PROCESSOR AGREEMENT

AAS At Work B.V.

Consisting of:

  • Part 1. Data Pro Statement

  • Part 2. Standard Clauses for Processing

DATA PRO STATEMENT

This Data Pro Statement, together with the Standard Clauses for Processing, forms the processor agreement for the product or services of AAS At Work BV.

GENERAL INFORMATION

  1. This Data Pro Statement has been drawn up by AAS At Work BV, Bergen 2, 4844 EN Terheijden. For questions about this Data Pro Statement or data protection, please contact A. Hendriks, albert@aasatwork.nl

  2. This Data Pro Statement applies from 1 May 2018. We regularly adjust the security measures described in this Data Pro Statement, if necessary, to stay prepared and up-to-date with regard to data protection. We will keep you informed of new versions via our normal channels. 

NAViDocs OCR Service

  1. This Data Pro Statement applies to the NAViDocs OCR Service.

  2. The NAViDocs OCR Service is a Software as a Service (SaaS) application aimed at automatic document processing for Microsoft Dynamics NAV and Business Central.

  3. The NAViDocs OCR Service is designed to extract text from supplied digital documents/images and return it to the client.

  4. This product/service does not provide for the processing of special categories of personal data, or of data concerning criminal convictions and offences. If the client processes such data with the aforementioned product or service, it does so at its own discretion.

  5. The data processor has applied privacy by design in the design of the product/service in the following way:

  • Users can themselves upload files in various formats (pdf, jpeg etc.) and can, if necessary, change and delete data themselves within their own Dynamics NAV / Business Central environment.

  • Processor does not check the data and will only view data at the request of the client, for example if this is necessary to answer a question put to the helpdesk.

  6. Data processor uses the Data Pro Standard Clauses for Processing, which can be found at www.dataprocode.nl.

  7. Data processor processes the personal data of its clients within the EU/EEA.

  8. Data processor does not use sub-processors.

  9. Data processor assists client with requests from data subjects to extract text from documents supplied by client in pdf format and images.

  10. After termination of the agreement with a client, the data processor will in principle delete the personal data that it processes for the client within 3 months in such a way that it can no longer be used and is no longer accessible.

  11. After termination of the agreement with a client, the data processor will return all personal data that it processes for the client within 3 months.

Security Policy

  1. The data processor has taken the following security measures to protect its product or service:

  • Access to the NAViDocs OCR Service via a secure connection (SSL) with two-level authentication.

  • User-definable access.

  • Users must change their password regularly, at least once every six months.

  • Strict separation of data per client.

  • Anonymization of supplied documents/images.

  • Deletion of supplied documents/images after a period of 3 months.

  2. The data processor has conformed to the following Information Security Management System (ISMS):

  • NEN 7510, NEN 7512, NEN 7513 (for healthcare; insofar as applicable).

Data Breach Protocol

  1. In the event that something does go wrong, the data processor will use the following data breach protocol to ensure that the client is aware of incidents:

  • There is a procedure for internal reporting of incidents. If the data processor discovers a data breach in its organization, the data processor will inform its client as soon as possible by contacting the person designated for this purpose by the client. The data processor will provide as much relevant information as possible, including a description of the incident, the nature of the breach, the nature of the personal data or categories of data subjects involved, an estimate of the number of data subjects involved and the databases possibly involved, an indication of when the incident took place and what happened.

  • Notifications will be made to clients within 4 hours if possible. The data processor will not itself make notifications to the AP (Autoriteit Persoonsgegevens, the Dutch Data Protection Authority) or to data subjects. Whether or not to report remains the responsibility of the person designated by the Client. The data processor will, if desired, support the client or the controller in the reporting process.

Part 2: Standard Clauses for Processing

Article 1. Definitions

In these Standard Clauses for Processing, the Data Pro Statement and the Agreement, the following terms have the following meanings:

1.1 Data Protection Authority (DPA): the supervisory authority, as defined in Article 4(21) of the GDPR.

1.2 GDPR: the General Data Protection Regulation.

1.3 Data Processor: the party that, as an ICT supplier, processes Personal Data as a processor in the context of the performance of the Agreement on behalf of its Client.

1.4 Data Pro Statement: a statement by the Data Processor in which it provides information, among other things, on the intended use of its product or service, the security measures taken, sub-processors, data breaches, certifications and the handling of data subjects' rights.

1.5 Data subject: an identified or identifiable natural person.

1.6 Client: the party on whose behalf the Data Processor processes Personal Data. The Client can be either the controller or another processor.

1.7 Agreement: the agreement between the Client and the Data Processor on the basis of which the ICT supplier delivers services and/or products to the Client, of which the processor agreement forms part.

1.8 Personal Data: all information about an identified or identifiable natural person, as defined in Article 4(1) of the GDPR, which the Data Processor processes in the context of the performance of its obligations under the Agreement.

1.9 Processor Agreement: these Standard Clauses for Processing, which together with the Data Pro Statement (or similar information) from the Data Processor form the processor agreement as referred to in Article 28(3) of the GDPR.

Article 2. General

2.1 These Standard Clauses for Processing apply to all processing of Personal Data that the Data Processor carries out in the context of the delivery of its products and services and to all Agreements and offers. The applicability of the Client's own processing agreements is expressly rejected.

2.2 The Data Pro Statement, and in particular the security measures included therein, may be amended by the Data Processor from time to time to reflect changing circumstances. The Data Processor will inform the Client of any significant changes. If the Client cannot reasonably agree to the changes, the Client is entitled to terminate the processing agreement in writing within 30 days of notification of the changes.

2.3 The Data Processor will process the Personal Data on behalf of and in accordance with the written instructions of the Client agreed with the Data Processor.

2.4 The Client, or its customer, is the controller within the meaning of the GDPR, has control over the processing of the Personal Data and has determined the purpose and means of the processing of the Personal Data.

2.5 The Data Processor is a processor within the meaning of the GDPR and therefore has no control over the purpose and means of the processing of the Personal Data; accordingly, it does not take decisions on, among other things, the use of the Personal Data.

2.6 The Data Processor will comply with the GDPR as set out in these Standard Clauses for Processing, the Data Pro Statement and the Agreement. It is up to the Client to assess on the basis of this information whether the Data Processor offers sufficient guarantees with regard to the application of appropriate technical and organizational measures to ensure that the processing complies with the requirements of the GDPR and that the protection of the rights of data subjects is sufficiently guaranteed.

2.7 The Client warrants to the Data Processor that it acts in accordance with the GDPR, that it adequately secures its systems and infrastructure at all times and that the content, use and/or processing of the Personal Data is not unlawful and does not infringe any right of a third party.

2.8 An administrative fine imposed on the Client by the DPA cannot be recovered from the Data Processor, unless there is intent or deliberate recklessness on the part of the Data Processor's management.

Article 3. Security

3.1 The Data Processor shall take the technical and organizational security measures as described in its Data Pro Statement. In taking the technical and organizational security measures, the Data Processor has taken into account the state of the art, the implementation costs of the security measures, the nature, scope and context of the processing, the purposes and intended use of its products and services, the processing risks and the risks, in terms of probability and severity, to the rights and freedoms of data subjects that it could expect in view of the intended use of its products and services.

3.2 Unless explicitly stated otherwise in the Data Pro Statement, the Data Processor's product or service is not designed for the processing of special categories of Personal Data or data concerning criminal convictions or offences.

3.3 The Data Processor strives to ensure that the security measures it takes are appropriate for the use of the product or service intended by the Data Processor.

3.4 The described security measures offer, in the opinion of the Client, taking into account the factors mentioned in Article 3.1, a security level that is tailored to the risk of the processing of the Personal Data used or provided by the Client.

3.5 The Data Processor may make changes to the security measures taken if, in its opinion, this is necessary to maintain an appropriate level of security. The Data Processor will record important changes, for example in an amended Data Pro Statement, and will inform the Client of those changes where relevant.

3.6 The Client may request the Data Processor to take additional security measures. The Data Processor is not obliged to implement changes to its security measures in response to such a request. The Data Processor may charge the Client for the costs associated with the changes implemented at the Client's request. Only after the amended security measures desired by the Client have been agreed in writing and signed by the Parties, will the Data Processor have the obligation to actually implement these security measures.

Article 4. Data Breaches

4.1 The Data Processor does not warrant that the security measures will be effective in all circumstances. If the Data Processor discovers a data breach (as referred to in Article 4(12) of the GDPR), it will inform the Client without undue delay. The Data Pro Statement (under the data breach protocol) specifies how the Data Processor will inform the Client of data breaches.

4.2 It is up to the controller (Client, or its customer) to assess whether the data breach that the Data Processor has informed about must be reported to the DPA or Data subject. The reporting of data breaches, which must be reported to the DPA and/or Data subjects on the basis of Articles 33 and 34 of the GDPR, remains at all times the responsibility of the controller (Client or its customer). The Data Processor is not obliged to report data breaches to the DPA and/or the Data subject.

4.3 The Data Processor will, if necessary, provide further information about the data breach and will cooperate with the Client in providing the necessary information for a notification as referred to in Articles 33 and 34 of the GDPR.

4.4 The Data Processor may charge the Client for the reasonable costs it incurs in this context at its then applicable rates.

Article 5. Confidentiality

5.1 The Data Processor guarantees that the persons who process Personal Data under its responsibility have a duty of confidentiality.

5.2 The Data Processor is authorized to provide the Personal Data to third parties, if and to the extent that such provision is necessary in accordance with a court order, a legal provision or on the basis of a valid order given by a government authority.

5.3 All access and/or identification codes, certificates, information on access and/or password policy and all information provided by the Data Processor to the Client that gives substance to the technical and organizational security measures included in the Data Pro Statement are confidential and will be treated as such by the Client and will only be made known to authorized employees of the Client. The Client will ensure that its employees comply with the obligations set out in this article.

Article 6. Term and Termination

6.1 This processing agreement forms part of the Agreement and any new or subsequent agreement, enters into force at the time of the conclusion of the Agreement and is concluded for an indefinite period of time.

6.2 This processing agreement will terminate by operation of law upon termination of the Agreement or any new or subsequent agreement between the parties.

6.3 In the event of termination of the processing agreement, the Data Processor will, within the period specified in the Data Pro Statement, delete all Personal Data in its possession and received from the Client in such a way that it can no longer be used and is no longer accessible (render inaccessible), or, if agreed, return it to the Client in a machine-readable format.

6.4 The Data Processor may charge the Client for any costs it incurs in the context of the provisions of Article 6.3. Further arrangements can be made in the Data Pro Statement.

6.5 The provisions of Article 6.3 do not apply if a legal regulation prevents the Data Processor from deleting or returning all or part of the Personal Data. In such a case, the Data Processor will only continue to process the Personal Data to the extent necessary to comply with its legal obligations. The provisions of Article 6.3 also do not apply if the Data Processor is the controller within the meaning of the GDPR with respect to the Personal Data.

Article 7. Data Subject Rights, Data Protection Impact Assessment (DPIA) and Audit Rights

7.1 The Data Processor will, where possible, assist the Client with reasonable requests related to data subject rights invoked by data subjects at the Client. If the Data Processor is directly approached by a data subject, it will, where possible, refer the data subject to the Client.

7.2 If the Client is obliged to do so, the Data Processor will, after a reasonable request to do so, cooperate in a data protection impact assessment (DPIA) or a subsequent prior consultation as referred to in Articles 35 and 36 of the GDPR.

7.3 The Data Processor can demonstrate compliance with its obligations under the processing agreement by means of a valid Data Pro Certificate or an equivalent certificate or audit report (Third Party Memorandum) from an independent, expert auditor.

7.4 In addition, the Data Processor will, at the Client's request, provide all further information that is reasonably necessary to demonstrate compliance with the agreements made in this processing agreement. If, despite this, the Client has reason to believe that the processing of Personal Data is not taking place in accordance with the processing agreement, the Client may, at its own expense, have an audit carried out once a year by an independent, certified, external auditor who demonstrably has experience with the type of processing carried out on the basis of the Agreement. The audit will be limited to checking compliance with the agreements regarding the processing of Personal Data as set out in this Processing Agreement. The auditor will have a duty of confidentiality with regard to its findings and will only report to the Client that which constitutes a shortcoming in the fulfilment of the obligations that the Data Processor has under this processing agreement. The auditor will provide a copy of its report to the Data Processor. The Data Processor may refuse an audit or an instruction from the auditor if it is of the opinion that it is in breach of the GDPR or other legislation or constitutes an unacceptable intrusion into the security measures it has taken.

7.5 The Parties will consult each other as soon as possible on the findings of the report. The Parties will follow up on the proposed improvement measures set out in the report to the extent that this can reasonably be expected of them. The Data Processor will implement the proposed improvement measures to the extent that it considers them appropriate, taking into account the processing risks associated with its product or service, the state of the art, the implementation costs, the market in which it operates and the intended use of the product or service.

7.6 The Data Processor has the right to charge the Client for the costs it incurs in the context of this article.

Article 8. Sub-processors

8.1 The Data Processor has stated in the Data Pro Statement whether and, if so, which third parties (sub-processors) it engages in the processing of Personal Data.

8.2 The Client authorizes the Data Processor to engage other sub-processors in the performance of its obligations under the Agreement.

8.3 The Data Processor will inform the Client of any change in the third parties engaged by the Data Processor, for example by means of an amended Data Pro Statement. The Client has the right to object to the aforementioned change by the Data Processor. The Data Processor will ensure that the third parties it engages commit themselves to the same level of security with regard to the protection of Personal Data as the level of security to which the Data Processor is bound towards the Client on the basis of the Data Pro Statement.

Article 9. Other

These Standard Clauses for Processing, together with the Data Pro Statement, form an integral part of the Agreement. All rights and obligations under the Agreement, including the applicable general terms and conditions and/or limitations of liability, shall therefore also apply to the processing agreement.