This data processing agreement is an appendix to "General Terms & Conditions of Service" (hereinafter: the Agreement) by and between Operational Expert (hereinafter: Controller) and Bayes’ Company (hereinafter: Processor).
Article 1. Purposes of processing
- 1.1. Processor hereby agrees under the terms of this Data Processing Agreement to process personal data on behalf of the Controller. Processing shall be done solely for the purpose of the Agreement, in particular for facilitating orders and payments for products or services of Controller, storing data in the 'cloud' for the benefit of Controller, and associated online services, managing financial administration (invoicing) of Controller for services rendered to customers, providing customer service by e-mail and phone with customers of Controller (Bayes’ members and prospective members), managing the (Bayes’) customer administration of Controller, and all purposes compatible therewith or as determined jointly.
- 1.2. The personal data to be processed by Processor for the purposes as set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data Processing Agreement. Processor shall not process the personal data for any other purpose except with Controller's consent. Controller shall inform Processor of any processing purposes to the extent not already mentioned in this Data Processing Agreement. Processor however is permitted to use personal data for quality assurance purposes, including surveys to data subjects and statistical research purposes regarding the quality of Processor's services.
- 1.3. All personal data processed on behalf of Controller shall remain the property of Controller and/or the data subjects in question.
Article 2. Processor obligations
- 2.1. Regarding the processing operations referred to in the previous clause, Processor shall comply with all applicable legislation, including at least all data processing legislation such as the GDPR.
- 2.2. Upon first request Processor shall inform Controller about any measures taken to comply with its obligations under this Data Processing Agreement.
- 2.3. All obligations for Processor under this Data Processing Agreement shall apply equally to any persons processing personal data under the supervision of Processor, including but not limited to employees in the broadest sense of the term.
- 2.4. Processor shall inform Controller without delay if in its opinion an instruction of Controller would violate the legislation referred to in the first clause of this article.
- 2.5. Processor shall provide reasonable assistance to Controller in the context of any data protection impact assessments to be made by Controller.
- 2.6. Processor shall, in accordance with Article 30 GDPR, keep a register of all categories of processing activities which it carries out on behalf of the Controller under this data processing agreement. At Controller's request, Processor shall provide Controller access to this register.
Article 3. Transfer of personal data
- 3.1. Processor may process the personal data in any country within the European Union.
- 3.2. Transfer to countries outside the European Union is not permitted.
- 3.3. Processor shall report the countries involved to Controller.
Article 4. Allocation of responsibilities
- 4.1. The authorised processing operations shall be performed in a fully automated fashion under control of Processor.
- 4.2. Processor is solely responsible for the processing of personal data under this Data Processing Agreement in accordance with the instructions of Controller and under the explicit supervision of Controller. For any other processing of personal data, including but not limited to any collection of personal data by Controller, processing for purposes not reported to Processor, processing by third parties and/or for other purposes, the Processor does not accept any responsibility.
- 4.3. Controller represents and warrants that the content, usage and instructions to process the personal data as meant in this Data Processing Agreement are lawful and do not violate any right of any third party.
Article 5. Involvement of sub-processors
- 5.1. Processor shall not involve any third parties in the processing under this Data Processing Agreement without the prior written permission of Controller, which permission may be made conditional.
- 5.2. Controller will permit Processor to share personal data with (prospective) Bayes’ customers for the purpose of rendering services by the Controller to such (prospective) customers.
- 5.3. In any event, Processor shall ensure that any third parties are bound to at least the same obligations as agreed between Controller and Processor. Controller has the right to inspect the agreements containing such obligations.
- 5.4. Processor shall ensure that these third parties shall comply with the obligations under this Data Processing Agreement and is liable for any damages caused by violations by these third parties as if it committed the violation itself.
Article 6. Security
- 6.1. Processor shall use reasonable efforts to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the processing operations involved, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed).
- 6.2. Processor does not warrant that the security is effective under all circumstances. If any security measure explicitly agreed in this Data Processing Agreement is missing, then Processor shall use best efforts to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- 6.3. Controller shall only provide personal data to Processor for processing if it has ensured that the required security measures have been taken. Controller is responsible for the parties' compliance with these security measures.
Article 7. Notification and communication of data breaches
Article 8. Processing requests from data subjects
- 8.1. In the event a data subject makes a request to exercise his or her legal rights under the GDPR (Articles 15-22) to Processor, Processor shall pass on such request to Controller, and Controller shall process the request. Processor may inform the data subject of this passing on.
Article 9. Confidentiality obligations
- 9.1. All personal data that Processor receives from Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties. Processor shall not use this information for any goals other than for which it was obtained, not even if the information has been converted into a form that is no longer related to an identified or identifiable natural person.
- 9.2. The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the information to third parties (ref. Article 5.2 of this Processor Agreement), the provision to third parties is reasonably necessary considering the nature of the assignment to Controller or the provision is legally required.
Article 10. Audit
- 10.1. Controller has the right to request audits on Processor to verify compliance with the Data Processing Agreement, and all issues reasonably connected thereto.
- 10.2. This audit may be performed in the event of a substantiated allegation of misuse of personal data.
- 10.3. Processor shall give its full cooperation to the audit and shall make available employees and all reasonably relevant information, including supporting data such as system logs.
- 10.4. The audit findings shall be assessed by the parties in joint consultation and may or may not be implemented by either party or jointly.
- 10.5. The costs of the audit shall be borne by Controller.
Article 11. Liability and contractual fine
- 11.1. Parties explicitly agree that any liability arising in connection with personal data processing shall be as provided in the Agreement.
- 11.2. In case of a violation of the Data Processing Agreement Processor shall pay to Controller a contractual fine of € 2.500,00 per violation and € 250,00 per day such violation continues. This fine is notwithstanding the right to demand compensation for actual damages.
Article 12. Term and termination
- 12.1. This Data Processing Agreement enters into force upon signature by the parties and on the date of the last signature.
- 12.2. This Data Processing Agreement is entered into for the duration of the Agreement.
- 12.3. The Agreement can be terminated by the Controller at all times, in writing. Controller grants Processor a 3 (three) month notice period from the date of writing after which the termination will come into effect.
- 12.4. Upon termination of the Data Processing Agreement, regardless of reason or manner, Processor shall - at the choice of Controller - return in original format or destroy all personal data available to it.
- 12.5. This Data Processing Agreement may be changed in the same manner as the Agreement.
Appendix 1.1: Stipulation of personal data and data subjects
Data subjects and personal data for different purposes
Processor shall process the personal data below, for the listed categories of data subjects and purposes (with retention period if specified), under the supervision of Controller, as specified in Article 1 of the Data Processing Agreement:
Cloud storage of data/ 1 (one) year >
Customers (members)
- Names and addresses
- Telephone numbers
- Email addresses
- Visitor behaviour
- IP addresses
- Company
- Title or role
- Bank details
- Invoice data
Operational experts
- Names and addresses
- Telephone numbers
- Email addresses
- (Portrait)photos
- Resumes
- Company
- Bank details
- Invoice data
Potential customers (prospective members)
- Names and addresses
- Telephone numbers
- Email addresses
- Visitor behaviour
- IP addresses
- Company, title or role
Customer and/or member administration/ 1 (one) year
Customers (members)
- Names and addresses
- Telephone numbers
- Email addresses
- Visitor behaviour
- IP addresses
- Company
- Title or role
- Bank details
- Invoice data
Operational experts
- Names and addresses
- Telephone numbers
- Email addresses
- (Portrait)photos
- Resumes
- Company
- Bank details
- Invoice data
Potential customers (prospective members)
- Names and addresses
- Telephone numbers
- Email addresses
- Visitor behaviour
- IP addresses
- Company
- Title or role
Handling orders and payments for products or services of Controller/ 1 (one) year
Customers (members)
- Names and addresses
- Telephone numbers
- Email addresses
- Visitor behaviour
- IP addresses
- Company
- Title or role
- Bank details
- Invoice data
Operational experts
- Names and addresses
- Telephone numbers
- Email addresses
- (Portrait)photos
- Resumes
- Company
- Bank details
- Invoice data
Customer Relationship Management/ 1 (one) year
Customers (members)
- Names and addresses
- Telephone numbers
- Email addresses
- Company
- Title or role
Operational experts
- Names and addresses
- Telephone numbers
- Email addresses
Potential customers (prospective members)
- Names and addresses
- Telephone numbers
- Email addresses
- Company
- Title or role
Customer service / 1 (one) year
Customers (members)
- Names and addresses
- Telephone numbers
- Email addresses
- Visitor behaviour
- IP addresses
- Company
- Title or role
- Bank details
- Invoice data
Operational experts
- Names and addresses
- Telephone numbers
- Email addresses
- (Portrait)photos
- Resumes
- Company
- Bank details
- Invoice data
Potential customers (prospective members)
- Names and addresses
- Telephone numbers
- Email addresses
- IP addresses
- Company
- Title or role
Financial administration (products or services settlement)/ 1 (one) year
Customers (members)
- Names and addresses
- Telephone numbers
- Email addresses
- IP addresses
- Company
- Title or role
- Bank details
- Invoice data
Operational experts
- Names and addresses
- Telephone numbers
- Email addresses
- (Portrait)photos
- Resumes
- Company
- Bank details
- Invoice data
Controller represents and warrants that the description of personal data and categories of data subjects in this Appendix 1.1 is complete and accurate, and shall indemnify and hold harmless Processor for all faults and claims that may arise from a violation of this representation and warranty.