The capitalized terms in these Processor Terms and Conditions are defined in the General Data Protection Regulation (EU 2016/679, GDPR). In addition the following terms are used:
Data Breach: shall mean a breach (within the meaning of Articles 33 and 34 GDPR) involving personal data received by the Processor from or via the Controller.
Personal Data: shall have the meaning as defined in the GDPR; under these Processor Terms and Conditions it applies only to Personal Data that have been provided to the Processor by, on behalf or via the Controller.
Processor Terms and Conditions: shall mean these terms and conditions including the preamble and appendices.
Article 1. Terms and Conditions
- Under these Processor Terms and Conditions, the Processor undertakes to process Personal Data under the instructions of the Controller. Processing will take place only within the framework of the Main Agreement, i.e. for the provision of MTinfo 3000 services for the Controller and related online services, for cloud storage of data from the Controller and related online services, plus any purposes that are reasonably related to this or that are stipulated in further detail between the parties.
- Except for performing statistical meta-analyses with regard to its services, the Processor will not use the Personal Data for any other purposes than those specified in these Terms and Conditions. The Processor will not make any decisions about the use of Personal Data, the provision of data to third parties and the duration of the storage of Personal Data other than as specified in these Terms and Conditions.
- The Personal Data to be processed at the instructions of the Controller will remain the property of the Controller and/or the data subjects in question. All (intellectual) property rights – including copyrights and database rights – to the collected Personal Data or copies or updates thereof are owned at all times by the Controller or its licensor(s).
Article 2. Obligations
- With regard to the processing referred to in Article 1, the Processor will ensure compliance with the applicable laws and regulations, including in any case the laws and regulations governing the protection of personal data, such as the GDPR.
- The Processor will inform the Controller upon first request about the measures it has taken with regard to its obligations under these Processor Terms and Conditions.
- The Processor’s obligations under these Processor Terms and Conditions also apply to anyone who processes Personal Data under the authority of the Processor, including but not limited to employees.
Article 3. Engaging third parties or subcontractors
- The Processor is permitted to use third parties or subcontractors within the framework of these Processor Terms and Conditions, provided the Processor notifies the Controller in advance. The Processor currently uses the services of Rootnet (https://www.rootnet.nl/) for data storage. The Processor uses Vodafone and T-Mobile as its telecommunication service providers for “Critical IoT”-services. KPN and Tele2 are also used for “Massive-IoT” services (including sensors). In addition, Processor shares data with API providers, such as RailAlert if the person concerned gives permission for this. The Controller will be notified as soon as new or other parties are used for the processing of Personal Data.
- The Processor will ensure that these third parties or subcontractors assume the same obligations in writing as those in effect between the Processor and the Controller.
Article 4. Transfer of personal data
- The Processor is allowed to process the Personal Data within the European Union. The Processor is also allowed to transfer the personal data to countries outside of the European Union, provided the laws governing the transfer of Personal Data to third countries are observed.
- If this is the case, the Processor shall inform the Controller which country or countries the data is sent to.
Article 5. Division of responsibility
- The Processor will provide the Controller with ICT tools for the processing, to be used for the purposes described above.
- The Processor is only responsible for the processing of the Personal Data under these Processor Terms and Conditions, in accordance with the instructions of the Controller and at the express (final) responsibility of the Controller. The Processor is explicitly not responsible for any other processing of Personal Data, in any case including but not limited to the collection of the Personal Data by the Controller, processing for purposes that have not been communicated by the Controller to the Processor, processing by third parties and/or for other purposes.
- The Controller guarantees that the content, the use and the instructions to process the Personal Data, within the meaning of these Processor Terms and Conditions, are not illegitimate and do not infringe on any rights of third parties.
Article 6. Security
- The Processor will take appropriate technical and organizational measures with regard to the processing of Personal Data to prevent loss or any form of illegitimate processing (such as unauthorized inspection, access, change or disclosure of the Personal Data).
- The Processor does not guarantee that the security measures will be effective under all circumstances, but it will make reasonable effort to provide a level of security that is appropriate in light of the state of the art, the sensitivity of the Personal Data and the cost of implementing the security measures.
- The Controller shall supply the Processor with Personal Data for processing only after confirming that the required security measures have been taken. The Controller is responsible for compliance with the measures agreed to by the Parties.
Article 7. Duty to report
- The Controller is responsible at all times for reporting any Data Breaches. To enable the Controller to comply with this statutory duty, the Processor shall inform the Controller of a Data Breach as soon as he becomes aware that a Data Breach has occurred at the Processor or at any third parties or subcontractors engaged by the Processor involving Personal Data that are processed for the Controller.
- The duty to report in any case involves reporting the fact that there has been a breach. In addition, the duty to report includes:
- The (suspected) cause of the breach
- The consequences (that are known so far and/or expected)
- Who will act as the contact person for follow-up on the Data Breach
- The Processor will assist the Controller in the performance of its duties under Articles 33 and 34 GDPR with due observance of the Controller’s procedures. The Controller will reimburse the Processor for all reasonable costs incurred in this context.
- The Processor will keep the Controller informed of new developments concerning the Data Breach and of the measures taken by the Processor to limit the consequences of the Data Breach and to prevent a reoccurrence.
Article 8. Handing requests from data subjects
- If a data subject submits a request, as referred to in Articles 15 through 22 of the GDPR to the Processor, the Processor will forward such request to the Controller, and the Controller shall handle the request. The Processor is allowed to inform the data subject of this.
- The Processor shall fully cooperate with the Controller to fulfill the obligations under Articles 15 through 22 of the GDPR within the statutory periods. The Controller shall reimburse the Processor for all reasonable costs incurred in this context.
Article 9. Secrecy and confidentiality
- All Personal Data the Processor receives from the Controller and/or collects itself within the framework of these Processor Terms and Conditions are subject to a duty of confidentiality with regard to third parties. The Processor shall not use this information for any purposes other than those for which it received this information, not even if it is provided in such a way that the data subjects cannot be identified.
- This duty of confidentiality does not apply insofar as the Controller has given explicit permission to supply the information to third parties, if the provision of the information to third parties is logically necessary in light of the nature of the provided instructions and the implementation of these Processor Terms and Conditions, or if the law requires the provision of the information to a third party.
- The Processor will impose a duty of confidentiality with regard to the Personal Data to its employees and any other parties it engages as part of its services and who have access to the Personal Data.
- After the expiration of the Main Agreement and these Processor Terms and Conditions, this Article 9 and the confidentiality rules set out here shall remain in force.
Article 10. Audit
- The Controller has the right to perform audits to monitor compliance with the obligations of the Processor arising from these Processor Terms and Conditions.
- This audit shall be announced at least two weeks in advance to give the parties the opportunity to properly prepare. The audit shall take place no more than once a year and not before the Controller has asked for and reviewed the Processor’s certifications, (audit) reports and similar documents, and has presented sufficiently compelling reasons justifying an audit initiated by the Controller.
- The Processor shall cooperate with the audit and make available all information that is reasonably relevant for the audit, including supporting data such as system logs and employees, as soon as possible.
- The findings from the performed audit shall be assessed by the Processor and the Controller in mutual consultation, and based on this assessment they shall be implemented by one of the parties or by both parties together.
- The costs of the audit initiated by the Controller shall be borne by the Controller.
Article 11. Liability
- In the event the Processor is liable for any losses suffered by the Controller or third parties, this liability is limited to what is specified in this Section.
- The Processor is not liable for any losses, of whatever nature, resulting from the incorrect use of its services including MTinfo 3000, or for losses that are the result of the Processor using incorrect and/or incomplete data provided by or on behalf of the Controller.
- In the event the Processor is liable for any losses, the Processor’s liability is always limited to the amount paid out by its insurer.
- If the Processor’s insurer does not cover the loss, the Processor shall pay compensation for the loss up to an amount that is equal to twice the invoice amount of the provided services in the year in question under the Main Agreement; this only includes the invoice amount of the services to which the liability applies.
- The Processor shall only be liable for direct losses. Direct loss is defined exclusively as (i) direct financial loss suffered by the Controller, (ii) the reasonable cost of determining the cause and scope of the loss, insofar as the determination pertains to a loss in the sense of these Terms and Conditions, (iii) any reasonable costs incurred in making the defective performance of the Processor comply with these Terms and Conditions, insofar as these can be imputed to the Processor, and (iv) reasonable costs incurred to prevent or limit losses, insofar as the Controller can show that these costs resulted in the limitation of direct losses within the meaning of these Terms and Conditions. With regard to the aforementioned direct losses, the Processor shall be required to compensate the Controller in such a way that the Controller’s position is what it would have been had the Processor fulfilled its obligations as it should have.
- The Processor shall not be liable for indirect losses, including consequential loss, lost profit, missed savings and losses due to business interruption.
- Deficiencies of whatever nature in the services provided by third parties, such as data storage or telecommunication service providers cannot be imputed to the Processor and the Processor is not liable for any losses caused by these deficiencies.
- The limitations of liability included in this Section shall not apply if the loss is due to gross negligence on the part of the Processor.
Article 12. Force majeure
- The Processor is not required to fulfill any obligations under these Terms and Conditions if it is prevented from doing so by circumstances for which it is not at fault and for which it is not responsible on the basis of the law, a legal action or generally accepted standards, including force majeure.
- In these Terms and Conditions, force majeure includes, in addition to what is included in the law and case law, all external causes, foreseen and unforeseen, over which the Processor has no influence but as a result of which the Processor is not able to fulfill its obligations, including delays or imputable failures on the part of producers and/or suppliers, transportation and communication difficulties, computer system failures and strikes. The Processor also has the right to invoke force majeure if the circumstance preventing (further) compliance with the Terms and Conditions occurs after the Processor should have fulfilled its obligation.
- The Processor is allowed to suspend the obligations under the Terms and Conditions while the force majeure lasts. If this period lasts longer than two months, each of the parties has the right to terminate the Main Agreement without being required to compensate the other party.
Article 13. Indemnification
- The Controller indemnifies the Processor against any claims from third parties who suffer loss related to the implementation of these Terms and Conditions that can be imputed to someone other than the Processor.
- If such a claim is brought against the Processor by a third party, the Controller is required to assist the Processor in and out of court and to do whatever can be expected of the Controller in that case without delay. If the Controller fails to take adequate measures, the Processor has the right to take its own measures without further notification. All resulting costs and losses on the part of the Processor and third parties are fully at the Controller’s cost and risk.
Article 14. Duration and termination
- These Processor Terms and Conditions are entered into for the duration specified in the Main Agreement, or in the absence thereof, in any case for the duration of the cooperation. The Processor Terms and Conditions will continue to apply to the processing of Personal Data by the Processor as long as the Processor processes these data or has them processed by a third party.
- As soon as the Processor Terms and Conditions are terminated, for whatever reason and by whatever method, the Processor shall remove and/or destroy all Personal Data in its possession and any copies thereof after 1 year. The Processor specifies this period because the data in question may be needed later on in the context of the infrastructural services provided by the Processor.
- These Processor Terms and Conditions can be changed in the same manner as the Main Agreement.
- The parties undertake to update these Processor Terms and Conditions in mutual consultation to reflect any amendments to privacy laws and regulations.
Article 15. Applicable law
- Processing of Personal Data by the Processor is subject exclusively to these Terms and Conditions and the Main Agreement. Any terms and conditions of the Controller explicitly do not apply.
- These Terms and Conditions are subject exclusively to Dutch law. Any disputes in relation to these Terms and Conditions shall be brought exclusively before the District Court of ‘s-Hertogenbosch and shall be heard in accordance with Dutch procedural law.