This Data Processing Addendum (“DPA”) applies to Organizers that are subject to the EU General Data Protection Regulation (2016/EC/679, or “GDPR”), or equivalent legislation, including any amending or replacement legislation from time to time (“Applicable Data Protection Laws”), which require Krowden to process Personal Data on their behalf as part of Organizer’s use of the Services.
In this DPA, references to “Controller” mean the Organizer and references to “Processor” and “Krowden” mean NetworkTables B.V.
With respect to provisions regarding Processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between Organizer and Processor, this DPA will control; except where Organizer and Krowden have individually negotiated data processing terms that are different from this DPA and which meet the requirements of Applicable Data Protection Law in full, in which case those negotiated terms will control.
1.1. The terminology used in this data processing addendum (DPA), such as “processing” and “personal data”, has the meaning as defined in the GDPR.
1.2. As of the 25th of May 2018, any references to articles of the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, hereinafter: “Wbp”) in the DPA will refer to the corresponding articles of the GDPR.
2. PROCESSING OBJECTIVES
2.1. The Processor undertakes to process personal data on behalf of the Controller in accordance with the conditions laid down in the DPA. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes reasonably related thereto or as may be agreed to subsequently. In general, the purposes of processing will consist of enabling Controller to organize and promote events and manage session registration & matchmaking using Processor’s Services.
2.2. The Controller undertakes to use Processor’s services to process personal data. The personal data may include, but is not limited to, the following categories: name, address details, email, company, position, phone number, information related to events booked and attended, relationship to Organizer and any other Personal Data that Organizer requests of its Consumers;
2.3. The Controller undertakes to use Processor’s services to process personal data from the following categories of data subjects: Consumers, Controller’s employees, Board members, Independent contractors, People working for clients of the Controller, People working for suppliers of the Controller, Other business contacts and Other people who may be interested in the Controller’s event;
2.4. The Controller will notify the Processor of the processing purposes, as well as the categories of personal data and data subjects, to the extent these have not already been cited in the DPA. The Processor may use the contact information of the Controller and the employees of the Controller for quality purposes, such as sending surveys or carrying out statistical research into the quality of its services, until revoked digitally or in writing (e.g. email).
2.5. The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes.
2.6. All rights pertaining to the personal data processed by the Processor on behalf of the Controller, shall remain with the Controller and/or the concerning data subjects.
3. OBLIGATIONS OF THE PROCESSOR
3.1. With regard to the processing referred to in the previous article, the Controller and the Processor will undertake to comply with the applicable privacy legislation such as the Wbp and the GDPR.
3.2. On request of the Controller and within a reasonable time thereof, the Processor shall furnish the Controller with details regarding the measures it has adopted to comply with its obligations under the DPA. The Processor’s obligations arising under the terms of the DPA apply also to whomsoever processes the personal data under the Processor’s instructions (sub-processors).
4. ALLOCATION OF RESPONSIBILITY
4.1. The permitted processing operations shall be semi-automated and performed under the control of the Processor. The Processor is solely responsible for the processing of personal data under the DPA, in accordance with the instructions of the Controller and under the (final) responsibility of the Controller. The Processor is not responsible for any other processing operations involving personal data, including the gathering of personal data by the Controller, processing for purposes that the Controller has not reported to the Processor and processing by third parties and/or for other purposes not stated in the DPA.
4.2. The Controller represents and warrants that it has a valid legal basis to process the relevant personal data and to engage the Processor in relation to such processing of personal data. Furthermore, the Controller represents and warrants that the processing by the Processor is not unlawful and does not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the unlawful processing of personal data.
4.3. In case applicable privacy legislation requires a Privacy Impact Assessment to be conducted before the intended processing under the Agreement and the DPA may be carried out, then the Processor shall provide the Controller with assistance to the extent necessary and reasonable. The Processor may charge reasonable costs for the aforementioned assistance. The first two hours are included in our services. For extra hours required due to the nature (amount of questions), we charge 80eur per hour.
5. TRANSFER OF PERSONAL DATA
5.1. The Processor may process the personal data in countries inside the European Union (EU). In addition, the Processor may also transfer the personal data to a country outside the EU, provided that the legal requirements for such transfer have been fulfilled. In case data is stored outside the EU, we always ensure the same Privacy & Security Standards apply as the country the data was collected (EU) by ensuring at least one of the following safeguards is implemented:
√ We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
√ Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
√ Where we use providers based in the US, we only transfer data to them under the scope of a Data Processing Agreement which incorporates Standard Contractual clauses or Binding Corporate rules which require them to provide similar protection to personal data shared between Europe and the US.
All third parties are GDPR compliant and we have signed DPAs with third parties, which are available on request. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA: firstname.lastname@example.org.
5.2. Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.
5.3. Within the framework of the Agreement and the DPA, the Processor is hereby authorised to engage third parties (sub-processors). On request of the Controller, the Processor shall inform the Controller about which sub-processors are engaged by the Processor. The Processor shall inform the Controller about any planned change in the used sub-processors, in which case the Controller has the right to object (in writing, within two weeks and supported by arguments) to the proposed change in sub-processors. An overview of the sub-processors is available on Processor’s website: www.krowden.com/krowden-sub-processors
5.4. Should the Controller object to such change, then the Parties will jointly endeavour to find a reasonable solution. If Parties cannot come to a solution, then the Processor is allowed to make the planned change in the used sub-processors and the Controller is allowed to terminate the Agreement (including the DPA) on the date that the Processor will actually make the change in the used sub-processors.
5.5. The Processor undertakes to bind the relevant sub-processors to substantially the same obligations as the Processor is bound to based on the DPA.
6. SECURITY MEASURES
6.1. The Processor will endeavour to take adequate technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under the DPA.
6.2. The Processor will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
6.3. The Controller will only make the personal data available to the Processor for processing if it is assured that the necessary security measures have been taken.
7. DUTY TO REPORT
7.1. In the event of a security breach, the Processor shall, to the best of its ability, notify the Controller thereof without undue delay, after which the Controller shall determine whether or not to inform the data subjects and/or the relevant regulatory authority.
7.2. A ‘security breach’ as stated in this article 7 is a breach of Processor’s security, leading to (a significant chance of) severe negative consequences for the protection of personal data, as referred to in article 34a Wbp.
7.3. If required by law and/or regulations, the Processor shall cooperate in notifying the relevant authorities and/or data subjects. The Controller remains the responsible Party for any statutory obligations in respect thereof.
7.4. The duty to report a security breach includes in any event the duty to report the fact that a personal data breach has occurred, including details regarding:
a. the (suspected) cause of the breach;
b. the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of data records concerned;
c. the (currently known and/or anticipated) consequences thereof;
d. the (proposed) solution;
e. the measures that have already been taken to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.
8. HANDLING OF REQUESTS FROM DATA SUBJECTS
8.1. Where a data subject submits a request to the Processor regarding his/her personal data (for example, to inspect, correct or delete the data, or to receive a copy of the data), the Processor will forward the request to the Controller and the request will then be dealt with by the Controller. The Processor may notify the data subject hereof. On request of the Controller, the Processor will provide assistance with handling such request to the extent necessary and reasonable. The Processor may charge reasonable costs for such assistance. Organizer hereby instructs and authorizes Krowden to delete or anonymize the Consumer’s Personal Data on Organizer’s behalf.
9. NON-DISCLOSURE AND CONFIDENTIALITY
9.1. All personal data processed within the framework of the DPA by the Processor (and/or its sub-processors) on behalf of the Controller is subject to a duty of confidentiality vis-à-vis third parties. The Processor shall bind its employees and/or sub-processors, who will perform processing activities under the DPA, to an obligation of confidentiality.
9.2. This duty of confidentiality will not apply in the event that the Controller has expressly authorised the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of the DPA, or where there is a legal obligation to make the information available to a third party.
10.1. The Controller has the right to have audits performed by an independent third party bound by confidentiality to check Processor’s compliance with the DPA.
10.2. Such audits may only take place after:
- the Controller has requested (from the Processor) the similar audit reports from independent third parties that are already in Processor’s possession; and
- the Controller has reviewed the aforementioned audit reports and can provide legitimate reasons to initiate an audit as mentioned in paragraph 1.
10.3. An audit as mentioned in paragraph 1, may only be undertaken once every 3 years. At least two weeks before an audit can take place, Controller shall inform the Processor of the audit.
10.4. The Processor shall cooperate with the audit and provide all information reasonably relevant for the audit, Except for that Personal Data with respect to which Processor acts as a Data Controller, return, delete, or destroy (at Controller’s election), the Personal Data and copies thereof, at Controller’s request (unless applicable law requires the storage of such Personal Data).
10.5. The findings further to the audit conducted will be assessed by the Parties in mutual consultation and, following on from this, may or may not be implemented by one of the parties or by both Parties together.
10.6. The costs of the audit, including the costs that the Processor has to make to cooperate with the audit, shall be borne by the Controller.
11. TERM AND TERMINATION
11.1. The DPA is an integral part of the Agreement, which means that the DPA is entered into for the duration set out in the Agreement and that additional provisions in the Agreement and Processor’s General Terms, such as the limitation of liability, are also directly applicable to the DPA.
11.2. The Processor shall provide its full cooperation in amending and adjusting the DPA in the event of new or changing privacy legislation.
12. APPLICABLE LAW AND DISPUTE RESOLUTION
12.1. The DPA and the implementation thereof will be governed by Dutch law.
12.2. Any dispute arising between the Parties in connection with and/or arising from the DPA will be referred to the competent Dutch court in the district where the Processor has its registered office.
12.3. In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
a. the Agreement;
b. the DPA;
c. the General Terms;
d. additional conditions, where applicable.
12.4. Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.
Last Revised: 25th of January 2023, 17:34PM CET