Data Processing Addendum
If you are a customer and would like a signed DPA, please contact firstname.lastname@example.org.
Please find a preview of the agreement below.
Data Processing Addendum
In the course of providing the Networkapp service to our customers, Inscene Company B.V. trading as Networkapp and Netwerkapp may process personal data on our customer’s behalf where such personal data is subject to EU data protection laws like GDPR. To this end, we offer a data protection addendum (DPA) as provided below. The DPA will only be legally binding and effective if: (1) executed by signing the DPA in your Networkapp administrator account; and (2) you are a Networkapp customer on the date it is fully executed. Please note that because we have many customers, we are not able to change this DPA for any particular customer.
- Both parties attach great importance to adequate protection of personal data of Customers, employees and other parties involved, of which Networkapp processes personal data;
- Both parties have the obligation to ensure that personal data made available to third parties, whether or not as part of a separate Agreement, are adequately protected and the informational privacy of the data subjects is adequately guaranteed;
- Networkapp can be regarded as a Data Processor within the meaning of the European General Data Protection Regulation (GDPR) regarding the processing of data that the “Customer” offers for processing in the Networkapp dashboard. The “Customer” can be regarded as the Data Controller in the sense of the GDPR as the former processes data for the latter without being directly subject to his authority and the latter establishes the purpose of and the means for the processing of the personal data;
- Networkapp can be designated as Data Controller for the processing of the data that end users offer directly in the Networkapp application and/or webpage and with regard to the data of customers that it processes for its own business operations;
- Customer has concluded an Agreement with Networkapp for the provision of a digital community and/or event software for its Customers;
- In the context of the implementation thereof, personal data within the meaning of the GDPR are processed;
- The processor is willing to do so and is also prepared to fulfil obligations regarding security and other obligations of the GDPR;
- Parties in accordance with the GDPR in this Processing Addendum wish to record their agreements regarding the processing of the Personal Data by Networkapp;
- This Processing Addendum is only supplementary and clarifying in nature to the Agreement and does not make any changes to it. In the event of conflicting content between the Processing Addendum and the Agreement, the contents of this Processing Addendum will prevail;
- That this Processing Addendum replaces all existing processing addenda that parties may have entered into in the past.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
“Agreement” means the offer accepted and signed by the Customer or the related order form, including the General Terms and Conditions of Delivery of “Networkapp” which describe the nature of the services, responsibilities and payment agreements. The General Terms of Delivery may be updated regularly by “Networkapp”.
“Personal data” means any information relating to an identified or identifiable natural person.
“Data Controller” means the entity that determines the purpose, means and duration of the processing of the personal data.
“Data Processor” means the entity that processes the data on behalf of the Data Controller and that does not report hierarchically to the Data Controller.
“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification programme that is executed by the U.S. Department of Commerce and approved by the European Commission C(2016)4176 on 12 July 2016 and by the Swiss Federal Council on January 11, 2017, respectively.
“Services” means any product and/or service provided by Networkapp pursuant to the Agreement.
“Sub-processor” means any Data Processor engaged by Networkapp to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
“Processing purpose” means the purpose described in paragraph 3 for the processing of the data.
“Data breach” means a breach of the security of personal data. In the case of a data breach, the personal data are exposed to loss or unlawful processing where it can reasonably be assumed that the infringement leads to a considerable chance of adverse consequences for the protection of personal data processed by the Data Processor.
“European Economic Area” means all countries of the European Union, Liechtenstein, Norway and Iceland.
“Networkapp application and web page” means the environment to which end users (Customer relations) can access when they create an account with Networkapp and thus gain access to an online Community or event environment.
“Networkapp Dashboard” means the online environment to which the Customer has access to via his administrator account to manage his or her online event and/or Community.
2. Purpose of the Processing Addendum
2.1 Role of the parties
Arranging and recording agreements between parties in order to jointly comply with the legal requirements regarding the processing of personal data. The Parties conclude to use the expertise that Processor has in the processing and securing of Personal Data for the purposes arising from the Agreement(s) and described in this Processing Addendum.
2.2. Customer Processing of Customer Data.
Customer agrees that: (i) it will comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Networkapp; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for Networkapp to process Customer Data and provide the Services pursuant to the Agreement and this DPA.
2.3. Networkapp Processing of Customer Data.
Networkapp will process Customer Data only for the purposes described in the DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Networkapp in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Networkapp.
3 GENERAL PROVISIONS PROCESSING
3.1 Roles in data processing
This Processing Addendum applies to the processing of personal information that is offered and managed by the Customer in the Networkapp Dashboard. The Customer has an administrator account and can at all times determine which information is stored or deleted. Customer is the Data Controller of Customer Data and Networkapp will process Customer Data only as a Data Processor acting on behalf of the Customer.
3.2 Purpose and nature of the Processing
The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of Networkapp pursuant to the Agreement (including this DPA) or as otherwise agreed by the parties.
3.3 Type of information and personal data
Networkapp stores and processes data from two types of relationships:
(1) Relationships of the Customer, who in some cases are also users of the Networkapp application or webpage. Within the Networkapp application and web page, information can be offered segmented on the basis of profiles, compiled on the basis of criteria set by the “Customer”.
The following data can be processed:
(a) name, (b) job title, (c) organisation, (d) email address, (e) password, (f) telephone number, (g) expertise domains, (h) areas of interest, (i) employer, (j) location, (k) work domain, (l) appointments with other users, (m) visited events, (n) answers to questionnaires.
(2) Customers of Networkapp, with or without an administrator account, whether or not created by themselves in the Networkapp Dashboard. The following data can be processed:
(a) name, (b) job title, (c) organisation, (d) address, (e) billing address, (f) Chamber of Commerce number or similar identifying company number, (g) VAT number, (h) bank account number, (i) email address, (j) password, (k) phone number, (l) purchase history.
The Customer acknowledges that Networkapp has the right to use this information for the realisation of the agreed services, such as invoicing, providing technical and operational support to customers and users, product development, account management, sales and marketing. For the processing of this data, Networkapp is the Data Controller and will act accordingly in accordance with its Privacy Statement and in line with the applicable privacy and data protection legislation (e.g. GDPR).
3.4 Duration of Processing
This Processing Addendum enters into effect on the date that the Parties have signed the Agreement. This agreement will be in force during the term of the Agreement. If the Agreement ends, this Processing Addendum ends automatically.
Each party is entitled, without prejudice to the provisions in the Agreement, to suspend the execution of this Processing Addendum and the related Agreement, or to dissolve it with immediate effect without judicial intervention, if:
- the other party is dissolved or otherwise ceases to exist;
- the other party demonstrably fails to fulfil the obligations arising from this Processing Addendum and that serious attributable shortcoming has not been rectified within 30 days after a written notice of default to that effect;
- a party is declared bankrupt or applies for suspension of payments or an international variant such as a judicial reorganisation or court agreement.
The Customer is entitled to terminate this Processing Addendum and the Agreement immediately if Networkapp indicates that it can no longer meet the reliability requirements imposed on the processing of the personal data on the basis of developments in law and/or case law.
Obligations which by their nature are intended to continue after termination of the Processing Addendum shall continue to apply after termination of the Processing Addendum. These obligations include those arising from the provisions concerning confidentiality, transfer and cancellation, liability and applicable law.
The rights and obligations under this Processing Addendum cannot be transferred to a third party, unless Networkapp is no longer entitled to perform the Agreement at any time. In that case, the parties will enter into consultation before the moment of transfer in order to discuss any operational consequences and to make further agreements on this subject.
4 OBLIGATIONS OF THE PROCESSOR
Networkapp is only entitled to use the data provided by the Data Controller within the framework of the Processing Purpose and Networkapp declares to process Personal Data in a proper and careful manner and in accordance with the GDPR and other applicable regulations concerning the Processing of Personal Data.
Networkapp will follow all reasonable instructions from the Customer in relation to the processing of the personal data. Networkapp immediately informs the Customer if in its opinion instructions are in conflict with the applicable legislation regarding the processing of personal data.
Networkapp allows the Customer at any time to comply with the obligations under the GDPR within the statutory periods, in particular the rights of Data subjects such as, but not limited to, a request for access, improvement, supplementation, the removal or protection of Personal Data.
Networkapp processes Personal Data only on the instructions of the Customer, subject to deviating legal obligations and subject to the authority that Networkapp has to determine technical and organisational aspects of the Processing of Personal Data when implementing this Processing Agreement.
Networkapp is not permitted to provide Personal Data to anyone other than the Customer or Data Subject, unless at the written request of the Customer or user, or with his written consent.
If Networkapp is required to provide data on the basis of a legal obligation, Networkapp verifies the basis of the request and the identity of the applicant and informs the Customer immediately, if possible prior to the provision. Networkapp will make every effort to limit the provision to what is legally required and enable the Customer to exercise the rights of the Customer and the Parties concerned.
5 CHAIN REQUIREMENTS SUB-PROCESSORS
The Customer agrees with the fact that Networkapp uses Sub-Processors for the processing of Personal Data for the execution of the Agreement. The Sub-Processors that Networkapp currently uses and that are authorised by the Customer are listed on Appendix A.
5.2 Obligations of Sub-Processors
Networkapp will: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Networkapp to breach any of its obligations under this DPA.
5.3 Changes Sub-Processors
Networkapp will provide an up-to-date list of the Sub-Processors it has appointed upon written request from the Customer, and will notify the Customer (email will suffice) if changes are made within ten (10) days after presenting the Sub-Processor list.
The Customer may object in writing to the appointment of a new Sub-Processor within five calendar days of the change being discussed, provided that the objection is reasonably related to the protection of personal data. In this situation, the parties look for a suitable solution together. If this proves impossible, the Customer has the right to suspend or dissolve the Agreement.
6.1 Security Measures
Networkapp will implement all necessary technical and organisational security measures in accordance with the regulations set by or pursuant to the GDPR with regard to the processing of Personal Data. Networkapp will ensure that the security policy and the implementation of the security policy at least meet the criteria of an appropriate security level. These measures in any case include:
- measures to ensure that only authorised personnel have access to the personal data for the purposes of the said processing;
- measures whereby the processor gives his employees, subcontractors, access only to personal data via registered accounts;
- measures to protect the personal data against unintentional or unlawful destruction, accidental loss or alteration, unauthorised or unlawful storage, processing, access or disclosure;
- measures to identify vulnerabilities with respect to the processing of personal data in the systems used to provide services to Data Controller.
Networkapp has taken adequate internal control measures to fulfil the obligations arising from this agreement and can demonstrate the effective operation of this at the Customer’s request. The measures are described in Networkapp’s Security Statement, which is included in Appendix B.
6.2 Updates on Security Measures
The Customer is responsible for assessing the information that Networkapp offers regarding the data security and must make an independent assessment of whether the measures taken are sufficient in relation to the requirements of the GDPR. The parties recognise that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures. Networkapp will therefore continually evaluate and tighten, supplement or improve the measures implemented to continue to fulfil its obligations under this Processing Agreement.
6.3 Responsibility of the Customer
Regardless of the aforementioned measures and obligations of Networkapp, the Customer is responsible for the safe use of the services, including adequate username and password policy and the adequate protection of personal data when downloaded from the Networkapp Dashboard. The Customer acknowledges that email is not a safe medium for sending personal data.
7 SECURITY REPORTS AND EXTERNAL TESTS
Networkapp updates and follows its own Information Security Management System. This includes internal audits and control measures. In addition, external tests are regularly carried out. The customer can inspect the management summary of the tests and internal audits on request and on condition of confidentiality.
Networkapp will also respond on written grounds and under the condition of confidentiality to the Customer’s questions regarding the Information Security, insofar as the Customer deems this necessary to verify that Networkapp complies with its obligations under this Processing Addendum, provided that the Customer does not use this right more than once a year and that performing a check will not lead to a delay of the work to be performed by Networkapp in the framework of the Agreement and this Processing Addendum.
8 LOCATION STORAGE OF DATA
8.1 Location Data Centres
Networkapp uses secure servers from Amazon for the storage of the data. These are situated within Europe (Germany and Switzerland).
8.2 Transfer of Data outside the EU/US Privacy Shield
Networkapp will not store or transfer any Personal Data to countries outside the European Economic Area (EEA), excluding transferring data to sub-processors that are based in countries outside the EEA but are explicitly recognised by the EU (adequacy decision) as a safe country, such as Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States. For the United States a party must have a certificate in the framework of the EU-U.S. Privacy Shield Framework self-certification programme (https://www.privacyshield.gov.list).
9 Incident management, data breaches and information obligations
As soon as an incident with regard to the processing of the personal data occurs, has occurred or could occur, Networkapp is obliged to inform the Customer thereof without delay and to provide all relevant information regarding the nature of the incident, the risk that data are or can be processed unlawfully and the measures that are or will be taken to resolve the incident or to limit the consequences/damage as much as possible. The term “incident” in any case means the following:
- a complaint or (information) request from a natural person with regard to the processing of personal data by the Contractor;
- an investigation or seizure by government officials of the personal data or a suspicion that this will take place;
- any unauthorised access, processing, deletion, mutilation, loss or any form of unlawful processing of personal data;
- a breach of security and/or confidentiality, at least any other incident that leads (or possibly leads) to unintentional or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the personal data, or any indication that such an infringement will take place or has taken place.
When a (possible) Data breach occurs at Networkapp, Networkapp reports this immediately, but no later than within 48 hours after discovery, to a person or persons to be designated by the Customer, stating the nature of the Data breach. Reporting to the Data Controller does not absolve Networkapp from the obligation to report itself to the Dutch Data Protection Authority (AP) if the nature and size of the Data breach so warrant.
The parties make further agreements about the officers they designate as the point of contact in the event that a Data breach must be reported immediately and/or immediately to the AP. These persons are included in Appendix 3 to this agreement and can be read and filled out in the DPA that is available in the customer’s administrator account in the Networkapp dashboard.
10. REFUND OR REMOVAL OF PERSONAL DATA
10.1 Removal of Personal data
Networkapp does not store the personal data for longer than strictly necessary and in any case no longer than until the end of this agreement, unless there is a legal obligation and/or to substantiate a legal claim. The user of the Networkapp application or its web page can still keep his or her personal Networkapp account after completion of the Agreement.
At the time that this Processing Addendum ends, Networkapp will also provide all its cooperation with regard to the transfer of the work concerning the processing of the Personal Data to the Customer, insofar as the Customer cannot independently retrieve the data from the Networkapp Dashboard.
Networkapp is bound to secrecy of all Personal Data and information that it processes as a result of this Processing Agreement, except to the extent that such data or information is obviously not secret or confidential, or are already generally known.
In its agreements with the Personnel of Processors, Sub-Processors and any other party acting under the responsibility of the Processor, Networkapp will stipulate that these persons will observe the same confidentiality with regard to all data and information that they provide in the context of their work for Data Controller.
12. NOTICE OF DEFAULT AND LIABILITY
The parties are each responsible and liable for their own actions. If the Parties accountably fail to comply with their obligations under this Processing Addendum, they may give notice of default to each other, unless compliance is permanently impossible. Prior to the notice of default, Parties agree with each other on a period within which the identified shortcoming can be rectified. If fulfilment still does not occur within this agreed period, or Parties do not reach a mutually acceptable term, the Parties may give notice of default to each other. The notice of default will be in writing, giving the other Party a reasonable period to still fulfil its obligations. This deadline is a fatal term. If compliance fails within this period, the Party is in default.
Any limitation of liability in the Agreement applies mutatis mutandis to this Processing Addendum, with the understanding that:
a.) any (implicit or explicit) exclusions of liability for loss and/or mutilation of Personal Data are excluded;
b.) any (implicit or explicit) exclusions of liability for penalties imposed by the Dutch Data Protection Authority or another regulator that are directly related to an attributable shortcoming of the Processor, or behaviour or omission attributable to the Processor, are excluded.
Data Processor indemnifies Data Controller against all claims, actions, claims from third parties, as well as fines from the Authority for Personal Data, which arise directly from an attributable shortcoming by Data Processor and/or its subcontractors/Sub-Processors in the fulfilment of its obligations under this Processing Agreement and/or any violation by the Data Processor and/or its subcontractors/Sub-Processors of the applicable legislation regarding the processing of Personal Data.
Appendix A – List of Sub-Processors of Networkapp
Networkapp uses various third parties for the execution of its services, some of which qualify as Sub-Processors for the law. The processor offers cloud hosting, email services and tools for customer support.
List of Sub-Processors as of 1-01-2019
|Sparkpost||United States, United Kingdom, data in Dublin, Ireland|
|Rsync.net||United States; data in Zürich, Switzerland|
|Amazon||United States, data in Frankfurt, Germany|
|Sentry, Functional Software Inc.||United States|
|Ireland and United States|
Appendix B – Security Statement
The most current Security Statement that applies to security, including privacy statement and user agreement can be found at: Security-Statement-2jul2018.pdf