Processor agreement

This Processor Agreement applies to all forms of processing of personal data that The HACCP Company, registered with the Chamber of Commerce under number 59774002, (hereinafter: Processor) performs for the benefit of a counterparty to whom it provides services (hereinafter: Controller) on the basis of the agreement concluded between the parties.

1. Purposes of processing

1.1. Processor undertakes to process personal data under the conditions of this Processor Agreement on behalf of Data Controller. Processing will only take place in the context of storing data of Processing Controller and associated online services in the ‘cloud’, sending regular updates by mail on behalf of Processing Controller, alerting by mail, SMS or telephone, plus those purposes that reasonably connected or determined with further agreement.

1.2. The personal data that is processed by Processor in the context of the work as referred to in the previous paragraph and the categories of the parties from whom they originate are included in Annex 1. Processor will not process the personal data for any purpose other than as specified by The controller has been established. The controller will inform the Processor of the processing purposes insofar as these have not already been mentioned in this Processor Agreement. However, the processor may use the personal data for quality purposes, such as surveying the data subjects or conducting scientific or statistical research into the quality of its services.

1.3. The personal data to be processed on the instructions of the Processing Responsible Party remain the property of the Processing Responsible Party and / or the parties involved.

2. Obligations Processor

2.1 With regard to the processing operations referred to in Article 1, Processor will ensure compliance with the applicable laws and regulations, including at least the laws and regulations regarding the protection of personal data, such as the AVG .

2.2 The Processor will, at its first request, inform the Data Controller of the measures it has taken regarding its obligations under this Processor Agreement.

2.3 The Processor’s obligations arising from this Processor Agreement also apply to those who process personal data under the Processor’s authority, including but not limited to employees, in the broadest sense of the word.

2.4 The Processor will immediately inform the Controller if, in his opinion, an instruction from the Controller is contrary to the legislation referred to in paragraph 1.

2.5 Processor shall, to the extent that it is within its control, provide assistance to Data Controller for the performance of data protection impact assessments (DPIAs).

2.6 Processor will maintain a register of all categories of processing activities in accordance with Article 30 of the AVG, which it performs for the Controller under this Processor Agreement. Upon request, the Processor will provide the Controller with insight into this.

3. Transfer of personal data

3.1 Processor may process personal data in countries within the European Union. Transfer to countries outside the European Union is prohibited.

4. Division of responsibility

4.1 For the purposes of the processing, the Processor makes IT resources available that can be used by the Controller for the purposes stated above. Processor itself only processes on the basis of separate agreements.

4.2 Processor is solely responsible for the processing of the personal data under this Processor Agreement, in accordance with the instructions of the Controller and under the express (final) responsibility of the Controller. For the other processing of personal data, including at least, but not limited to, the collection of the personal data by the Processing Controller, processing for purposes not reported to the Processing Controller, processing by third parties and / or for other purposes, the Processing Agent explicitly not responsible.

4.3 Processing controller guarantees that the content, use and instruction to process the personal data as referred to in this processing agreement are not unlawful and do not infringe any rights of third parties.

5. Use of third parties or subcontractors

5.1. The Processor is permitted to use a Sub-processor within the framework of the Agreement. The Processor will impose the same requirements and obligations on a Sub-processor as those applicable to the Processor pursuant to this Processor Agreement.

6. Security

6.1 Processor shall endeavor to take sufficient technical and organizational measures with regard to the processing of personal data, against loss or against any form of unlawful processing (such as unauthorized access, encroachment, alteration or provision of personal data).

6.2 Processor does not guarantee that the protection will be effective under all circumstances. If an explicitly described security is missing in the Processor Agreement, Processor will endeavor to ensure that the security meets a level that, given the state of the art, the sensitivity of the personal data and the costs associated with taking the security, is not unreasonable is.

6.3 The controller only makes personal data available to the Processor for processing if it has ensured that the required security measures have been taken. The controller is responsible for compliance with the measures agreed by the parties.

7. Reporting obligation

7.1. The controller is at all times responsible for reporting a security incident and / or data breach (including: a security breach that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorized provision of or the unauthorized access to data transmitted, stored or otherwise processed) to the regulator and / or data subjects. To enable the Controller to comply with this legal obligation, the Processor informs the Controller of the security incident and / or the data breach within 48 hours after the leak has become known to him.

7.2. A notification must always be made, but only if the event has actually occurred.

7.3. The reporting obligation in any case involves reporting the fact that there has been a leak. In addition, the reporting obligation includes:

  • the nature of the personal data breach, where possible specifying the categories of data subjects and data in question and, approximately, the number of data subjects and data in question;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely impact of the personal data breach;
  • the measures that Processor has proposed or taken to address the personal data breach, including, where appropriate, the measures to limit any adverse consequences thereof.

7.4. Processor will document all data breaches in accordance with Article 33 (5) of the AVG, including the facts concerning the personal data breach, the consequences thereof and the corrective measures taken. Upon request, the Processor will provide the Controller with insight into this.

8. Article 8. Handling requests from stakeholders

8.1. In the event that a data subject submits a request for the exercise of his / her legal rights (Articles 15-22 of the AVG) to the Processor, the Parties will process the data request of the data subject in mutual consultation. In that case, the controller remains ultimately responsible for the handling.

9. Confidentiality and confidentiality

9.1. All personal data that the Processor receives from the Controller and / or collects itself in the context of this Processor Agreement is subject to a confidentiality obligation towards third parties. Processor shall not use this information for a purpose other than that for which it obtained it, even if it has been presented in such a form that it is not traceable to data subjects.

9.2. This duty of confidentiality does not apply to the extent that the Controller has given explicit permission to provide the information to third parties, if the information is provided to third parties logically necessary in view of the nature of the assignment given and the implementation of this Processor Agreement, or if there is a there is a legal obligation to provide the information to a third party.

10. Audit

10.1. The controller has the right to have audits carried out by an independent third party who is bound by confidentiality to check compliance with the general rules regarding the processing of personal data and everything that is directly related to this.

10.2. This audit may take place once a year and if there is a specific suspicion of misuse of personal data.

10.3. Processor shall cooperate with the audit and make all information reasonably relevant to the audit, including supporting data such as system logs, and employees available as soon as possible.

10.4. The findings resulting from the audit will be assessed by the Parties in mutual consultation and, as a result thereof, may or may not be implemented by one of the Parties or by both Parties jointly.

10.5. The costs of the audit are borne by the Controller.

11. Liability

11.1. The liability of the Processor for damage as a result of an attributable shortcoming in the fulfillment of the Processor Agreement, or as a result of an unlawful act or otherwise, is excluded. To the extent that the aforementioned liability cannot be excluded, it is limited per event (a series of consecutive events to be considered as one event) to compensation for direct damage, to a maximum of the amount received by the Processor for the work under this Processor Agreement for the month preceding to the event causing the damage. The liability of the Processor for direct damage will never amount to more than € 10,000.00 in total.

11.2. Direct damage is exclusively understood to mean all damage consisting of:

  • damage directly caused to material things (“property damage”);
  • reasonable and demonstrable costs to urge the Processor to (properly) comply with the Processor Agreement;
  • reasonable costs to determine the cause and extent of the damage insofar as it relates to direct damage as referred to here; and
  • reasonable and demonstrable costs incurred by the Controller to prevent or limit the direct damage as referred to in this article.

11.3. The liability of the Processor for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage and therefore in any case, but not limited to, consequential damage, lost profit, missed savings, reduced goodwill, damage due to business interruption, damage due to non-achievement of marketing objectives, damage related to the use of data or data files prescribed by the Data Controller, or loss, corruption or destruction of data or data files.

11.4. The exclusions and limitations referred to in this article will lapse if and insofar as the damage is the result of intent or willful recklessness on the part of the Processor or its management.

11.5. Unless fulfillment by the Processor is permanently impossible, the Processor’s liability for imputable failure to comply with the Agreement only arises if the Processing Responsible immediately gives Processor notice of default in writing, whereby a reasonable period of time for the remediation of the shortcoming is set, and Processor also after that imputable term continues to fail to meet its obligations. The notice of default must contain a description of the shortcoming that is as complete and detailed as possible, so that Processor is given the opportunity to respond adequately.

11.6. Any claim for compensation by the Controller against Processor that has not been specified and explicitly reported will lapse by the mere lapse of twelve (12) months after the claim arose.

12. Duration and termination

12.1. This Processor Agreement is part of the Main Agreement between the Controller and Processor, and commences as soon as this Agreement has been concluded.

12.2. This Processor Agreement has been entered into for the duration as stipulated in the Main Agreement between the Parties and, in the absence thereof, in any case for the duration of the cooperation.

12.3. As soon as the Processor Agreement has been terminated, for whatever reason and in whatever way, Processor will – at the discretion of the Controller – return all personal data that it has in its original or copy form to the Controller, and / or these original personal data and any copies thereof remove and / or destroy, with due observance of legal retention periods.

12.4. Processor is entitled to revise this agreement from time to time. It will notify the Data Controller at least three months in advance. The controller may cancel by the end of these three months if it cannot agree with the changes.

13. Applicable law and dispute resolution

13.1. The Processor Agreement and its implementation are governed by Dutch law.

13.2. All disputes that may arise between the Parties in connection with the Processor Agreement, will be submitted to the competent court for the district in which Processor is established.

Appendix 1: Specification of personal data and data subjects

In accordance with Article 1.1 of the Processor Agreement, the Processor will process the following (special) personal data of the aforementioned categories of data subjects on behalf of the Controller:

Regular updates / personal data are deleted 12 months after the user account is deactivated.

Account holders

  • Email address
  • name and address data


  • Email address
  • name and address data

Alerting via e-mail, SMS or telephone / personal data will be deleted 12 months after the de-activate user account.

Staff, account holders

  • Staff, account holders

Cloud storage of data / personal data will be deleted 12 months after the de-activate user account.


  • (Pass) photos
  • Phone number
  • IP address
  • Email address
  • Visiting behavior
  • Name and address details

Account Holders

  • (Pass) photos
  • Phone number
  • IP address
  • Email address
  • Visiting behavior
  • name and address data

Name and address data: Data controller guarantees that the personal data and categories of data subjects described in this Appendix 1 are complete and correct, and indemnifies Processor against any defects and claims resulting from incorrect display by Data controller.