Privacy and Data Protection

Last updated: October 1, 2023

1. DEFINITIONS

          For the purposes of this Data Processing Agreement, the following terms shall have the following meanings, unless the context requires otherwise:

“Applicable Data Protection Law”

means the General Data Protection Regulation (“GDPR”) and relevant implementation acts, and any amendments and/or changes thereto.

Company Affiliate

means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with the Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

Data Subjects

means the individuals to whom the Data relate;

Data

means data as defined in the Applicable Data Protection Law that will be processed by the INQQA in connection with the performance of the Services, which data includes the data as set forth in Schedule 1 to this Data Processing Agreement;

“Data Breach”

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data transmitted, stored or otherwise processed;

“Process, Processed or Processing”

has the meaning given to it in the Applicable Data Protection Law;

 

“Public Authorities”

 

means any Dutch or foreign regulatory authority, law enforcement authority or national security authority that has statutory authority to supervise the relevant data collection and data processing activities of the Company and/or the INQQA, including but not limited to the (Dutch) Data Authority (Autoriteit Persoonsgegevens);

“Services”

means the software capabilities, services and other activities to be supplied to or carried out by or on behalf of INQQA for the Company [and Company Affiliates];

“Third Countries”

means all countries outside of the European Union (EU), excluding countries which provide an adequate level of protection for data as determined by the European Commission from time to time.

 

2. PROCSSING OF COMPANY DATA

    • In the performance of the Services, the Company shall be the data controller as defined in the Applicable Data Protection Law and INQQA shall be the data processor as defined in the Applicable Data Protection Law.
    • The Company instructs INQQA to Process Non-Personal Data (see Schedule 1) as INQQA considers reasonably necessary for the provision of the Services and warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give this instruction on behalf of each relevant Company Affiliate.
    • INQQA shall comply with the Applicable Data Protection Law in the Processing of the Data; and
    • shall not Process Data other than on the Company’s documented instructions unless INQQA is required to otherwise Process or transfer the Data under the laws of the European Union or one of its Member States. Where such a requirement is placed on INQQA, INQQA shall provide prior notice to Company, unless the law prohibits such notice on important grounds of public interest.

3. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Security measures

    • Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, INQQA shall in relation to the Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    • In assessing the appropriate level of security, INQQA shall take account in particular of the risks that are presented by Processing, in particular from a Data Breach.

 Data Breach

    • INQQA shall notify the Company without undue delay upon INQQA becoming aware of a Data Breach affecting Data, providing the Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Data Breach under the Applicable Data Protection Law.
    • INQQA shall co-operate with the Company and take such reasonable commercial steps as are directed by the Company to assist in the investigation, mitigation, and remediation of each such Data Breach
    • INQQA shall adhere to the additional required measures as defined in Schedule 2.

4. INTERNATIONAL TRANSFERS

    • INQQA shall be permitted to transfer Data within the European Union (“EU”) in accordance with this Clause 4.
    • In the event that INQQA Processes, accesses, stores and/or transfers Data in or to any country outside the EU or to any country that does not provide an adequate level of protection for  data (as determined by the European Commission from time to time), INQQA shall comply with the (international transfer) obligations under the Applicable Data Protection Law by ensuring that appropriate safeguards are put in place to provide an adequate level of protection in relation to the Processing of the transferred Data (such as for example entering into standard contractual clauses for the transfer of  data as issued by the European Commission or on the basis of the Privacy Shield arrangement). Upon request of INQQA, the Company shall enter into such standard contractual clauses and provide any requested cooperation.

 

5. SUB-PROCSSORS AND EMPLOYEES

    • INQQA will respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another data processor.
    • INQQA will ensure that all of its employees authorized to have access to (or otherwise to Process) the Data have committed themselves to confidentiality on appropriate terms or are under an appropriate statutory obligation of confidentiality.

6. CO-OPERATION

INQQA will:

    • take appropriate technical and organizational measures, insofar as is possible, to assist the Company in responding to requests from data subjects for access to or rectification, erasure or portability of Data or for restriction of Processing or objections to Processing of Data (but INQQA will not themselves respond to any such Data Subject’s request except on the Company’s written instructions); and
    • give the Company such assistance as the Company reasonably requests and INQQA is reasonably able to provide to ensure compliance with the Company’s security, data protection impact assessment and obligations imposed by the Public Authorities under the Applicable Data Protection Law, taking into account the nature of the Processing and the information available to

7. AUDIT RIGHTS

    • INQQA shall make available to the Company all information in respect of its Processing of Data as may validly be required to demonstrate compliance with the obligations laid down in this Data Processing Agreement and allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company.
    • Paragraph 1 does not require INQQA to disclose to the Company or the Company’s auditors any information disclosed to INQQA in confidence by, or otherwise held by INQQA in confidence on behalf of, any of INQQA ‘s other clients or any other person. INQQA may refuse the Company and the Company’s auditors’ access to systems containing such information or documents if INQQA cannot practicably grant access to those systems without giving the Company or the Company’s auditors access to such information or documents.

8. DELETION OR RETURN OF DATA

    • Subject to paragraph 2, when provision of the Services is complete, or earlier if the Company withdraws their instructions, INQQA will as soon as is practicable delete (or return to the Company, at the Company’s option – to be exercised by written notice before the earlier of completion of provision of the Services and withdrawal of the Company’s instructions) any Data in INQQA’s possession or under INQQA ‘s control which is subject to the Applicable Data Protection Law.
    • Paragraph 1 does not require INQQA to delete or return:

8.2.1      Processed Data which INQQA is required to retain by the law or regulation of a member state of the European Union; or

8.2.3      copies of Data which it is not technically practicable for INQQA to locate and delete or return.

9. INDEMNITY

Each Party (the “Indemnifying Party”) indemnifies the other Party for any claims of third parties, including Data Subjects, or penalties imposed by the relevant supervisory authorities, to the extent that such penalties and/or claims can be attributed to the Indemnifying Party and/or are a result of non-compliance with the Indemnifying Party’s obligations under this Data Processing Agreement and/or the Applicable Data Protection Law.

10. TERM AND TERMINATION

    • This Data Processing Agreement shall become effective on the date of singing hereof.
    • This Data Processing Agreement will terminate automatically, without any notice being required, as per the date that the Services are being terminated.

11. GENERAL

    • In the event of any changes to the Applicable Data Protection Law, the Parties shall consult each other and discuss and agree on the required amendments to this Data Processing Agreement to ensure continued compliance with the (relevant amendments to the) Applicable Data Protection Law.
    • In the event that any of the provisions of this Data Processing Agreement are declared void or otherwise not enforceable, the remaining provisions will remain unimpaired. Parties shall do their utmost to agree to alternate provisions for those provisions declared void or otherwise not enforceable that are as close as possible to the original text and intent of the void or unenforceable provisions.
    • Any general or special terms and conditions of Company shall not apply to this Data Processing Agreement and are hereby explicitly declined by INQQA.
    • This Data Processing Agreement shall be governed by and construed in accordance with the laws of the Netherlands.
    • All disputes arising under or in connection with this Data Processing Agreement, or further arrangements resulting thereof, shall exclusively be submitted to the competent court of Amsterdam, the Netherlands.