Data Processing Agreement
This Data Processing Agreement applies to all subscriptions to one of the services provided by DifferentLab B.V.
Version: 20 May 2018
- Under the ‘ShiftBase’ brand name, DifferentLab B.V. processes personal data for and on the instruction of its client on account of the client having taken out a (direct or indirect) software subscription (user agreement) with DifferentLab B.V.
- DifferentLab B.V.’s service consists in providing a standard application with the associated standard services (software as a service), hereinafter: ‘the application’. In this context, DifferentLab B.V. has made a data processing agreement part of the terms and conditions for the application.
- DifferentLab B.V. is designated as the ‘processor’ of personal data as specified in the General Data Protection Regulation (hereinafter: ‘GDPR’), while the client is the ‘controller’ as specified in the GDPR.
- This data processing agreement (hereinafter: ‘Data Processing Agreement’) records arrangements between DifferentLab B.V. and its client in relation to DifferentLab B.V.’s operations as the processor of personal data in the provision of the agreed services, i.e. the use of the application and the associated services.
- DifferentLab B.V. (hereinafter: ‘Processor’) and the client (hereinafter: ‘Controller’) mutually agree to comply with the General Data Protection Regulation (GDPR). Terms used in this Data Processing Agreement are defined as in the GDPR.
Article 1. Processing purposes
- The Processor agrees to process the personal data entered by the Controller in line with the terms and conditions of this Data Processing Agreement on the Controller’s instruction. The Processor will only process the personal data entered by the Controller for and on the instruction of the Controller and for the purpose of performance of the agreement: processing will only take place for the processing of the data of the Controller’s employees and/or other personal data entered in the application and associated (online) services by the Controller, plus any further purposes that can in all reasonableness be deemed to relate to that or that are designated as legitimate purposes with the Controller’s consent. The Processor’s activities include application management in the broadest sense of the concept (technical management, database management, making back-ups), hosting, messaging, and help desk services.
The type of personal data needed to be able to use the application are:
– persons’ first and last names
– persons’ email addresses
The application offers various possibilities to record other kinds of personal data, including sensitive data. The Controller is aware that the Processor will then process such data. The Controller is responsible for assessing whether the purpose and nature of processing operations is in line with the Processor’s service, as well as for informing and seeking possible consent from data subjects for the processing of such data or for having such data processed.
- The Processor can neither be held responsible nor be held liable for the processing of personal data, including, but not restricted to, the collection of personal data by the Controller, processing operations for purposes of which the Processor has not notified the Controller, processing operations by third parties and/or for purposes other than those for which the application is intended.
The Controller guarantees that the content, use and instruction to process personal data as specified in this Data Processing Agreement is not unlawful or does not infringe on the rights of third parties. The Controller guarantees that personal data can be processed based on a legitimate ground specified in the GDPR.
- The Processor agrees not to use the personal data for any purpose other than the purposes established by the Controller. The Controller agrees to notify the Processor of any processing purposes that are not already specified in this Data Processing Agreement. The Processor agrees not to add, modify, or delete data without a specific order to that effect from the Controller. Such an order can be submitted through a request or in the application.
- The Processor collects anonymised data on the use of the application. The anonymised data will be used solely for the purpose of improving the application. The Processor shall not use collected statistical data for commercial purposes.
- Personal data processed for the Controller will remain the property of the Controller and/or data subjects in question.
Article 2. The Processor’s obligations
- With respect to the processing operations specified in Article 1, the Processor shall see to compliance with current legislation and regulations, including at least legislation and regulations in the area of personal data protection, under observance of the provisions of this Data Processing Agreement.
- The Processor has no say over the processing purpose and means, and is therefore not authorised to decide on the use of personal data, the transmission of personal data to third parties, and the time period for storage of personal data. The Processor agrees not to transfer the data to third parties or to process the data for other purposes, except when the Processor has to comply with legal requirements to the contrary.
- The Processor agrees to inform the Controller, at the Controller’s request to that effect, on the measures the Processor has taken with respect to its obligations under this Data Processing Agreement.
- The Processor’s obligations under this Data Processing Agreement also apply to any parties processing personal data on the Processor’s behalf, including, but not restricted to, employees in the broadest sense of the word.
Article 3. Transfer of personal data
- The Processor is only allowed to process or have a third party process personal data in a non-EU country after having taken adequate legal/contractual measures. The Processor agrees to only use third parties that verifiably, fully, and without exception comply with the GDPR and possible other applicable legislation and regulations. The Processor is not allowed to process Data in a third country outside the European Economic Area (EEA) that does not offer an adequate level of security as specified in the GDPR.
The Processor agrees to only use third parties as a sub-processor if such third parties are bound by provisions similar to those in this Data Processing Agreement. The Processor at least guarantees that such third parties will comply with the Controller’s instructions, will be held to confidentiality, and will take the required security measures with respect to data processing.
The Processor will keep a list of the subprocessors it uses, for which the password is available on request.
The Processor agrees to not have any new sub-processors process data without giving the client advance notice thereof. The Controller may lodge an objection with the Processor against the Processor using the new sub-processor. The Processor agrees to handle such objections at board level. If the Processor still wants to have the new sub-processor process data, the Controller will be authorised to terminate the user agreement for the application with immediate effect.
Article 4. Protection
The Processor will endeavour to take adequate technical and organisational measures with respect to the performance of processing operations of personal data to protect personal data against loss or any form of illegitimate processing (such as unauthorised access, corruption, modification, or disclosure of personal data).
Permitted processing operations will be performed by the Processor’s employees within an automated environment.
The Processor will at all times ensure that:
i. Unauthorised persons and employees of the Processor who have not been assigned by the Processor to process personal data (hereinafter jointly referred to as ‘Unauthorised persons’) cannot access the equipment needed for the processing of personal data;
ii. Unauthorised persons cannot read, copy, change, or remove the equipment (systems) and other carriers of personal data;
iii. Unauthorised persons cannot use the systems used to process personal data using data transmission equipment;
iv. The Processor will be able to check and establish afterwards to which recipients personal data were provided or made available.
The Processor has at least taken the following measures:
Logical access control for the application in a general sense, using passwords. If this has been configured in the account, multi-factor authentication is possible for (all) users when selected in the application by the Controller.
Limited (digital) access for the Processor’s employees to servers (database) on which personal data is stored. Physical access by the Processor’s employees is not possible.
Secure communication with the server (HTTPS/SSL).
The systems have been installed based on the principle of least privilege. The Processor’s employees (except for Administrators) do not have access to the personal data without the Controller’s explicit consent (as recorded in the application) and then only in the context of providing management and help desk services. Access to the personal data without the Controller’s consent will be allowed only in case of necessary technical management or to deal with disruptions, whereby all access will be logged.
Various anti-virus and anti-malware measures.
Warning mechanisms based on suspicious log events.
Scans/baselining for known vulnerabilities.
Policy for frequent roll-out of security patches and software updates.
Application and server hardening.
These measures guarantee, to the level possible given the state of the art and costs involved in implementation, an appropriate level of security given the risks involved in the processing and nature of the data to protect.
The Controller will not submit any personal data for processing to the Processor if the Controller has not confirmed that the required security measures have been taken. The Controller is responsible for compliance with the measures agreed by the Parties.
The Processor has detailed its security measures in its Security Policy.
Article 5. Data subject rights
- If a data subject submits a request for access, rectification, completion, modification, erasure, or protection and/or restriction of the processing, as specified in the GDPR, to the Processor, the Processor will not fulfil such a request itself, but instead notify the Controller of the request. Whether and how such a request will be fulfilled will be up to the Controller to decide. The Processor will always enable the Controller to meet its responsibilities under the GDPR within the statutory time periods.
The Processor will be authorised to charge the Controller for the costs involved in handling requests from data subjects.
Article 6. Confidentiality and data breach notification obligation
- All personal data that the Processor receives from the Controller within the scope of this Data Processing Agreement is subject to a duty of confidentiality towards third parties. The Processor will not use this information for any purposes other than for which it was provided, not even if the information was provided in a format that ensures that it cannot be traced back to data subjects.
Persons employed by or otherwise working for the Processor, as well as the Processor itself, are subject to a duty of confidentiality in relation to the (personal) data to which they have been able to gain access. These persons have signed a non-disclosure agreement.
This duty of confidentiality does not apply to the extent that the Controller has specifically consented to the transfer of information to third parties, if transfer of the information to third parties is logically necessary given the nature of the instruction given and the performance of this Data Processing Agreement, or if there is a legal requirement to transfer the information to a third party. If the Processor is under a legal obligation to transfer the data to a third party, the Processor will notify the Controller thereof without delay, and if possible before actually transferring the data.
The Processor agrees to (within 48 hours) report security incidents or data breaches to the Controller upon first discovery thereof. The data breach notification policy rules will be used as a guideline in determining whether or not something can be considered a data breach. If the Processor has identified (attempted) illegitimate or otherwise unauthorised processing operations or breaches of security measures for personal data, the Processor will notify the Controller.
The Processor will provide all information that the Controller deems necessary to be able to assess the incident. The Processor will at least provide the Controller with the following information:
• the (alleged) cause of the incident;
• the impact (as known at the time and/or to be expected);
• the (proposed) solution;
• contact details for further follow-up of the notification;
• the number of persons whose data was involved by the incident
• a description of the group of persons whose data is involved in the incident;
• the type of personal data involved in the incident;
• the date on which the incident occurred (if no exact date is known: the period within which the incident occurred);
• the date and time on which the Processor or a
third party hired by the Processor or a sub-contractor learnt of the incident;
• whether the data is encrypted, hashed, or otherwise unreadable or
has been made inaccessible for unauthorised persons;
• measures taken already to terminate the incident and to mitigate the impact of the incident.
The Processor will, at its own expense, take all measures that it can reasonably be required to take to prevent or limit (further) non-compliance with the GDPR with respect to the processing of personal data. This will be without prejudice to the Processor’s obligation to compensate any losses sustained by persons whose personal data has been compromised.
If necessary, the Processor shall, on the Controller’s request, provide the data subject whose data is processed on the Controller’s behalf with adequate information of the processing of personal data.
Article 7. Audit
- The Controller shall at all times be authorised to audit or have a third party audit the processing of personal data (hereinafter: ‘Audit’). The Controller will give the Processor reasonable prior notice (three working days) of its intention to conduct such an Audit. The Processor will grant the Controller and/or a third party hired by the Controller and/or an authorised government agency the required access to the records and/or systems that are relevant for this Data Processing Agreement. The Processor agrees to cooperate with the Controller and/or a third party hired by the Controller and/or an authorised government agency to the required degree, provided that such cooperation will not disrupt the Processor’s normal business operations. The Processor agrees to, within a term set by the Controller, provide all information requested by the Controller, third party hired by the Controller, or the authorised government agency.
Costs incurred by the Controller or third party hired by the Controller in conducting an audit, as well as any reasonable costs incurred in this respect by the Processor, will fall to the Controller.
Article 8. Liability
- The Processor is liable for damage or losses ensuing from non-compliance with or violation of the GDPR and/or non-compliance with or violation of the provisions of this Data Processing Agreement, on the understanding that the Processor can only be held liable for damage or losses caused exclusively by its activities and/or non-compliance in its role as Processor. The Processor cannot be held liable for indirect or consequential loss or damage, lost profits, revenue, value, income, goodwill, reputational damage, and loss of business.
Article 9. Destruction/return of data
- If this Data Processing Agreement is terminated or whenever requested by the Controller(s), the Processor shall destroy the personal data immediately at the Controller’s request in line with an instruction issued by the Controller(s), in which case the Processor shall also give the Controller written confirmation of destruction.
Article 10. Term and expiry
- This Data Processing Agreement is effective as of the effective date of the user agreement for the application and shall automatically expire upon termination of the user agreement for the application. Expiry of this Data Processing Agreement does not relieve either party from its obligations under this Data Processing Agreement that, given their nature, are expected to remain effective after expiry of the Data Processing Agreement.
The Processor may amend this Data Processing Agreement in writing with one week’s notice.
The Data Processing Agreement is governed exclusively by Dutch law. Any disputes ensuing from or relating to this Data Processing Agreement will be submitted to the court of The Hague.