Agreement Digital Testing System (Annex 4 to the RFP Digital Testing System) Annex 1 - Data Processing Agreement

Transcription

1 Agreement Digital Testing System (Annex 4 to the RFP Digital Testing System) Annex 1 - Data Processing Agreement ANNEX 1 DATA PROCESSING AGREEMENT RELATING TO THE AGREEMENT DIGITAL TESTING SYSTEM BETWEEN TECHNISCHE UNIVERSITEIT EINDHOVEN AND <CONTRACTOR> THE UNDERSIGNED: (1) TECHNISCHE UNIVERSITEIT EINDHOVEN, a legal entity governed by public law, hereinafter also referred to as: the Client, with its registered office in Eindhoven and its principal place of business at Groene Loper 5, 5612 AE Eindhoven, duly represented for these purposes by [..], and (2) <CONTRACTOR>, hereinafter referred to as the: "the Contractor", established in [.], duly represented for these purposes by [ ], hereinafter also jointly referred to as the: Parties" and individually referred to as a: Party" TAKE THE FOLLOWING INTO ACCOUNT: (A) (B) (C) The Client has concluded an Agreement with the Contractor dated [..], with reference [.], with regard to the supply of a Digital Testing System and services related to an Digital Testing System, hereinafter referred to as the "Agreement"; As part of the implementation and performance of the Agreement, the Contractor may process Personal Data in favour of and on behalf of the Client, whereby the Contractor will act as the data processor and the Client will act as the data controller; In accordance with the provisions of Article 30 of the Agreement, the provisions of Article 14 of the Dutch Data Protection Act and the provisions of the Dutch DPA Guidelines, the Parties intend to set out their agreements on the processing of Personal Data by the Contractor on behalf of the Client in this Data Processing Agreement, AND DECLARE THEY ARE IN AGREEMENT WITH THE AFOREMENTIONED AND THE FOLLOWING: 1 Definitions 1.1 Annex: an annex to this Data Processing Agreement. 1.2 Applicable Law: law(s) or any other (local) regulations, guidelines or policies, instructions or recommendations of any Governmental Authority applicable to the processing of the Personal Data, including any amendments, replacements, updates or other later versions thereof; 1.3 Data Breach: any incident resulting in (potential) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data which have been sent, stored or otherwise processed, and regardless whether the incident occurred on the Data Processing System or elsewhere; 1.4 Data Processing Agreement: this Data Processing Agreement, including its recitals and schedules thereto, and any alteration, substitution, update or later versions thereof ; Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 1/13

2 1.5 Data Processing System: any system that is used or has been used or is relevant for processing the Personal Data by the Contractor or its subcontractors, including supporting documentation; 1.6 Data Subject: the person to whom the Personal Data relates; 1.7 Governmental Authority: a Dutch or foreign competent authority; 2 Subject of this Data Processing Agreement 2.1 Insofar as the Contractor processes Personal Data in the context of the implementation of its activities under the Agreement, the Client must be regarded as a controller for the purposes of the DPA and the Contractor as a processor in favour of the Client. 2.2 The Contractor guarantees that it will process the Personal Data in a proper and careful manner, in accordance with the Applicable Law. 2.3 The Contractor will only process the Personal Data on behalf of and as instructed by the Client. The Contractor has no independent control over the Personal Data processed by it. The Contractor may not process the Personal Data for its own purposes, for the purposes of third parties or for other purposes, subject to deviating mandatory legal obligations vested in it. 2.4 This Data Processing Agreement forms part of the Agreement. This Data Processing Agreement sets aside any other arrangements of an earlier date relating to the processing of Personal Data between the Client acting as data controller, and the Contractor acting as a data processor in respect of the Personal Data, if applicable. This includes any data processing agreement of an earlier date. 3 Processing of the Personal Data 3.1 To implement the Agreement, the Contractor shall process Personal Data of the Data Subject as specified in Annex A to this Data Processing Agreement. 3.2 The Contractor shall only disclose the Personal Data to those employees who are required to inspect the Personal Data for the implementation of the Agreement and to keep it otherwise confidential, subject to deviating obligations under Applicable Law. 3.3 Annex A specifies which (groups) of employees of the Contractor should have access to which Personal Data and what actions these (groups of) employees may perform with the Personal Data. The Contractor is expressly prohibited from (i) providing other (groups of) employees with access to the Personal Data other than specified in Annex A, and (ii) performing acts with the Personal Data other than those specified in Annex A. 3.4 The Contractor shall impose the obligations set out in this Data Processing Agreement and the Agreement, including the security and confidentiality obligations, on the employees engaged by it. The Contractor shall ensure that these employees adhere to these obligations. Subcontracting Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 2/13

3 3.5 The following conditions will be attached in any event to the acquisition of written consent from the Client for the engagement of third parties by the Contractor for the implementation of its obligations under this Data Processing Agreement, in accordance with Article 33 of the Agreement: the third party must be directly involved in the delivery of the Digital Testing System and/or Digital Testing System services under the Agreement; and The Contractor must submit a written sub-data processing agreement concluded with the third party and impose on this third party the same obligations as are vested in the Contractor under this Data Processing Agreement. In addition, the Contractor shall prohibit the third party in any subdata processing agreement from engaging (sub) sub-data processors. 3.6 In case of subcontracting the Contractor will remain fully responsible and liable for fulfilment of its obligations under the Agreement and this Data Processing Agreement. 3.7 Annex C lists the third parties that the Contractor wishes to engage in the delivery of the Digital Testing System and/or Digital Testing System services under the Agreement. The Client hereby gives its consent with regard to engaging the legal entities stated in Annex C as sub-data processors under the conditions of this Data Processing Agreement, more in particular article Reliability Requirements and Security Measures 4.1 The Contractor shall at least comply with the reliability requirements as set forth in Annex A and implement the technical and organizational security measures as described in that Annex A as well, in order to meet with the reliability requirements set by the Client. 4.2 The technical and organizational security measures to be implemented by the Contractor must ensure an adequate level of protection, taking into account the state of the art, the costs concerned with implementation and execution of security measures, the risks concerned with processing Personal Data and the nature of the Personal Data including possible risks concerned with Data Breaches. 4.3 When implementing any security measures the Contractor shall maintain compliancy with any Applicable Law, and the Contractor will include adequate preventive measures should enable the Contractor to identify any Data Breach immediately and to report the Client on such incident in a timely manner, such as intrusion detection, future proof encryption, the possibility to restore the availability of the Personal Data in a timely manner, including a process for regular testing, assessment and evaluation of the technical and organizational security measures in order to guarantee the security of the processing of the Personal Data. 5 Security Reports 5.1 Without prejudice to any audit rights which the Client may have, the Contractor shall, at its own costs, evaluate the Data Processing activities, the Data Processing System and the security measures on a regular basis, being at least once every year, and on that basis provide the Client with a yearly written security report. The Contractor shall provide the written security report to the Client at least within two weeks after finalizing the evaluation. Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 3/13

4 The evaluation will be executed by an independent third party (expert) according to adequate and by the Client accepted audit standards. 5.2 The security report shall relate to all data processing activities of the Personal Data and at least include the status of the Data Processing System, the security measures, the registered downtime of any technical security measures, the established (non) compliance with organizational measures, any Data Breaches that occurred, perceived threats to the security and the Personal Data and the required and/or recommended improvements. 5.3 The Contractor shall take all (immediate) measures in order to adequately recover the observed threats, weaknesses and other identified problems and also implement the necessary and/or recommended improvements in the security report. 6 Reporting of Data Breaches 6.1 Notwithstanding its other obligations under the Agreement and this Data Processing Agreement, the Contractor shall maintain adequate procedures designed to detect and respond to all Data Breaches, including procedures for preventive and corrective actions, and also to avoid recurrence of any Data Breaches that occurred. These procedures have been established by the Contractor in such a manner that both the Client and the Contractor will be able to live up with their notification duties in relation to Data Breaches under the Applicable Law. When and how should the Contractor notify a Data Breach? 6.2 As soon as the Contractor detects a Data Breach or reasonably suspects that a Data Breach has occurred, the Contractor shall without undue delay, in any case within 24 hours upon detection or suspicion of a Data Breach notify the Client by a direct phone call to the (backup) contact person of the Client referred to in Annex B. The Contractor shall furthermore immediately, in any case also within 24 hours upon the detection or suspicion of a Data Breach, report and/or confirm the Data Breach and provide the details of the Data Breach by to the Client using the (backup) addresses as indicated in Annex B as well. Should the Contractor not reach the Client immediately, then the Contractor will use all reasonable efforts to find a way of communication to contact the Client directly. 6.3 The Contractor will see to it that the contact person and/or the backups on behalf of the Contractor mentioned in Annex B remain(s) fully at the disposal of the Client for the handling of and reporting on the Security Breach, until other (back up) contact persons have been agreed upon between Parties in writing. Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 4/13

5 Feedback and measures upon discovery/reporting of Data Breach 6.4 Upon discovery of a Data Breach, the Contractor shall provide reasonable feedback to the Client and provide support to the Client and the (possibly) affected Data Subjects. The feedback and support should include at least: a) a description of the nature and the scope of the Data Breach, an estimation of the amount of Data Subjects (possibly) affected and an indication of the types of the Personal Data concerned and whether or not such Personal Data was encrypted, or otherwise secured or made unintelligible or inaccessible; b) a description of the preventive and corrective measures taken and to be taken, planned and recommended to minimize possible harm, including an emergency plan, and the expected resolution and work-around time; c) information on which third parties, such as Governmental Authorities and the (social) media, are or could be aware of the Data Breach, d) the contact details of the authorized representative(s) of the Contractor with whom the Client may obtain immediate and regular updates on the status of the Data Breach; and e) any other information that could help to minimize possible harm or damage of the organization of the Client and the privacy of the affected Data Subject(s). 6.5 The Contractor will provide the Client also with reasonable other assistance and share with the Client also other necessary or by the Client requested information, so that the Client will be able to notify the Data Subject(s) that were (was) (possibly) affected and/or the Governmental Authorities, that are competent to supervise the processing of the Personal Data, of the Data Breach in a timely manner. The Contractor will enable the Client to prove compliance with the Applicable Law in relation to its notification duties of Data Breaches. 6.6 Parties may agree upon that the Contractor, instead of the Client, will inform the Data Subject(s) that are (possibly) affected and/or the competent Governmental Authority on the Data Breach. The Contractor will not notify the Data Subject(s) and / or Governmental Authority without the written permission of the Client. Other assistance 6.7 The Contractor shall upon the first request of the Client: assist in the identification of the Data Subjects that (possibly) are affected and the Personal Data that has or may have been compromised; allocate call center facilities and training to manage possible inquiries from Data Subjects; Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 5/13

6 6.7.3 provide Data Subjects that are (possibly) affected by the (consequences of) Data Breach with all other assistance, as reasonably requested by the Client and/or required by the Applicable Law; undertake an audit to determine and execute any appropriate corrective measures to avoid a recurrence or occurrence of a similar situation without prejudice to any audit rights of the Client; notify the Client in writing of all the corrective measures taken; and provide the Client with all reasonable documentation on the Data Breach, including any documentation regarding the corrective measures taken and any information provided to the Data Subjects, so that the Client will be able to live up with its statutory obligation to maintain and update an internal Data Breach log. 7 Transfer of the Personal Data 7.1 Except with the written consent of the Client, the Contractor shall not transfer Personal Data, which will be processed by or on behalf of the Contractor or a third party engaged by it in connection with the execution of the Agreement, to or make it accessible to countries outside the European Economic Area (EEA) which do not ensure an adequate level of protection in accordance with applicable privacy legislation. When obtaining permission, the Contractor shall inform the Client of the countries or the third parties, respectively that this relates to. The Client may attach further conditions to the providing of permission. The Contractor shall provide, at the first request, insight into the location(s) where processing takes place. 7.2 The Client hereby provides for the permission to transfer personal data to [country] where Contractor is located, and to the [number of sub processors] sub processor(s) indicated in Annex C, which are located in [country]. Such transfer shall be governed by a data transfer agreement based on the EU Standard Contractual Clauses for data controllers data processors when Personal Data is transferred to processors established in third countries which do not ensure an adequate level of data protection. This data transfer agreement forms part of the Agreement (Annex 2 to the Agreement). 8 Requests of Data Subjects 8.1 The Contractor shall provide its full cooperation to allow the Client to fulfil its legal obligations if a Data Subject exercises its rights under the Applicable Law concerning the processing of Personal Data, such as the right of access or the right of correction. 8.2 At such time as the Contractor receives a request from a Data Subject, as referred to in the preceding paragraph, the Contractor shall immediately inform the Client accordingly. The Client will inform the Contractor whether the Contractor, on behalf of the Client, can respond to the request and, if so, in what way. 8.3 Without prejudice to its obligations as set forth in the Agreement, the Contractor shall immediately correct or otherwise amend the Personal Data, in accordance with the instructions of the Client. Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 6/13

7 9 Requests of Governmental Authorities 9.1 If the Contractor receives a request from a Governmental Authority relating to (inspection of) the Personal Data, the Contractor shall, prior to providing (inspection of) Personal Data, immediately inform the Client thereof in writing, and provide the Client with copies of all the correspondence it has received in this respect. The Contractor shall solely respond to such request in case of a legal obligation under the Applicable Law. The Client may provide the Contractor with reasonable instructions in this respect which the Contractor should follow, unless this would stand in the way of fulfilling the aforementioned legal obligation. 9.2 To guarantee the protection of the Personal Data, the Contractor shall then ensure that does not provide more Personal Data to the Government Agency than that which is strictly necessary in order to comply with the request of the Government Agency. If the possibility exists to legally challenge the request for the provision of Personal Data or any prohibition on informing third parties about the request, the Contractor shall fully exploit this opportunity. 9.3 If the Contractor, based on a request to it to provide Personal Data, is not permitted to inform the Client and/or third parties about the received request and any subsequent disclosure to a Government Agency, then the Contractor shall continue to represent the reasonable interests of the Client. The Contractor shall in any case: 10 Cost assess the legality of the extent to which (i) the Contractor is legally obliged to comply with the request or order; and (ii) the Contractor is actually prohibited from meeting its obligations to the Client under Article 9.1; only cooperate with the request or order if it is legally required to do so and, where possible, (legally) oppose the request or order or the prohibition to inform the Client about this or to follow its instructions; no more or other Personal Data may be provided than is strictly necessary to comply with the request or order; in the case of transfer to a country outside the EEA: the options for complying with Articles 76 and 77 of the Dutch Data Protection Act must be explored; The Client shall immediately be informed in writing as soon as this is permitted The costs relating to the execution of this Data Processing Agreement are included in the prices and fees as agreed in the Agreement. 11 Indemnification 11.1 The Contractor shall indemnify the Client for all claims of third parties, including Data Subjects, that may be brought vis-à-vis the Client due to a breach of the Applicable Law that can be attributed to the Contractor or to employees engaged by it. 12 Duration and termination 12.1 This Data Processing Agreement shall enter into force at such time as the Contractor first processes the Personal Data on behalf of the Client under the Agreement. Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 7/13

8 12.2 This Data Processing Agreement shall apply as long as the Agreement is in force. Upon termination of the Agreement, this Data Processing Agreement shall end by operation of law without any further (legal) action being required. However, this Data Processing Agreement shall remain in force with respect to those obligations that by their nature continue beyond this end date of the Agreement Interim termination of this Data Processing Agreement by the Contractor is not possible Notwithstanding the provisions of Article 26 of the Agreement, the Contractor shall, subject to statutory regulations vested in the Contractor, ensure in the event this Data Processing Agreement ends or at such earlier date as the Client indicates that the processing of (part of) the Personal Data is no longer relevant for the implementation of the activities under the Agreement, that: the Personal Data shall be returned immediately on a data carrier considered suitable by the Client or provided by the Client or provided to a replacement appointed by the Client to the Contractor; or, at the discretion of the Client, the Personal Data shall be Securely Deleted immediately if the Client so requests. Securely Deleted means that industry standard methods will be taken for the purpose of ensuring that no unauthorized person or entity shall be able to reasonably locate or extract the Personal Data after the deletion date The Contractor shall ensure that it shall immediately cease and not resume all processing of Personal Data after the return, disclosure or deletion. The Contractor shall provide the Client with written confirmation and guarantee this, and permit the Client to verify that the relevant Personal Data is no longer processed by the Contractor If the Client chooses to continue processing the Personal Data at the time of (premature) termination of the Agreement and it is not reasonably possible for the Contractor to provide the Personal Data at that time to the Client or to a replacement contractor in a manner that the processing of the Personal Data can be continued without interruption, the Contractor shall, at the request of the Client, continue the processing of the Personal Data under identical conditions as a contingency plan, as described in this Data Processing Agreement, until such time as the Client or a replacement contractor is reasonably capable of taking over the processing of the Personal Data and the Personal Data can be provided in an appropriate manner. Continuation of the processing of Personal Data will not take place any longer than reasonably required, whereby a period of three months after termination of the Agreement can be considered reasonable. 13 Modifications and Renegotiation 13.1 The Parties shall implement modifications to the processed Personal Data, the processing operations of the Contractor on behalf of the Client and/or the applicable reliability requirements in Annex A to this Data Processing Agreement. The relevant modifications shall become applicable upon signature of the amended Annex A by both parties If a modification in circumstances gives good cause to do so, the Client is entitled to renegotiate this Data Processing Agreement. If the Parties to the renegotiations reach agreement, the Client is entitled to terminate the Agreement without being liable for any resulting damage. Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 8/13

9 13.3 The Contractor shall immediately inform the Client of the (necessary) modifications in the implementation of this Data Processing Agreement, so that the Client can monitor compliance with the agreements with the Contractor that are set out in this Data Processing Agreement. 14 Miscellaneous 14.1 This Data Processing Agreement is subject to Dutch law in accordance with Article < > of the Agreement All disputes arising from this Data Processing Agreement shall be resolved in accordance with Article < > of the Agreement. DRAWN UP IN DUPLICATE AND SIGNED Technische Universiteit Eindhoven <Contractor> Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 9/13

10 Annex A - Specification of the processing by the Parties: Categories of Data Subjects (Categories of) Personal Data processed by the Contractor Where applicable differentiated based on sensitivity (Groups of) employees of the Contractor or other persons engaged by the Contractor who have or may have access to the Personal Data Data processing activities that these persons may perform with the Personal Data To be completed by the Client To be completed by the Client To be completed by the Contractor To be completed by the Contractor Reliability requirements and security measures Subject to the following reliability requirements, the Contractor shall ensure that there is an appropriate level of security in accordance with the provisions of the Agreement. Personal Data students availability integrity confidentiality low medium high x x x Personal Data of personnel of the Client availability integrity confidentiality low medium high x x x Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 10/13

11 Security measures The above reliability requirements, whereby the Contractor shall ensure that there is an appropriate level of security in accordance with the provisions of the Agreement, have been elaborated by the Contractor including by the implementation of the following security measures: <To be completed by Contractor> DRAWN UP IN DUPLICATE AND SIGNED Technische Universiteit Eindhoven <Contractor> Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 11/13

12 Annex B - Contacts and back ups Technische Universiteit Eindhoven primary contact Name and job title telephone numbers other information including addresses To be completed by Client back up contact 1 back up contact 2 <name contractor> Name and job title telephone numbers other information including addresses primary contact To be completed by Contractor back up contact 1 back up contact 2 Technische Universiteit Eindhoven <Contractor> Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 12/13

13 Annex C - Third parties engaged by the Contractor: Third parties engaged by the Contractor acting as sub-data processors Specification of the processing by third parties engaged by the Contractor: Name and address of the sub-data processor Data processing activities that these entities may perform with the Personal Data To be completed by the Contractor To be completed by the Contractor Technische Universiteit Eindhoven <Contractor> Initials Contractor Initials Client Annex 1, Data Processing Agreement, page 13/13