Data).
2. In dealing with such request or order, DANS will comply with all instructions of the Depositor (including the instruction to leave the handling of the request or order wholly or partly to the Depositor) and will provide all reasonably necessary cooperation.
3. If DANS is prohibited by virtue of the request or order from complying with its obligations within the meaning of paragraphs 1 and 2 of this article, then DANS will safeguard the reasonable interests of the Depositor. To that end, DANS will in any event:
a) have a legal check carried out regarding the extent to which (i) DANS is legally obliged to comply with the request or order; and (ii) DANS is actually prohibited from fulfilling its obligations towards the Depositor on the basis of the above;
b) cooperate with the request or order only if it is legally obliged to do so and, where possible, object (in court or otherwise) to the request or order or the prohibition on informing the Depositor about it or following the Depositor’s instructions;
c) not provide more or other Personal Data than strictly necessary to comply with the request or order;
d) in situations of transfer of the data to a country outside the EEA: investigate the options to comply with Articles 44 to 46 of the GDPR;
e) immediately inform the Depositor as soon as such is permitted.
4. In the present article, “legally” will be taken to refer not only to Dutch but also to foreign legislation and regulations.
Article 12 Duration and termination
1. This Processing Addendum will enter into force on the same date as the Main Agreement and will also terminate simultaneously with the Main Agreement. It will not be possible to terminate the Processing Addendum separately from the Main Agreement.
2. Upon termination, for whatever reason, of the Main Agreement, DANS is required to cooperate with requests of the Depositor to a) provide it with copies of the Personal Data, or b) delete all or part of the Personal Data, in accordance with article 2.5 of the Main Agreement.
3. The Depositor will bear the cost of deletion and/or provision and/or withdrawal of Personal Data. The Depositor may if necessary impose further requirements regarding the manner of provision, including the file format, or deletion.
Appendix A: Specification of Personal Data
Appendix B: Obligation to report Data Leaks
© DANS. R.2.2.2. Version 1.0, June 17, 2022