- The Controller has entered into one or more agreements with the Processor for the Processor to provide various services to the Controller or will enter into such an agreement. This agreement or these agreements jointly is/are further herein referred to as ‘the Main Agreement’.
- In performing the Main Agreement the Processor will process data for which the Controller is and remains responsible. These data include personal data within the sense of the General Data Protection Regulation (EU 2016/679), further herein the ‘GDPR’.
- Considering the provisions in Article 28 paragraph 3 of GDPRthe Parties want to lay down in this Agreement the conditions on which these personal data will be processed.
- This Agreement is applicable insofar as in providing the services under the Main Agreement one or more processing operations are carried out which are included in Annex 1.
- The processing operations of Annex 1which are carried out in providing the services are further herein referred to as: the ‘Processing Operations’. The personal data processed in this connection are: ‘the Personal Data’.
- All concepts in this Agreement have the meaning given to them in the GDPR.
- If more and other personal data are processed on the instructions of the Controller or if they are processed otherwise than described in this clause, this Agreement applies as much as possible to those Processing Operations as well.
- The Annexes form part of this Agreement. They consist of:
Annex 1 the Processing Operations, the Personal Data and the retention periods;
- The Controller has and retains full control of the Personal Data. If the Controller does not process the Personal Data himself by using the systems of the Processor, the Processor will exclusively process on the basis of written instructions from the Controller, for instance with regard to any Personal Data being passed on to third parties outside the European Union. The Main Agreement is considered as a generic instruction in this connection.
- The Processing Operations are only carried out in connection with the Main Agreement. The Processor shall not process Personal Data other than as provided for in the Main Agreement. In particular the Processor shall not use the Personal Data for his own purposes.
- The Processor will perform the Processing Operations in a proper way and with due care.
- The Processor shall take all the technical and organizational security measures which are required from him under the GDPR and in particular pursuant to Article 32 GDPR.
- The Processor shall ensure that persons, not limited to employees, who participate in Processing Operations at the Processor are obliged to observe confidentiality with regard to Personal Data.
- Data Breaches & Privacy Impact Assessment
- The Processor shall notify the Controller of any ‘personal data breach’ as meant in Article 4 under 12 GDPR.Such a breach is hereafter referred to as: a ‘Data Breach’.
- The Processor will provide the Controller within due time all the information which he has in his possession and which is necessary to fulfill the obligations of Article 33 GDPR.For that matter the Processor must provide the respective information as soon as possible in a standard format to be determined by the Processor. This entails that the Processor informs the Controller of a Data Breach as soon as possible if it is evident that the Data Breach is likely to result in a risk to the rights and freedoms of natural persons. If it is evident that a Data Breach is unlikely in a risk to the rights and freedoms of natural persons the Processor is allowed to notify the Controller at a later time, provided the notification takes place without undue delay. If there is reason to doubt whether the Data Breach is likely to result in a risk to the rights and freedoms of natural persons, the Processor shall notify the Controller of the Data Breach as soon as possible.
- It is exclusively up to the Controller to determine whether a Data Breach established at the Processor is to be reported to the Dutch Authority for Personal Data and/or to the data subject.
- Engagement of sub-processors
- In performing the Processing Operations the Processor is not entitled to engage a third party as the sub-processor without the prior consent of the Controller. The consent of the Controller can also relate to a certain category of sub-processors.
- If the Controller gives his consent, the Processor must ensure that the respective third party enters into an agreement in which he at least observes the same legal obligations and any additional obligations as those the Processor has under this Agreement.
- In the event that the consent relates to a certain type of third party, the Processor shall inform the Controller about the sub-processors engaged by him. The Controller can then object to the additions or replacements with regard to the sub-processors of the Processor.
- Confidentiality obligation
- The Processor will keep the Personal Data confidential. The Processor ensures that the Personal Data will not directly or indirectly become available to any third parties. The term third parties also includes the personnel of the Processor, insofar as it is not necessary for them to take note of the Personal Data. This prohibition does not apply if provisions to the contrary are laid down in this Agreement and/or insofar as a statutory regulation or judgment requires any disclosure.
- The Processor shall inform the Controller of any request from a party other than the data subject for access to, provision of or other form of requesting and communicating Personal Data contrary to the confidentiality obligation included in this clause, unless the Processor is prohibited by law to do so. In case of data subject requests The Processor shall forward those requests to the Controller, or refer the data subject to the Controller.
- Retention periods and deletion
- The Controller is responsible for determining the retention periods with regard to the Personal Data. Insofar as Personal Data are under the control of the Controller (for instance in the event of hosting services) he will delete them himself within due time.
- In case of termination of the Main Agreement or, the Processor shall delete the Personal Data after expiration of the retention period mentioned in Annex 1, at the discretion of the Controller, transfer them to him, unless the Personal Data must be retained longer, such as in connection with the (statutory) obligations of the Processor, or if the Controller requests that Personal Data is to be retained longer and the Processor and the Controller reach agreement concerning the costs and the other conditions of that longer retention, the latter notwithstanding the responsibility of the Controller to observe the statutory retention periods. Any transfer to the Controller takes place at the expense of the Controller.
- In case the Controller requests an Account and data removal via the protected login, The Processor shall delete the Personal Data within thirty days after the Account and data removal request, at the discretion of the Controller, transfer them to him, unless the Personal Data must be retained longer, such as in connection with the (statutory) obligations of the Processor, or if the Controller requests that Personal Data is to be retained longer and the Processor and the Controller reach agreement concerning the costs and the other conditions of that longer retention, the latter notwithstanding the responsibility of the Controller to observe the statutory retention periods. Any transfer to the Controller takes place at the expense of the Controller.
- The Processor will state at the request of the Controller that the deletion meant in the previous paragraph has taken place. The Controller can have it verified at his own expense whether this actually took place. Clause 10of this Agreement applies to that verification. Insofar as this is necessary, the Processor shall inform all sub-processors involved in processing the Personal Data of any termination of the Main Agreement and will instruct them to act as provided for therein.
- Unless otherwise agreed by the parties, the Controller himself will take care of a backup of the Personal Data.
- Rights of the data subject
- If the Controller himself has access to the Personal Data he himself shall comply with all requests by the data subject relating to the Personal Data. The Processor shall immediately pass on to the Controller any requests received by the Processor.
- Only if what has been intended in the previous paragraph is impossible will the Processor cooperate fully and within due time with the Controller in order to:
- provide the data subject with access to their respective Personal Data after approval from and on the instructions of the Controller,
- remove or correct Personal Data,
- demonstrate that Personal Data have been removed or corrected if they are incorrect (or, in the event that the Controller does not agree that the Personal Data are incorrect, to record the fact that the data subject considers his Personal Data to be incorrect)
- provide the Controller or the third party appointed by the Controller with the respective Personal Data in a structured, usual and machine-readable form and
- enable the Controller otherwise to comply with his obligations under the GDPR or other applicable legislation in the area of processing Personal Data.
- The costs of and requirements imposed on the cooperation referred to in the previous paragraphis jointly determined by the parties. Without any agreements in this respect the costs will be borne by the Controller.
- The Controller is for instance responsible and on that account he is fully liable for (the stipulated purpose of) the Processing Operations, the use and content of the Personal Data, the provision to third parties, the duration of the storage of the Personal Data, the manner of processing and the means applied to this end.
- The Processor is liable to the Controller as provided for in the Main Agreement. Verification
- The Controller is entitled to verify the compliance with the provisions of this Agreement once every year at his own expense or to have them verified by an independent registered auditor or registered informatics professional.
- The Processor shall provide the Controller with all the information necessary to demonstrate that the obligations in Article 28 GDPRhave been complied with. If the third party engaged by the Controller gives an instruction which in the opinion of the Processor constitutes an infringement of the GDPR, the Processor will inform the Controller of this immediately.
- The investigation of the Controller will always be limited to the systems of the Processor being used for the Processing Operations. The information obtained during the verification shall be dealt with confidentially by the Controller and only be used to verify the compliance of the Processor with the obligations under this Agreement and the information or parts of it will be deleted as soon as possible. The Controller warrants that any third parties engaged will also undertake these obligations.
- Other provisions
- Any amendments to this Agreement are only valid if they have been agreed by the parties in writing.
- The parties will adjust this Agreement to any amended or supplemented regulations, supplementary instructions of the relevant authorities and increasing insight into the application of the GDPR (for instance by, but not limited to, case law or reports), the introduction of standard provisions and/or other events or insights which require such adjustment.
- This Agreement is effective for as long as the Main Agreement is effective. The provisions of this Agreement remain in force insofar as this is necessary for settlement of this Agreement and to the extent they are meant to survive the termination of this Agreement. The last category of provisions include, but without limitation, the provisions with regard to confidentiality and disputes.
- This Agreement prevails over all other agreements between the Controller and the Processor.
- This agreement is exclusively governed by Dutch law.
- The parties will exclusively submit their disputes in connection with this Agreement to the District Court of Amsterdam.
Processing Operations of Personal Data and retention periods
This Annex forms part of the Processing Agreementand must be initialed by the parties.
- The Personal Data that the parties expect to process:
- E-mail address
- Body data of DMARC forensic data (RUF, non DMARC compliant emails)
- The use (= processing method(s)) of the Personal Data and the purposes of and the resources for the processing:
- PowerDMARC processes the incoming DMARC reports. Within the DMARC specification there are two types of reports:
- Aggregate reports
These reports contain data on the number of messages sent for your domain(s) for a certain IP address on a daily basis including the results of the SPF and DKIM checks for these messages. Aggregate reports do not contain personal data.
- Forensic reports
The forensic reports are sent by a limited number of DMARC report senders. These are copies of specific messages that failed the DMARC checks. The contents of these messages can contain Personally identifiable information (PII). PowerDMARC offers several methods on storing these messages:
- Default: By default the message body is stripped and only the headers are stored
- Encrypted: The client can upload a public PGP key in the PowerDMARC software. The entire incoming messages will be encrypted using this key. The client is able to decrypt the data using their private key and password.
- Unencrypted: After specific confirmation and acceptance of PowerDMARC as a Data processor, the client will be able to store the full message body unencrypted in the PowerDMARC Software.
- License: All licenses except basic free version
- Data retention: 365 days