Data Processor Agreement
1.1 This Data Processor Agreement (the “DPA“) is entered into between Klasse Software & Webdevelopment BV, Call My Leads, The Netherlands (the “Data Processor”) and the customer (the “Data Controller”) due to the Data Processors’ delivery and services to the Data Controller.
1.2 The Data Controller determines the purposes and methods of the processing of Personal Data (as defined below).
1.3 The Data Processor has agreed to provide the Services (as defined below) on the terms set out in the Agreement (as defined below).
1.4 The Parties wish to supplement the Agreement with this DPA to formalize the terms and conditions applicable to the processing of Personal Data.
1.5 The purpose of this DPA is to secure adequate safeguards with the respect to the protection of privacy and to ensure that the processing of Personal Data is in accordance with the Data Controller’s and Data Processor’s legal obligations.
2.1 For the purposes of this DPA, the expressions set out below have the following meanings:
- Agreement. Means the agreement regarding the Data Processor’s delivery of services and grant of access to the Call My Leads Platform to the Data Controller, consisting of either a formal written agreement or the Data Processor’s applicable Terms & Conditions of Use updated from time to time and published on the Data Processor’s website www.callmyleads.nl.
- Approved Purpose. Means the processing i) required to fulfil the purpose of the Agreement or ii) as otherwise agreed between the Data Controller and the Data Processor in writing.
- Approved Territory. Means the Heroku and Elastic Cloud data centers in the Amazon Web Services (AWS) facilities (eu-west-1) in the EU and Inercom.io’s data centers in Amazon Web Services (AWS) facilities (us-east-1) in the USA. Processing of data outside the above-mentioned Territories requires the Data Controllers prior written consent.
- Data Subject. Means the living individual about whom the Data Controller holds Personal Data.
- Personal Data. Has the same meaning as in Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal Data Breach. Means any loss, destruction, damage, alteration or unauthorized access or disclosure of Personal Data or any other non-conformity with this DPA.
- Services. Means the services to be supplied by the Data Processor under the Agreement.
- Technical Contact Point. Means the parties’ technical representatives, who is deemed to be Frank Bluyssen from Call My Leads and the responsible contact person with the customer.
3.1 This DPA governs the Data Processor’s processing of the Personal Data, which it processes on behalf of the Data Controller to perform its Services under the Agreement. The Data Processor shall process the Personal Data only for the Approved Purpose and in accordance with applicable laws and this DPA.
3.2 The Data Controller retains the formal control of and all ownership and rights to the Personal Data. The Data Processor shall have no rights in or to the Personal Data other than the non-exclusive, revocable and time limited right to process the Personal Data for the Approved Purpose.
3.3 The Data Processor is entitled and obliged to control the data within the term of the Agreement and until any and all data is returned to the Data Controller or properly deleted.
4. APPROVED PURPOSE OF PROCESSING
4.1 The Data Processor shall process the Personal Data only for the Approved Purpose. Any processing of the Personal Data for any other purpose is strictly forbidden and will be considered a material breach of this DPA.
4.2 Categories of Personal Data to be processed under this DPA includes the following categories of data:
- The users’ names and e-mail addresses
- Data entered by users (which cannot be controlled by the Data Controller)
- All legal categories of Personal Data, which is in accordance with the Approved Purpose. The Data Controller is responsible for and warrants that the Personal Data, which the Data Controller’s instructs the Data Processor to process can be lawfully processed by the Data Processor.
5. APPROVED LOCATIONS OF PROCESSING
5.1 The processing of the Personal Data shall only take place in technological environments controlled by the Data Controller, the Data Processor and subcontractors in the Approved Territory. For the avoidance of doubt, processing includes accessing the Personal Data from remote locations.
6. USE OF SUBCONTRACTORS
6.1 The Data Controller accepts that the Data Processor is entitled to use subcontractors. The Data Processor shall ensure that any processing of the Personal Data by a subcontractor complies with the requirements set out under this DPA. This includes verifying that the security measures implemented by the subcontractor ensures at least the equivalent level of protection to that required of the Data Processor under this DPA.
6.2 The Data Processor shall ensure that a data processor agreement is entered into between the Data Processor and any subcontractor before such subcontractor processes any Personal Data.
6.3 At the moment the Data Processor uses the following subcontractors for data processing:
- Heroku: Platform as a Service (PaaS) that runs the hosting infrastructure for CallMyLeads (web hosts and databases).
- Elastic Cloud: Provides cloud-hosted search technology used in the CallMyLeads platform.
- Intercom: Provides functionality for customer support and messaging.
- Any integration through Zapier, Piesync or other API’s in general is the Data Controller’s full responsibility since such agreements are entered into directly between the Data Controller and the specific supplier.
7. PROCESSING OF PERSONAL DATA IN CERTAIN JURISDICTIONS
7.1 Where the processing of Personal Data in Approved Territories does not take place within the European Economic Area or a territory that has been designated by the European Commission as ensuring an adequate level of protection pursuant to the Data Protection Directive of 2016 (or its successor) such processing of Personal Data shall be carried out in accordance with the applicable EU standard clauses for the transfer of Personal Data. Prior to any processing in such territories, the Data Processor shall, as applicable, enter into and/or shall procure that the subcontractor enter into (each a “data importer” under the EU Model Clauses), the EU Model Clauses with the Data Controller (“data exporter” under the EU Model Clauses), in addition to this DPA. In case of conflict between such EU Model Clauses entered into between the parties and this DPA, the EU Model Clauses will prevail.
7.2 The Data Processor is hereby authorized by the Data Controller to enter into the EU model Clauses agreements with any relevant subcontractor on Data Controller’s behalf for the above-mentioned purpose and for any relevant Approved Territory.
7.3 If the Data Controller is required to submit a copy of the executed EU Model Clauses to its local Data Protection Authority, the Data Processor will submit a copy of the executed contract to Data Controller for its submission.
7.4 For the avoidance of doubt, the requirement to ensure that the subcontractors enter into a data processor agreement using the EU Model Clauses where so required under this Section 7, does not relieve the Data Processor from its obligations set out under Section 6, including the obligation to ensure that the security measures adopted by the relevant subcontractor offer at least an equivalent level of protection to the Data Controller and the Data Subjects as the requirements imposed on the Data Processor as set out in this DPA.
8. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
8.1 The Data Processor shall perform its obligations and actions under this DPA with all due skill, care and diligence.
8.2 The Data Processor shall use technical and organizational security measures appropriate to prevent the harm, which might result from any unauthorized or unlawful processing, loss, destruction, damage, alternation to or disclosure of the Personal Data and having regard to the nature of the Personal Data, which is to be protected.
8.3 Should the Data Processor become aware of any non-conformity with the security requirements set out above, either within its own or within the subcontractor’s organization, such non-conformity shall be notified to the Data Controller in accordance with the Personal Data Breach procedure set out in Section 10.
9.1 The Data Processor shall ensure that it and its employees maintain secrecy and security about any and all Personal Data and that the Personal Data is accessed by the Data Processor’s employees on a need to know basis only.
9.2 The Personal Data shall be deemed confidential information belonging to the Data Controller and/or the Data Subject and shall be subject to confidential handling in accordance with the confidentiality undertakings agreed between the parties in this DPA or elsewhere.
10. NOTIFICATION OF PERSONAL DATA BREACH
10.1 If the Data Processor becomes aware of any Personal Data Breach, the Data Processor shall without undue delay and within 24 hours at the latest, notify the Data Controller and fully cooperate to remedy the issue as soon as reasonably practicable. The notice shall contain the following information (if available):
- description of the Personal Data Breach including; the categories and number of Data Subjects concerned; summary of the incident that caused the Personal Data Breach; date and time of the relevant incident; the categories and number of data records concerned and the nature and content of the Personal Data affected;
- description of the circumstances of the Personal Data Breach (e.g. loss, theft, copying);
- description of recommended measures to mitigate any adverse effects of the Personal Data Breach;
- description of the likely consequences and potential risk that the Personal Data Breach may have towards the affected Data Subject(s); and
- description of the measures proposed or taken by the Data Processor and/or the sub-contractor, as applicable, to address the Personal Data Breach.
10.2 Notice must be sent by email to the Data Controller’s Technical Contact Point. The Data Processor’s Technical Contact Point shall be available for expedient assistance to clarify and respond to any follow up questions that the Data Controller may have.
10.3 Depending of the nature of the Personal Data Breach the Data Controller may be obliged to make a report to the Data Protection Authority in the country it resides. The Data Processor shall at the Data Controller’s request, therefore provide any other information reasonably requested by the Data Controller to comply with the relevant data protection regulation and/or inquiries from the Data Protection Authority.
11. OTHER NOTIFICATIONS
11.1 The Data Processor shall:
- without undue delay and in writing, notify the Data Controller of any planned changes in the technical, organizational or financial aspects of the Data Processor’s provision of the Services or the organization of the Data Processor or its subcontractors and which might have an adverse effect on the Data Processor’s or its subcontractors’ ability or willingness to process the Personal Data in accordance with the instructions of the Data Controller or the requirements set out in this DPA.
- within five (5) calendar days and in writing, notify the Data Controller if it receives: (i) a request from a Data Subject to have access to that person’s Personal Data; or (ii) a complaint or request relating to the Data Controller’s and/or its customers’ obligations under relevant data protection laws.
- without undue delay, notify the Data Controller if it receives a request from the competent data protection authority or other competent governmental body requiring the Data Processor or any of its subcontractors to grant the data protection authority or other applicable governmental body access to Personal Data. Such notice shall wherever possible, and to the extent permitted by applicable laws, be given prior to any disclosure by the Data Processor.
11.2 If the Data Processor is required to or requested by any law, regulation, or government or regulatory body to retain any documents or materials that it would otherwise be required to return or destroy under Section 13, it shall, to the extent permitted by law, notify the Data Controller in writing of that retention, giving details of the documents or materials that it must retain. The Data Processor shall not be in breach of Section 13 with respect to the retained documents or materials; however, Section 9 shall continue to apply to them.
11.3 Any notifications shall be deemed delivered when submitted via email to the Data Controller’s Technical Contact Point. The Data Processor’s Technical Contact Point shall be available for expedient assistance to clarify and respond to any follow up questions that the Data Controller might have.
12. BREACH OF AGREEMENT
12.1 The Data Processor shall ensure that any material breach is remedied as soon as possible.
12.2 Notwithstanding the above, the Data Controller can with immediate effect instruct the Data Processor to suspend or terminate any further processing of the Personal Data upon the occurrence of any material breach of this DPA.
13. OBLIGATION TO DELETE DATA
13.1 Personal Data shall not be stored for a longer period than it is necessary to carry out the original purpose for the processing.
13.2 The application permits the Data Controller to migrate Personal Data held by the application and the Data Controller agrees to migrate any and all Personal Data prior to termination of the Agreement. The Data Processor shall use reasonable commercial endeavors to permit the Data Controller to use the migrate function until expiry of the Agreement. Where the Agreement is terminated with immediate effect due to the Data Controller’s breach of this DPA, the Data Processor shall use reasonable commercial endeavors to permit the Data Controller to use the migrate function in the period of 10 days after such termination.
13.3 The Data Processor is not obligated to store any of the Data Controller’s Personal Data after expiry of the Agreement. The Data Processor shall no later than 30 days after expiry of the Agreement effectively delete all Personal Data. For the purposes of this provision to effectively delete shall mean that the data is deleted in accordance with best practice industry standards so that Personal Data cannot be reconstructed using any known technology.
13.4 Without limiting the aforementioned, at any given time during the term of this DPA the Data Processor shall effectively delete Personal Data to the extent requested by the Data Controller’s Technical Contact.
14.1 This DPA is entered into when the Data Controller accepts this DPA. However, the provisions of this DPA will not become applicable before 25 May 2018. This DPA will remain in force until the Agreement is terminated and the Data Processor is no longer processing data on behalf of the Data Controller.
15. SURVIVAL OF CLAUSES
15.1 Any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after termination of this DPA shall remain in full force and effect.
15.2 To the extent the Data Controller needs to respond to enquiries from Data Protection Authorities or Data Subjects concerning how Personal Data has been processed under the Agreement and this DPA, the Data Processor shall provide necessary assistance also after the expiry of this DPA.
15.3 For the avoidance of doubt the secrecy and security obligations set out in Section 9 herein, including the employees’, consultants’ etc. obligation to keep Personal Data secret, shall survive the expiry or termination of this DPA.
16. CHOICE OF LAW AND DISPUTE RESOLUTION
16.1 This DPA shall be governed by and construed in accordance with the laws of Denmark. Any dispute, controversy or claim arising out of or in connection with this DPA shall be subject to the exclusive and final jurisdiction of the courts of The Netherlands.
16.2 In the event that the Data Controller is located in a jurisdiction where judgments rendered by the above mentioned courts cannot be enforced, any dispute, controversy or claim arising out of or in connection with this DPA shall be exclusively and finally settled by arbitration in accordance with the Arbitration Rules of The Netherlands Institute of Arbitration. The arbitral tribunal shall be composed of one arbitrator, who shall be appointed in accordance with the above arbitration rules. The language to be used in the arbitral proceedings shall be English.