Data Processing Agreement
PARTIES:
1. User, with company details and legal representative as stated in the Agreement, hereinafter referred to as the data controller (“Data Controller”),
and
2. Momice, having its place of business in Amsterdam and registered with the Chamber of Commerce under number 83930175, duly represented in this matter by R. Bremer, CEO, hereinafter referred to as the data processor (“Data Processor”),
hereinafter referred to individually as “Party” and collectively as “Parties”.
WHEREAS:
A. Parties entered into an Agreement;
B. The Data Processor provides a Service, including registration software for the Data Controller under the Agreement;
C. To that end, the Data Processor will, at the Data Controller's instructions, process personal data as described in Annex 1 (“Data”) and the Parties acknowledge that the processing of the Data is subject to the General Data Protection Regulation 2016/679 (“GDPR”);
D. If any terms in this Data Processing Agreement are not defined any further, Parties agree to construe those terms in accordance with the definitions of those terms given in Article 4 of the GDPR;
E. Parties agree that with regard to other definitions, the General Terms and Conditions Momice will apply;
F. Parties wish to lay down the following arrangements in writing in the present Data Processing Agreement.
AGREE AS FOLLOWS:
1. Scope of the Data Processing Agreement
1.1 The Data Controller hereby engages the Data Processor to process the Data described in Annex 1 on the Data Controller's behalf in accordance with the provisions of this Data Processing Agreement, which engagement the Data Processor accepts.
1.2 The Data Processor will only process the Data in accordance with the documented instructions from the Data Controller set out in this Data Processing Agreement and will not process the Data for other purposes or its own purposes, unless Union or Member State law to which the Data Processor is subject, imposes a processing obligation on the Data Processor. In such cases, the Data Processor will inform the Data Controller of that legal requirement before processing that Data, unless said law prohibits such information on important grounds of public interest.
1.3 The Data Processor can under no circumstances be held liable for any damages or other consequences as a result of the processing of special categories of personal data (Article 9 GDPR) on behalf of the Data Controller.
1.4 This Data Processing Agreement, together with the General Terms and Conditions Momice, forms an integral part of the Agreement between Data Controller and Data Processor.
1.5 Where relevant, this Data Processing Agreement will supersede all previous data processing agreements and/or similar agreements between the Parties concerning the Agreement.
2. Allocation of responsibility
2.1 The Data Controller represents and warrants that it has a valid legal basis to process the Data and to engage the Data Processor in relation to such processing of Data. Furthermore, the Data Controller represents and warrants that the processing by the Data Processor is not unlawful and does not infringe any rights of a third party. In this context, the Data Controller indemnifies the Data Processor of all claims and actions of third parties related to the unlawful processing of Data.
2.2 The permitted processing operations shall be semi-automated and performed under the control of the Data Processor. The Data Processor is solely responsible for the processing of Data under the Data Processing Agreement, in accordance with the instructions of the Data Controller and under the (final) responsibility of the Data Controller.
3. Confidentiality and restricted access
3.1 All Data processed within the framework of the Data Processing Agreement by the Data Processor (and/or its sub-processors) on behalf of the Data Controller is subject to a duty of confidentiality. The Data Processor shall bind its employees and/or sub-processors, who will perform processing activities under the Data Processing Agreement, to an obligation of confidentiality.
3.2 The Data Processor will only give the persons in its employment or service access to the Data insofar as that is necessary for performing the Service agreed under the Agreement.
4. No further provision
4.1 Under no circumstances will the Data Processor share Data with or provide Data to third parties, unless the Data Processor has obtained the Data Controller's prior written consent to that end, the Data Controller has instructed the Data Processor to do so, or the Data Processor is required to do so pursuant to a provision of Union or Member State law, in which case the Data Processor will inform the Data Controller of that legal requirement before processing that Data, unless said law prohibits such information on important grounds of public interest.
5. Security measures
5.1 The Data Processor will implement – taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons – appropriate technical and organisational measures (“Security Measures”) to ensure a level of security appropriate to the risk. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data transmitted, stored or otherwise processed. The Security Measures are described in Annex 2 to this Data Processing Agreement.
5.2 The Parties acknowledge that security requirements change, which means that effective security makes it necessary to conduct frequent evaluations and to regularly improve outdated Security Measures. As such, the Data Processor will periodically evaluate the Security Measures described in Annex 2 and improve them where necessary in order to continue to fulfil the obligations set out in this Article 4. To that end the Security Measures as made available on Data Processor’s website will remain leading.
6. Audit
6.1 The Data Processor will enable the Data Controller to audit the Data Processor's compliance (“Audit”) with this Data Processing Agreement, and the Security Measures referred to in Article 5 and Annex 2 in particular, once per calendar year, provided that the Data Controller shall inform the Data Processor at least two weeks before the Audit.
6.2 The Audit may only take place after:
- the Data Controller has requested (from the Data Processor) the similar audit reports from independent third parties that are already in Data Processor’s possession;
- the Data Controller has reviewed the aforementioned audit reports and can provide legitimate reasons to initiate an audit as mentioned in Article 6.1.
6.3 The Data Processor shall cooperate with the Audit, and provide all information reasonably relevant for the Audit, including supporting data such as system logs and employees, as promptly as possible.
6.4 The Data Controller will bear the costs of the Audit, including the costs that the Data Processor has to make to cooperate with the Audit.
7. Personal data breach
7.1 In the case of a Personal Data Breach, the Data Processor will notify, without undue delay, though not later than forty-eight (48) hours after having become aware of it, that Personal Data Breach to the Data Controller and will provide the following information: (i) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Data records concerned; (ii) the likely consequences of the Personal Data Breach; and (iii) the measures taken or proposed by the Data Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2 The Data Processor has a documented procedure in place for handling Personal Data Breaches, which enables the Data Processor to adequately inform the Data Controller about such breaches and to effectively collaborate with the Data Controller to properly address such breaches.
7.3 Notifications made pursuant to Article 7.1 must be addressed to the Data Controller or, where relevant, to one or more of the Data Controller's employees stated in writing while this Data Processing Agreement is in place.
7.4 The Data Processor is prohibited from providing information about personal data breaches to Data Subjects or other third parties, unless the Data Processor has a legal obligation to do so or if the Parties have agreed otherwise in writing. The Data Controller remains the responsible Party for any statutory obligations in respect thereof.
8. Rights of data subjects
8.1 On request of the Data Controller the Data Processor will provide assistance – bearing in mind the nature of the processing and the available information – to the extent necessary to enable the Data Controller to satisfy requests from Data Subjects within the meaning of Chapter 3 of the GDPR. The Data Processor may charge reasonable costs for the aforementioned assistance.
8.2 If such a request is submitted directly to the Data Processor, the Data Processor may inform the Data Subject hereof and will inform the Data Controller accordingly. Under no circumstances will the Data Processor satisfy such requests without the Data Controller's intervention.
9. Cooperating with data protection impact assessments and prior consultation
9.1 Taking into account the nature of the processing and the information available to the Data Processor, the Data Processor will on request assist the Data Controller to the extent necessary and reasonable, in fulfilling its obligations arising from Article 35 (data protection impact assessment) and Article 36 (prior consultation) of the GDPR. The Data Processor may charge reasonable costs for the aforementioned assistance.
10. Sub-processors
10.1 Within the framework of the Agreement and the Data Processing Agreement, the Data Processor is hereby authorised to engage Sub-Processors. The Data Processor shall inform the Data Controller about which Sub-Processors are engaged by the Data Processor, listed in Annex 1. The Data Processor shall inform the Data Controller about any planned change in the used Sub-Processors, in which case the Data Controller has the right to object (in writing, within two weeks and supported by arguments) to the proposed change in Sub-Processors.
10.2 Should the Data Controller object to such change, then the Parties will jointly endeavour to find a reasonable solution. If Parties cannot come to a solution, then the Data Processor is allowed to make the planned change in the used Sub-Processors and the Data Controller is allowed to terminate the Agreement (including the Data Processing Agreement) on the date that the Data Processor will actually make the change in the used Sub-Processors.
10.3 The Data Processor has entered into a sub-data processing agreement that imposes on the Sub-processor the same responsibilities and obligations as are imposed on the Data Processor in this Data Processing Agreement.
10.4 If the Sub-processor fails to fulfil its data protection obligations, the Data Processor will remain fully liable in respect of the Data Controller for the fulfilment of the Sub-processor's obligations.
11. International flow of personal data
11.1 The Data Processor may process Data in countries inside the European Union (EU). In addition, the Data Processor may also transfer the Data to a country outside the EU, provided that the legal requirements as stated in the GDPR for such transfer have been fulfilled. In relation to the aforementioned, the Data Processor is specifically allowed to use the Google Cloud Platform to host its services. Google is Privacy Shield verified and the Data Processor will choose one of Google’s European data centres to be used for hosting Data Processor’s service and storing the Data gathered through that service.
11.2 In case the Data Controller makes use of the Data Processor’s ticket services, the Data Controller agrees that payments for such tickets will be handled by Adyen (see Annex 1), an international payment service provider. This means that Adyen, on behalf of the Data Processor, facilitates payments for the Data Controller. Depending on the chosen payment method, Data may be processed outside the EU (e.g. payments with American Express) to make the payment successful.
12. Liability
12.1 Article 13 of the General Terms & Conditions Momice applies to the liability of Data Processor. The Data Processor is liable for direct damage as a result of an attributable failure to perform its obligations under the Data Processing Agreement and unlawful acts. The liability is limited per contract year, to a maximum of two times the total amount of invoiced fees paid by Data Controller over the year in which the damage has arisen.
13. Duration and termination
13.1 This Data Processing Agreement ends automatically as soon as the Agreement ends.
13.2 Thirty (30) days after an Event of the Data Controller has come to an end, the Data Processor will delete all (personal) data relating to this Event from its systems. Within the aforementioned thirty-day period, the Data Controller has the ability to export its (personal) data in Excel format.
13.3 After the expiry of the Agreement, the Data Processor will (depending on the choice of the Data Controller) provide the Data Controller with the opportunity to obtain a copy of the relevant Data (still available on Data Processor’s systems at that point in time) in .CSV format, or delete the relevant Data still available on Data Processor’s systems, unless there is a legal obligation for the Data Processor to retain the data.
14. General provisions
14.1 Changes to this Data Processing Agreement and/or additions to it will only apply if the Parties have recorded them in writing in an addendum to this Data Processing Agreement.
14.2 The Data Processor shall provide its full cooperation in amending and adjusting the Data Processing Agreement in the event of new or changing privacy legislation.
14.3 If it emerges that one or more provisions of this Data Processing Agreement are not legally valid, the remaining provisions of this Data Processing Agreement will retain their full force and effect. The Parties will discuss the invalid provisions and agree on new arrangements that are legally valid and that reflect the purport of the old arrangement as closely as possible.
14.4 In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
a. the Data Processing Agreement;
b. the Agreement;
c. the General Terms and Conditions;
d. additional conditions, where applicable.
14.5 Logs and measurements taken by the Data Processor shall be deemed to be authentic, unless the Data Controller supplies convincing proof to the contrary.
15. Governing law and jurisdiction
15.1 This Data Processing Agreement is governed by Dutch law.
15.2 All disputes relating to this Data Processing Agreement or its performance will be adjudicated by the competent court in Amsterdam.
Annex 1
DATA, DATA SUBJECTS, PURPOSES, RETENTION PERIOD, SUB-PROCESSORS
Data | Data subjects | Purposes | Retention period |
First name | People that are invited by Data Controller to Data Controller’s Event | Invite and register contacts that could be interested in Data Controller’s Event with the use of Data Processor’s event software | Until 30 days after an Event |
Sub-processors
Name | Contact details | Purposes | Privacy policy |
Amazon Web Services EMEA SARL | 38, Avenue John F. Kennedy, L-1855 Luxembourg | Cloud hosting | aws.amazon.com/privacy/ |
Sendinblue (Commercial registry no. 498019298) | 47, Rue de la Chaussee d’Antin, 75009, France | E-mail service provider for sending and receiving e-mails | www.sendinblue/legal/privacypolicy |
Adyen N.V. (CoC number 34259528) | 6-50, Simon Carmiggeltstraat, 1011 DJ, Amsterdam | Payment service provider, processes payments in case User uses the payment ticket services in the Momice tool | www.adyen.com/legal/terms-and-conditions |
Annex 2
SECURITY MEASURES
Data Processor works in accordance with ISO 27001. All technical and organisational Security Measures taken by the Data Processor are mentioned in Data Processor’s security policy. This security policy is available on Data Processor’s website: https://www.momice/en/information-security-policy.