Data Processing Agreement

In this document, definitions, words, or phrases will have the same meaning as in the Standard Contract, unless and to the extent the context requires otherwise.

Under applicable law, Publisher is the data controller of Personal Data collected when signing up for our services while being a data processor for the Personal Data you use through the Offering. Reference is made to the Privacy clause in this respect.

This Data Processing Agreement is entered into between the Customer (acting as the Data Controller) and Publisher (acting as the Data Processor)

Article 1:          Background

The Customer acknowledges that the use of the Offering may imply the processing of Personally Identifiable Information (Personal Data) as described in the Privacy Policy.

Article 2:          General

Publisher shall process Personal Data in accordance with the requirements of all laws and regulations, including laws and regulations of the European Union, the European Economic Area, and their member states, applicable to the processing of Personal Data, including but not limited to the Dutch Data Protection Act and the General Data Protection Regulation.

Article 3:          Confidentiality

  1. Publisher shall keep all Personal Data strictly confidential, make sure that the number of Officers having access to Personal Data is as limited as possible, and make sure that all Officers having access to Personal Data are bound to the same strict confidentiality obligations.
  2. Publisher is not bound by these confidentiality obligations in case disclosure of Personal Data is required by law, in that case, Publisher will inform the Customer about the disclosure as far as and as soon as legally admitted and reasonably possible.

Article 4:          Data security

Spinpanel's service organization is Service Organization Controls (SOC type 2), certified for all services provided.

  1. As processor, Publisher shall take extensive organizational and technical security measures to prevent unauthorized access to Personal Data.

These measures include where appropriate the following measures:

    1. The Offering runs in datacenters with Information Security Certification and controls SOC type 2.
    2. Encryption of Personal Data.
    3. Spinpanel Dutch personnel must have a certificate of good conduct for natural persons (VOG NP) and a check for existence of a police record and ID Verification in other countries, education verification, and reference checks.
    4. Protection of network connections.
    5. Inbound and Outbound vulnerability assessments.
    6. Vulnerability Intelligence and threat management reporting.
    7. Implemented patch management procedures.
    8. Precautions ensuring that natural persons working for Spinpanel that have access to Personal Data, only process these Personal Data as part of the assignment of Customer, unless such processing would be prescribed by law.
    9. Customer has the right to audit these measures in order to assess the adequacy of the measures in relation to the processing and Personal Data at its own costs.

Article 5:          General information obligations

Publisher shall provide a list of locations in which the Personal Data may be processed listed at the applicable Publisher URL or as otherwise communicated to Customer.

Publisher shall inform the Customer about relevant changes concerning the Offering such as the implementation of additional functions.

Article 6:          Rights of the data subject

Publisher is obliged to support the Customer as far as reasonably possible in facilitating exercise of data subjects’ rights to access, correct, or delete their Personal Data. In case such support would lead to more than negligible costs, these reasonable costs shall be borne by Customer.

Article 7:          Security breaches

  1. Publisher implemented an appropriate policy regarding incidents and Security Breaches, such as but not limited to protocols that comply with data protection laws and regulation. A Security Breach is considered any actual or reasonably suspected unauthorized disclosure of Personal Data by Spinpanel or by Subprocessors as appointed by Spinpanel, such as but not limited to Subprocessors.
  2. Publisher will notify Customer as soon as possible, preferably within 24 (twenty four) hours after the discovery by Spinpanel of any Security Breach or breach of security measures, such as stipulated in article 4.1 above, that leads to the significant chance to severe disadvantageous consequences or severe disadvantageous consequences for the protection of Personal Data and will support Customer in every way possible to handle this breach, such as but not limited to the (support for) timely notice of the breach to the relevant authorities and, when required, the notification of Data Subjects.
  3. The notification that Spinpanel makes to Customer as referred to in article 7.2 above, shall as far as reasonably possible entail the following information:
  4. the possible cause and consequences of the Security Breach or the incident.
  5. the (categories) of Personal Data involved.
  6. a summary of the possible consequences for Data Subjects.
  7. a summary of the possible (unauthorized) recipients of Personal Data.
  8. the measures that Spinpanel recommends limiting the damages when such is relevant.

Article 8:          Deletion of data

When after the termination of this Data Processing Agreement, Publisher possesses any Personal Data received from Customer, this Personal Data shall as soon as possible and not later than ten working days after termination of this Data Processing Agreement be returned to Customer, or – such in consultation with Customer – be destroyed, save for the situation that Spinpanel is obliged to keep the Personal Data on the basis of applicable laws or regulations. For the interpretation of this article, the possession of Personal Data entails, amongst other definitions but not limited to such, the Personal Data as stored on any data carrier, any rented or bought storage space on servers, whatever the location of such servers, in sandboxes, memory sticks, SSD-cards or any other means that is used to record or store Personal Data.

Article 9:          Subprocessors

  1. Customer consents to the use by Publisher of Subprocessors while performing the Cloud Services as long as (i) these Subprocessors are bound by similar obligations as Publisher under this Data Processing Agreement, (ii) the Subprocessors are based in the EU, and (iii) the Services are performed in the EU. Subprocessors that may be involved are listed at the applicable Publisher URL or as otherwise communicated to Customer. In case other Subprocessors are involved, Publisher will inform Customer about this, prior to the involvement.
  2. In principle Personal Data will only be stored within the EU. If it is required to have Personal Data processed outside the EU, Publisher shall do so only upon prior written consent by Customer and shall solely process Personal Data in a country from which the European Commission has determined that such country manages an appropriate level of security for Personal Data, as determined in accordance with Directive 95/46/EG.
  3. As an exception to the above and only upon prior written consent by Customer, Personal Data may be processed in a country without an appropriate level of security for Personal Data, when this appropriate level of security is ensured in any other way by the appropriate authorities or institutions, such as but not limited to the use of, Binding Corporate Rules (approved by the appropriate authority) or the use of the EU Model Clauses, or other EU approved facilities such as the Privacy Shield Framework. Any Customer consent shall not be unreasonably withheld in case of use of Binding Corporate Rules, EU Model Clauses, or other EU-approved facilities such as the Privacy Shield Framework. Customer shall cooperate with concluding standard contracts.

Article 10:        Warranties Customer

Customer warrants that all processing of Personal Data on in the Offering on behalf of the Customer pursuant to the commission of the Customer is in compliance with applicable data protection laws and fully indemnifies Publisher against all claims from third parties including Subprocessors relating to a breach of Data Protection Law by Customer.

Article 11:        Term

This Data Processing Agreement will be in force for the duration of the Customer’s right to use the Offering and until all Personal Data is deleted or returned in accordance with Customer instructions or the terms of this Data Processor Agreement.

Article 12:        Miscellaneous

This Data Processing Agreement shall exclusively be governed by Dutch law. In case of any conflict with other contractual documents relating to the Offering, this Data Processing Agreement will prevail. Any conflict arising from this agreement shall be submitted to the competent Dutch court exclusively.