Data Processing Agreement (DPA)

Data Processing Agreement for the Processing of (Special) Personal Data
This Data Processing Agreement forms an integral and inseparable part of the arrangements agreed upon by the Parties and laid down in the registration form (hereinafter: “the Agreement”).

BETWEEN
The Licensee
Company Name: [company name]
Hereinafter referred to as “the Controller”, of the one part,

AND
BenFit, De Meerheuvel 6a, 5221EA, ’s-Hertogenbosch,
Registered with the K.v.K., Dutch Chamber of Commerce, under number 82578168
Represented by Ton van der Heijden
Hereinafter referred to as “the Processor”, of the other part,

Hereinafter jointly referred to as “the Parties” or individually as a “Party”,

Whereas:

  • The Controller wishes to make use of the services of the Processor;
  • The Controller and the Processor have entered into the Agreement for this purpose;
  • The Processor may, in the performance of the Agreement, be regarded as a Processor within the meaning of Article 4(8) of the General Data Protection Regulation (hereinafter: “GDPR”);
  • The Controller is regarded as the Controller within the meaning of Article 4(7) of the GDPR;
  • Any reference in this Data Processing Agreement to personal data refers to personal data as defined in Article 4(1) of the GDPR;
  • The Processor is willing to comply with obligations regarding security and other aspects of the GDPR, to the extent within its power;
  • The GDPR imposes an obligation on the Controller to ensure that the Processor provides sufficient guarantees regarding the technical and organisational measures related to the processing to be carried out;
  • The GDPR also imposes an obligation on the Controller to monitor compliance with those measures;
  • The Parties, also in light of the requirement set out in Article 28 of the GDPR, wish to lay down their rights and obligations in writing through this Data Processing Agreement (hereinafter: “Data Processing Agreement”).

The Parties agree as follows:

  1. Purposes of the Processing

1.1 The Processor agrees, under the terms of this Data Processing Agreement, to process personal data on behalf of the Controller. Processing shall take place exclusively in the context of the performance of the Agreement, as well as any reasonably related activities or any activities defined with additional consent. Annex 1 of this Data Processing Agreement specifies the categories of data subjects and personal data involved.

1.2 The Processor shall not process the personal data for any purpose other than as determined by the Controller. The Controller shall inform the Processor of the purposes of the processing insofar as these are not evident from the Agreement or this Data Processing Agreement.

1.3 The Processor has no control over the purpose and means of the processing of personal data. The Processor shall not make autonomous decisions regarding the receipt and use of the personal data, the disclosure to third parties, or the retention period of personal data. Unless otherwise agreed, retention periods as stated in the privacy policy shall apply.

1.4 The Controller guarantees that, as of 25 May 2018, when the GDPR became applicable, it shall maintain a record of the processing activities governed by this Data Processing Agreement. The Controller indemnifies the Processor against any claims or demands related to non-compliance with this record-keeping obligation.

  2. Obligations of the Processor

2.1 With regard to the processing activities referred to in Article 1, the Processor shall ensure compliance with the conditions imposed by the GDPR for the processing of personal data in its role as Processor.

2.2 Upon request, the Processor shall inform the Controller of the measures it has taken with respect to its obligations under this Data Processing Agreement.

2.3 The obligations of the Processor under this Data Processing Agreement shall also apply to any persons processing personal data under the authority of the Processor.

2.4 The Processor shall inform the Controller if, in its opinion, an instruction from the Controller violates applicable privacy legislation and regulations.

2.5 The Processor shall provide the necessary cooperation to the Controller if a data protection impact assessment or prior consultation with the supervisory authority is required in the context of the processing.

  3. Transfer of Personal Data

3.1 The Processor is permitted to process personal data in countries within the European Union. Additionally, the Processor may transfer personal data to countries outside the European Union, provided that the Processor complies with the obligations arising from this Data Processing Agreement and applicable laws and regulations.

3.2 Upon request, the Processor shall inform the Controller in which country or countries the personal data is being processed.

  4. Allocation of Responsibility

4.1 The permitted processing activities shall be carried out within a (semi-)automated environment under the control of the Processor.

4.2 The Processor is solely responsible for the processing of personal data under this Data Processing Agreement, in accordance with the instructions of the Controller and under the express (ultimate) responsibility of the Controller. The Processor is expressly not responsible for other processing activities of personal data, including but not limited to the collection of personal data by the Controller, processing for purposes not disclosed by the Controller to the Processor, processing by third parties and/or processing for other purposes.

4.3 The Controller warrants that the content, use, and instruction for the processing of personal data as referred to in this Data Processing Agreement are not unlawful and do not infringe on the rights of third parties. The Controller indemnifies the Processor against all claims and demands from third parties relating to the lawfulness of the content, use, and instruction for the processing of personal data as set out in this Data Processing Agreement.

  5. Engagement of Third Parties or Subprocessors

5.1 The Controller hereby grants the Processor permission to engage third parties (subprocessors) in the context of this Data Processing Agreement, provided that the Controller may object to the engagement of a specific third party, but only if there are reasonable grounds to justify such an objection. Should the Controller object to a third party engaged by the Processor, the Parties shall consult with each other to reach a resolution.

5.2 The Processor shall ensure that these third parties undertake, in writing, the same obligations as those agreed between the Controller and the Processor with regard to the processing of personal data.


  6. Security

6.1 The Processor shall make efforts to implement appropriate technical and organisational measures for the processing of personal data, in order to protect against loss or any form of unlawful processing (such as unauthorised access, damage, alteration or disclosure of personal data).

6.2 The Processor shall endeavour to ensure that the level of security is not unreasonable, taking into account the state of the art, the sensitivity of the personal data, and the cost of implementing the security measures. The Processor does not guarantee that the security will be effective under all circumstances.

6.3 The Controller shall only make personal data available to the Processor for processing if the Controller has ensured that the required security measures have been taken. The Controller is responsible for compliance with the measures agreed between the Parties.

  7. Confidentiality

7.1 All personal data that the Processor receives from the Controller in the context of this Data Processing Agreement shall be subject to a duty of confidentiality towards third parties.

7.2 This duty of confidentiality shall not apply to the extent that:

  • the Controller has given express consent to disclose the information to third parties;
  • disclosure is logically necessary in view of the nature of the assignment and the execution of this Data Processing Agreement; or
  • there is a legal obligation to disclose the information to a third party.

  8. Handling Data Subject Requests

8.1 In the event that a data subject submits a request to the Processor to exercise any legal rights, the Processor shall forward the request to the Controller, who shall handle the request. The Processor may inform the data subject of this referral. If it becomes apparent that the Controller requires the assistance of the Processor in fulfilling a data subject request, the Processor shall cooperate and may charge the Controller for such assistance.

  9. Duty to Report

9.1 In the event of a data breach (defined as a breach of security leading to a significant risk of, or actual, adverse consequences for the protection of personal data, as referred to in Article 33 of the GDPR) involving the Controller’s personal data, the Processor shall make every effort to inform the Controller as soon as possible. The Processor shall endeavour to ensure that the information provided is as complete, accurate, and correct as possible.

9.2 If required by law and/or regulations, the Processor shall cooperate in notifying the relevant supervisory authorities and, where applicable, the data subjects concerned.

9.3 The duty to report shall in any case include notification of the fact that a breach has occurred, as well as:

  • the (alleged) cause of the breach;
  • the (currently known and/or expected) consequences;
  • contact details for follow-up regarding the notification.

  10. Audit

10.1 The Controller has the right to have audits conducted by an independent Registered EDP Auditor who is bound by confidentiality, to verify compliance with the provisions of this Data Processing Agreement.

10.2 Such an audit shall only take place in the event of a concrete and substantiated suspicion of misuse of personal data, and only after the Controller has requested and reviewed similar audit reports held by the Processor and provided reasonable arguments justifying an audit initiated by the Controller. Such an audit shall be justified if the audit reports available from the Processor do not or insufficiently clarify the Processor’s compliance with this Data Processing Agreement. The Controller shall announce the audit to the Processor in advance, allowing at least two weeks’ notice.

10.3 The findings resulting from the audit shall be evaluated by the Parties in mutual consultation and may, depending on the outcome, be implemented by one or both Parties.

10.4 The costs of the audit shall be borne by the Controller.

  11. Duration and Termination

11.1 This Data Processing Agreement is concluded by the signatures of the Parties and shall remain in effect for the duration of the Agreement and, in the absence thereof, for the duration of the (continued) cooperation.

11.2 This Data Processing Agreement may only be amended in writing and with the mutual consent of both Parties.

11.3 The Parties shall cooperate fully to amend and adapt this Data Processing Agreement to comply with any new privacy legislation.

11.4 Upon termination of the Data Processing Agreement, for whatever reason and in whatever manner, the Processor shall return all personal data in its possession, whether in original or copy form, to the Controller, and shall subsequently delete and/or destroy said data and any copies thereof.

  12. Other Provisions

12.1 This Data Processing Agreement and its execution shall be governed by Dutch law.

12.2 All disputes arising between the Parties in connection with this Data Processing Agreement shall be submitted to the competent court in the district where the Processor is established.

12.3 Logs and measurements recorded by the Processor shall constitute conclusive evidence, subject to evidence to the contrary provided by the Controller.

ANNEX 1 – Specification of Personal Data and Data Subjects

In the context of the Agreement, the Processor shall process the following (special) categories of personal data on behalf of the Controller:

The Processor shall, on behalf of the Controller, process the following types of personal data of participants:

  • Name, address, place of residence, and telephone number (NAPT data)
  • Email address

Special categories of data:

  • Date of birth
  • Gender
  • Height
  • Fat percentage
  • BMI
  • Fat mass
  • Occupational and sport-related adjustments
  • Anthropometric measurements
  • Target weight and target body fat percentage
  • Physical complaints
  • Name of the coach

The following categories of data subjects are concerned:

  • License holders
  • Clients of license holders

The Controller warrants that the personal data and categories of data subjects described in this Annex 1 are complete and accurate, and indemnifies the Processor against any deficiencies and claims arising from an incorrect representation by the Controller.