The Translation Company f.a.x. Translations b.v., with registered office in NL-9943 AN Groningen at Energieweg 9A (hereafter: ‘the Processor’), legally represented in this matter by J.W.L. Oorebeek;
The translator, interpreter or proofreader (hereafter: ‘the Subprocessor’), hereafter referred to collectively as: ‘the Parties’,
the Parties wish to lay down in this Subprocessing Agreement the agreements on the processing of personal data by the Subprocessor in the documents to be drawn up by the Subprocessor in the future;
the terms in this Subprocessing Agreement shall have the meanings assigned to these in the General Data Protection Regulation (hereafter: GDPR) and by the Dutch DPA;
where this Subprocessing Agreement uses the feminine form of pronouns, this is also understood to denote the masculine form, in cases that arise;
the Parties, partly in view of the requirement arising from Article 28 (3) of the GDPR, wish to document in writing in this Subprocessing Agreement their mutual rights and obligations.
1.1. This Subprocessing Agreement pertains to the processing of Personal Data by the Subprocessor on the instructions of the Processor in the context of the performance of the Principal Agreement with the Subprocessor.
1.2. The Subprocessor is aware of the nature and purpose of the Processing, the type of Personal Data, the categories of Personal Data, the Data Subjects and the Recipients of the documents to be processed.
1.3. The Subprocessor guarantees it satisfies the requirements of the applicable legislation and regulations for the Processing of Personal Data from the GDPR and the (privacy) legislation relevant for the industry.
2. Term and termination
2.1. This Subprocessing Agreement takes effect at the moment it has been signed by the
2.2. The Subprocessing Agreement ends at the moment the Principal Agreement with the Controller ends.
2.3. Neither of the Parties can terminate this Subprocessing Agreement prematurely separately from the Principal Agreement.
2.4. Obligations which, by their nature, are intended to continue beyond termination of this Subprocessing Agreement remain in effect after termination of this Subprocessing Agreement. This stipulation covers, for instance, those provisions arising from the clauses on confidentiality, liability, dispute settlement and applicable law.
3.1. The Subprocessor Processes the Personal Data exclusively as commissioned and on the basis of written instructions from the Processor, except in the event of deviating statutory regulations which apply to the Subprocessor. The Subprocessor does not Process the Personal Data for a longer period of time or more extensively than necessary for performance of the Principal Agreement.
3.2. If the Subprocessor believes that an instruction as referred to in the first paragraph of this clause is in contravention of a statutory regulation concerning data protection, it will notify the Processor of this in advance of the Processing, unless a statutory regulation prohibits this notification.
3.3. If the Subprocessor must furnish Personal Data on grounds of a statutory regulation, it will inform the Processor of this immediately, and if possible before furnishing the data.
3.4. The Subprocessor shall ensure that only its Employees have access to the Personal Data, unless the Subprocessor makes use of further subprocessors, for which it requires permission from the Processor in accordance with clause 9 of this Subprocessing Agreement.
3.5. The Subprocessor will limit access to Employees for whom access is necessary for their work, whereby access will be limited to just the Personal Data that these Employees need for their work. The Subprocessor shall also ensure that the Employees who have access to the Personal Data have received correct and complete instructions on handling Personal Data and that they are aware of the responsibilities and statutory obligations.
3.6. The Processor is required by law to comply with the legislation and regulations in effect in relation to privacy. In particular, the Processor must determine whether there is a lawful basis for the Processing of the Personal Data. The Subprocessor shall ensure that it satisfies the regulations that apply to it as Subprocessor in relation to the Processing of Personal Data and the agreements that have been made in this Subprocessing Agreement.
3.7. The Processing takes place under the responsibility of the Controller. Neither the Processor nor the Subprocessor shall have authority over the purpose for and means used for the Processing and neither shall take any decisions on matters such as the use of Personal Data, the retention period of the Personal Data, or the furnishing of Personal Data to third parties. The Controller must ensure that it has clearly determined the purpose and means for the Processing of the Personal Data.
4.1. The Subprocessor has taken security measures to protect the personal data which will be made available to it in the context of this Subprocessing Agreement. The risks to be mitigated, the state of the art, and the costs of the security measures have been taken into account by the Subprocessor in taking the security measures. These security measures at least include:
the encryption/pseudonymisation of Personal Data;
the ability to permanently guarantee the confidentiality, integrity, availability and resilience of the processing systems;
the ability to restore the availability of and access to the Personal Data in a timely manner in the event of a physical or technical incident;
a procedure for testing, assessing and evaluating at set times the effectiveness of the technical and organisational measures to secure the Processing.
4.2. The Processor and Subprocessor acknowledge that guaranteeing an appropriate level of security can constantly compel the taking of additional security measures. The Subprocessor shall be responsible for a security level attuned to the current risk. The Subprocessor shall also inform the Processor in a timely fashion if one of the security measures changes.
4.3. The Subprocessor provides appropriate safeguards for the use of the technical and organisational security measures in relation to the Processing Operations to be performed. If the Processor wishes to have the manner in which the Subprocessor complies with the security measures inspected, the Processor can submit a request for this to the Subprocessor. The Subprocessor and Processor will make agreements with each other in this respect. The costs of an inspection are at the Processor’s expense, unless the inspection indicates that the Subprocessor is not complying with its obligations under this Subprocessing Agreement. The Processor shall provide the Subprocessor with a copy of the inspection report.
4.4. Unless it has obtained advance written permission for this from the Processor, the Subprocessor shall not process any Personal Data or allow any data to be processed by itself or by third parties in countries outside the European Economic Area (‘EEA’).
5.1. A duty of confidentiality with respect to third parties applies to all Personal Data that the Subprocessor receives from the Processor and/or collects itself or must collect with the aim of Processing these data in accordance with the provisions of this Subprocessing Agreement.
5.2. The Subprocessor shall not use the Personal Data for a purpose other than that for which it has received the data, not even if these are put in a form such that they cannot be traced back to the Controller or to natural persons, such as the Data Subject.
5.3. The Subprocessor guarantees that the persons authorised to Process the Personal Data have committed to maintain confidentiality or are bound by an appropriate statutory duty of confidentiality which includes a penalty clause which does justice to the nature of the risk.
5.4. The duty of confidentiality does not apply to the extent the Processor or Data Subject him/herself has given explicit permission for the Personal Data to be furnished to a third party, or if and to the extent there is a statutory requirement to furnish information to a third party.
5.5. If the Subprocessor makes use of the services of other subprocessors, it unconditionally ensures that the other subprocessors will accept in writing the same duty of confidentiality as agreed on between the Parties, including an appropriate penalty clause, and that they will also comply strictly with this duty of confidentiality.
6.1. The Subprocessor is not liable for damage resulting from the failure by the Controller or the Processor to comply with the GDPR or other legislation or regulations.
6.2. The Subprocessor is liable for disadvantage and damage arising from its work. Disadvantage and damage are understood to include, among other things, fines imposed by the Dutch DPA and security incidents within the organisation of the further subprocessors it has engaged.
6.3. In supplement to any applicable general terms and conditions, direct damage is defined in this Subprocessing Agreement exclusively as all damage consisting of:
Reasonable and demonstrable costs of reminding the Subprocessor to comply with the Subprocessing Agreement properly (again).
Reasonable costs to determine the cause and size of the damage.
Reasonable and demonstrable costs incurred by the Controller to prevent or limit the direct damage as mentioned in this clause.
6.4. The exclusions and restrictions referred to in this Subprocessing Agreement and in any general terms and conditions of the Subprocessor cease to have effect if and to the extent the damage is the result of intent or wilful recklessness on the part of the Subprocessor and/or other subprocessors it uses.
7. Obligation to cooperate
7.1. The GDPR and other (privacy) legislation grants certain rights to the Data Subject. The Subprocessor shall lend its full and prompt cooperation to the Controller and/or Processor in complying with the obligations that the Controller and/or Processor has towards the Data Subject.
7.2. The Subprocessor shall forward to the Processor without delay any complaints or requests it receives from Data Subjects in relation to the Processing of Personal Data.
7.3. Immediately at the Processor's request to this end, the Subprocessor shall furnish the Processor with all relevant information concerning the aspects of the Personal Data Processing performed by it so that the Controller and/or Processor can, partly on the basis of that information, demonstrate that it complies with the applicable (privacy) legislation.
7.4. The Subprocessor shall also, immediately at the Processor's request, provide all necessary assistance in complying with the statutory obligations that the Controller and/or Processor bears on grounds of the applicable privacy legislation.
8. Personal Data breach
8.1. The Subprocessor shall report a security incident or Data Leak to the Processor within 12 hours after the Subprocessor has discovered or should reasonably have discovered that security incident or Data Leak, or in any event immediately, but at any rate within 12 hours, after the Subprocessor has been informed about such a security incident or Data Leak by a Subprocessor engaged by it.
8.2. The Subprocessor shall also inform the Processor about the developments in relation to the Personal Data breach reported by the Subprocessor.
8.3. In addition to reporting the fact that a Data Leak has occurred, the notification requirement means that the following must also be included in the notification:
the (presumed) cause of the data leak;
its effect, to the extent known at this point and/or to be expected;
the (proposed) solution;
what measures have already been taken.
The Subprocessor shall direct notifications in the context of this Subprocessing Agreement to the following Employee(s):
Email address: Telephone number:
Mr. J.W.L. Oorebeek
If the details for the above-mentioned Employees change or different Employees are appointed for this, the Parties will inform each other of this.
8.4. Reporting a Personal Data Breach to the Dutch DPA and (possibly) Data Subject(s) is always the responsibility of a Controller itself. The Subprocessor will cooperate to the extent necessary to enable such reports to be made.
8.5. To the extent the data leak is a security incident at the Subprocessor or at another subprocessor it uses, the Subprocessor will ensure, at its own expense, that the security measures are adapted such that such security incidents or data leaks, as the case may be, are prevented in future.
9. Engagement of other subprocessors
9.1. The Subprocessor shall not outsource its activities consisting of the Processing of Personal Data to other subprocessors without advance written permission from the Processor.
9.2. To the extent the Processor consents to the engagement of another subprocessor, the Subprocessor will impose on this other subprocessor at least the same obligations as apply for itself under this Subprocessing Agreement and under the law. The Subprocessor shall lay these agreements down in writing and supervise compliance with the agreements by the other subprocessors. The Subprocessor shall furnish the Processor, at the latter’s request, with copies of the agreement(s) contracted with the other subprocessors.
9.3. Despite the permission from the Processor for the engagement of other subprocessors who process (some) data on the instructions of the Subprocessor, the Subprocessor remains fully liable to the Processor for the consequences of outsourcing work to another subprocessor. Permission from the Processor for the outsourcing of work to another subprocessor does not alter the fact that the use of other subprocessors in a country outside the EEA requires permission from the Processor in accordance with the provisions of this Subprocessing Agreement.
10. Obligation to inform and audits
10.1. The Subprocessor shall make all information available that is necessary to demonstrate that the obligations under this Subprocessing Agreement have been and are being complied with.
10.2. The Subprocessor will make available to the Processor all information that is necessary to:
demonstrate compliance with the obligations laid down in this Subprocessing Agreement;
enable audits, including inspections by the Processor or Controller or an auditor authorised by the Processor or Controller.
10.3. At the Processor’s first request to this end, the Subprocessor will, within a reasonable period of time, provide the Processor with a statement from an independent external expert in which this expert gives an opinion on the compliance with the obligations contained in this Subprocessing Agreement. The Processor reserves the right to suspend payment of the Subprocessor's invoices if the Subprocessor has not submitted a proper statement from an independent external expert within a reasonable period of time.
11. Return or erasure
11.1. After expiration of the Subprocessing Agreement, the Subprocessor shall ensure, at the Processor’s discretion, either the return to the Processor of the Personal Data or the deletion of all the Personal Data. The Subprocessor shall delete any copies, notwithstanding statutory regulations that deviate from this.
11.2. The Subprocessor shall delete or return the Personal Data within three months after expiration of the Subprocessing Agreement, failing which the Subprocessor shall owe the Processor a fine of € 100 per day, up to a maximum of € 10,000.
12. Applicable law and competent court
12.1. This Subprocessing Agreement is governed by Dutch law.
12.2. Disputes about the contents and performance of this Subprocessing Agreement will be settled by the court in the district where the Processor has its registered office.
Groningen 25 May 2018
f.a.x. Translations b.v.