Data Processing Agreement (EU) – Default
Version 1.1 – 15 November 2020
This Data Processing Agreement applies to the processing of Personal Data that Zaurus B.V. – located at Comeniusstraat 5 in Alkmaar, registered in the Trade Register of the Chamber of Commerce under number 72991941 and legally represented by Niels Greidanus, CEO – (hereinafter: “Processor”) performs on behalf of the other party to whom it provides services (hereinafter: “Company”).
- The Processor offers a communication platform aimed at the healthcare sector that the Company wishes to use;
- The Company wishes to have certain forms of processing carried out by the Processor, whereby the Company indicates the purpose and means;
- The Parties seek to implement a Data Processing Agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR);
- The Parties wish to record their rights and obligations in writing, partly in view of the requirement from Article 28 paragraph 3 GDPR.
It is agreed as follows:
1. Definitions
1.1. In this Data Processing Agreement, the following capitalized terms have the following meanings:
a) Agreement
This Data Processing Agreement and all its schedules.
b) Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
c) Data Processing Agreement
d) Data Protection Officer
The person appointed within an organization who ensures that the organization processes the personal data of its staff, customers, suppliers or any other individuals (also referred to as Data Subjects) in compliance with the applicable data protection rules.
e) Data Subject
An identified or identifiable natural person.
f) Employee
A natural person engaged by one of the Parties for the implementation of this Data Processing Agreement and who works for that Party.
g) Incident
Any of the following:
i a complaint or (information) request from a Data Subject regarding the processing of Personal Data by the Processor;
ii an investigation into, or seizure of, the Personal Data by government officials, or a suspicion that this will take place;
iii a breach in relation to Personal Data;
iv any unauthorized access, deletion, corruption, loss or any other form of unlawful processing of the Personal Data.
h) Instruction
A written or electronically sent instruction from the Company to the Processor within the framework of its powers as formulated in this Data Processing Agreement or in the Agreement(s). Instructions are provided by and to the contact persons of the Parties as set out in Appendix 4.
i) Party
Company or Processor.
j) Parties
Company and Processor.
k) Personal Data
All information about an identified or identifiable natural person.
l) Processor
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a Company.
m) Sub-processor
Any person appointed by the Processor to process Personal Data on behalf of the Processor in connection with the Agreement.
n) Third Party
A person or group besides the two primarily involved in a situation.
1.2. The aforementioned and other terms are interpreted in accordance with the GDPR.
1.3. If, in this Agreement, certain standards are mentioned, this always refers to the most current version thereof. If the relevant standard is no longer maintained, the most recent version of the logical successor to the relevant standard should be read instead.
2. Subject and assignment of this Agreement
2.1. This Data Processing Agreement applies to the processing of Personal Data in the context of the performance of the Agreement(s).
2.2. In accordance with Article 28 of the GDPR, the Company gives the Processor an order and instructions to process Personal Data on behalf of the Company. The instructions of the Company may be further described in, among other things, this Agreement and the Principal Agreement.
2.3. The Parties conclude the Agreement(s) in order to use the expertise that Processor has with regard to processing and securing Personal Data, for the purposes arising from the Agreement(s) and further described in this Agreement. Processor guarantees that it is qualified for this.
2.4. Processor will immediately notify the Company if it finds that a processing order violates applicable laws and/or regulations or if the Processor can no longer comply with the Agreement.
2.5. This Agreement is an inseparable part of the Agreement(s). Insofar as the provisions of the Agreement conflict with the provisions of the Principal Agreement, the provisions of this Agreement will prevail.
3. Implementation of processing and provision
3.1. Processor guarantees that it will only process Personal Data on behalf of Company if:
a) this is necessary for the execution of the Principal Agreement; or
b) the Company has given further written instructions to that effect.
3.2. Within the scope of Article 3.1 under a), the Processor will only process the Personal Data specified in Appendix 1, and only for the nature and purposes of the processing described in that Appendix.
3.3. Processor will follow all reasonable instructions from the Company in connection with processing Personal Data.
3.4. Processor will refuse all requests for the provision of Personal Data that are not legally binding, unless otherwise agreed in writing with the Company.
3.5. Without prejudice to the provisions of the first paragraph of this Article 3, the Processor is permitted to process or provide Personal Data if a statutory regulation (including judicial or administrative orders based thereon) obliges it to do so. In that case, the Processor shall notify the Company of the intended processing or provision and of the statutory requirement underlying it, unless such legislation prohibits such notification for important reasons of public interest. Processor will enable the Company, where possible, to defend itself against this mandatory processing or provision and will otherwise limit the processing or provision to what is strictly necessary.
3.6. Processor will demonstrably, properly and carefully process Personal Data and in accordance with its obligations as Processor under the GDPR and other laws and regulations. The Processor keeps, in this specific context, a register of its processing operations. Processor can provide a copy of this register at any given time.
3.7. If the service provided by the Processor implies the processing of health data or other special Personal Data, the Processor guarantees that it will not act in violation of any applicable US or European health legislation.
3.8. Processor guarantees that the Employees involved have signed a confidentiality agreement and allows the Company to inspect these confidentiality agreements on request.
4. Transfer to third countries
4.1. Processor is only entitled to transfer Personal Data to a third country or international organization if the Company has given prior, specific consent for this, unless a European Union or Member State law applicable to Processor requires Processor to process. In that case, the Processor will notify the Company in writing of this provision prior to the processing, unless that legislation prohibits such notification for important reasons of public interest.
4.2. If, after consent of the Company, Personal Data is passed on to third countries outside the European Economic Area (“EEA”) or to an international organization as referred to in Article 4 paragraph 26 GDPR, the Parties will ensure that this only takes place in accordance with legal regulations and any obligations resting on the Company in this regard. If data is transferred to a third country or an international organization, this is indicated in Appendix 1 to this Agreement, including a list of the countries where, or international organizations by whom, the Personal Data are processed. It also indicates how the conditions under the GDPR for the transfer of Personal Data to third countries or international organizations have been met.
5. Security of Personal Data and control
5.1. Processor will demonstrably take appropriate and effective technical and organizational security measures which, given the current state of the art and the associated costs, correspond to the nature of the Personal Data to be processed (specified in Appendix 1), in order to protect the Personal Data against loss, unauthorized access, corruption or any other form of unlawful processing, and to guarantee the (timely) availability of the data. The measures include in any case:
a) measures to ensure that processes and systems are designed in such a way that collection and processing of Personal Data (including use, provision, retention, transfer and deletion) is limited to what is necessary for the purposes of the processing (‘privacy by design’ and ‘privacy by default’);
b) measures to ensure that only authorized Employees have access to the Personal Data for the purposes mentioned in the Agreement;
c) measures to protect Personal Data against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure;
d) measures to identify vulnerabilities with regard to the processing of Personal Data in the systems used to provide services to the Company;
e) the other measures agreed by the Parties as set out in Appendix 2.
5.3. At the Company’s first request, the Processor will submit a valid certificate issued by an independent and expert third party, which shows that Processor complies with the obligations under this article.
5.4. In addition to the foregoing paragraphs, the Company has the right at all times, in consultation with the Processor and subject to reasonable notice, to check (or have checked by means of an audit performed by an independent certified external expert) whether the Processor complies with applicable laws and regulations regarding the processing of Personal Data, the Agreement(s) and this Agreement, including the technical and organizational security measures taken by the Processor:
a) The Parties may agree in mutual consultation that the audit will be carried out by an external expert to be engaged in consultation with the Company, who will issue a Third-Party statement;
b) The auditor provides the audit report only to the Parties;
c) The Parties make mutual agreements about how to deal with the results of the audit;
d) The Parties can agree in mutual consultation that an audit already carried out on the basis of a valid (inter)nationally recognized certification, or an equivalent means of control or evidence, and the Third-Party statement issued from it, can be used. In that case, the Company will be informed of the results of that audit;
e) The Parties agree that the costs of this audit will be borne by the Company, unless the audit reveals (major) defects that can be attributed to the Processor. In that case, the parties will consult on the division of the costs of the audit.
5.5. The Parties recognize that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvement of outdated security measures. The Processor will therefore periodically evaluate the measures as implemented on the basis of this article and, where necessary, improve the measures to continue to comply with the obligations under this article. The foregoing is without prejudice to the Processor’s authority to take additional measures or have them taken if necessary.
6. Monitoring, information obligations and incident management
6.1. The Processor will actively monitor possible vulnerabilities regarding the security of information and report any vulnerabilities that affect the security of information to the Company.
6.2. As soon as an Incident occurs, has occurred or could occur, the Processor is obliged to inform the Company immediately, and in any event within 48 hours after the occurrence of the Incident, providing all relevant information about:
a) the nature of the Incident;
b) the (possibly) affected Personal Data;
c) the identified and likely consequences of the Incident; and
d) the measures that have been or will be taken to resolve the Incident or to limit the consequences/damage as much as possible.
6.3. Without prejudice to the other obligations in this article, the Processor is obliged to take the measures that can reasonably be expected of it to remedy the Incident as soon as possible or to limit its further consequences as much as possible. Processor will consult with the Company without delay in order to make further agreements about this.
6.4. Processor will cooperate with the Company at all times and will follow the instructions of the Company and enable the Company to conduct a proper investigation into the Incident, formulate a correct response and take appropriate follow-up steps with regard to the Incident, including:
a) informing the Dutch Data Protection Authority (AP) and/or the Data Subject as determined in Article 5.8.
b) informing patients, the HHS Office for Civil Rights and, if necessary, the media as determined in Article 5.8.
6.5. Processor will at all times have written procedures in place that enable it to provide the Company with an immediate response to an Incident, and to work effectively with the Company to handle the Incident. Processor will provide the Company with a copy of such procedures if the Company requests this.
6.6. Notifications made in relation to article 5.2 are immediately addressed to the Company or, if relevant, to Employees of the Company. If the Company has appointed a Data Protection Officer (DPO), reports will be sent to the DPO.
6.7. Processor is not permitted to provide information about Incidents to Third Parties, except if the Processor is legally obliged to do so or the Parties have agreed otherwise.
6.8. If the Parties have agreed that the Processor maintains direct contact with authorities or other Third Parties in relation to an Incident, the Processor will keep the Company continuously informed in order to make further agreements about this.
7. Cooperation obligations
The GDPR and other (privacy) legislation assigns certain rights to the Data Subject. Processor will fully and timely cooperate with the Company in the fulfillment of the obligations resting on the Company with regard to, but not limited to:
7.1. Fulfilling (as far as reasonably possible) the obligation of the Company to comply, within the legal deadlines, with requests from Data Subjects exercising the rights laid down in the GDPR, such as a request for access, rectification, completion, erasure or restriction of processing of Personal Data.
7.2. Performing checks and audits as referred to in Article 5, paragraph 4 of this Agreement.
7.3. Carrying out a data protection impact assessment (DPIA) and any mandatory prior consultation with the Dutch Data Protection Authority (‘Autoriteit Persoonsgegevens’).
7.4. Compliance with requests from the Data Protection Authorities or other applicable government agencies.
7.5. Preparing, assessing and reporting Incidents, as referred to in Article 6 of this Agreement.
7.6. A complaint or request from a Data Subject or a request or investigation from Data Protection Authorities with regard to the processing of the Personal Data, will be forwarded by the Processor, to the extent permitted by law, without delay to the Company, who is responsible for handling the request.
7.7. Parties do not charge each other any costs for cooperation that is reasonably provided. In the event that one of the Parties wishes to charge costs, this Party shall notify the other Party thereof in advance.
8. Engaging Sub-processors
8.1. During the term of this Agreement, the Processor will inform the Company of any proposed addition of a new Sub-processor or change in the composition of the existing Sub-processors. The Company is given the opportunity to object to these changes within a reasonable period of time.
8.2. Processor will not outsource its activities that consist of the processing of Personal Data or require that Personal Data be processed to a Sub-processor without the prior consent of the Company. The foregoing does not apply to the Sub-processors listed in Appendix 1.
8.3. The Processor ensures that any Sub-processor that creates, receives, maintains or transmits protected health information on behalf of the Company agrees to the same restrictions, conditions and requirements that apply to the Processor with respect to such information. The Processor will record these Sub-processor agreements in writing and will monitor the Sub-processor's compliance with them. Processor will provide the Company with a copy of the agreement(s) concluded with the Sub-processor upon request.
8.4. Notwithstanding the consent of the Company to engage a Sub-processor who (partially) processes data on behalf of the Processor, the Processor remains fully liable to the Company for the consequences of outsourcing work to a Sub-processor. The consent of the Company for the outsourcing of activities to a Sub-processor does not affect the requirement that permission is needed for engaging Sub-processors in a country outside the European Economic Area in accordance with Article 4 of this Agreement.
9. Liability
9.1. Parties are each responsible and liable for their own actions.
9.2. Any limitation of liability in the Agreement applies mutatis mutandis to this Agreement, provided that:
a) any (implicit or explicit) exclusions of liability for loss and/or corruption of Personal Data are excluded;
b) any (implicit or explicit) exclusions of liability for fines imposed by the Dutch Data Protection Authority or another supervisory authority that are directly related to an attributable shortcoming on the part of the Processor, or to an act or negligence attributable to the Processor, are excluded.
9.3. Processor indemnifies the Company against all claims and actions of Third Parties, as well as fines of the US and European Data Protection Authorities, that result directly from an attributable shortcoming by Processor and/or its subcontractors/Sub-processors in the fulfillment of its obligations under this Agreement and/or any violation by Processor and/or its subcontractors/Sub-processors of applicable law regarding the processing of Personal Data.
9.4. As far as the Parties are jointly and severally liable towards Third Parties or are jointly fined by the US or European Data Protection Authorities, they are each obliged towards each other, each for the part of the debt that concerns them in their mutual relationship.
9.5. Insofar as the Agreement does not contain a limitation of liability for the Company, the limitation for Processor included in paragraph 2 also applies to the Company.
9.6. Any limitation of liability will also lapse for the Party concerned in the event of intent or gross negligence on the part of the Party concerned.
9.7. Parties ensure adequate liability coverage.
10. Costs
10.1. The costs of processing data inherent in the normal performance of the Agreement are deemed to be included in the fees already payable under the Agreement.
10.2. Any support or other additional service that Processor is required to provide under this Agreement, or that is requested by Company, including any requests for additional information, will be charged to Company in accordance with the rates specified in Appendix 3.
10.3. The preceding provision does not apply if the work is related to a shortcoming of the Processor under this Agreement. In that case, the work will be performed free of charge (without prejudice to the Company’s right to recover the actual damage suffered from the Processor).
11. Confidentiality
11.1. Confidential information means all information of any kind, including technical, commercial, know-how, plans, drawings, reports, computer data and archives, exchanged by the Parties in any way, and which is expressly or indirectly marked as confidential.
11.2. It is expressly agreed that the following information is not confidential information:
- Information of which the Parties were already aware, and which is not classified as confidential or of which the confidential nature cannot be assumed;
- Information that has come into the public domain or is known to the public;
- Information that is disclosed by a Third Party without there being an error or breach of this Agreement or of a duty of confidentiality;
- Information for which written permission for disclosure is given by the issuing Party.
11.3. In the event that parts or elements of the information fall under one of the above exceptions, the information in its entirety remains under the protection of this Agreement.
11.4. The Parties undertake to treat the confidential information confidentially during the term of the Agreement(s) and after the end of the Agreement(s).
11.5. As such, no confidential information may be disclosed to a Third Party without the written consent of the Party that provided the confidential information.
12. Duration and termination
12.1. This Agreement takes effect after the online ordering process has been successfully completed and the first invoice has been paid in full. The duration of this Agreement is equal to the duration of the underlying Agreement(s), including any extensions thereof.
12.2. After it has been signed by both Parties, this Agreement forms an integral and inseparable part of the Principal Agreement. Termination of the Principal Agreement, on whatever ground (termination/dissolution), means that this Agreement is also terminated on the same ground (and vice versa), unless the Parties agree otherwise.
12.3. Obligations which by their nature are intended to continue (even after termination of this Agreement) will continue to apply after termination of this Agreement. These provisions include, for example, those arising from the provisions on confidentiality, liability, dispute resolution and applicable law.
12.4. Each of the Parties is entitled, without prejudice to what is stipulated in the Agreement, to suspend the implementation of this Agreement and the related Principal Agreement, or to dissolve it without judicial intervention with immediate effect, if:
a) the other Party is dissolved or otherwise ceases to exist;
b) the other Party demonstrably (seriously) fails in the fulfillment of the obligations arising from this Agreement and that attributable failure has not been remedied within 30 days after a written notice of default to that effect;
c) a Party is declared bankrupt or applies for a moratorium.
12.5. Given the Company's dependence on the Processor and the continuity risk in the event of security incidents and calamities (such as bankruptcy), the Processor declares its willingness to make additional agreements with the Company to reduce such risks. These additional agreements may include:
a) agreements on periodically returning the data processed by the Processor, or on transferring it to a Third Party; and/or
b) entering into an agreement with a Third Party that the Third Party concerned undertakes jointly and severally to guarantee the fulfillment of the Agreement; and/or
c) entering into a (tri-partite) agreement with a Third Party that aims to provide the Third Party in question with (all the time) all the necessary information to (where applicable) provide (part of) the information under the Agreement.
12.6. Company is entitled to dissolve this Agreement immediately if the Processor indicates that it is no longer able to meet the requirements that are imposed on processing of the Personal Data on the basis of developments in the law and/or case law.
12.7. Processor must inform the Company in advance and in a timely manner of an intended takeover or transfer of ownership.
12.8. Processor is not permitted to transfer this Agreement and the rights and obligations associated with this Agreement to a Third Party without the express and written consent of the Company.
13. Retention periods, return and destruction of Personal Data
13.1. Company will adequately inform the Processor about the (legal) retention periods that apply to the processing of Personal Data by the Processor. Processor does not store Personal Data longer than strictly necessary, taking into account the legal retention periods and any agreements made between the Parties about retention periods as laid down in Appendix 1.
13.2. Under no circumstances will the Processor keep the Personal Data longer than until the end of this Agreement. Company determines whether, and, if so, for how long data must be retained.
13.3. Upon termination of the Agreement, or if applicable at the end of the agreed retention periods, or at the written request of the Company, the Processor will irrevocably destroy the Personal Data or have it returned to the Company possibly at reasonable costs, at the discretion of the Company. At the request of the Company, the Processor will provide proof that the data have been irrevocably destroyed or deleted. Any return of data will take place electronically in a generally accepted, structured and documented data format.
14. Intellectual property rights
Insofar as the (collection of) Personal Data is protected by any intellectual property right, the Company gives permission to the Processor to use the Personal Data in the context of the execution of this Agreement.
15. Final provisions
15.1. The recitals form part of this Agreement.
15.2. In the event of nullity or voidability of one or more provisions of this Agreement, the other provisions remain in full force.
15.3. In all cases not provided for in this Agreement, the Parties will decide in mutual consultation.
15.4. This Agreement is governed by the laws of the Netherlands.
15.5. Parties will endeavor to resolve conflicts by mutual agreement. This includes the option to end the dispute by means of mediation or arbitration to be determined in mutual consultation.
15.6. Disputes about or in connection with this Agreement will only be submitted to the court or arbitrator(s) designated for that purpose in the Agreement.
Appendix 1: Specification of Personal Data and Data Subjects
Personal data of users of Company
The Processor will, in the context of Article 1.1 of the Agreement, process the Personal Data shown below on behalf of the Company.
This Agreement is an annex to the following agreements and relates to the following processing of Personal Data:
Appendix 2: Description of further security measures
Reliable information systems and privacy are essential for the continuity of the business operations of the Processor and its customers. In our daily work we depend on the availability of reliable information. Our organization and our information systems are exposed to threats, whether deliberate or not. These threats make it necessary to take targeted measures to reduce the risks to an acceptable level. The sections below list some of the measures we have taken.
Zaurus B.V. is certified by BSI against ISO 27001:2013 (and the Dutch healthcare information security standard NEN 7510:2017). Our statement of applicability and our certificates are available on request from our Chief Information Security Officer.
Measures to ensure that processes and systems are designed in such a way that the collection and processing of Personal Data (including use, provision, retention, transfer and erasure) is limited to what is necessary for the purposes of the processing (“privacy by design” and “privacy by default”):
- A secure development policy.
- DPIAs performed before new projects and new features that have a significant impact on the processing of Personal Data.
- A Data Protection Officer, who is also involved in discussions about new features to be developed.
- A testing policy under which developers review each other's work (peer review) and give constructive feedback.
- Penetration tests that extensively test how the system and the Processor handle the processing of Personal Data.
- Data processing agreements with customers, setting out the conditions under which processing takes place.
- Data processing agreements with Sub-processors, in which the Processor lays down the conditions under which Personal Data may be processed.
Measures to ensure that only authorized personnel have access to the Personal Data:
- The Processor has defined user profiles that determine which rights belong to which role.
- Changes in rights are assessed by management via change forms and go through a formal approval process.
- The CISO reviews the allocation of rights several times a year.
- The Processor applies segregation of duties: no one should be authorized to control an entire cycle of actions in an information system in such a way that availability, integrity or confidentiality can be compromised. Where this is nevertheless necessary, all actions and their timestamps are recorded in an audit trail.
- Administrative tasks are performed only when logged in as an administrator; normal usage tasks only when logged in as a regular user.
- Throughout the year, the Processor devotes considerable attention to training Employees in privacy and information security.
- Backups are made every day and stored redundantly in two different locations.
- A DTAP (development, test, acceptance, production) pipeline, with a distinction between environments with and without Personal Data.
Measures to protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure:
- Information is classified, and the required security measures are determined on the basis of the classification.
- Incident procedure: there is a procedure for actively reporting potential and actual risks to personal data and to its security and privacy.
- The Processor uses Microsoft OneDrive to store organizational data, so that this data is not stored locally on devices but on a secured server.
- Password manager: a password manager is used to store passwords securely.
- Anti-malware: a virus scanner is mandatory on all company-owned devices and on BYOD devices.
- Disk encryption: all company-owned hard drives and BYOD devices are encrypted, so that data cannot be retrieved from the drive if a device is lost.
- Logging: log data is checked frequently for irregularities.
- Penetration testing: the Processor regularly commissions penetration tests from leading parties (such as Deloitte) to test its information security and privacy handling.
Measures to identify vulnerabilities with regard to the processing of Personal Data in the systems used to provide services to the Company:
- A Data Protection Impact Assessment (DPIA) is performed periodically. Employees are also periodically briefed on data security and the handling of privacy-sensitive information.
- The Processor periodically reports to the Company on the technical and organizational security measures it has taken and on any points for attention.
- Logging: log data is checked frequently for irregularities.
- Penetration testing: the Processor regularly commissions penetration tests from leading parties (such as Deloitte) to test its information security and privacy handling.
Appendix 3: Specification of rates
Consultancy: 150,- euro per hour
- Advice and project support;
Support: 125,- euro per hour
- Implementation support;
- Integration support;
- Chatbot development.
Appendix 4: Contact details
This appendix contains the contact details of the Data Protection Officer of Zaurus B.V. who can be contacted with any questions/comments regarding privacy.
Primary point of contact
Data Protection Officer – Zaurus B.V.
Telephone: +31 (0)72-2029123
Secondary point of contact
CEO – Zaurus B.V.
Telephone: +31 (0)72-2029123