Data Processing Agreement VisualRadioAssist

  • .

THE UNDERSIGNED:

  1. VisualRadioAssist, a company having its address at Telwal 25, 8375 CL in Oldemarkt and registered in the Trade Registry of the Dutch Chamber of Commerce with the number 72986654 ("Controller"; and

  2. Buyer of the software, as mentioned on the quotation (“Processor”).

Hereafter jointly referred to as “Parties”.

WHEREAS:

  • Controller offers a software, which can be used for supporting internal activities while making Visual Radio, during which Controller obtains Personal Data (as defined below) of multiple Data Subjects (as defined below);
  • Controller requests some forms of data processing to be performed by the Processor (the “Assignment”);
  • The Processor is willing to process the Personal Data for the Controller;
  • The Processor will process the Personal Data under the responsibility of the Controller; and
  • With regard to Article 28 of the General Data Protection Regulation (the “GDPR”), both Parties wish to establish their rights and duties in connection to the processing of Personal Data by the Processor in this agreement.

DECLARE TO HAVE AGREED AS FOLLOWS:

Article 1 - Definitions

Agreement The Data Processing Agreement is part of the Terms and Conditions.

GDPR The General Data Protection including all (Dutch) implementation legislation which is based on the GDPR and the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens) in the case the agreement is entered into before 25 May 25 2018.

Data Subject The natural person to whom Personal Data relates.

Appendix The appendix of this agreement, which contains an overview of the Personal Data that the Parties expect to process, the manner in which the Personal Data will be processed, the purposes and means of the processing and the usage and retention periods of Personal Data.

Data Breach Every situation in which, due to a security incident, Personal Data are unintentionally accessed by an unauthorized person or are lost, destroyed, amended or unlawfully processed.

Assignment All services which the Processor provides to the Controller and all other forms of collaboration, under which Processor processes Personal Data as defined in the GDPR.

DPIA Data Protection Impact Assessment as defined in article 35 of the GDPR.

Personal Data Every Personal Data concerning an identified or identifiable natural person that the Processor obtains during the execution of the Assignment.

Sub Processor Each party that is assigned to process the Personal Data on behalf of the Processor, which the Processor, based on this agreement, is authorized to process for the Controller.

Article 2 – The Data Subjects

  1. To be able to execute the Assignment, the Processor processes Personal Data from the Data Subjects. These Data Subjects are the following groups of persons:
  2. Employees who are employed by the Controller.
  3. Visitors of the website of the Controller.
  4. Visitors of the Controllers’ website.
  5. Personal Data of other Data Subjects are not processed by the Processor on behalf of the Controller.

Article 3 – The execution of processing

  1. The Processor agrees to execute the Assignment for the Controller under the conditions of this agreement and in compliance with the GDPR.
  2. The Controller holds and continues to hold the complete control over the Personal Data. The Processor processes the Personal Data lawfully, fairly and in a transparent manner.
  3. The Processor processes the Personal Data exclusively for the purpose of fulfilling the Assignment. The Processor complies with the written instructions of the Controller, in accordance with the purposes and means determined by the Controller in the Appendix and subject to the retention periods mentioned in the Appendix.
  4. The Processor does not make use of a Sub Processor unless the Controller gives its written consent to the Processor to do so.
  5. The Controller hereby gives the written permission to the Processor to use one or more Sub Processors when processing the Personal Data.
  6. The Processor undertakes the Sub Processors to comply with the same obligations as the obligations of the Processor under this agreement.
  7. The Processor remains responsible for the correct fulfillment of this agreement.
  8. The Processor informs the Controller when the Processor starts sharing Personal Data with a Sub Processor.

Article 4 - The rights of Data Subjects

  1. The Processor ensures that the Data Subject can exercise all his/ her rights deriving from the GDPR and/ or all other applicable laws and regulation.
  2. At first request of the Controller, the Processor will perform the following actions as soon as possible, but at least within five working days after the Controller has submitted the request:
    1. To provide the necessary information;
    2. To improve, complete, erase or shield the Personal Data and;
    3. To transfer the Personal Data to the Controller or to a third party which is designated by the Controller.

Article 5 – Data Protection Impact Assessment

  1. In the event the Controller is obliged to perform a DPIA, the Processor supports and cooperates with the Controller in order to comply with the execution of a DPIA.
  2. The Processor supports and cooperates with the Controller with the implementation of new (security) measures that must be taken resulting from a DPIA.
  3. The Processor will only charge reasonable costs to the Controller for fulfilling these obligations. These reasonable costs do not exceed a maximum of €«bedrag» per hour.
  4. The Processor supports and cooperates with the Controller with the implementation of new (security) measures that have to be taken as a result of further analyses and changes, such as changing (insights into) legislation.

Article 6 - Security measures

  1. The Processor shall implement appropriate technical and organizational measures which are necessary to protect the Personal Data adequately and to keep these Personal Data protected adequately against any kind of loss or any kind of carelessness or any kind of inexpert or unlawful use or processing. The Processor makes sure that the protection adheres to the actual state of the data protection technique.
  2. The Processor undertakes, at least, the following measures:
  3. Encryption of digital files containing Personal Data.
  4. Securing networks via Secure Socket Layer (SSL) technology or via technology that has a comparable security level.
  5. The Personal Data is protected in a way that is compatible with the ISO 27001 norm.
  6. Gathered IP-addresses are anonymized.
  7. The Processor guarantees that persons that act under its authority only process the Personal Data in a lawful manner and in compliance with this agreement and the GDPR.
  8. If the Processor fails to take appropriate technical and organizational security measures and, consequently, fails to take appropriate measures within a reasonable time, the Controller is entitled without prejudice to its other rights under this agreement and/ or the law to carry out these measures or to have these measures carried out at the expense of the Processor.
  9. The Processor will immediately inform the Controller in case of a data breach concerning Personal Data. The Processor will do so as soon as possible, but at least within 24 hours. The Processor does not charge any costs for this.
  10. At the request of the Controller, the Processor will provide the Controller with information about the measures being taken to comply with the GDPR and/ or all other relevant laws and regulation, this agreement and all other instructions of the Controller.

Article 7 – Record of processing activities

  1. The Controller shall maintain a record of processing activities under its responsibility. This record contains the name and contact details of the Controller, the purpose of the processing, a description of the categories of Data Subjects and the categories of personal data.
  2. The Processor shall maintain a record of processing activities under the Assignment. This record contains the name and contact details of the Controller as well as the Processor, the purpose of the processing on behalf of the Controller, a description of the categories of Data Subjects, the categories of personal data and a description of the technical and organizational security measures.

Article 8 - Transfer of Personal Data

  1. The Processor only processes Personal Data to a third country when:
    1. That third country has an adequate level of protection;
    2. The transfer is subject to appropriate safeguards or;
    3. There is a derogation for a specific situation which allows the transfer of the Personal Data out of the EU.
  2. The Processor only transfers Personal Data to countries and/ or organizations that are outside of the EU when the Controller has given its consent for these transfers.
  3. The Controller hereby gives its consent for the transfer of Personal Data to (organizations in) the following Countries: all Countries.
  4. The Processor only transfers Personal Data to the countries in paragraph 3 when the requirement from paragraph 1 is fulfilled.
  5. The Processor reports the Controller within which country or countries Personal Data are processed. The Processor also reports the Controller when due to a data breach or for any other reason Personal Data is processed erroneously in a third country.

Article 9 - Confidentiality

  1. All Personal Data processed by the Processor is subject to confidentiality towards third parties. The Processor and all persons employed by the Processor and/ or working on behalf of the Processor are obliged to maintain confidentiality of the Personal Data.
  2. The Processor ensures that all persons employed by the Processor and/ or working on behalf of the Processor are obliged to observe confidentiality.
  3. Confidentiality is not applicable if this agreement provides otherwise and/ or if a statutory provision or judicial judgment requires publication.
  4. The Processor will immediately inform the Controller of any request for access, distribution or other form of retrieval and notification of the Personal Data in violation of the confidentiality included in this article. The Processor will do this within 24 hours after the discovery of the breach of confidentiality.

Article 10 - Duration and termination of this agreement

  1. This Data Processing Agreement is part of the agreement and will apply as long as the Agreement lasts.
  2. After the expiry of the agreement, the data processing agreement will also expire automatically.
  3. The agreement can be terminated by the end of the extended period by registered letter. The notice period is 1 month.
  4. If this agreement ends or is dissolved, the provisions of this agreement with regard to confidentiality, liability, indemnity and all other provisions that by their nature are intended to continue after termination or termination of this agreement shall remain in force.
  5. Parties can terminate this agreement with immediate effect by registered letter, in case of:
    1. application by or the provision of a suspension of payments procedure (surseance van betaling) to the other party;
    2. application for bankruptcy by or bankruptcy (faillissement) of the other party; or
    3. liquidation of the other party (liquidatie) or non-temporary discontinuation of the company (stopzetten van de onderneming) of the other party.

Article 11 – Removing the Personal Data


  1. The Processor shall make all Personal Data available to the Controller at the first request of the Controller, but at the latest within 10 working days after the termination of this agreement or the Assignment.
  2. The Processor is obliged to completely and irrevocably erase all Personal Data at the first request of the Controller.
  3. As soon as after the termination of this agreement it is certain that the Controller has all Personal Data in a format accepted in writing by the Controller, the Processor will erase all Personal Data completely and irrevocably within 14 days.
  4. The Processor may deviate from the obligations under paragraph 1 and paragraph 2 of this article in the event Personal Data must be retained during a statutory retention period or if it is necessary for it to prove the fulfilment of its obligations to Controller.

Article 12 – Liability

The Processor is liable for and indemnifies the Controller from all damage caused by the Processor and/or its processing of Personal Data which infringes this agreement or the GDPR and/or relevant legislation.

Article 13 – Audit

  1. To monitor the compliance to this agreement the Controller has the right to audit the Processor once a year. The audit can be conducted by the Controller in the event of permission thereto of the Processor or can be conducted by another auditor mandated by the Controller.
  2. The costs of the audit are for the account of the Controller, with the exception of the costs of the Processor’s personnel accompanying the audit. If the audit shows that the Processor is materially in breach of the agreement, all costs of the audit are for the account of the Processor, without prejudice to the other rights of the Controller. If the Processor is in default, yet the default is not material, the Processor shall repair the default as soon as possible.
  3. The Controller will notify the Processor of the audit in writing 10 days before the start of the audit. With this notification the Controller provides the Processor with an explanation of what is to be investigated and how the investigation will take place.
  4. In the event the Processor conducts its own audit by an independent certified party, the Processor makes the outcomes of the audit available to the Controller.

Article 14 – Penalty

In the event of a breach of an obligation under this agreement, the Processor shall compensate damages that the Controller has incurred due to the breach of this agreement by the Processor.

Article 15 – Invalid provisions

If at any time a provision of the agreement is wholly or partially invalid or unenforceable under the applicable legislation and regulations, the other provisions or parts of the provisions of the agreement will continue to apply. The Parties will negotiate in good faith to replace the provision in question with a valid and enforceable provision that differs as little as possible from the original provision in light of the purpose and scope of the agreement.

Article 16 – Miscellaneous

  1. The Agreement may only be amended or changed in writing by the Parties.
  2. The Processor is not entitled to suspend the fulfilment of its obligations under this agreement, nor to settle or to make it conditional to any action or statement of the Controller. Default of the Controller to the Assignment or cancellation of the agreement based on which the Assignment is performed can in no way lead to non-compliance with the obligations of the Processor under this agreement.
  3. This agreement prevails over all other agreements between the Controller and the Processor.

Article 17 – Governing law and jurisdiction

  1. The agreement, and any non-contractual rights and obligations arising thereto, are completely governed by and will completely be interpreted in accordance with the laws of The Netherlands.
  2. All disputes between Parties related to this agreement, or the agreements concluded in the performance of, or in connection with the agreement, will be submitted exclusively to the competent court of Overijssel.

APPENDIX

Categories of Personal Data.

Information you provide

We collect the following information you provide us with directly:

Customer data User / Manager:

  1. Your first name;
  2. Your last name;
  3. Company name / name radio station
  4. Your phone number;
  5. Your address;
  6. Your country;
  7. Your date of birth;
  8. Chamber of Commerce number
  9. VAT number
  10. Phone number;
  11. Customer number

Platform user of VisualRadioAssist

  1. Username
  2. Password
  3. E-mail address
  4. Other profile information

Other categories

  1. Access control: log access

We collect data from our websites. Therefore, we created the privacy policy for our website.

The execution of the procession.

We will not rent or sell your information to third parties outside, unless you give us explicit permission to do this.

Purposes and means of the procession

We use all of the information we have to help us provide and support our Services. Here is how:

  1. remember information so you will not have to re-enter it during your visit or the next time you visit the Service;
  2. provide, improve, test, and monitor the effectiveness of our Service;
  3. To help you efficiently access your information after you sign in;
  4. monitor metrics such as total number of visitors, traffic, and demographic patterns;
  5. diagnose or fix technology problems;
  6. develop and test new products and features; and

Communications

We may use your information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link.

All information we collect is used to work more efficiently and provide you the best experience with our Service.

Legal requests and preventing harm

We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. We may also access, preserve and share information when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves, you and others, including as part of investigations; and to prevent death or imminent bodily harm. Information we receive about you may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of our terms or policies, or otherwise to prevent harm.

VisualRadioAssist has taken appropriate technical and organizational measures by using the latest technologies to protect your information against loss or unlawful processing.

International transfer

Your information may be transferred to, and maintained on computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. If you are located outside Netherlands and choose to provide information to us, please note that we transfer the information to The Netherlands. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

Terms of usage and retention

In accordance with the GDPR and the other relevant legislation, VisualRadioAssist does not store any personal data longer than is necessary for the realisation of the purposes for which it is collected or processed. For customer contact details, this period is set at 2 years. The legal retention periods apply to customer data for administration purposes. For access control this period is set at 6 months after the right of access expires.

Right to access, right to corrections, right to object and right to data portability.

If you want to view your personal data, change or delete your data or if you want to transfer your data in whole or in part to you or a third party, you can contact VisualRadioAssist by sending an e-mail to info@ visualradioassist.live or send a letter to:

VisualRadioAssist B.V.

Telwal 25

8375 CL in Oldemarkt

If you do not agree the way we handle your data, you can submit a complaint to the Dutch Data Protection Authority.


VisualRadioAssist B.V. © 2020