Customer, being the Controller, and Supplier, the private company with limited liability Company.info B.V., established in (1096 BE) Amsterdam, the Netherlands, at Abram Dudok van Heelstraat 2, being the Processor, which are hereinafter also referred to individually as “Party” and jointly as “Parties“;

Taking into account that

1. In the context of acquiring the Product from the Supplier by the Customer, as agreed in a separate agreement, hereinafter: “the Agreement”, the Processor processes Personal Data as indicated below for the benefit of the Customer, being the Controller within the meaning of the General Data Protection Regulation (EU 2016/679) (hereinafter: the “GDPR”);
2. In this regard, the Parties agree as follows in this Data Processing Agreement, hereinafter: “DPA”, and in accordance with Article 28 of the GDPR, whereby capital words must be given the same meaning as defined in the GDPR.

Agree to the following:

1.1 This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in the context of the Agreement.

1.2 As a result of the Agreement, the Processor processes Personal Data on behalf of the Controller and on his instructions.

1.3 The Processor guarantees that it will process the Personal Data in a proper and careful manner, in accordance with the provisions of the Agreement, the GDPR and other applicable regulations regarding the processing of Personal Data, as well as any instructions or recommendations from the Dutch Data Protection Authority or another supervisory authority.

1.4 The Processor will only process the Personal Data on behalf of and in accordance with the instructions of the Controller. The Processor has no independent control over the Personal Data processed by the Controller. The Processor may not process the Personal Data for its own purposes and/or provide it to third parties and/or process it for other purposes, unless it is required to do so by legal obligations.

2.1 In accordance with Article 32 of the GDPR, the Processor will take appropriate technical and organizational measures to protect the Personal Data against loss or any form of unlawful processing.

2.2 The Processor has a demonstrable and documented information security policy and has developed the resulting internal controls on the operation of (privacy) compliance-related (production) systems, processes and facilities at the Processor.

2.3 The internal checks referred to in Article 2.2 are carried out by the Processor at least once a year and a log is kept of these with the date and time of the checks and the executive officer(s).

2.4 The Controller is at all times entitled to request (privacy) compliance provisions at the Processor in general and compliance with this Processing Agreement in particular, including but not limited to the measures taken by the Processor as described in this article, being examined by an, in the opinion of the Controller, independent expert. The Controller will announce such an investigation within a reasonable period to enable the Processor to make the necessary employees available for this. The costs of an external independent expert will be borne by the Controller. The Processor does not charge any costs to the Controller for facilitating and supervising the research.

2.5 If the Processor fails to take appropriate technical and organizational measures within the meaning of Article 2.1 and does not take the relevant measures within a period set by the Controller, the Controller is entitled to have those measures carried out at the expense of the Processor.

3.1 The Processor is only entitled to engage a third party to carry out its work if the Controller has given prior written permission to do so and if the same conditions as described in this agreement apply to the third party in question when processing the Personal Data.

3.2 The Processor will not engage third parties outside the EU in the performance of its work, unless the Controller has given prior written permission to do so and the Processor guarantees that the third party in question guarantees an appropriate level of protection and security of Personal Data within the meaning of the GDPR and proof thereof to the Controller.

3.3 Regardless of the provisions of Articles 3.1 and 3.2, the Processor will conclude a written sub-DPA with any subcontractor (sub-Processor) permitted by the Controller and will impose the same obligations on the subcontractor as those imposed on it under this DPA. In addition, the Processor will prohibit the subcontractor from engaging (sub sub) Processors in any sub-processor agreement. The said sub-Processor agreements are kept at the offices of the Processor and are made digitally and/or physically available to the Controller upon first request.

3.4 The Controller hereby gives the Processor permission to engage the following sub-processors:

• AWS cloud services, Ireland;
• Infosource Ltd, Bulgaria;
• Mendix Technology B.V., Netherlands and
• various data suppliers in the EEA.

4.1 The Processor is obliged to keep the Personal Data confidential and not to make these available directly or indirectly to third parties.

4.2 The Processor will ensure that those members of staff and any third parties who necessarily need to take note of the Personal Data comply with this confidentiality obligation by having them sign a confidentiality and integrity statement.

4.3 If the Processor receives a request from a supervisory authority, including but not limited to the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) and the Consumer & Markets Authority (“Autoriteit Consument & Markt”), to provide access to Personal Data or (privacy) compliance-related (production) systems, processes or facilities, the Processor will only do so after notification to and under the direction of the Controller. Processor will inform Controller of such a request a.s.a.p.

5.1 The Processor will make all Personal Data available to the Controller at the first request of the Controller, but no later than ten (10) working days after the end of this DPA or the end of the assignment.

5.2 The Processor is obliged to destroy the Personal Data within a reasonable period after the Agreement between the Parties is terminated.

6.1 The Processor will inform the Controller of issues which it can reasonably expect to influence the processing of Personal Data under the responsibility of the Controller.

6.2 The Processor will immediately inform the Controller of any incident or previously unrecognized risk of incidents that could predictably affect the confidentiality, availability, or integrity of the data processing.

6.3 The Processor is obliged to actively assist the Controller in the event of a data breach and any resulting reporting obligation for the Controller to the Dutch Data Protection Authority and/or data subjects.

6.4 The processor ensures that:

• at the first request of the Controller, the Processor enables the Controller to fulfill the notification obligations incumbent on the Controller under Articles 33 and 34 of the GDPR in the event of a breach of security of Personal Data, as set out in Article 6 of this DPA;
• The Processor keeps an overview of all security incidents and in particular any breach of the protection of Personal Data. The overview will in any case contain facts and information regarding the nature of the infringement, as referred to in Articles 33 and 34 GDPR.

7.1 Taking into account the nature of the Processing, the Processor will take appropriate technical and organizational measures and designate an employee as a contact person in order to provide adequate assistance to the Controller in fulfilling its obligation to process requests swiftly, and in any case within a period of one week., and to enable data subject to exercise their rights as set out in Chapter III of the GDPR.

7.2 The Processor will immediately inform the Controller if the Processor receives a request from a data subject to exercise the data subject’s rights set out in Chapter III GDPR.

7.3 The Processor will ensure that the Processor or sub-Processors engaged by it do not respond directly to the data subject to requests as referred to in Article 7.2 of this agreement, unless written instructions have been given to do so, in which case the Processor will inform the Controller of the request of the data subject, so that it can respond to the data subject’s request or instruct the Processor to respond to the data subject’s request and how this will be done.

8.1 Processor will cooperate with Controller in fulfilling its obligation to comply with Article 35 and Article 36 of the GDPR, regarding the carrying out of a data protection impact assessment, if applicable.

9.1 The Controller is liable for and indemnifies the Processor against fines, penalty payments and damage resulting from failure to comply with this agreement due to an act or omission of the Controller, as well as fines, charges and/or damage resulting from a violation by the Controller of the GDPR, the Telecommunications Act (“Telecommunicatiewet”) and all other applicable (European) privacy regulations.

9.2 The Processor is liable for and indemnifies the Controller against fines, penalty payments and damage resulting from failure to comply with this agreement due to an act or omission of the Processor and/or any (sub)processor engaged by the Processor, as well as fines, charges and/or damage resulting from a violation by the Processor and/or any (sub)processor engaged by the Processor of the GDPR, the Telecommunications Act (“Telecommunicatiewet”) and all other applicable (European) privacy regulations.

9.3 Without prejudice to what is provided in the Agreement or this DPA, the liability of each Party arising from or related to this DPA is subject to any total liability limitations as set out in the Agreement, unless it is a fine imposed by an enforcement authority, or unless the damage is the result of intent or deliberate recklessness on the part of the Party to whom the damage is attributable.

10.1 Changes to this DPA are only valid if agreed in writing between the Parties.

10.2 This DPA is a supplement to the Agreement between the Parties with regard to the supply of the Product by the Supplier to the Customer, has the same term as that Agreement and ends if that Agreement ends. However, the provisions in Articles 4 and 5 of this DPA will survive and remain in force.

10.3 Each of the Parties is entitled, without prejudice to the provisions of the Agreement, to suspend the implementation of this DPA or to terminate it with immediate effect without judicial intervention, if:

• the other Party is dissolved or otherwise ceases to exist;
• the other Party demonstrably fails to comply with the obligations arising from this DPA and that serious attributable failure has not been remedied within 30 days after a notice of default to that effect;
• a Party is declared bankrupt or applies for suspension of payments.

10.4 This DPA is exclusively governed by Dutch law. All disputes arising from this agreement will be submitted exclusively to the competent court in Amsterdam, the Netherlands.

10.5 This DPA is also available in Dutch and German. In the event of conflict or ambiguity, the provisions in the DPA in the Dutch language always prevail.

Appendix I

20-11-2023