Data Processing Addendum

Last updated: November 1, 2024

1. Subject

1.1 This Data Processing Addendum ('DPA') supplements the Terms of services (the 'Terms') between the Client and the Provider of the PrivacyDocs services (the 'Services').

1.2 This DPA sets out the terms that apply when personal data is Processed by BISOT Advies (the 'Provider'), a company registered in the Netherlands, registration number 91533937, under the Terms.

1.3 The DPA ensures that Processing is conducted in accordance with applicable data protection laws. Any terms not defined in this DPA shall have the meaning assigned to them in EU Regulation 2016/679 (The General Data Protection Regulation, or GDPR) or in the Terms.

1.4 The Client plays the role of 'Controller' and the Provider plays the role of 'Processor', as understood under the EU General Data Protection Regulation 2016/679 ('GDPR').

2. Definitions

2.1 Terms used in this Addendum that have corresponding definitions in the GDPR should be understood according to their GDPR definitions.

3. Processing of personal data by Processor

3.1 As the Client's Processor, the Provider shall process the Client's personal data in accordance with applicable data protection laws in connection with the provision of the Services.

3.2 The Provider processes the Client's personal data only for the purposes of providing the Services according to the Terms.

3.3 The Provider ensures that all of its employees authorized to process the personal data have committed themselves to confidentiality and are under an appropriate statutory obligation of confidentiality.

3.4 The Client shall have sole responsibility for the legality of the personal data and the means by which the Client acquired the personal data.

3.5 The personal data consists of contact details and history of interactions with the PrivacyDocs website. The data subjects consist of individuals who are associated with the Client, such as employees or contractors.

3.6 The personal data processing consists of storing the personal data, making it available to users of the Services via the PrivacyDocs website or through emails, sending emails to the individuals, and collecting and storing the history of interactions of the individuals with the website.

4. Subprocessing

4.1 Client acknowledges and agrees that the Provider may share the personal data with its subprocessors to perform parts of the processing necessary to provide the Services.

4.2 Prior to initiating processing by a subprocessor, the Provider will require the subprocessor to adhere to contractual obligations that are substantially the same as those imposed on the Provider under this DPA, including appropriate technical and organizational data security measures.

4.3 The Provider remains liable for its subprocessor's performance under this DPA to the same extent the Provider is liable for its own performance.

5. Security

5.1 The Provider shall in relation to Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

6. Data Subject Rights

6.1 Provider shall assist Client by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of Client's obligations, to enable Client to respond to requests to exercise Data Subject rights under applicable data protection laws, including subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data and to comply with information or assessment notices served on the Customer by the relevant Supervisory Authority under data protection legislation.

6.2 To exercise these rights, please contact us via email at info@privacydocs.eu.

7. Personal Data Breach

7.1 The Provider shall notify the Client without undue delay after becoming aware of a personal data breach according to Article 33 of the GDPR.

8. Deletion or return of Client Personal Data

8.1 The Client can obtain a copy of the personal data at any moment, in a self-service manner, using the same tools that are used to enter and manage the personal data by the Client.

8.2 If the Client chooses to stop using the Services, then the Provider will permanently delete all Client data, including the personal data, 90 days after the end of the subscription.

9. Audit rights

9.1 The Provider makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

10. Data Transfer

10.1 The personal data may be transferred outside the European Economic Area (EEA). We ensure that appropriate safeguards are in place to protect the data, such as standard contractual clauses or other legal mechanisms.

11. Language

11.1 The DPA is available in multiple languages. In case of any discrepancies in understanding, the English version shall prevail.

11. Processors

The following processors are used by the Provider to provide the Services:

  • Amazon Web Services EMEA SARL (AWS cloud hosting)
  • Microsoft (Email communication and AI)