Where this Data Processing Agreement uses terms that are defined in the GDPR, those terms shall have the same meaning as in the GDPR unless otherwise defined hereinafter. Where this Data Processing Agreement uses terms that are defined in the terms & conditions of OrderLemon, those terms shall have the same meaning as in the terms and conditions of OrderLemon. The capitalized terms used in this Data Processing Agreement have the following meaning:
Controller: the Contractor that concludes the Agreement with OrderLemon to use the Platform and other Services.
Data Subject: the individual who is the subject of Personal Data.
Data Processing Agreement: the present Data Processing Agreement.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Personal Data: any information relating to an identified or identifiable natural person the Processor processes for the purposes of the execution of the Agreement with the Controller.
Processor: OrderLemon.
By using the Platform and/or other Services of OrderLemon, personal data are processed. The categories of Data Subjects and types of Personal Data processed by the Processor are included in Annex 1.
The Processor shall process the Personal Data it has received only on the basis of the Controller's written instructions and only for the purposes of the execution of the Agreement, unless any provision of EU law or Member State law requires it to carry out this processing. In that case, the Processor shall notify the Controller of this legal requirement prior to the processing operation unless this legislation prohibits this notification for important reasons of public interest.
The Processor does not have any control over the purposes and means of the processing of Personal Data. Nothing in this Data Processing Agreement is intended to transfer control over Personal Data to the Processor in any way.
The Processor is not permitted:
a. to process Personal Data for its own purposes;
b. to process Personal Data for other or more extensive purposes than those that are reasonably required for the execution of the Agreement;
c. to disclose Personal Data to third parties to the extent this is not permitted under the Agreement and/or the Data Processing Agreement and/or under any mandatory statutory provision requiring the Processor to disclose Personal Data to supervisory or investigation authorities.
The parties shall act in accordance with the provisions of the GDPR and any future national or European statutory and other rules on the processing of Personal Data that may be in force from time to time. If future statutory and other rules reveal a need to adjust the Data Processing Agreement, the parties will consult with each other for the purpose of making new arrangements that reflect the tenor of this Data Processing Agreement as much as possible.
The Processor agrees to cooperate with the Controller in the execution of a Privacy Impact Assessment to the extent it may do so given the information available to it and the nature of the processing. The reasonable costs this duty to cooperate entails must be borne by the Controller.
To the extent that the Controller is required under statutory or other rules to give information about the processing of Personal Data to a supervisory authority, the Processor shall, when first requested to do so by the Controller, render all cooperation with the Controller that is reasonably requested, so as to ensure that this information is made available and the supervisory authority can be adequately informed.
The Processor agrees to maintain confidentiality of the Personal Data and to ensure that the persons authorized to process the Personal Data undertake to maintain confidentiality.
This duty of confidentiality will continue to exist after the termination of this Data Processing Agreement, unless it concerns information that is already available to the public other than as a result of any violation of the aforementioned duty of confidentiality.
The Processor will take appropriate technical and organizational measures to safeguard a security level tailored to the risk identified and which comprise the measures set out in Annex 2.
In determining the measures to be taken, the Processor shall take account of the state of the art and the implementation costs as well as of the nature, scope, context and purposes of the processing operation concerned and the various risks, in terms of probability and severity, for the rights and freedoms of individuals.
In assessing the appropriate security level, the Processor shall take particular account of the processing risks, mainly those relating to the destruction or loss of data that have been transmitted, stored or processed in any other way, as well as those relating to changes made in or the unauthorized disclosure of such data, either accidentally or unlawfully.
The Processor agrees to take measures to ensure that every natural person who works under the authority of the Processor and who has access to Personal Data will process these data only on the instructions of the Controller, unless any provision of EU law or Member State law requires it to carry out this processing.
The Processor agrees to provide the Controller with the necessary information at the latter's request, to ensure that the Controller is able to assess the Processor's compliance with the provisions of this Data Processing Agreement.
If the Processor is of the opinion that any instruction given by the Controller within the meaning of paragraph 1 constitutes a violation of any statutory or other rules that are in force, including the GDPR, it shall immediately inform the Controller thereof.
The Controller is entitled to engage an independent expert to ascertain whether the Processor fulfils the obligations of the Processor in this Data Processing Agreement, which independent expert will be under an obligation to maintain confidentiality in respect of the foregoing. The Processor shall cooperate in the audit and make all information that is reasonably relevant to the audit available as soon as possible. The costs of the audits carried out on the instructions of the Controller must be borne by the Controller, unless it turns out that the Processor has failed to fulfill its obligations to a sufficient extent, in which case the Processor must bear the costs.
If the audit report of the independent expert shows that the measures taken by the Processor do not sufficiently comply with the GDPR and/or other statutory or other rules that are in force, the Processor shall immediately take such measures as are necessary to comply with the foregoing rules after all.
The Processor shall inform the Controller immediately, as soon as it finds that there has been any breach with respect to the Personal Data. This information provided must enable the Controller to fulfill its obligations under Section 34a of the Dutch Data Protection Act and Articles 33 and 34 of the General Data Protection Regulation.
The Processor shall always keep the Controller fully informed about the progress of any actions to remedy the breach and all relevant developments in respect of the data breach and the consequences thereof. The Processor shall take all measures that can be reasonably expected from it to mitigate the adverse consequences of any unauthorized access of data. Contractor is obliged to provide current and accurate information to OrderLemon and to keep such information up to date. If the processing of an Order faces technical or other operational issues, OrderLemon will, where reasonably possible, contact the relevant Customer by telephone or other means on behalf of the Contractor, with the intention to solve the issue where possible.
The Processor is not permitted to communicate with the relevant Data Subject(s) and/or supervisory authorities other than on the instructions of the Controller or with its express and explicit permission.
Processor hereby obtains consent to subcontract parts of the processing of Personal Data to other processors during the term of the Agreement. The subcontractors are:
● META
● Online Payment Platform
● MessageBird
The Processor shall inform the Controller of any intended changes regarding the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
Processor shall ensure that all sub-processors engaged by it that play a role in the performance of the Agreement will comply with the obligations contained in this Data Processing Agreement, in particular the obligation to provide adequate safeguards regarding the application of appropriate technical and organizational measures in order to ensure an equivalent level of protection of Personal Data.
Under the GDPR, the Controller has obligations vis-à-vis the Data Subject, such as in respect of the provision of information, giving access to, rectifying, and deleting Personal Data. The Processor shall, where possible, cooperate with the Controller in fulfilling the latter's obligations in this regard. Processor reserves the right to charge its regular hourly rate to Processor for its cooperation.
If a Data Subject contacts Processor directly in relation to the performance of its rights under the GDPR, the Processor will not address this (in substance), but will notify the Controller without delay.
The Processor shall ensure that every processing operation of Personal Data that is performed by or on behalf of the Processor, including third parties engaged by it for the purposes of the execution of the Agreement, is carried out within the European Economic Area (EEA) or to or from countries that offer an adequate level of protection in accordance with the GDPR.
Consequently, without the Controller's prior written permission, the Processor may not transmit Personal Data to or store them in a country outside the EEA or make Personal Data accessible from a non-EEA country, unless this country ensures an adequate level of protection or if an applicable provision of Union law or Member State law requires it to process the relevant data. In that case the Processor shall notify the Controller, prior to the processing operation, about that legal requirement, unless this legislation prohibits this notification for important reasons of public interest.
The Controller warrants that the data processing will be carried out in accordance with the law. This means in any case that the Controller warrants that it is entitled to collect data or have data collected and that it is entitled to process these data and have these collected.
The Controller shall indemnify the Processor for any loss or damage and costs resulting from any claims by third parties, expressly including the Data Subjects and supervisory authorities (such as the Dutch Data Protection Authority), relating to or arising from any unlawful processing operation and/or any other violation of the GDPR or the Data Processing Agreement that can be attributed to the Controller.
This Data Processing Agreement enters into force at the time of entry into force of the Agreement and is entered into for the duration of the Agreement.
As soon as the Agreement terminates or is terminated for whatever reason, the present Data Processing Agreement will remain in force as long as Personal Data are processed by the Processor, after which this Data Processing Agreement ends by operation of law.
Upon the termination of this Data Processing Agreement, the Processor shall at first request and at the discretion of the Controller:
a. make available to the Controller all personal data in a customary format requested by the Controller; or
b. delete all Personal Data.
The Processor may retain a copy of the Personal Data only if it is obliged to do so in accordance with a mandatory statutory provision.
Amendments and additions to the present Data Processing Agreement are valid only if the Parties have agreed upon them in writing.
This Data Processing Agreement is exclusively governed by Dutch law.
Any disputes arising under or in connection with this Data Processing Agreement must be exclusively submitted to the Court of Utrecht.
Annex 1 - categories of Data Subjects and types of Personal Data processed by the Processor
OrderLemon and MessageBird
● Phone numbers
● Names and surnames
● Address
Online Payment Platform
● Phone numbers
● Names and surnames
● Address
● Official ID Documents such as Passports or National ID Card
● IBAN