Data processing agreement
This data processing agreement is part of the agreement between Pluvo B.V. ("Processor") and the customer ("Controller"), and shall enter into force on the date that you have accepted this data processing agreement. You warrant that you are authorized to enter into this data processing agreement. If you do not have this authority, we request that you do not accept this agreement.
Parties consider the following:
- The Data Controller operates in the field of training/education and uses Processor in that context;
- Processor provides the Service to Data Controller as described in the Agreement, and processes (special) personal data on behalf of Data Controller in that capacity;
- Data Controller is considered a data controller within the meaning of Article 4(7) of the General Data Protection Regulation ("GDPR") with respect to the processing of personal data;
- Processor is considered a data processor within the meaning of Article 4(8) of the GDPR with respect to storing and processing personal data on behalf of Data Controller;
- The Parties wish, in part to comply with Article 28(3) of the GDPR, to establish certain conditions in this Data Processing Agreement that apply to their relationship in connection with the (processing of personal data in connection with) the aforementioned activities for and on behalf of Data Controller.
Agree as follows:
Article 1 Definitions
- In this Data Processing Agreement, the following terms, always written with a capital letter, have the following meaning, whether used in singular or plural:
Annex appendix to the Data Processing Agreement, which is an integral part of the Data Processing Agreement;
Agreement the Pluvo Customer Contract between Data Controller and Processor;
Personal data all data directly or indirectly identifiable to a natural person as referred to in Article 4(1) of the GDPR;
Sub-Processor the subcontractor engaged by Processor who, in the context of this Data Processing Agreement, Processes Personal Data on behalf of Data Controller as referred to in Article 28(4) of the GDPR;
Processing processing of Personal Data as referred to in Article 4(2) of the GDPR;
Data Processing Agreement this agreement, which forms part of the Agreement. - The provisions of the Agreement apply in full to the Data Processing Agreement. To the extent that provisions regarding the processing of personal data are included in the Agreement, the provisions of this Data Processing Agreement take precedence.
Article 2 Data Controller and Processor
- In the context of this Data Processing Agreement, Processor undertakes to Process Personal Data on behalf of Data Controller. An overview of the types of Personal Data, categories of Data Subjects, and the purposes for which the Processing of Personal Data takes place is included in Annex 1.
- Data Controller is liable for the Processing of Personal Data under the Agreement and warrants that the instruction to Process that Personal Data is in accordance with all applicable laws and regulations. Data Controller indemnifies Processor against all claims by third parties, particularly the supervisory authority, which arise in any way from non-compliance with this warranty.
- Processor undertakes to Process Personal Data exclusively for the activities mentioned in this Data Processing Agreement and/or the Agreement. Processor warrants that it will not use the Personal Data Processed in the context of this Data Processing Agreement without the express written consent of Data Controller, unless a legal provision applicable to Processor requires it to do so. In that case, Processor will inform Data Controller in advance of the Processing, unless that legislation prohibits such notification for weighty reasons of general interest.
Article 3 Technical and organizational measures
- The Processor shall assist the Controller, taking into account the nature of the processing and as far as reasonably possible, in ensuring compliance with the Controller's obligations under the GDPR to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures shall guarantee a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, taking into account the state of the art and the costs of implementation. The Processor shall take measures to ensure that personal data is protected against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.
- The technical and organizational measures taken by the Processor are described in Annex 2. By signing this Data Processing Agreement, the Controller acknowledges having been informed of the measures taken by the Processor and agrees to them.
Article 4 Confidentiality
- The Processor shall have its employees who are involved in the execution of the Agreement sign a confidentiality agreement, whether or not included in the employment contract with those employees, which at least includes a requirement for such employees to maintain confidentiality with respect to the Personal Data.
Article 5 Data processing outside the Netherlands
- The transfer of Personal Data by the Processor outside the European Economic Area is only permitted in accordance with the applicable legal obligations.
Article 6 Third Parties and Subcontractors
- The Processor is permitted to use Subprocessors in the context of this Processor Agreement and the Agreement, as listed in Annex 3. If the Processor wishes to engage another Subprocessor, the Processor shall inform the Controller of the intended changes. The Controller shall object to these changes within 5 working days. The Processor shall respond to the Controller's objection within 4 working days.
- The Processor shall contractually oblige each Subprocessor to comply with the confidentiality obligations, notification obligations and security measures regarding the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor Agreement.
Article 7 Liability
- With regard to the liability of the Processor under the Processor Agreement, as well as with regard to the indemnification obligations for the Processor included in the Processor Agreement, the limitations of liability as set out in Article 9 of the Agreement and other provisions shall apply.
- Without prejudice to Article 7.1 of this Processor Agreement, the Processor shall only be liable for damage caused by the Processing if specific obligations under the GDPR addressed to the Processor are not fulfilled or if there has been a breach of the lawful instructions of the Controller.
Article 8 Incidents
- If Processor becomes aware of an incident that may have a significant impact on the security of Personal Data, it will i) promptly notify Controller of the incident and ii) take all reasonable measures to prevent or limit any further violation of the GDPR.
- Processor will, to the extent reasonable, cooperate with Controller and assist Controller in fulfilling its legal obligations with respect to the identified incident.
- Processor will, to the extent reasonable, assist Controller with the reporting obligations relating to the data breach to the supervisory authority and/or the data subject, as referred to in Articles 33(3) and 34(1) of the GDPR. Processor is never required to independently report a personal data breach to the supervisory authority and/or the data subject.
- Processor is not liable for the (correct and/or timely performance of the) reporting obligation incumbent on Controller under Articles 33 and 34 of the GDPR.
Article 9 Assistance to Data Controller
- Processor shall, to the extent reasonably possible, assist Controller in fulfilling its obligations under the GDPR to respond to requests to exercise the rights of a data subject, in particular the right of access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), data portability (Article 20 GDPR), and the right to object (Articles 21 and 22 GDPR). Processor shall promptly forward any complaint or request of a data subject related to the processing of Personal Data to Controller, who is responsible for handling the request. Processor is entitled to charge Controller for any costs associated with its assistance.
- Processor shall, to the extent reasonably possible, assist Controller in carrying out a data protection impact assessment (Article 35 and 36 GDPR).
- Processor shall make available to Controller all information necessary to demonstrate that Processor complies with its obligations under the GDPR. Furthermore, Processor shall facilitate audits, including inspections, by Controller or an auditor authorized by Controller, and shall contribute to such audits as requested by Controller. If Processor believes that an instruction in connection with the provisions of this Article constitutes a breach of the GDPR or other applicable privacy laws, Processor shall immediately notify Controller.
- Processor is entitled to charge Controller for any costs associated with the provisions of Article 9.3.
Article 10 Termination & Miscellaneous
- The specific provisions of the Agreement apply to termination and/or dissolution of this Data Processing Agreement. Without prejudice to the specific provisions of the Agreement, Processor shall, at the first request of Controller, erase all Personal Data or return it to Controller and delete any existing copies, unless Processor is legally required to continue to store (parts of) the Personal Data.
- Controller shall inform Processor adequately about (legal) retention periods applicable to the Processing of Personal Data by Processor.
- Controller declares to be authorized to enter into this Data Processing Agreement.
- The obligations under this Data Processing Agreement that are intended by their nature to survive termination shall remain in force even after the termination of this Data Processing Agreement.
- The choice of law and jurisdiction shall be governed by the provisions of the Agreement.
ANNEX 1 PERSONAL DATA OVERVIEW
Type of personal data:
- Name
- Email address
- Profile picture
- Additional fields added by the data controller themselves
- Progress and score of course materials/evaluations
The data controller determines which personal data is processed. An up-to-date overview of personal data can be consulted at any time by the data controller after logging into their own account of the processor's supplied software.
Purposes for which personal data is processed:
The personal data pertains to natural persons (data subjects) who:
- have a relationship with the data controller (for example, but not limited to: customers, members, students, prospects, donors, guests, employees, consumers, citizens);
- and/or have registered for training courses with the data controller.
The purposes of the processing of personal data are determined by the data controller. Examples of purposes include, but are not limited to: communication, research, legal obligations, execution of agreements with data subjects.
The processing is carried out independently by the data controller or the data subject using the systems of the processor, unless otherwise agreed. Examples of processing include, but are not limited to: collecting, recording, organizing, segmenting, filtering, structuring, storing, emailing (for example, by email or chat), updating or modifying, synchronizing, enriching, analysing, retrieving, consulting, using, sharing, disseminating or otherwise providing, aligning or combining, shielding, deleting or destroying.
ANNEX 2 SPECIFICATION OF SECURITY
Processor takes all technical and organizational security measures that are required under the GDPR and in particular under Article 32 GDPR.
ANNEX 3 SPECIFICATION OF SUB-PROCESSORS
Processor may use the following categories and parties of sub-processors for the processing:
- Email provider https://www.sparkpost.com
- Support software https://www.intercom.com
- Cloud provider https://aws.amazon.com