Processor Agreement Felixx.® arbo


The undersigned:

A: (hereinafter referred to as: the ‘Controller’), established in , at the , registered with the Chamber of Commerce under number duly represented in this matter by .

and

B: The private company with limited liability under Dutch law Felixx.® Pensioen & HR Consultants B.V. with its registered office in Lisse and registered with the Chamber of Commerce under number 32114079, trading under the name of Felixx.® werk & inkomen (hereinafter to be referred to as: ‘Felixx.®’) duly represented in this matter by its directors, hereinafter to be referred to as ‘Processor’.

 

The Controller and the Processor, hereinafter jointly referred to as the ‘Parties’ and each individually as a ‘Party’, declare to have agreed as follows:

  • The Parties have entered into an Agreement in the context of which Personal Data are (possibly) processed by the Processor.
  • In the context of the Agreement, the Processor shall process Personal Data for the benefit of the Controller, where the Controller is to be regarded as the “controller” and the Processor as the “processor”, as defined in the General Data Protection Regulation.
  • The Parties shall each meet their obligations under the General Data Protection Regulation and comply with national legislation and regulations regarding the protection of Personal Data.
  • The Processor shall offer the Controller guarantees with regard to compliance with the General Data Protection Regulation regarding the protection of Personal Data, including implementing suitable technical and organizational security measures that guarantee a level of protection commensurate with the risks.
  • The Parties lay down in this Processor Agreement the arrangements that apply to the processing of Personal Data by the Processor for the benefit of the Controller.

 

Article 1: Definitions and principles

1.1 The following definitions are used in this Processor Agreement:

  • GDPR: The General Data Protection Regulation and other (national) legislation and regulations with regard to the protection of Personal Data.
  • Data Subject: A natural person whose Personal Data are processed by the Controller and the Processor, as described in more detail in Appendix 1.
  • Special categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. This also includes Personal Data relating to criminal convictions and offences or related security measures.
  • Data Leak: A breach of security that leads to the accidental or unlawful destruction, loss or alteration of, or to the unauthorized disclosure of or unauthorized access to, Personal Data transmitted, stored or otherwise processed, and which constitutes a risk to the rights and freedoms of the Data Subject(s).
  • Third Parties: Parties other than the above-mentioned Parties and employees of the Parties.
  • Obligation to report Data Leaks: The obligation to report Data Leaks to the Dutch Data Protection Authority and (in some cases) to the Data Subject(s).
  • Employee(s): Persons who work at/for the Controller or the Processor, either in employment or on a temporary contract.
  • Agreement: The Agreement (with appendices) between the Parties.
  • Personal data: The (categories of) Personal Data regarding Data Subject(s), as described in more detail in Appendix 1.
  • Personal data of a sensitive nature: Personal data where their loss or unlawful processing may lead to (among other things) stigmatization or exclusion of the Data Subject(s), damage to health, financial damage or (identity) fraud. These categories of Personal Data must at least include the following: special categories of Personal Data, data about the financial or economic situation of the Data Subject(s), (other) data that may lead to stigmatization or exclusion of the Data Subject(s), user names, passwords and other login details and data that may be misused for (identity) fraud.
  • Sub-Processor: The third party that shall process the Personal Data on the orders of the Processor.
  • Process / processing: Each operation involving Personal Data, including at any rate recording, sorting, storage, updating, editing, modification, retrieval, consultation, use, transmission, distribution, correlating, exchange, erasure, destruction or restriction.
  • Processor: A natural or legal person, a public authority, an agency or another body that processes Personal Data for the Controller, without coming under the direct authority of the latter.
  • Processor Agreement: This Processor Agreement.
  • Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

 

Article 2: Scope of this Processor Agreement

2.1 The Processor shall process the Personal Data exclusively for the benefit and on the orders of the Controller and always in accordance with the provisions of this Processor Agreement or, alternatively, with other written instructions from the Controller, unless the Processor is required by legislation or regulation to act differently (for example when deciding whether or not an “unusual transaction” must be reported under the Dutch Prevention of Money-Laundering and Financing of Terrorism Act (Wwft, Wet ter voorkoming van witwassen en financieren van terrorisme)).

2.2 If the Processor at any time is of the opinion that a provision from this Processor Agreement or a written instruction from the Controller is not (fully) compatible with the GDPR, then the Processor shall inform the Controller about this immediately. The Parties shall then consult about the possible consequences and the progress of the Processor Agreement.

2.3 The Processor shall only process the Personal Data of Data Subject(s) for the benefit of the processing purposes, as described in Appendix 1.

2.4 Any (intellectual) property rights in respect of the Personal Data or the carriers on which these are stored shall remain vested exclusively with the Controller.

 

Article 3: General obligations of the Processor 

3.1 The Processor undertakes to follow all the instructions of the Controller with regard to the Personal Data in the context of this Processor Agreement.

3.2 The Processor shall fulfil its obligations under the GDPR and comply with all other relevant legislation, regulations and codes of conduct in respect of the protection and security of Personal Data, as they are in force from time to time. The Processor declares that it is familiar with this legislation and these regulations and that it will keep abreast of any changes therein in a timely fashion. If necessary, the Controller may issue instructions to the Processor to this effect.

3.3 The Processor shall process the Personal Data in a proper and careful manner in accordance with the GDPR.

3.4 The Processor shall instruct employees, Sub-Processors and other Third Parties that carry out work in the context of the performance of this Agreement so that they do not act in a way that conflicts with this Processor Agreement. This is the responsibility of the Processor.

3.5 The Processor is not allowed to use the Personal Data for its own purposes or for any purpose other than the processing purposes specified in this Processor Agreement, and/or to furnish those Personal Data to Third Parties.

3.6 The Processor shall provide the Controller at first request with reasonably necessary information, on the basis of which the Controller can form an opinion about the compliance by the Processor with this Processor Agreement. At first request from the Controller, the Processor shall explain the configuration and the functioning of the system of measures and procedures that aims to ensure compliance with this Processor Agreement.

3.7 The Processor shall at first request from the Controller grant the Controller access to the Personal Data, alternatively make the Personal Data available to the Controller in a manner that shall be determined by the Controller.

3.8 If the Processor receives a request to hand over Personal Data, the Processor shall only do so if the request is issued by an authorized body (Data Protection Authority or any governmental or judicial or supervisory body with regard to the provisioning or processing of the Personal Data). In that event, the Processor shall first ascertain whether this request is binding and/or whether the Processor has to comply with the request by virtue of professional rules or a code of conduct. If there are no criminal law or other legal obstacles, then the Processor shall immediately inform the Controller of the request. In that case, the Processor shall consult with the Controller as to the manner in which the data are to be provided.

 

Article 4: Sub-processors and transfer

4.1 For the purpose of processing the Personal Data within the context of the Processor Agreement, the Processor may deploy Sub-Processors. The Controller hereby grants general consent for the addition or replacement of a Sub-Processor by the Processor. The Controller and the Processor may agree on conditions for the deployment of a Sub-Processor.

4.2 If (a part of) the processing of Personal Data is outsourced to a Sub-Processor, the Processor remains fully liable to the Controller and fully responsible for the performance by the Sub-Processor in accordance with the obligations incumbent on the Processor pursuant to the Processor Agreement. The Processor guarantees the Controller that the processing of Personal Data by a Sub-Processor shall only take place within the scope of this Processor Agreement.

4.3 The Processor and any Sub-Processors shall not process Personal Data in, or transfer Personal Data to, third countries or international organizations as referred to in the GDPR, unless the Parties have made arrangements in writing in this respect. The Processor shall strictly follow the instructions of the Controller with regard to the processing of Personal Data in, or the transfer of Personal Data to, third countries or international organizations.

4.4 By means of a written agreement, the Processor shall ensure that at least the same responsibilities and obligations are imposed on its Sub-Processors as those imposed on the Processor in this Processor Agreement.

 

Article 5: Confidentiality

5.1 The Processor must not disclose Personal Data to Third Parties or give Third Parties access thereto, unless the Controller has given its prior and explicit permission therefor in writing. Third Parties are understood to include the personnel of the Processor insofar as it is not necessary for such personnel to take note of the Personal Data in order to perform the Agreement. This duty of confidentiality shall remain in full force after this Processor Agreement has expired.

5.2 The Processor undertakes to inform employees and Sub-Processors or other Third Parties who carry out work in the context of the performance of this Agreement about the contents of the Processor Agreement and to ensure that they commit themselves in writing to complying with the obligations from the Processor Agreement with regard to, but not limited to, among other things, preserving the secrecy of Personal Data referred to in this Article and treating them as confidential.

 

Article 6: Security

6.1 On its own initiative, the Processor shall take and maintain such technical and organizational security measures that the Personal Data are adequately protected against loss and against any form of careless, improper, unprofessional or unlawful processing, and that an adequate level of protection, appropriate taking into account the state of the art, is maintained for the Personal Data at all times. The Processor shall ensure that the security measures are at least at the level that is customary in the sector in which the Processor operates. The Processor shall periodically demonstrate (by means of audits or certification) that the agreed security measures are in place and effective.

6.2 The Processor shall at any rate take the security measures included in Appendix 2.

6.3 The Parties shall periodically review the measures mentioned in this Article and in Appendix 2. As soon as the Controller deems new or modified arrangements necessary with regard to the security of the Personal Data, both Parties shall enter into consultations about this. The Processor is required to take new or additional security measures, if this is reasonably necessary to guarantee a permanent, adequate level of protection.

 

Article 7: Inspections

7.1 The Processor enables the Controller and where applicable any Third Parties designated by the Controller (auditors) to (have someone) verify compliance by the Processor with this Processor Agreement at the request of the Controller within a reasonable period.

7.2 The Controller and any Third Parties designated by the Controller (auditors) shall observe the security measures of the Processor that apply at any time and shall treat the Processor’s information that comes to their knowledge during the audit as confidential. If so desired, the Controller and Third Parties designated by the Controller shall sign a confidentiality agreement.

7.3 The costs of an audit initiated by the Controller as described in this Article are to be borne by the Controller, unless the audit shows that the Processor demonstrably violates or has violated the provisions of the Processor Agreement. In such a case, the Controller may recover the costs of the audit (in part) from the Processor.

7.4 The Processor shall periodically, and in any case at first request from the Controller, issue a report to the Controller in which the Processor provides information about the state of the security measures described in Article 6 and Appendix 2, and about Data Leaks and possible security risks with regard to the Personal Data.

 

Article 8: Data Leak 

8.1 The Processor organizes its security measures and organization in such a way that it is able to detect a Data Leak at all times.

8.2 As soon as the Processor becomes aware of a Data Leak, of whatever nature, the Processor shall inform the Controller without unreasonable delay and, if possible, within 24 hours.

8.3 The Processor shall in any case provide the following information on that occasion:

  • the nature and extent of the Data Leak and the facts insofar as they are known or suspected
  • the time of the Data Leak and the time of its detection
  • whether the Data Leak occurred at the Processor’s or at a Third Party’s (such as a Sub-Processor’s)
  • the (potentially) affected (categories of) Personal Data and the possible recipients of the Personal Data
  • the established and expected consequences of the Data Leak for the processing of Personal Data and the people involved
  • the measures that the Processor has taken or shall take to end or mitigate the negative effects of the Data Leak and to prevent it from happening again

8.4 At the request of the Controller, the Processor shall provide the assistance requested which the Controller deems necessary for the assessment and handling of the Data Leak and/or reporting it to the Data Protection Authority and/or the Data Subject(s). The Processor shall never report a Data Leak independently without prior explicit permission from the Controller.

8.5 The Processor shall always inform the Controller of any new developments regarding a Data Leak. Furthermore, the Processor shall always be available for consultations.

 

Article 9: Liability

9.1 The Controller warrants that the processing of Personal Data on the basis of this Processor Agreement is not unlawful and does not violate the rights of the Data Subject(s).

9.2 The Processor is not liable for damage resulting from the Controller’s failure to comply with the GDPR or other legislation or regulations. The Controller shall indemnify the Processor against claims by Third Parties based on such damage. This indemnification applies not only to the damage sustained by Third Parties (both material and immaterial), but also to the costs incurred by the Processor in connection therewith, for example in the event of legal proceedings, and to the cost of any penalties imposed on the Processor as a result of the Controller’s actions.

9.3 The limitation of the Processor’s liability agreed in the underlying Agreement and the associated Terms and Conditions applies to the obligations included in this Processor Agreement, with the proviso that one or more claims pursuant to this Processor Agreement and/or the underlying Agreement can never result in that limit being exceeded.

 

Article 10: Rights of Data Subjects 

10.1 Requests from Data Subjects regarding their right of access, rectification, erasure, restriction of processing or transfer (portability) of their Personal Data shall be forwarded by the Processor to the Controller without delay, and in any case within 48 hours of receiving such a request. Unless the Parties agree otherwise, requests from Data Subjects shall be handled by the Controller.

10.2 The Processor shall offer support to the Controller insofar as this is possible to give effect to lawful requests from Data Subjects, insofar as this is (legally) allowed and insofar as the Controller has no (direct) access to the Personal Data.

10.3 If the Processor receives a complaint from a Data Subject about the way in which it processes Personal Data, the Processor shall inform the Controller about such a complaint without delay, and in any case within 48 hours of receiving the complaint. Unless otherwise agreed, such a complaint shall be handled by the Controller. The Processor shall provide the Controller with all reasonable and necessary assistance in connection with the handling of a complaint from a Data Subject.

 

Article 11: Handling Personal Data upon expiry of the Processor Agreement

11.1 Upon expiry of the Processor Agreement, irrespective of the reason, the Processor shall do the following:

  • At first request from the Controller, make the “raw” Personal Data available to the Controller (the Parties may make additional arrangements about the format desired by the Controller)
  • immediately cease the processing of Personal Data and desist from processing those data
  • ensure that any Sub-Processors immediately cease the processing of Personal Data and desist from processing those data

11.2 For the supply of the raw Personal Data connected to the elements as referred to in article 11.1, the Processor shall charge a one-off fee of €300.00.

11.3 Files, minutes of meetings, action points, notes and other data that have already been processed and cannot be categorized as "raw Personal Data" shall not be supplied by the Processor. The Controller is responsible for downloading those data.

11.4 All Personal Data that are stored electronically on a data carrier shall be permanently deleted by the Processor after seven years (fiscal retention obligation) or, insofar as permanent deletion of the data on the data carrier is not reasonably possible, the Processor shall destroy the Personal Data or the data carrier.

11.5 Only at a written request from the Controller shall the Processor permanently delete the Personal Data before the expiry of the fiscal retention obligation or, insofar as permanent deletion of the data on the data carrier is not reasonably possible, destroy the Personal Data or the data carrier.

11.6 The risk that Personal Data are not returned, destroyed or deleted, contrary to the above provisions, continues to be borne by the Processor and in that case the Processor shall remain wholly bound by all stipulations in this Processor Agreement with regard to the handling of Personal Data during and after expiry of the Processor Agreement.

11.7 The Processor shall inform all Third Parties and Sub-Processors involved in the processing of Personal Data of the expiry of the Processor Agreement and guarantees that all Third Parties and Sub-Processors shall destroy, delete or return Personal Data to the Controller in the manner that applies to the Processor.

 

Article 12: Commencement, duration and modification of the Processor Agreement

12.1 This Processor Agreement comes into force on the date on which it was signed by the Parties.

12.2 This Processor Agreement shall apply for the time during which the Processor processes Personal Data in the context of the performance of the Agreement. A termination of the Agreement also means a termination of this Processor Agreement.

12.3 The Parties shall not be able to terminate this Processor Agreement prematurely.

12.4 The provisions in this Processor Agreement shall also remain in full force after the expiry of the Processor Agreement as long as the Processor is in possession of Personal Data, unless it follows from the nature of the obligation that these provisions need to apply longer, as in the case of general obligations of the Processor (Article 3), duty of confidentiality (Article 5) and applicable law (Article 13).

12.5 If a provision from this Processor Agreement is not compatible with the provision from the Agreement, then the provision in this Processor Agreement shall prevail.

12.6 Changes in this Processor Agreement are only valid if they have been agreed, laid down in writing and the relevant document has been signed by the Parties. The Processor shall assist in bringing about a change if (an amendment in) the GDPR necessitates the change.

 

Article 13: Applicable Law and Jurisdiction

13.1 This Processor Agreement and the performance thereof are governed by Dutch law.

13.2 This Processor Agreement takes precedence over other agreements entered into between the Processor and the Controller. If the Controller has Terms and Conditions, they shall not apply to this Agreement. The provisions from this Agreement shall prevail over the provisions in the Terms and Conditions of the Processor, unless explicit reference is made to a provision from the Processor’s Terms and Conditions.

13.3 In the event of disputes arising from or in connection with this Processor Agreement, the Parties shall make efforts to reach a joint solution. If the Parties are not able to reach a solution together through mediation, any disputes that belong to the competence of the court, shall be submitted to the district court in the region (“arrondissement”) in which the head office of Felixx.® is situated.

 

Article 14: Final Provisions

14.1 The Parties are not allowed - unless otherwise agreed in writing between the Parties - to transfer this Processor Agreement and the rights and obligations ensuing from this Processor Agreement to another party.

14.2 Every person signing this Processor Agreement is a duly authorized representative and guarantees that he/she is duly authorized to represent the company.

 

Appendix 1 Personal Data and Purposes

Article 1: Personal Data   

1.1 The Processor shall process the following (categories of) Personal Data:

1.1.1 Standard Personal Data:

  • name, address, place of residence, date of birth, telephone number and email address
  • education data
  • place of residence (travel and the like)
  • position, department, employee ID, type of employment
  • sex, marital status, family composition, citizen service number (BSN)
  • employment relationships, data concerning commencement and termination of employment
  • reports in the context of the “Wet Verbetering Poortwachter” (Gatekeeper Improvement Act, Dutch legislation aimed at dealing with chronic absenteeism)
  • reports submitted to the Netherlands Center for Occupational Diseases
  • first day of illness and date of notification of recovery 
  • data about the referral
  • data about the working conditions, including workplace investigations
  • conditions with regard to the capacity in relation to the workload (pressure at work)
  • proposed or implemented re-integration measures
  • information acquired from medical professionals (the actual processing of that information)
  • data about the legal position (decisions by the UWV (Uitvoeringsinstituut werknemersverzekeringen, the implementing body for employee insurance schemes), data about any legal procedures and expert opinion)
  • other data required for compliance with legal requirements
  • connection data (of an employee who actually uses the agreed service on behalf of the Controller) such as IP address, logging of activities and so forth

1.1.2 Special categories of Personal Data

  • not applicable

 

Article 2: Data Subjects

2.1 The Personal Data involve the following (categories of) Data Subjects:

  • all employees who have been referred by the employer in the context of inability to work for the purposes of supervision of absenteeism or re-integration or who have requested (preventative) advice on their own initiative
  • interns (insofar as necessary)

 

Article 3: Purposes of the processing

3.1 The purposes for which the above-mentioned Personal Data are processed are:

  • Health and Safety services, support of employees who are off work due to disabilities or injuries

 

Article 4: Processing operations

4.1 According to the Agreement.

4.2 Storing (hosting); access and use for the purpose of application management and database management (including help desk); making backups and, where necessary, restoring them; deletion.

 

Appendix 2 Technical and organizational security measures

Article 1: Control of access

1.1 Physical control of access to infrastructure:

  • Adequate physical protection of the areas in which the equipment on which the Personal Data are stored is located (such as access restriction, temperature control, and measures to prevent and combat fire and water damage).

1.2 Control of logical access to systems:

  • Installing and keeping up to date a system with which access to the Personal Data is made secure by means of appropriate verification tools, such as the use of a login name and password
  • Protecting the system with which the Processor processes Personal Data by means of up to date software detecting viruses, Trojan horses and other malware
  • Monitoring and logging access to the system (including checking for signs of unauthorized access to the Personal Data, such as unsuccessful login attempts and cases where the powers of authorization were exceeded or abused)
  • Designating employee(s) - who come under the direct control (management and supervision) of the Processor - who are in charge of the execution of the processing and who have been granted access to Personal Data on a ‘need to know’ basis

1.3 The Processor keeps a log of all the breaches, and the measures that have been taken following such breaches and provides access to it at the request of the Controller.

 

Article 2: Certification

2.1 The Processor is ISO 27001 certified and shall, upon request, submit the Statement of Applicability that is drawn up each year in the context of the ISO 27001 certification.

 

Article 3: Awareness of personnel

3.1 The Processor ensures that its personnel have received, and continue to receive, training with regard to their responsibilities.

 

Article 4: Third Parties

4.1 The Processor deploys the following Sub-Processors to perform the Agreement:

  • The services are hosted on the platform of Visma Software B.V. in Amsterdam
  • The services are provided in cooperation with @arbo in Haarlem


Signed by B.F. Tegel Directeur
Signed On: 18 November 2021


Signature Certificate
Document name: Processor Agreement Felixx.® arbo
Unique Document ID: 670dc7b3c9a36b274c6ddd6dbb8c2876564743e8
Timestamp Audit
2 September 2021 08:44 CET - Processor Agreement Felixx.® arbo uploaded by B.F. Tegel Directeur - avg@felixxgroep.nl - IP 94.237.43.103