Processing Agreement Horeko B.V.

GDPR – Processing Agreement

Version: March 2018

DEFINITIONS

  • GDPR, General Data Protection Regulation (Algemene Verordening Databescherming);
  • Data Subject, identified or identifiable natural person to whom the Personal Data relates;
  • Data Breach, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed;
  • Third Party, a natural or legal person, a public authority, an agency or any other body other than the Data Subject, neither the Controller nor the Processor, nor the persons authorised to process the Personal Data under the direct authority of the Controller or the Processor;
  • Services, the Services that will be provided to the Controller by Horeko B.V.;
  • EEA, the European Economic Area;
  • Data Protection Impact Assessment, an assessment of the impact of the intended Processing activities on the protection of Personal Data, which is conducted prior to carrying out the Processing;
  • Licence: the licence agreement between the parties for the performance of the Services, from which this Processing Agreement arises;
  • Personal Data, any data relating to an identified or identifiable natural person, as referred to in Article 4, paragraph 1 of the GDPR;
  • Sub-Processor, a non-subordinate Third Party involved by the Processor in the Processing of Personal Data in the context of the Contract, not being employees of the Processor;
  • Regulator, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), an independent administrative body appointed by law in the Netherlands to supervise the Processing of Personal Data;
  • Processor, Horeko B.V., established at Spaceshuttle 60 in Amersfoort, the Netherlands, with Chamber of Commerce number 55430171, which is the party Processing Personal Data on behalf of the Controller, without being subject to its direct authority;
  • Processing Agreement, this agreement including the attached Annexes;
  • Processing, any operation or set of operations that is performed with regard to Personal Data or sets of Personal Data, whether or not by automatic means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data;
  • Controller, a legal entity that purchases a Service from Horeko B.V. and determines, alone or together with others, the purpose of and the means for Processing the Personal Data;

WHEREAS:

  1. That the Controller, pursuant to Articles 28 and 32 of the GDPR, is obligated to enter into a Processing Agreement with the Processor and to ensure that the Processor provides sufficient guarantees with respect to the technical and organisational security measures in connection with the Processing to be carried out.
  2. That the Processor declares that it has taken appropriate technical and organisational measures to protect the Personal Data from loss or from any form of unlawful Processing. These measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the data to be protected, having regard to the state of the art and the costs of implementation.

HAVE AGREED AS FOLLOWS:

ARTICLE 1. FORMATION, DURATION AND TERMINATION

  1. This Processing Agreement commences on the date it is signed.
  2. This Processing Agreement is part of the Services and is valid for the duration of the licence for the Services.
  3. If the licence for the Services ends, this Processing Agreement will also end by operation of law. The parties cannot terminate the Processing Agreement separately from the licence for the Services.
  4. At the end or termination of the licence for the Services, the parties undertake to continue to comply with the provisions of the Processing Agreement with respect to confidentiality, liability, indemnification and all other provisions that by their nature are intended to continue after the end or termination.
  5. This Processing Agreement is part of the Services the Processor provides to the Controller and is necessary for its implementation. The Controller shall ensure that this Processing Agreement is signed in good time, correctly and in full by an authorised person. The Controller indemnifies the Processor against any claims, penalties or damage resulting from non-timely, incorrect or incomplete signing of this Processing Agreement.

ARTICLE 2. IMPLEMENTATION OF THE PROCESSING

  1. The Processor shall handle the Personal Data in a careful, proper and transparent manner during the execution of the Contract and will only process the Personal Data on the instructions of the Controller, in accordance with its written instructions and within the framework of the performance of the Services.
  2. The Processor shall process the Personal Data in accordance with this Processing Agreement and the applicable laws and regulations in the area of Personal Data protection, including the stipulations of the GDPR.
  3. The Personal Data to be processed by the Processor and the applicable Processing objectives to which this Processing Agreement relates are further described in Annex 2. The Processor will not process Personal Data for any other purpose, except on the explicit written instructions of the Controller or in the event of legal regulations containing different provisions.

ARTICLE 3. OBLIGATIONS OF THE PROCESSOR

  1. The Processor processes the data on behalf of the Controller, in accordance with its written instructions.
  2. The control over the Personal Data made available under this Processing Agreement shall never be vested in the Processor. The Processor does not make decisions about the receipt and use of the data, the duration of data storage or the provision to Third Parties.
  3. The obligations of the Processor arising from this Processing Agreement also apply to those who process the Personal Data under the authority of the Processor, including, but not limited to, employees of the Processor. The Processor further guarantees that persons and contracted parties acting under its authority, including its employees, will only process Personal Data lawfully and in accordance with this Processing Agreement and the GDPR.
  4. The Processor provides the Controller with all necessary assistance and cooperation in fulfilling the obligations incumbent on the parties under the GDPR and other applicable laws and regulations. With regard to the security of the Personal Data, the Processor shall in any case assist the Controller by conducting checks and inspections, conducting a data protection impact assessment, consulting with the Regulator in advance, complying with requests from the Regulator or any other government authority, complying with requests from Data Subjects and reporting a Data Breach.
  5. At the request of the Controller, the Processor will provide information to the Controller about the security measures taken to comply with the obligations under the GDPR, this Processing Agreement and other instructions of the Controller.
  6. When the Controller receives a request from a Data Subject who wishes to exercise his or her special rights, such as, but not limited to, a request to inspect, correct, supplement, delete or block Personal Data, to object to the processing of the Personal Data and a request for transferability of his or her own Personal Data, the Processor will send a response to the Controller within 14 days and will cooperate with the request within a period of 30 days.
  7. When a Data Subject makes a request to the Processor, as mentioned in the above paragraph, the Processor will refer this request to the Controller and the request will be handled by the Controller. The Processor may notify the Data Subject that it has referred the request to the Controller.

ARTICLE 4. OBLIGATIONS OF THE CONTROLLER

  1. The Controller will comply with applicable laws and regulations when processing the Personal Data.
  2. If the Controller fails to comply with applicable laws and regulations, the Controller will indemnify the Processor for damage suffered and/or to be suffered by the Processor.

ARTICLE 5. SUB-PROCESSORS

  1. The Processor is only entitled to outsource all or part of the execution of the work to Third Parties, such as Sub-Processors who are not working under the authority of the Processor, after the Controller has given its prior written consent. The Controller may attach conditions to this written consent, both in the area of confidentiality and with regard to compliance with the other obligations of this Processing Agreement. Permission from the Controller may also relate to a category of Sub-Processors.
  2. If work is partly or entirely outsourced to Third Parties, the Processor remains the point of contact and the party responsible for compliance with the provisions of this Processing Agreement at all times. The Processor also guarantees that these Sub-Processors will, at a minimum, assume the same obligations in writing as those agreed upon between the Processor and the Controller. At the request of the Controller, the Processor will also provide the Controller with access to the agreements with the Sub-Processors which include these obligations.
  3. The Controller herewith gives the Processor general permission to engage Sub-Processors and/or categories of Sub-Processors.
  4. The Processor will notify the Controller in writing no later than 7 days prior to an intended addition, replacement or adjustment of Sub-Processor(s), which will give the Controller the opportunity to object to these changes. In the event of an objection, the parties shall enter into negotiations with a view to finding a solution.
  5. The Processor will provide the Controller, at its request, with an overview of the Sub-Processors engaged by the Processor.

ARTICLE 6. TRANSFER

  1. The Processor will only process Personal Data, or have it processed, in countries within the European Economic Area (EEA). Transfer to other countries is only permitted with the prior written consent of the Controller and in accordance with applicable laws and regulations.
  2. The Controller has provided its written consent for the transfers mentioned in Annex 2.
  3. The Controller can only grant the Processor permission for a transfer of Personal Data to third countries or international organisations if an adequacy decision has been taken with regard to the third country or international organisation, appropriate security has been put in place or one of the conditions of Article 49, paragraph 1 of the GDPR has been met.

ARTICLE 7. SECURITY AND SUPERVISION

  1. The Processor shall take, maintain, and if necessary adapt appropriate technical and organisational measures to protect the Personal Data against loss and unlawful Processing.
  2. These measures will ensure an appropriate level of security, taking into account the state of the art, the costs of implementation and the risks represented by the Processing and the nature of the data to be protected. The measures are also aimed at preventing unnecessary collection and further Processing of the Personal Data. An overview of these measures and the relevant policy is included in Annex 2.
  3. After prior written notification, the Controller is entitled to take any necessary measures to investigate whether the Processor has taken adequate technical and organisational measures. In this regard, the Processor shall grant access to the Controller or a regulatory body that is subject to confidentiality, to supervise on behalf of the Controller. The Processor will provide its cooperation to the supervision, including making relevant information available. The costs of the supervision will be borne by the Controller. The Processor will immediately inform the Controller if, in the opinion of the Processor, an instruction from the Controller or the regulatory body infringes the GDPR and/or the other applicable laws and regulations.
  4. If, in the course of supervision, it is established that the Processor is not in compliance with the provisions of the Processing Agreement, the GDPR and/or other applicable laws and regulations with regard to the Processing of Personal Data, the parties will consult with regard to finding a solution.

ARTICLE 8. NOTIFICATION OBLIGATION FOR DATA BREACHES AND SECURITY INCIDENTS

  1. In the event of the discovery of a possible Data Breach, the Controller shall inform the Processor about all breaches of security and suspected breaches of security, as well as other incidents that must be reported to the Regulator or the Data Subjects pursuant to legislation, as soon as possible and in any case no later than 24 hours after discovery. The Processor is then obliged to undo or limit the consequences of such breaches and incidents as soon as possible.
  2. The Processor shall also, at the request of the Controller, provide any information that the Controller deems necessary to assess the incident. If the Processor discovers a Data Breach and/or security incident, the Processor will provide information that is similar to the information to be provided to the Regulator.
  3. After the notification of a Data Breach to the Controller, the Processor will keep the Controller informed of new developments regarding the Data Breach and the measures taken by the Processor to limit the scope of and end the Data Breach and prevent a similar incident in the future.
  4. The Controller shall assess whether the security breach referred to in paragraph 1 of this article poses a risk to the rights and freedoms of natural persons within the meaning of Article 33, paragraph 1 and Article 34, paragraph 1 of the GDPR.
  5. The Controller shall decide, in accordance with Articles 33 and 34 of the GDPR, whether it will report the breach to the Regulator without delay and/or inform the Data Subject(s) without delay. The Processor shall leave the reporting to the Regulator and the informing of the Data Subject(s) to the Controller.
  6. Where necessary, the Processor will cooperate fully with the Controller in the shortest possible time to adequately inform the Data Subject(s) and/or the Regulator of such security breaches.

ARTICLE 9. CONFIDENTIALITY

  1. All Personal Data that the Processor receives on the basis of this Processing Agreement is subject to an obligation of confidentiality towards Third Parties. All persons employed by or working on behalf of the Processor, under the authority of the Processor, as well as the Processor itself, are obliged to maintain the confidentiality of the Personal Data. To this end, the employees of the Processor will sign a declaration of confidentiality.
  2. The Processor will not provide the Personal Data to Third Parties, copy it, or otherwise reproduce or disclose it to Third Parties without the permission of the Controller.
  3. If the Processor receives a request from a Third Party to provide access to the Personal Data on the basis of an alleged obligation or legal obligation, it will first inform the Controller in writing before providing such Third Party with access to the Personal Data, to allow the Controller to assess whether the request of such Third Party is well-founded.

ARTICLE 10. RETURN OF PERSONAL DATA AND RETENTION PERIODS

  1. The Personal Data processed by the Processor in accordance with the Processing Agreement, will be destroyed at the request of the Controller or after expiry of the agreed or statutory retention period.
  2. Upon termination of the Agreement, the Processor will give the Controller the opportunity, for a period of two months, to move all the data, including Personal Data, that is retained by the Processor on the basis of this Processing Agreement and/or the information systems of the Processor to another location. The Processor is entitled to charge the costs incurred for this to the Controller.
  3. Two months after the end or termination of the Agreement, the Processor will remove or destroy all data, including Personal Data, that is retained by it under the Processing Agreement (including any copies thereof).

ARTICLE 11. LIABILITY

  1. The Controller is entitled to hold the Processor liable if the Processor fails to comply with the further instructions of the Controller and the obligations arising from this Processing Agreement, and if the Processor fails to comply with the provisions of the GDPR or other applicable laws and regulations in the area of privacy and protection of Personal Data.
  2. The Processor is liable for damage resulting from a failure to comply with the GDPR or other applicable laws and regulations and the provisions of this Processing Agreement, insofar as this damage is caused by the execution of work by the Processor, but this liability will never exceed the subscription amount under this Processing Agreement for six months prior to the damage-causing event. This limitation of liability will expire if and insofar as the damage is the result of deliberate intent or gross negligence on the part of the Processor.
  3. The Processor is not liable for indirect damage, including stagnation in the regular course of business of the company, loss of profit, missed savings and consequential damage suffered by the Controller in connection with, or caused by, the execution of the work by the Processor under this Processing Agreement.
  4. The Processor indemnifies the Controller against claims from the Data Subjects or other Third Parties, insofar as these claims relate to the Processing of the Personal Data and all other activities that the Processor performs or has performed for the Controller under this Processing Agreement, if this is the result of unlawful or negligent acts on the part of the Processor.

ARTICLE 12. FINAL PROVISIONS

  1. This Processing Agreement is governed exclusively by Dutch law. Disputes shall be submitted to the competent court in the district of Midden-Nederland.
  2. Deviations from this Processing Agreement shall only be valid if the parties agree to this in writing.
  3. If part of this Processing Agreement is null and void or voidable, the Processing Agreement shall otherwise remain in effect. The parties undertake to enter into reasonable consultations in order to agree on a replacement provision that reflects the substance of the void or voidable provision as much as possible.

ANNEX 1 – Overview of security measures

Description of the security measures taken by the Processor:

    • A finger scan login only stores a unique and illegible ID code. This code can never be traced back to a picture of a finger.
    • The Personal Data processed on behalf of the Controller are stored in a separate database within the application of the Processor. The Processor creates a unique database for each customer, in order to separate the data optimally.
    • In the event of malfunctions, in some cases a specific database is placed on the test server of the Processor. This test server is physically present at the office address of the Processor in Amersfoort. All sensitive data is rendered anonymous at the moment it is placed on the test server.
    • All traffic to and from the application of the Processor takes place via secure SSL connections (HTTPS). Unsecured connections are not permitted. All back-ups are stored in encrypted format.
    • Only the technical support staff of the Processor in the Netherlands have access to back-ups and the codes required for decryption.
    • Users of the application must have a password.
    • Internally, the data is secured by means of a username and password.

ANNEX 2a – Overview of the Processing of Personal Data and objective of the Processing

Applicable to: Horeko Employee Manager or Horeko Kitchen Manager together with Horeko Employee Manager

Description of activities and objective of the Processing

    • Personnel administration in the Horeko applications. The Data is processed to provide the Controller with a central location for its personnel administration.

Categories of Data Subjects:

    • Employees of the Controller

Categories of Personal Data:

    • First name and surname
    • E-mail address
    • Address details
    • Telephone number
    • Citizen Service Number (BSN)
    • Contract details
    • Passport photo
    • Fingerprint impression

Retention periods of the Personal Data (or the criteria for determining these periods):

Data will be stored in our application as long as the Controller is an active paying customer of Horeko B.V. Records of employees who leave the company of the Controller are kept in the system in order to be able to continue to comply with the retention obligation regarding hours worked. At such time as a Controller is no longer a customer of Horeko B.V., the relevant customer database will be deleted.

Transfer

The Controller authorises the Processor to perform the following transfer to Third Countries and/or international organisations:

Description of transfer:
The Processor has its own development team outside the EEA. This team only has access to anonymised databases on a test server, whereby the data always remains on the test server in the Netherlands. Only in very exceptional cases is there a non-anonymous database on the test server and a transfer of Personal Data. This will only take place after approval from managers in the Netherlands.

Recipient of the Personal Data:
Dedicated development team of Horeko B.V., Macedonia.

Appropriate guarantees:
Appropriate guarantees for such transfers have been put in place, by means of a model transfer contract, without additions or amendments, namely the Commission Decision of 5 February 2010 (2010/87/EU).

ANNEX 2 – Overview of the Processing of Personal Data and objective of the Processing

Applicable to: Horeko Kitchen Manager

Description of activities and objective of the Processing

    • HACCP registration in the Horeko applications. The data are processed to support the Controller to comply with mandatory Hazard Analysis and Critical Control Points (HACCP) legislation and to monitor the execution of mandatory tasks.

Categories of Data Subjects:

    • Employees of the Controller

Categories of Personal Data:

    • First name and surname
    • E-mail address
    • Address details
    • Telephone number

Retention periods of the Personal Data (or the criteria for determining these periods):

Data will be stored in our application as long as the Controller is an active paying customer of Horeko B.V. Records of employees who leave the company of the Controller are kept in the system in order to be able to continue to comply with the retention obligation regarding hours worked. At such time as a Controller is no longer a customer of Horeko B.V., the relevant customer database will be deleted.

Transfer

The Controller authorises the Processor to perform the following transfer to Third Countries and/or international organisations:

Description of transfer:
The Processor has its own development team outside the EEA. This team only has access to anonymised databases on a test server, whereby the data always remains on the test server in the Netherlands. Only in very exceptional cases is there a non-anonymous database on the test server and a transfer of Personal Data. This will only take place after approval from managers in the Netherlands.

Recipient of the Personal Data:
Dedicated development team of Horeko B.V., Macedonia.

Appropriate guarantees:
Appropriate guarantees for such transfers have been put in place, by means of a model transfer contract, without additions or amendments, namely the Commission Decision of 5 February 2010 (2010/87/EU).