1. Processing Objectives and Details
1.1. The Processor undertakes to process personal data on behalf of the Controller in accordance with the conditions laid down in this Data Processing Addendum. This Data Processing Addendum applies exclusively to the processing of personal data within the framework of the Agreement between Subscriber and TaxModel. Subscriber will act as the controller and TaxModel will act as the processor.
1.2. Terms such as “processing”, “personal data”, “controller” and “processor” shall have the meaning ascribed to them in the General Data Protection Regulation (2016/679/EU, hereinafter to be referred to as: the “GDPR”).
1.3. The Processor shall refrain from making use of the personal data other than for the purpose of providing the Service to the Data Controller. An overview of the categories of Personal Data, categories of data subjects, nature of the processing and purposes for which the Personal Data are being processed is provided in Article 2.
1.4. All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant data subjects.
2. Details of the processing of Personal Data
2.1. The categories of personal data that may be processed are:
- Email address
- Phone number
2.2. Personal data is retained as long as needed to perform the services and for a maximum of three months after the end of the contract.
2.3. The following categories of data subjects may apply: employees, contractors and advisors of Data Controller.
3. Data controller and data processor responsibilities
3.1. The Data Processor will act in accordance with the instructions of the Data Controller. The Data Processor will immediately inform the Data Controller in writing if the Data Processor is of the opinion that an instruction of the Data Controller is in violation of, or causes a breach of, this Data Processing Addendum or applicable legislation, including the GDPR. The Parties will together seek an appropriate solution in case any external developments endanger the lawfulness of the processing of the Personal Data.
3.2. The Data Controller is responsible for lawful acquisition of the Personal Data and the Processing of the Personal Data by the Data Processor based on the Agreement, this Data Processing Addendum and as otherwise instructed. Instructions shall generally be given in writing, unless the urgency or other specific circumstances require another (e.g., oral, electronic) form. Instructions in another form than in writing shall be confirmed by the Data Controller in writing without delay. To the extent that the implementation of an instruction results in costs for the Processor, the Data Processor will first inform the Data Controller about such costs. Only after the Data Controller’s confirmation to bear such costs for the implementation of an instruction, the Data Processor is required to implement such instruction.
3.3. The Data Processor shall only process the Personal Data in such manner as – and to the extent that – this is necessary for the provision of the services under the Agreement with the Data Processor, except as required to follow instructions of the Data Controller, or to comply with a legal obligation to which the Data Processor is subject, in which case the Data Processor will notify the Data Controller of such legal obligation, unless that law prohibits the notification on important grounds of public interest. The Data Processor shall never process the Personal Data for its own purposes. The Data Processor shall take steps to ensure that persons acting under its authority who have access to the Personal Data act in accordance with this Data Processing Addendum.
3.4. Parties shall comply with all applicable law, including the GDPR, and applicable orders and regulations of competent public authorities.
4. International transfer of Personal Data
4.1. Data Controller acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA from time to time.
4.2. If, in the performance of Services under the Agreement, Data Processor transfers any Personal Data to a sub-processor and, without prejudice to clause 4, where such sub-processor will process the Personal Data outside the EEA, Data Processor shall in advance of any such transfer ensure that a mechanism to achieve adequacy in respect of that processing is in place, such as: (a) the requirement for Data Processor to have the sub-processor accept and agree the EU Standard Contractual Clauses (Commission Decision C(2010)593); or (b) the existence of any other specifically approved safeguard for data transfers in accordance with the GDPR and/or a European Commission finding of adequacy.
5. Engaging of sub-processors
5.1. The Data Controller provides the Data Processor with general authorization to engage sub-processors.
5.2. The only sub-processor currently used by the Data Processor is Microsoft Azure. The Data Processor shall inform the Data Controller in advance of the engagement and/or replacement of a sub-processor, in which event the Data Controller has the right at its discretion to object to (the engagement of) that sub-processor within four weeks.
5.3. The Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of – or the failure to perform – the obligations set out in this Data Processing Addendum by sub-processors, in accordance with Article 11. However, the Data Processor shall not be liable for damages and claims that ensue from the Data Controller’s instructions to sub-processors.
5.4. The Data Processor shall ensure that the sub-processor is bound in writing by the same obligations as the Data Processor under this Data Processing Addendum.
6. Notification obligations
6.1. In case of a data breach or another event set out in this Article, the Data Processor shall without delay notify the Data Controller, cooperate with the Data Controller and follow the Data Controller’s instructions, in order to enable the Data Controller to perform a thorough investigation, to formulate a correct response and to take suitable further steps. Specifically, the Data Processor shall make available all information necessary to enable the Data Controller to fulfil its legal obligations, such as the obligation to notify data breaches under Sections 33 and 34 GDPR.
6.2. In case of any breach of the security and/or confidentiality as set out in Section 32 GDPR or Articles 7 and 8 of this Data Processing Addendum leading to the loss or any form of unlawful processing, including destruction, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such a breach having taken place or being about to take place, the Data Processor notifies the Data Controller within 24 hours after discovery of the breach. Such notification includes: (i) the nature of the breach; (ii) the date and time upon which the breach took place and was discovered; (iii) the (number of) data subjects affected by the breach; (iv) which categories of Personal Data were involved in the breach; and (v) whether and, if so, which security measures – such as encryption – were taken to render the Personal Data incomprehensible or inaccessible to anyone without authorization to access these data.
6.3. In case of an investigation into or seizure of the Personal Data by government officials with the Data Processor, or any indication that this is about to take place, the Data Processor notifies the Data Controller within 24 hours after discovery of the investigation or seizure.
6.4. The Data Processor shall, to the extent legally permitted, promptly notify Customer if the Data Processor receives a complaint or a request (such as a request for access, rectification or erasure) from a data subject (“Request”). Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to a Request in accordance with the GDPR.
7. Security Measures
The Processor shall take appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing of the Personal Data. The technical and organizational security measures are set out in TaxModel’s Information Security Policy.
8. Non-Disclosure and Confidentiality
The Data Processor warrants that it shall treat all Personal Data and notifications pursuant to Article 6 as strictly confidential towards any third parties, including public authorities. The Data Processor shall ensure that all persons authorized to process the Personal Data are bound to confidentiality. These obligations will not prevent a Party from sharing information with a third party to the extent such disclosure is mandatory under applicable law.
9. Information and Audit
9.1. At the request of the Data Controller, the Data Processor shall promptly provide all information deemed reasonably necessary for the Data Controller to comply with its obligations under applicable law.
9.2. The Data Controller has the right to perform an audit of the Data Processor in order to determine to what extent the Data Processor complies with the provisions of this Data Processing Addendum. Such audit will be performed by an independent third party and will take place at a time defined by both Parties together, at the latest two months after the initial request of the Data Controller. The Data Processor shall provide the auditor access – on request of the auditor – to the facilities, personnel, policies and documents that are reasonably necessary for the purpose of the audit.
9.3. The costs of the audit will be borne by the Controller.
10. Returning or Destruction of Personal Data
Unless retention is required by applicable law, the Data Processor shall, at the discretion of the Data Controller, destroy the Personal Data or return it to the Data Controller upon expiration of this Data Processing Addendum. The Data Processor shall simultaneously destroy all existing copies of the Personal Data. In such event, the Data Processor shall ensure that all engaged sub-processors cooperate to return and/or destroy the Personal Data.
11. Liability and Indemnity
12. Duration and Termination
12.1. This Data Processing Addendum shall come into effect and expire simultaneously with the Agreement.
12.2. Termination or expiration of this Data Processing Addendum shall not discharge the Data Processor from its obligations meant to survive the termination or expiration of the Data Processing Addendum.
13.2. Any notifications performed pursuant to this Data Processing Addendum by the Data Processor to the Data Controller, for instance the notifications pursuant to Articles 6, 7 and 8, shall be addressed to:
- Attn.: Mr. Hank Moonen
- Stationsplein 12
- 5211 AP ’s-Hertogenbosch
- The Netherlands
13.3. This Data Processing Addendum is governed by the laws of the Netherlands. Any disputes arising out of or in connection with this Data Processing Addendum shall be brought exclusively before the competent court of ’s-Hertogenbosch, the Netherlands.