Data Processing Agreement

Data Processing Agreement


The parties,

  1. Widget Brain B.V. a company having its principal place of business at Schiedamse Vest 154, 3011 BH Rotterdam, registered with the Chamber of Commerce under number 63463725, hereby duly represented by Joachim Arts, (hereinafter: ‘the Processor’);
  2. <<Client>>, a company having its principal place of business in <<Country>>, registered with the Chamber of Commerce under number <<Chamber of commerce nr>>, hereby duly represented by <<Authorised person>>, (hereinafter: ‘the Controller’);

hereinafter collectively referred to as ‘Parties’ and individually ‘Party’,

having regard to the fact that,

    • the Controller has access to the personal data of various clients (hereinafter: ‘Data subjects’);
    • the Controller wants the Processor to execute certain types of processing in accordance with the agreement concluded with the Processor on <<Date>> (hereinafter: ‘the Agreement’);
    • the Controller has determined the purpose of and the means for the processing of personal data as governed by the terms and conditions referred to herein;
    • the Processor has undertaken to comply with this data processing agreement (hereinafter: ‘the Data Processing Agreement’) and to abide by the security obligations and all other aspects of the Dutch Personal Data Protection Act (hereinafter: ‘Wbp’);
    • the Controller is hereby deemed to be the responsible party within the meaning of article 1 (d) of the Wbp;
    • the Processor is hereby deemed to be the processor within the meaning of article 1 (e) of the Wbp;
    • where, within the meaning of this Data Processing Agreement, the Wbp is referred to, from the 25th of May 2018 onwards, the corresponding provisions of the General Data Protection Regulation are meant;


The Parties, having regard also to the provisions of article 14 (5) of the Wbp, wish to lay down their rights and duties in writing in this Data Processing Agreement,

have agreed as follows,


Art. 1 Definitions

  1. Terms defined in the supply agreement between Processor and the Controller (“Agreement”) shall have the same meaning when used in this Data Processing Agreement. In addition, the definitions below apply in this Data Processing Agreement.
  2. “GDPR” is a regulation with the intent to strengthen and unify data protection for individuals within the European Union (EU), which replaces the data protection directive (95/46/EC) from 1995. Unless otherwise specified, all references to the GDPR shall be understood to be references to the applicable local equivalent which implements said reference into local law.
  3. “Model Clauses” means the standard contractual clauses annexed to the GDPR chapter 5 article 44 through 50, for the Transfer of Personal Data to Processors established in Third Countries under the GDPR.
  4. “Personal Data” means personal data as defined in the GDPR that the Processor processes on behalf of Controller in connection with the Agreement.
  5. “Controller” or “Controller”, as defined and described in article 4 of the GDPR, means the Controller that has executed the order for Services.
  6. “Processor”, as defined and described in article 4 of the GDPR, means the Processor subsidiary listed in the order for Services.
  7. “Personal Data” means any information relating to an identified or identifiable natural person that Controller or its end users provide to Processor as part of the Services; an identified or identifiable natural person (a “data subject”) is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
  8. “Process” or “Processing” means any operation or set of operations which is performed by Processor as part of the Subscription Services upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
  9. “Subprocessor” means a third party subcontractor engaged by Processor which, as part of the subcontractor’s role of delivering the Services, will Process Personal Data of the Controller.
  10. “Agreement” means the Services and other activities to be supplied to or carried out by or on behalf of Processor for the Controller pursuant to the Master Subscription Agreement signed on <<Date signed>>.
  11. The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data",  "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.
  12. Other terms have the definitions provided for them in the Agreement or as otherwise specified below.


Art 2. Scope

  1. The purpose for the collection, processing and use of the Personal Data from Controller is to provide the services as described in the Agreement, which forms an integral part hereof. The processing and use of the Personal Data takes place in a member state of the European Economic area. Any data transfer to a third country requires the prior approval of the Controller.
  2. The processing of the Personal Data by the Processor shall take place within the framework of this Data Processing Agreement and only to the extent that Controller has instructed the Processor to do so in relation with the Agreement. The Processor processes the Personal Data on behalf of Controller. Modifications to the processing of Personal Data under the Agreement are subject to mutual agreement.
  3. This Data Processing Agreement is subject to the terms of the Agreement and is incorporated into the Agreement. Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and the terms of this Data Processing Agreement, the relevant terms of this Data Processing Agreement shall take precedence.
  4. This Data Processing Agreement shall be effective for the Services Period of any order placed under the Agreement.


Art 3. Processing objectives

  1. The Processor undertakes to process personal data on behalf of the Controller in accordance with the conditions laid down in this Data Processing Agreement. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes as may be agreed to subsequently.
  2. The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Controller will inform the Processor of any such purposes which are not contemplated in this Data Processing Agreement.
  3. All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects.
  4. The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.


Art 4. Processor’s obligations

  1. The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the Wbp.
  2. The Processor shall furnish the Controller promptly on request with details regarding the measures it has adopted to comply with its obligations under this Data Processing Agreement and the Wbp.
  3. The Processor’s obligations arising under the terms of this Data Processing Agreement apply also to whomsoever processes personal data under the Processor’s instructions.

Art. 5 Transmission of personal data

  1. To the extent Personal Data originating from the EEA or Switzerland is transferred to Processor, Processor Affiliates or Sub Processors located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission pursuant to the GDPR or by a competent national data protection authority, such transfers are managed as follows. Transfers from Controller to Processor or Processor Affiliates are made subject to the terms of this Data Processing Agreement and (i) the Model Clauses, with Controller acting as the “data exporter” and Processor and/or the Processor Affiliate(s) acting as the “data importer(s)”; or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the applicable requirements of the GDPR. The terms of this Data Processing Agreement shall be read in conjunction with the Model Clauses or other appropriate transfer mechanism referred to in the prior sentence. For transfers from Processor to Processor Affiliates, Processor shall ensure that such transfers are subject to (i) the terms of the Processor intra-company agreement entered into between Processor Corporation and the Processor Affiliates, which requires all transfers of Personal Data to be made in compliance with the Model Clauses and with all applicable Processor security and data privacy policies and standards; or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the applicable requirements of the GDPR. For transfers from Processor or Processor Affiliates to Subprocessors, Processor requires the Subprocessor to execute Model Clauses incorporating security and other data privacy requirements consistent with those of this Data Processing Agreement.
  2. Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.

Art. 6 Allocation of responsibility

  1. The Processor shall only be responsible for processing the personal data under this Data Processing Agreement, in accordance with the Controller’s instructions and under the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and / or for other purposes.
  2. Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Agreement.

Art 7. Engaging of third parties or subcontractors

  1. Some or all of Processor’s obligations under the Agreement may be performed by Processor Affiliates. Processor and the Processor Affiliates have entered into the intra-company agreement specified above, under which the Processor Affiliates Processing Personal Data adopt safeguards consistent with those of Processor. Processor is responsible for its compliance and the Processor Affiliates' compliance with this requirement. Processor also may engage Subprocessors to assist in the provision of the Agreement. Processor maintains a list of Subprocessors that may Process the Personal Data of Processor’s Cloud Service Controllers and will provide a copy of that list to Controller upon request. All Subprocessors are required to abide by substantially the same obligations as Processor under this Data Processing Agreement as applicable to their performance of the Agreement. Controller may request that Processor audit the Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Controller in obtaining a third-party audit report concerning Subprocessor’s operations) to ensure compliance with such obligations. Controller also will be entitled, upon written request, to receive copies of the relevant terms of Processor’s agreement with Subprocessors that may Process Personal Data, unless the agreement contains confidential information, in which case Processor may provide a redacted version of the agreement. Processor remains responsible at all times for compliance with the terms of the Agreement and this Data Processing Agreement by Processor Affiliates and Subprocessors. Controller consents to Processor’s use of Processor Affiliates and Subprocessors in the performance of the Agreement in accordance with the terms of section 5 and 6.

Art. 8 Duty to report

  1. In the event of a security leak and/or the leaking of data, as referred to in article 34a of the Wbp, the Processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Processor will endeavour that the furnished information is complete, correct and accurate.
  2. If required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
  3. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:
    • the (suspected) cause of the leak;
    • the (currently known and/or anticipated) consequences thereof;
    • the (proposed) solution;
    • the measures that have already been taken.

Art.9 Technical and organizational measures

  1. When Processing Personal Data on behalf of Controller in connection with the Agreement, Processor has implemented and will maintain appropriate technical and organizational security measures for the Processing of such data, including the measures specified in this Section to the extent applicable to the Processor’s Processing of Personal Data. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing. Additional information concerning such measures, including the specific security measures and practices for the particular Agreement ordered by Controller, may be specified in the Agreement.
  2. Physical Access Control: Processor employs measures designed to prevent unauthorized persons from gaining access to data processing systems in which Personal Data is processed, such as the use of security personnel, secured buildings and data center premises.
  3. System Access Control: The following may, among other controls, be applied depending upon the particular Agreement ordered: authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access on several levels. For Agreement hosted at Processor’s systems: (i) log-ins to Agreement Environments by Processor employees and Subprocessors are logged; (ii) logical access to the data centers is restricted and protected by firewall/VLAN; and (iii) intrusion detection systems, centralized logging and alerting, and firewalls are used.
  4. Data Access Control: Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced. In addition to the access control rules set forth in Sections 9.1 – 9.3 above, Processor implements an access policy under which Controller controls access to its Agreement environment and to Personal Data and other data by its authorized personnel.
  5. Transmission Control: Except as otherwise specified for the Agreement (including within the ordering document or the applicable service specifications), transfers of data outside the Cloud Service environment are encrypted. Some Agreement, such as social media services, may be configurable to permit access to sites that require unencrypted communications. The content of communications (including sender and recipient addresses) sent through some email or messaging services may not be encrypted. Controller is solely responsible for the results of its decision to use unencrypted communications or transmissions.
  6. Input Control: The Personal Data source is under the control of the Controller, and Personal Data integration into the system, is managed by secured file transfer (i.e., via web services or entered into the application) from the Controller. Note that some Agreement permit Controllers to use unencrypted file transfer protocols. In such cases, Controller is solely responsible for its decision to use such unencrypted field transfer protocols.
  7. Data Backup: For Agreement hosted on Processor’s systems: backups are taken on a regular basis; backups are secured using a combination of technical and physical controls, depending on the particular Cloud Service.
  8. Data Segregation: Personal Data from different Processor Controllers’ environments is logically segregated on Processor’s systems.

Art. 10 Security

  1. The Processor does not guarantee that the security measures are effective under all circumstances. The Processor will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
  2. The Controller will only make the personal data available to the Processor if it is assured that the necessary security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed by and between the Parties.

Art. 11 Handling requests from involved parties

  1. Where a Data subject submits a request to the Processor to inspect, as stipulated by article 35 Wbp, or to improve, add to, change or protect their personal data, as stipulated by article 36 Wbp, the Processor will forward the request to the Controller and the request will then be dealt with by the Controller. The Processor may notify the Data subject hereof.

Art 12. Non disclosure and confidentiality

  1. All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this Data Processing Agreement is subject to a duty of confidentiality vis-à-vis third parties.
  2. This duty of confidentiality will not apply in the event that the Controller has expressly authorised the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this Data Processing Agreement, or if there is a legal obligation to make the information available to a third party.


Art 13. Audit

  1. In order to confirm compliance with this Data Processing Agreement, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.
  2. The audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data, and no earlier than two weeks after the Controller has provided written notice to the Processor.
  3. The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
  4. The costs of the audit will be borne by the Controller.

Art 14. Duration and termination

  1. The Data Processing Agreement is entered into for the duration set out in the Agreement, and in the absence thereof, for the duration of the cooperation between the Parties.
  2. The Data Processing Agreement may not be terminated in the interim.
  3. This Data Processing Agreement may only be amended by the Parties subject to mutual consent.
  4. The Processor shall provide its full cooperation in amending and adjusting this Data Processing Agreement in the event of new privacy legislation.

Art 15. Categories of Personal Data and Purpose of the Personal Data Processing

  1. In order to execute the Agreement, and in particular to perform the Services on behalf of Controller, Controller authorizes and requests that Processor processes the following Personal Data:
    • Name
    • Professional, commercial or business addresses
    • Date / Year / Birth Date
    • Telecommunications data (e. g. connection, location, usage and traffic data)
    • Email Address
    • Contract data (contractual relationship, product and/or contractual interests)
    • Controller history, contract implementation and payment data
    • Special data (information about race and ethnic origin, political opinions, religious or philosophical convictions, trade union membership, health or sexuality)
    • Personal data that is covered by the obligation to maintain professional secrecy
    • IP addresses
    • Planning and control data
    • Precise location data
    • Machine data
    • Device and service related diagnostic data
    • Categories of data subjects
  2. The Controller has defined the following data subject categories from who the Personal Data as defined above will be collected, processed and used by the Processor under this Data Processing Agreement:
    • Employees (Internal)
    • Controllers
    • Contact persons
    • Employees of external companies
    • Interested parties
    • Suppliers

Art. 16 Miscellaneous

  1. Terms defined in the supply agreement between Processor and the Controller (“Agreement”) shall have the same meaning when used in this Data Processing Agreement. In addition, the definitions below apply in this Data Processing Agreement.
  2. The Data Processing Agreement and the implementation thereof will be governed by Dutch law.
  3. Any dispute arising between the Parties in connection with and/or arising from this Data Processing Agreement will be referred to the competent Dutch court in the district where the Processor has its registered office.
  4. In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply.
    • the Agreement;
    • this Data Processing Agreement;
    • additional conditions, where applicable
  5. Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.

IN WITNESS WHEREOF, the Parties have caused this Data Processing Agreement to be executed by their duly authorized representatives.


Widget Brain B.V.                                               <<Controller name>>

_____/_____/___________                                   _____/_____/___________

Date                                                                              Date

______________________                                    ______________________

Name                                                                            Name  

______________________                                    ______________________

Signature                                                                    Signature