Data Processing Agreement
Last updated on 1st of May 2018.
This Processor Agreement (the "Agreement") is a legal agreement between You as the client and Hugo B.V., a private company registered under the Laws of The Netherlands with company number 64751333, having its registered address situated at Keienbergweg 97, 1101 GG, Amsterdam, The Netherlands ("Hugo", "We", "Our" or "Us"), that governs Your limited, non-exclusive and terminable right to the use of the Hugo Site and Services as defined herein. If You do not agree to this Agreement, You must not sign up for an account and shall not make use of any of the Services or the Site. By agreeing to this Agreement, You acknowledge that You have read this Agreement, understood it, and agree to be bound by its terms and conditions.
We may amend this Agreement from time to time. We will provide You with advance notice of the modifications via email to the email address associated with Your account, and You hereby agree that this shall constitute adequate notice in this regard. All amended terms automatically take effect on the earlier of the day You use the Site and/or Services, or 30 calendar days after they are initially posted on the Site. Your use of the Site and/or Services following the effective date of any modifications to this Agreement will constitute Your acceptance of the Agreement, as modified.
Having regard to the fact that
- the Controller has access to the personal data of various clients (hereinafter: ‘Data subjects’);
- the Controller has determined the purpose of and the means for the processing of personal data as governed by the terms and conditions referred to herein;
- the Processor has undertaken to comply with this data processing agreement (hereinafter: ‘the Data Processing Agreement’) and to abide by the security obligations and all other aspects of the General Data Protection Regulation Act (hereinafter: ‘GDPR’);
- the Controller is hereby deemed to be the responsible party within the meaning of article 4 (7) of the definitions of the GDPR;
- the Processor is hereby deemed to be the processor within the meaning of article 4 (8) of the definitions of the GDPR;
- Parties agree that the provision of the services under Hugo B.V.’s Terms of Service may qualify as commissioned data Processing as per the Dutch Wet Bescherming Persoonsgegevens until 25th May 2018 and, as from the 25th May 2018, the General Data Protection Regulation 2016/679;
- Parties agree that this Agreement shall render any and all other previous agreements entered into between the Controller and the Processor in relation to data protection, before the date of this Agreement, null and void.
Definitions and Interpretation
The following terms shall have the following meaning:
- Agreement means this agreement, including all schedules, notifications and all notices to this agreement;
- Applicable law means the relevant data protection and privacy laws to which the Parties are subject, including the Dutch Wet Bescherming Persoonsgegevens until the 25 May 2018 and, as from 25 May 2018, the General Data Protection Regulation 2016/679;
- Data Subject means the identified or identifiable person to whom Personal Data relates;
- Personal Data means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined under the General Data Protection Regulation 2016/679, and includes any equivalent definition in the Applicable Law;
- Process, Processing or Processed means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined under the General Data Protection Regulation 2016/679, and includes any equivalent definition in the Applicable Law;
- Purpose means the following: Hugo B.V. offers its clients online tools to collect data, centralise and analyse data and optimise data by segmentation, features to connect to the Controller’s first- or third-party solutions, and ways to facilitate external communication. The purpose of collecting this data is for Hugo B.V. to allow its clients to better communicate with their customers and to better understand their customers’ needs. It serves to optimise and automate processes to enhance the overall user and/or customer experience;
- Services means the software as a service (SaaS) offered by Hugo B.V., having a variety of resources including but not limited to questionnaires, (research) reports, email campaigns, conversational interfaces, and other functionalities as developed and introduced by Hugo B.V. from time to time; and
- Terms of Service means the legal agreement between the Controller as the user and the Processor, that governs the Controller’s limited, non-exclusive and terminable right to the use of the Hugo Services as defined in the Terms of Service.
Have agreed as follows
1. PROCESSING OBJECTIVES
1.1. The Processor undertakes to process personal data on behalf of the Controller in accordance with the conditions laid down in this Data Processing Agreement. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes as may be agreed to subsequently.
1.2. The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Controller will inform the Processor of any such purposes which are not contemplated in this Data Processing Agreement.
1.3. All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects.
1.4. The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.
1.5. The Controller shall Process Personal Data in accordance with the requirements of the Applicable Laws. For the avoidance of doubt, the Controller’s instructions for the Processing of Personal Data shall comply with the Applicable Law, and the Processor reserves the right to refuse such instructions if they are not in compliance with the Applicable Law. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires the Personal Data.
2. DATA PROCESSING
2.1. The Processor shall only process Personal Data for the Purpose as described in this Agreement.
In addition, financial data, such as your bank account details, will be processed if you order products on one of our websites or if you subscribe to certain services, insofar as this data is necessary for the payment of the subscriptions or products in question. Our servers may also automatically register certain data, such as the URL, IP address, browser type and language, and the date and time of your visit to our (mobile) websites (including apps).
2.2. The data will be processed exclusively within a Member State of the European Union (EU). Any transfer of data to a country which is not a Member State of either the EU or the EEA requires the prior consent of the Controller and is subject to compliance with the special requirements on transfers of personal data to countries outside the EU/EEA and in compliance with the technical and organizational measures.
2.3. Depending on how the Controller chooses to use the Service, the subject matter of Processing of personal data may cover the following types/categories of data:
- Personal data, such as contact data, identification data, personal features, physical features, living habits, education and schooling data, and occupational data;
- Technical data, such as the device’s IP address, device type (unique device identifiers), operating system and browser type, geographic location (country only), preferred language used to display the Hugo services, referring URL and domain, and the date and time when the Hugo services were used.
2.4. The group of Data Subjects affected by the Processing of their personal data under this Agreement includes end-users of the Controller’s services which make use of the Services provided by the Processor.
3. TECHNICAL AND ORGANIZATIONAL MEASURES
3.1. The Processor shall establish data security in accordance with the Applicable Laws. The measures to be taken must guarantee a protection level appropriate to the risk concerning the confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, must be taken into account.
3.2. The Processor warrants and undertakes in respect of all Personal Data that it Processes on behalf of the Controller that, at all times, it maintains and shall continue to maintain appropriate and sufficient technical and organizational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing. Such measures shall include, but are not limited to, physical access control, logical access control (i.e. non-physical access control measures such as passwords), data access control, data transfer control, input control and availability measures. For more detailed information on the latest state of the measures adopted by our hosting provider, please refer to the following link: https://aws.amazon.com/
3.3. The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures from time to time. In so doing, the security level of the defined measures must not be reduced.
4. PROCESSOR’S OBLIGATIONS
4.1. The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data.
4.2. The Processor’s obligations arising under the terms of this Data Processing Agreement apply also to whomsoever processes personal data under the Processor’s instructions.
5. TRANSMISSION OF PERSONAL DATA
5.1. The Processor will by default process personal data within the European Union.
5.2. In case the Processor needs to process personal data in countries outside the European Union or transfer personal data to a country outside the European Union, it will only do so provided that such countries guarantee an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this Data Processing Agreement and the GDPR. The Processor will also always notify the Controller in these cases.
6. ALLOCATION OF RESPONSIBILITY
6.1. The Processor shall only be responsible for processing the personal data under this Data Processing Agreement, in accordance with the Controller’s instructions and under the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and/or for other purposes.
6.2. Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Agreement.
7.1. ‘Sub-Processing’, in the meaning of this Agreement, does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data Processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller’s data, even in the case of outsourced ancillary services to Sub-processors.
7.2. The Processor is authorised within the framework of the Agreement to engage third parties, without the prior approval of the Controller being required. Upon request of the Controller, the Processor shall inform the Controller about the third party/parties engaged.
7.3. The Processor shall in any event ensure that such third parties will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.
7.4. The Controller agrees to the commissioning of the following sub-processors on the condition of a contractual agreement in accordance with applicable data protection laws:
- Amazon Web Services (Ireland): Secure Cloud Service Platform for Data Storage
- Google Ireland Limited (Ireland): Analytics
- Mollie (The Netherlands): Payment Service Provider
8. DUTY TO REPORT
8.1. In the event of a security leak and/or the leaking of data, the Processor shall, to the best of its ability, notify the Controller thereof without undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Processor will endeavour to ensure that the furnished information is complete, correct and accurate.
8.2. If required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
8.3. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:
- the (suspected) cause of the leak;
- the (currently known and/or anticipated) consequences thereof;
- the (proposed) solution;
- the measures that have already been taken.
9.1. The Processor will endeavour to take adequate technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under this Data Processing Agreement.
9.2. The Processor will take the following security measures:
- encryption of data containing personal data;
- security of network connections via Secure Sockets Layer (SSL) technology or comparable technology that provides at least the same security level;
- storage is set up in a Virtual Private Cloud (VPC - isolated network), reachable only via our hardening standards;
- storage and hosting according to the ISO 27001 standard.
9.3. The Processor does not guarantee that the security measures are effective under all circumstances. The Processor will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
9.4. The Controller will only make the personal data available to the Processor if it is assured that the necessary security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed by and between the Parties.
10. HANDLING REQUESTS FROM INVOLVED PARTIES
10.1. The Processor shall, to the extent legally permitted, promptly notify the Controller if the Processor receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, the right to object to the Processing, or its right not to be subject to automated individual decision-making.
10.2. Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as the right to be forgotten is possible, for the fulfilment of the Controller’s obligation to respond to a Data Subject’s request under the Applicable Law. The obligation to delete the Data Subject’s data shall at all times remain with the Controller. For the avoidance of doubt, the Processor will not undertake any data deletion efforts for and on behalf of the Controller.
11. NON-DISCLOSURE AND CONFIDENTIALITY
11.1. All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this Data Processing Agreement is subject to a duty of confidentiality vis-à-vis third parties.
11.2. This duty of confidentiality will not apply in the event that the Controller has expressly authorised the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this Data Processing Agreement, or if there is a legal obligation to make the information available to a third party.
12.1. The Controller will indemnify the Processor in respect of all liabilities, costs and expenses suffered or incurred by the Processor in its capacity as processor of the data of the Controller arising from any Security Breach in the terms of this Agreement or any negligent act or omission by the Controller in the exercise of the rights granted to it under the Applicable Law, provided that:
- The Processor, within reasonable time, notifies the Controller of any actions, claims or demands brought or made against it concerning any alleged Security Breach;
- The Processor will not compound, settle or admit to any actions, claims or demands without the consent of the Controller except by order of a court of competent jurisdiction;
- The Controller shall be entitled at its own cost to defend or settle any proceedings;
- The Processor shall not have acted on its own accord and independently of the instructions given to it by the Controller in its role as data processor in accordance with the provisions of this Agreement, except in specific situations as laid down in the Processor’s Terms of Service;
- This indemnity shall exclude any loss that has arisen out of negligence or willful act, default or omission of the Processor, its employees, contractors, sub-contractors or any other person outside the Controller’s control;
- Unless otherwise restricted or limited by any legislation in the applicable jurisdiction, the Controller’s maximum aggregate liability under this Agreement shall in no case exceed the maximum coverage paid out for such claim under the Controller’s insurance policy with respect to such claim. In the absence of an insurance policy, such liabilities, costs and expenses shall be capped at a level of one million Euros, whether in respect of a single claim or a series of claims arising from the same incident, except in the event of death or personal injury, where there shall be no limit; and
- Nothing in this Agreement shall restrict or interfere with the Controller’s rights against the Processor or any other person in respect of contributory negligence;
- The Processor’s right to claim damages shall be forfeited if the Processor fails to give written notice of any damages that may be sustained as aforesaid within ten (10) business days from the occurrence thereof, or commences to make good such damages before written notice is given as aforesaid.
12.2. The Processor will indemnify the Controller in respect of all liabilities, costs and expenses suffered or incurred by the Controller in its capacity as controller of the data of the Processor arising from any Security Breach in the terms of this Agreement or any negligent act or omission by the Processor in the exercise of the rights granted to it under the Applicable Law, provided that:
- The Controller, within reasonable time, notifies the Processor of any actions, claims or demands brought or made against it concerning any alleged Security Breach;
- The Processor shall be entitled at its own cost to defend or settle any proceedings;
- Unless otherwise restricted or limited by any legislation in the applicable jurisdiction, the Processor’s maximum aggregate liability under this Agreement shall, in no case exceed the maximum coverage paid out for such claim under the Processor’s insurance policy with respect to such claim;
- Nothing in this Agreement shall restrict or interfere with the Processor’s rights against the Controller or any other person in respect of contributory negligence.
12.3. In the event of a breach of this Agreement caused by the actions of a sub-processor, the Processor shall assign to the Controller the right to take such action under the sub-processor contract as it deems necessary in order to protect and safeguard Personal Data. The Processor acknowledges and agrees that it shall remain liable to the Controller for any breach of the terms of this Agreement or any sub-processor contract by any sub-processor and any other subsequent third-party processors appointed by it.
13.1. In order to confirm compliance with this Data Processing Agreement, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.
13.2. The audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data, and no earlier than two weeks after the Controller has provided written notice to the Processor.
13.3. The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
13.4. The costs of the audit will be borne by the Controller.
14. DURATION AND TERMINATION
14.1. This Data Processing Agreement is entered into for the duration set out in the Agreement, and in the absence thereof, for the duration of the cooperation between the Parties.
14.2. The Data Processing Agreement may not be terminated in the interim.
14.3. This Data Processing Agreement may only be amended by the Parties subject to mutual consent.
14.4. The Processor shall provide its full cooperation in amending and adjusting this Data Processing Agreement in the event of new privacy legislation.
15.1. The Data Processing Agreement and the implementation thereof will be governed by Dutch law.
15.2. Any dispute arising between the Parties in connection with and/or arising from this Data Processing Agreement will be referred to the competent Dutch court in the district where the Processor has its registered office.
15.3. In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
- 1. the Agreement;
- 2. this Data Processing Agreement;
- 3. additional conditions, where applicable.
15.4. Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.