
Processing Agreement

Article 1 Definitions

The terms designated with an initial capital letter in this Processing Agreement shall have the meanings assigned to them in this article. These terms shall primarily be interpreted in accordance with the definitions used in the General Data Protection Regulation (GDPR).

  • Dutch Data Protection Authority (“AP”): the Dutch Data Protection Authority, being the Dutch supervisory authority established as an independent administrative body responsible for supervising the Processing of Personal Data and compliance with Privacy Legislation.
  • Data Subject(s): the natural person(s) to whom Personal Data relates.
  • Security Incident: any development relating to the security of Personal Data of which the Controller should reasonably be aware, including but not limited to any breach of security that leads, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Personal Data transmitted, stored or otherwise Processed (“Data Breach”).
  • Appendix/Appendices: an appendix to this Processing Agreement forming an integral part thereof.
  • Special Categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a person, or data concerning health, or data concerning a person’s sex life or sexual orientation.
  • Data Protection Impact Assessment (“DPIA”): an assessment carried out prior to Processing to evaluate the impact of intended Processing operations on the protection of Personal Data.
  • Third Party: a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and/or persons authorized under the direct authority of the Controller or Processor to process Personal Data (e.g. employees). This definition also includes a Sub-processor.
  • Service Agreement: the agreement between the Parties regarding the services provided by the Processor to the Controller, of which this Processing Agreement forms a part.
  • Data Protection Officer: an officer responsible for monitoring compliance with Privacy Legislation.
  • Personal Data: any information relating to an identified or identifiable natural person.
  • Privacy Legislation: the GDPR (EU) 2016/679 and other applicable laws.
  • Sub-processor: any Third Party engaged by the Processor.
  • Processing Agreement: this agreement including Appendices.
  • Controller: the party determining the purposes and means of Processing.
  • Processing: any operation performed on Personal Data.
  • Processor: the party processing Personal Data on behalf of the Controller.

Article 2 Subject of this Processing Agreement

This Processing Agreement governs the Processing of Personal Data by the Processor within the framework of the Service Agreement.

The Processor shall Process Personal Data on behalf of the Controller under the conditions of this Processing Agreement. Appendix 1 describes duration, nature, purpose, categories and storage. Appendix 2 describes security measures.

Article 3 Execution of Processing

Both Parties shall process Personal Data properly and carefully in accordance with Privacy Legislation.

The Processor shall only process Personal Data on the documented instructions of the Controller unless required by law.

The Processor shall not use Personal Data for other purposes and shall not process more data than necessary.

The Controller is responsible for determining purpose and legality of processing.

The Processor shall assist the Controller in fulfilling data subject rights and notify within 4 working days upon receiving requests.

Article 4 Security Incidents and DPIA

The Processor shall immediately report any (possible) Security Incident and take measures to mitigate it.

The notification shall include:

  • nature of the incident
  • categories and number of data subjects
  • consequences
  • measures taken

The Controller is responsible for notifying authorities and data subjects.

The Processor shall assist in investigations and DPIA.

Article 5 Third Parties and Sub-processors; Processing within/outside EEA

The Controller authorizes the use of Sub-processors.

The Processor remains fully liable for Sub-processors.

Processing outside the EEA shall only occur under GDPR safeguards.

Article 6 Security of Processing

The Processor shall implement appropriate technical and organizational measures ensuring confidentiality, integrity, and availability.

Security measures are detailed in Appendix 2.

Article 7 Confidentiality

All Personal Data is subject to confidentiality obligations.

The Processor shall ensure that employees and third parties are bound by confidentiality.

Article 8 Information Provision and Audits

The Controller may audit compliance.

The Processor shall provide access to systems and documentation.

Deficiencies must be remedied promptly.

Article 9 Amendments

Parties shall consult on necessary changes.

The Controller may provide additional instructions.

Article 10 Term and Termination

This agreement enters into force with the Service Agreement and ends when data is no longer processed.

The Processor shall return or delete Personal Data within 30 days after termination.

Certain provisions survive termination.

Article 11 Liability

Liability provisions of the Service Agreement apply.

The Processor shall maintain adequate insurance.

Liability shall be proportionate to fault.

Article 12 Applicable Law and Dispute Resolution

Dutch law applies.

Disputes shall be settled by the competent court.

Article 13 Contact Details and Final Provisions

Notifications shall be addressed to:
Jan-Douwe Gaastra – jandouwe@facilitee.com

If provisions are invalid, the remainder remains in force.

Parties shall consult on matters not covered.

In case of conflict, this Processing Agreement prevails over the Service Agreement.

APPENDIX 1 Description of Processing

Purpose:

  • Register personal information of data subjects
  • Facilitate communication

Data subjects:

  • Tenants & Suppliers

Personal Data:

  • Name, address, residence details

Legal basis:

  • Performance of contract

Retention:

  • Until end of agreement

APPENDIX 2 Security Measures

Processor implements:

  • security policy
  • access controls
  • encryption
  • logging
  • backups
  • risk assessments
  • incident response procedures

APPENDIX 3 Sub-processors

Amazon Web Services EMEA S.à r.l., Amsterdam

AWS processes data only as necessary and ensures:

  • access control
  • encryption
  • logging
  • incident response
  • physical security
  • redundancy
  • employee training