Data Processing Agreement
Introduction
This Data Processing Agreement forms part of the Main Agreement between Yard Tower (hereinafter: “Yard Tower” or “Processor”) and the natural person or legal entity with whom Yard Tower enters into an agreement for the supply and use of Yard Tower software (hereinafter: “Client” or “Data Controller”). The Data Controller and the Processor are together referred to as the “Parties”.
For the use of the Yard Tower software, the Parties have entered into an agreement to which the General Terms and Conditions of Yard Tower also apply (together: “Main Agreement”).
For the performance of the Main Agreement, Yard Tower processes personal data on behalf of the Data Controller. In accordance with the Applicable Legislation, the Parties enter into this agreement, which sets out their respective rights and obligations with regard to the processing of personal data (the “Data Processing Agreement”). The Main Agreement and the Data Processing Agreement together determine the subject matter and duration of the Processing of Personal Data.
1. Definitions
The following terms have the meaning ascribed to them below:
- Data Subject or Data Subjects: the identifiable natural person whose Personal Data is processed.
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data transmitted, stored or otherwise processed.
- Personal Data: any information relating to an identified or identifiable natural person that Yard Tower processes in the context of the Main Agreement on behalf of the Data Controller.
- Personnel: the persons authorised by the Parties to perform this Data Processing Agreement and who work under their responsibility.
- Sub-processor: any third party engaged by the Processor to process Personal Data on behalf of the Processor, without being subject to the direct authority of the Processor.
- Applicable Legislation: laws or other (local) regulations, ordinances, directives, guidelines or policies, instructions or recommendations from government authorities that apply to the processing of personal data, including any amendments, replacements, updates or later versions thereof.
- Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
2. Permitted processing
- Yard Tower undertakes to process Personal Data only on behalf of the Data Controller in the context of the activities described in the Main Agreement. The Main Agreement and the Data Processing Agreement together determine the subject matter and duration of the Processing.
- For the performance of the Main Agreement, the ongoing development of the Application and for the support of the Data Controller, Yard Tower may, for the full term of the agreement, subject the Personal Data to the following processing operations: storage, adaptation or alteration, consultation, use, restriction, erasure or destruction of data.
- Yard Tower processes the following types of Personal Data: names, country of establishment, email, bank details, IP addresses, location data, device types.
- This Personal Data relates to the following categories of Data Subjects: contacts of the Data Controller.
3. Rights and obligations of the Data Controller
- The Data Controller makes the Personal Data available to Yard Tower. The Data Controller determines the purposes and means of the Processing. The Data Controller warrants that the Processing of the Personal Data, including the collection thereof, is in accordance with the relevant Applicable Legislation.
4. Data processing
- Yard Tower may only process the Personal Data that is strictly necessary for the performance of the Main Agreement. Yard Tower has no control over the purpose of the Processing of Personal Data.
- Yard Tower shall disclose the personal data only to personnel and/or sub-processors who (necessarily) have access to the personal data for the performance of the obligations under the Main Agreement, unless otherwise required by the Applicable Legislation.
- Yard Tower does not process Personal Data at a location outside the European Economic Area.
- The Personal Data on backups enjoys the same protection as the original Personal Data.
- Yard Tower ensures that its Personnel have access to the Personal Data only to the extent necessary to perform their tasks in the context of the processing instructions. Yard Tower shall inform its Personnel of the obligations under this Data Processing Agreement.
5. Sub-processors
- Yard Tower is entitled to use sub-processors in the performance of the services. Upon request, information on sub-processors may be obtained by the Data Controller. The Data Controller may only object on substantiated grounds. Yard Tower remains at all times the point of contact for the Data Controller.
- Yard Tower ensures that an agreement is concluded with engaged sub-processors in which the same data protection safeguards are agreed as set out in this Agreement. The Processor remains fully liable to the Data Controller for the Sub-processor’s compliance with its obligations.
- In addition, subject to explicit consent of the Data Controller, personal data may be shared with sub-processors where use is made of additional services.
6. Confidentiality
- Yard Tower is bound by a duty of confidentiality with respect to the Personal Data processed on behalf of the Data Controller. This duty of confidentiality applies in full to Yard Tower’s Personnel and to any Sub-processors. The duty of confidentiality continues after termination of the Data Processing Agreement.
- This duty of confidentiality does not apply when the Processor is required by the Supervisory Authority, a legal provision or a court order to disclose such Personal Data, when the information is publicly known, and when the disclosure takes place on the instructions of the Data Controller.
7. Security measures
- Yard Tower shall implement the appropriate technical and organisational measures required to ensure a level of security appropriate to the risk, so that the Processing complies with the Applicable Legislation and the rights of Data Subjects are safeguarded.
- Yard Tower applies an appropriate level of protection, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing. Yard Tower is responsible for implementing and/or modifying the level of protection where this is deemed necessary or required by law.
- Yard Tower is responsible for implementing and/or modifying the level of protection where this is deemed necessary under the Applicable Legislation or is requested by the Client. Any additional costs shall be borne by the Client, unless otherwise agreed.
8. Notification of a personal data breach
- If Yard Tower becomes aware of a Personal Data Breach, it shall notify the Data Controller without undue delay and at the latest within 48 hours of becoming aware of it. This notification shall describe or communicate at least the following:
  - The nature of the personal data breach, where possible including the categories of Data Subjects and the Personal Data concerned;
  - The likely consequences of the Personal Data Breach;
  - The measures that Yard Tower takes to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
- Yard Tower shall also inform the Data Controller after a notification under the previous paragraph of any developments regarding the Personal Data Breach that has been identified.
- The Data Controller shall assess whether it must inform the Supervisory Authority and/or the Data Subjects thereof.
- Each Party shall bear its own costs incurred in connection with a notification to the Supervisory Authority and/or the Data Subject.
9. Intellectual property rights
- All intellectual property rights in the Personal Data and in the databases containing such Personal Data vest in the Data Controller. These intellectual property rights include copyright and the sui generis database right. Yard Tower receives only a limited right of use insofar as necessary to perform the agreed Processing operations.
10. Term and termination
- The Data Processing Agreement enters into force when the Parties conclude the Main Agreement and is entered into for the duration of the Main Agreement.
- The Parties may not terminate the Data Processing Agreement prematurely.
- The Data Processing Agreement ends after and to the extent that Yard Tower has erased all Personal Data in accordance with this Data Processing Agreement. Yard Tower shall delete backups and copies, save where otherwise required by law.
- Upon termination of the Main Agreement, all processed Personal Data responsible for the timely export of Personal Data.
11. General provisions
- This Data Processing Agreement forms part of the Main Agreement. The rights and obligations arising from the Main Agreement and the General Terms and Conditions of Yard Tower therefore also apply to the Data Processing Agreement.
- In the event of any conflict between the provisions of the Data Processing Agreement and the Main Agreement, the provisions of this Data Processing Agreement shall prevail insofar as they specifically relate to the Processing of Personal Data.
- In accordance with the General Terms and Conditions of Yard Tower, Dutch law applies to the Data Processing Agreement and disputes shall be brought before the competent court in Amsterdam or, at Yard Tower’s option, before the competent court of the Data Controller’s place of residence.