This Data Processing Agreement applies to all forms of processing of personal data carried out by MovaWorks, located in Heerlen, registered with the Chamber of Commerce under number 50722115 (hereinafter referred to as: Processor), on behalf of a party to whom they provide services (hereinafter referred to as: Data Controller).
Hereinafter collectively referred to as 'Parties';
A. The Parties have entered into an agreement regarding hosting services and domain name registrations, hereinafter referred to as: “Agreement”. In the execution of the Agreement, the Processor processes Personal Data on behalf of the Data Controller;
B. The Parties wish to handle the Personal Data processed (or to be processed) in the execution of the Agreement with care and in compliance with the GDPR and other applicable laws and regulations regarding the processing of personal data;
C. The Parties wish to formalize their rights and obligations concerning the processing of Personal Data of Data Subjects in writing in this Data Processing Agreement in accordance with the GDPR and other applicable laws and regulations regarding the processing of Personal Data;
D. Only the Data Controller determines the purpose and means of processing personal data, and the Processor has no influence over this;
1.1 Data Subject: The individual to whom Personal Data relates.
1.2 Data Breach: A breach of security concerning Personal Data that results in significant adverse effects on the protection of Personal Data.
1.3 Personnel: The individuals appointed by the Parties to execute this Data Processing Agreement, who will work under their responsibility.
1.4 Personal Data: Any information relating to an identified or identifiable natural person. This also includes pseudonymized personal data that can be re-identified.
1.5 Subprocessor: A third party employed by the Processor to process Personal Data on behalf of the Processor, without being directly subject to the Processor's control.
1.6 Data Controller: The entity responsible for the processing as defined under the Dutch Personal Data Protection Act (WBP) and/or European regulations and directives regarding the protection of personal data (GDPR).
1.7 Processor: The entity that processes Personal Data on behalf of the Data Controller, without being subject to its direct control.
1.8 Processing: Any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, updating, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of provision, combining, linking, as well as blocking, erasure, or destruction of data.
2.1 If the Processor only has access to Personal Data without an obligation to process it, the Processor will comply with national and international laws and regulations regarding Personal Data and the provisions of this Data Processing Agreement, provided that the Data Controller has notified the Processor in advance of the existence of Personal Data and its location.
2.2 If the Processor has committed in the Agreement to processing Personal Data, it will do so with due diligence and in accordance with the purposes of the processing, following both national and international laws and regulations regarding Personal Data and the provisions of this Data Processing Agreement, provided that the Data Controller has notified the Processor in advance of the existence of Personal Data and its location.
3.1 The Data Controller will notify the Processor of any changes regarding the Processing (if applicable) and the potential consequences thereof in a timely manner, in principle within 10 business days.
3.2 The Data Controller guarantees that the instruction for processing the Personal Data (if applicable) is not unlawful and does not infringe upon the rights of third parties.
4.1 The Processor will only access and/or process the Personal Data as necessary for the execution of the Agreement and will follow all reasonable instructions from the Data Controller.
4.2 The Processor will not store the Personal Data outside the European Economic Area. For domain registrations, it may be necessary to transfer Personal Data to countries outside the European Economic Area. This will be limited to what is required by the relevant registry.
4.3 The Processor guarantees that its Personnel will comply with the terms of this Data Processing Agreement if and to the extent they are involved in processing Personal Data. Employees of the Processor are bound by a confidentiality obligation.
4.4 The Processor has appointed a Data Protection Officer.
4.5 Upon the Data Controller’s request, the Processor will immediately return all copies of the Personal Data processed on behalf of the Data Controller or, upon request, destroy them.
4.6 The Processor will implement appropriate technical and organizational security measures to protect the Personal Data against loss and unlawful processing. These measures will ensure an adequate security level, considering the state of the art and the costs of implementing them, as well as the risks associated with processing and the nature of the data being protected.
4.7 The Processor keeps a record of all categories of processing activities it carries out on behalf of the Data Controller.
4.8 The Processor will provide full and timely cooperation with the Data Controller to allow Data Subjects access to their Personal Data, to have their Personal Data corrected or deleted, and/or to demonstrate that such corrections or deletions have been made, or if the Data Controller disputes the Data Subject's position, to record that the Data Subject considers their data to be incorrect.
4.9 The Processor will take adequate internal control measures to ensure compliance with the obligations under this Agreement and will keep these measures documented for ease of monitoring compliance. Any activities and incidents related to Personal Data will be recorded in logs.
4.10 At the request of the Data Controller, the Processor will cooperate in the encryption and pseudonymization of Personal Data. If this results in higher costs for the Processor, the Data Controller will compensate these costs.
4.11 The Data Controller can have the processing of Personal Data reviewed for compliance with this Data Processing Agreement by an independent EDP Auditor, once per year. The Auditor will be required to maintain confidentiality. The Processor will provide all requested information to the Auditor. The Auditor will report in general terms to the Data Controller, but will not disclose details about security measures. The costs of the audit will be borne by the Data Controller.
4.12 The content and scope of the processing assignment and the associated remuneration are governed by the Agreement. The Processor will follow the Data Controller’s instructions regarding the processing and/or storage of Personal Data.
5.1 The Processor may subcontract the performance of this Data Processing Agreement to a Subprocessor. The Processor remains the point of contact for the Data Controller and is responsible for ensuring the Subprocessor complies with the terms of this Data Processing Agreement.
5.2 The Processor will impose the same obligations on the Subprocessor – and document these in a contract – as those outlined in this Data Processing Agreement and ensure the Subprocessor's compliance. The Processor is fully responsible to the Data Controller for the consequences of outsourcing tasks to a Subprocessor.
5.3 An exception to Articles 5.1 and 5.2 is the outsourcing of domain registrations. Depending on the Top-Level Domain, your Personal Data may become publicly available, and/or the Processor may not be able to guarantee the security of your Personal Data.
6.1 The Processor may not disclose Personal Data to anyone other than the Data Controller unless required by law or for the execution of the Agreement with the Data Controller.
6.2 If the Processor is required to disclose Personal Data due to a legal obligation, it will:
7.1 The Data Controller and Processor will take appropriate technical and organizational measures to ensure a security level proportional to the risk, so that processing complies with the GDPR and other applicable regulations, ensuring the protection of Data Subjects' rights. The security measures are outlined in Appendix A.
7.2 Both Parties will make every effort to secure the Personal Data against intruders, mishandling, unlawful disclosure, and against loss, destruction, or damage. Both Parties will ensure that their IT facilities and equipment are physically protected from unauthorized access and damage, and will implement measures to prevent unauthorized access to information systems.
7.3 Both Parties will continuously monitor whether the processing systems meet the required confidentiality, integrity, availability, and resilience (quick recovery after temporary unavailability).
7.4 Upon written request from the Data Controller, the Processor will implement additional security and/or confidentiality measures for the identified categories of Personal Data. If this incurs additional costs for the Processor, the Data Controller will reimburse these costs.
8.1 In the event of a data breach, the Processor shall immediately notify the Controller, but in any case, within 24 hours, providing details of the nature of the data breach, the (suspected) consequences, and the measures taken to remedy or mitigate the consequences.
9.1 All data of the Controller and its customers are confidential and shall be treated as such by the Processor. The Processor is obligated to maintain confidentiality regarding all personal data and information it processes, or learns of in the course of the Agreement or this Data Processing Agreement.
9.2 The confidentiality obligation does not apply to information:
This confidentiality obligation will remain in effect after the termination of this Data Processing Agreement.
10.1 All Intellectual Property Rights, including copyrights, database rights, and all other intellectual property rights, as well as similar rights for the protection of data collections and personal data, copies, or modifications thereof, shall be vested in the Controller (or a customer of the Controller).
10.2 All intellectual property rights – including copyrights, database rights, and all other intellectual property rights, as well as similar rights for the protection of information – in the products and services of the Processor shall be vested in the Processor.
11.1 This Data Processing Agreement shall enter into effect on the date of signing by the Parties.
11.2 The provisions concerning the duration and termination of the Agreement shall apply to the duration and termination of the Data Processing Agreement. When the Agreement terminates for any reason, the Data Processing Agreement will also terminate.
11.3 In the event of termination of the Data Processing Agreement, the Processor shall transfer all personal data to the Controller or, at the Controller’s explicit written request, destroy the personal data in the Processor’s possession.
11.4 Obligations that, by their nature, are intended to continue after the termination of the Data Processing Agreement shall remain in effect after termination. These obligations include, among others, provisions regarding confidentiality, transfer and destruction, liability, and applicable law.
12.1 Either Party may terminate the Agreement in whole or in part if the other party is in material breach of the Data Processing Agreement and has not remedied the breach after being given notice of default, without prejudice to the right to claim damages.
12.2 Either Party may terminate the Agreement immediately and in whole or in part without prior notice if the other party is granted a suspension of payments, if bankruptcy proceedings are initiated against the other party, if the other party’s business is liquidated, or if the business is terminated other than for reconstruction or merger.
13.1 Changes or additions to this Agreement shall be agreed in writing between the Processor and the Controller. Changes or additions shall be documented in an addendum to this Agreement and shall be binding once the addendum is signed by both Parties.
13.2 Any disputes arising from this Agreement, after an attempt to resolve the dispute through mutual consultation has been unsuccessful, shall be settled by arbitration in accordance with the rules and procedures of the Netherlands Arbitration Institute, with the arbitrator(s) applying Dutch law.
The measures the Processor shall comply with include: