Attachment 1: Overview of Processing of Personal Data and Processing Purposes
Attachment 2: Overview of Security Measures
Attachment 3: Process for Reporting Data Breaches and Required Information
Data Processing Agreement

This data processing agreement applies to all forms of processing of personal data carried out by Highbiza B.V., registered with the Chamber of Commerce under number 74654306, hereinafter referred to as the "data processor," on behalf of a counterparty to whom it provides services, hereinafter referred to as the "data controller." It is an integral part of every agreement between Highbiza and its counterparty, along with the general terms and conditions. The data processor and the data controller are hereinafter jointly referred to as the "parties."
Whereas: The parties have entered into an agreement regarding the provision of digital services. In order to fulfill this agreement, personal data is processed. The data controller attaches great importance to the protection of personal data, which is why a number of arrangements have been laid down in this data processing agreement.
- Definitions
The terms used herein and above are in accordance with the General Data Protection Regulation and have the following meanings:
1.1. Personal data: any information relating to an identified or identifiable natural person ('the data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.2. Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.
1.3. Data controller: a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law ('controller').
1.4. Data processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller ('processor').
1.5. Data subject: an identified or identifiable natural person to whom the processed personal data relates.
1.6. Data processing agreement: this agreement including the attachments ('data processing agreement').
1.7. Agreement: the main agreement from which this data processing agreement arises.
1.8. Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed ('data breach').
1.9. Data protection impact assessment: an assessment of the impact of the envisaged processing operations on the protection of personal data, carried out prior to the processing.
1.10. Supervisory authority: an independent public authority responsible for overseeing the application of data protection law, in this case the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
- Establishment, duration, and termination of this data processing agreement
2.1. This data processing agreement is part of the agreement between Highbiza and its customer and will remain in effect for the duration of the agreement.
2.2. In the event that the agreement is terminated, this data processing agreement will automatically terminate. The data processing agreement cannot be terminated separately.
2.3. After the termination of this data processing agreement, ongoing obligations of the data processor, such as reporting data breaches involving the personal data of the data controller, and the obligation of confidentiality, will continue to exist.
- Processing of personal data
3.1. The data processor shall only process personal data on behalf of the data controller and has no authority over the personal data. The data processor shall follow the instructions of the data controller in this regard and shall not process the personal data in any other manner unless prior consent or instructions are given by the data controller.
3.2. Annex 1 specifies the personal data that the data processor will process and the purposes of processing.
3.3. The data processor complies with the law and processes the data in a fair, diligent, and transparent manner.
3.4. The data processor shall not engage any other individuals or organizations in processing the personal data of the data controller without prior written consent, unless necessary for the execution of the task, such as for hosting, management, maintenance, and monitoring purposes.
3.5. When the data processor engages other organizations with permission, these organizations must comply with the requirements stated in this data processing agreement.
3.6. When the data controller receives a request from a data subject who wishes to exercise their privacy rights, the data processor shall cooperate. These rights include the right to access, rectify, supplement, erase or restrict the processing of personal data, and the right to data portability.
3.7. When the data controller requests information, the data processor shall provide the information necessary for conducting a data protection impact assessment. This may be necessary to assess the risks of the processing carried out by the data processor on behalf of the data controller.
- Security of personal data
4.1. The data processor ensures that the personal data is adequately protected. To prevent loss and unlawful processing, the data processor implements appropriate technical and organizational measures.
4.2. These measures are tailored to the risks associated with the processing. An overview of these measures and the related policies is provided in Annex 2.
4.3. The data controller may request a report detailing the implemented security measures and any potential areas of concern or improvement. The costs of this report are borne by the data controller.
4.4. The data controller is entitled to conduct an inspection or audit within the data processor's organization to determine whether the processing of personal data complies with the law and the provisions of this data processing agreement. The data processor shall cooperate with such inspections or audits, including providing access to buildings and databases and making all relevant information available, to the extent reasonable and equitable and without infringing on the rights of others.
4.5. If either party believes that a change in the security measures is necessary, the parties shall engage in discussions regarding such changes.
- Export of personal data
5.1. The data processor shall not allow personal data to be processed by individuals or organizations outside the European Economic Area without prior written consent from the data controller, unless necessary for the performance of the tasks.
- Confidentiality
6.1. The data processor shall maintain the confidentiality of the personal data provided to it unless prevented by a legal obligation.
6.2. The data processor shall ensure that its employees and subcontractors also adhere to this confidentiality by including confidentiality obligations in their (employment) contracts.
- Data breaches
7.1. In the event of a potential data breach, the data processor shall promptly inform the data controller within 24 hours and provide the information specified in Annex 3, enabling the data controller to make any necessary notifications to the supervisory authority.
7.2. Following the notification of a data breach, the parties shall keep each other informed of any new developments regarding the breach and the measures taken to limit and resolve its scope, as well as to prevent similar incidents in the future.
7.3. The data processor shall not independently notify the supervisory authority and/or the data subjects of a data breach, as this responsibility lies with the data controller.
7.4. Any costs incurred in resolving a data breach and preventing future breaches shall be borne by the data controller.
- Liability
8.1. If either party fails to comply with the provisions of this data processing agreement, the other party may hold that party liable for such non-compliance.
8.2. Consequential damages or fines cannot be claimed from the data processor.
8.3. The parties shall not be liable for claims made by data subjects or other individuals and organizations in cases of force majeure.
- Return of personal data and retention period
9.1. Upon termination of this data processing agreement, the data processor shall return the personal data, ensuring the secure and proper destruction of any remaining personal data.
9.2. The personal data processed under this data processing agreement shall be destroyed after the expiration of the statutory retention period and/or at the request of the data controller. A statutory retention period may apply, for example, when the data processor is required to retain the personal data for tax-related purposes.
- Final provisions
10.1. This data processing agreement is an integral part of the underlying agreement. Consequently, all rights and obligations from the agreement shall also apply to this data processing agreement.
10.2. In the event of any inconsistencies between the provisions of the data processing agreement and the agreement, the provisions of this data processing agreement shall prevail.
10.3. Deviations from this data processing agreement shall only be valid if agreed upon in writing by the parties.
10.4. This data processing agreement and the activities performed under it are governed by Dutch law.

Deventer, 30 December 2020.
Attachment 1: Overview of processing of personal data and processing purposes

Description of processing activities by the data processor: Acting as a digital advisor and supplier to clients in the broadest sense, including the development of websites and apps, including web applications such as configurators, e-learnings, e-commerce systems, data retrieval systems, middleware, etc.; and hosting, managing, maintaining, and monitoring these sites, apps, and web applications.
Processing purposes: To ensure the technical and functional operation of digital solutions for clients.
Data controller: Highbiza, Mr. Geert Jan Hoogeslag, Director.
Processed personal data: All data requested by the data controller and/or necessary for the processing activities and/or processing purposes will be processed.
Location of processing activities: In general, work is conducted from Deventer or other locations where employees or suppliers are active.
Retention period: The data will be retained for as long as necessary for business or organizational reasons and/or the execution of current or anticipated tasks for the client.
Attachment 2: Overview of security measures

Technical security measures
- Working with state-of-the-art frameworks and systems, such as Django (Python) and Oscar.
- Working from repository systems with pull requests.
- Secure internet connections.
- SSL certificates.
- Secure backups: every hour and every day, with a one-month retention on environments separate from the live systems.
- Unique login codes and passwords (regularly changed).
- Encrypted email.
- Two-factor authentication for password access using htaccess and/or the Google Authenticator app.
- Support for encryption methods such as SHA2.
- Ping system for uptime (check every 2 minutes) with feedback notification indicating the type of downtime, if applicable, such as SSL error, server error, etc.
- Options for both dedicated hosting and shared hosting.

Organizational security measures
- Clean desk policy.
- No unattended computers.
- Computers locked with username and password.
- Privacy provisions in employee contracts.
- Revocation of access to systems upon employee departure.
Attachment 3: Process for reporting data breaches and the information to be provided

A data breach is a security incident in which personal data may have been lost or unintentionally accessed by unauthorized parties. It includes data that can be linked to individuals, such as, but not limited to, names, addresses, phone numbers, email addresses, login credentials, cookies, IP addresses, or identifying information of computers or phones.
Where should a security incident be reported? If Highbiza discovers a security incident, immediate contact will be made with the relevant representative of the data controller.
The following information, to the extent possible, will be reported, also for the purpose of notifying the supervisory authority:
- A summary of the security breach/security incident/data breach (what happened?), including the name(s) of the affected system(s).
- The types of personal data involved in the security incident, such as, but not limited to, name, address, email address, IP number, social security number, passport photo, and any other personally identifiable information.
- The number of individuals whose personal data is involved in the security incident, with an estimate of the minimum and maximum number of individuals.
- A description of the group of individuals whose data is involved, and where possible a delineation of the affected group, with special attention to data of vulnerable individuals or groups.
- Whether or not the contact information of the affected individuals is known, and whether it is possible to inform the individuals about the data breach.
- The cause (root cause) of the security incident, or an estimate of the cause.
- The date or period when the security incident occurred.