Where this Data Processing Agreement uses terms that are defined in the GDPR, those terms shall have the same meaning as in the GDPR unless otherwise defined hereinafter. Where this Data Processing Agreement uses terms that are defined in the terms & conditions of OrderLemon, those terms shall have the same meaning as in the terms and conditions of OrderLemon. The capitalized
terms used in this Data Processing Agreement have the following meaning:
‍
Controller: the Contractor that concludes the Agreement with OrderLemon to use the Platform and
other Services.
‍
Data Subject: the individual who is the subject of Personal Data.
‍
Data Processing Agreement: the present Data Processing Agreement.
‍
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
‍
Personal Data: any information relating to an identified or identifiable natural person the Processor processes for the purposes of the execution of the Agreement with the Controller.
‍
Processor: OrderLemon.
By using the Platform and/or other Services of OrderLemon, personal data are processed. The categories of Data Subjects and types of Personal Data processed by the Processor are included in Annex 1.
The Processor shall process the Personal Data it has received only on the basis of the Controller’s written instructions and only for the purposes of the execution of the Agreement, unless anyprovision of EU law or Member State law requires it to carry out this processing. In that case, theProcessor shall notify the Controller of this legal requirement prior to the processing operation unless this legislation prohibits this notification for important reasons of public interest.
The Processor does not have any control over the purposes and means of the processing of PersonalData. Nothing in this Data Processing Agreement is intended to transfer control over Personal Data to the Processor in any way.
The Processor is not permitted:
a. to process Personal Data for its own purposes; b. to process Personal Data for other or more extensive purposes than those that are reasonably required for the execution of the Agreement;
c. to disclose Personal Data to third parties to the extent this is not permitted under theAgreement and/or the Data Processing Agreement and/or under any mandatory statutory provision requiring the Processor to disclose Personal Data to supervisory or investigation authorities.
The parties shall act in accordance with the provisions of the GDPR and any future national orEuropean statutory and other rules on the processing of Personal Data that may be in force from time to time. If future statutory and other rules reveal a need to adjust the Data ProcessingAgreement, the parties will consult with each other for the purpose of making new arrangements that reflect the tenor of this Data Processing Agreement as much as possible.
The Processor agrees to cooperate with the Controller in the execution of a Privacy ImpactAssessment to the extent it may do so given the information available to it and the nature of the processing. The reasonable costs this duty to cooperate entails must be borne by the Controller.
To the extent that the Controller is required under statutory or other rules to give information about the processing of Personal Data to a supervisory authority, the Processor shall, when first requested to do so by the Controller, render all cooperation with the Controller that is reasonably requested, so as to ensure that this information is made available and the supervisory authority can be adequately informed.
The Processor agrees to maintain confidentiality of the Personal Data and to ensure that the personsauthorized to process the Personal Data undertake to maintain confidentiality.
This duty of confidentiality will continue to exist after the termination of this Data Processing Agreement, unless it concerns information that is already available to the public other than as aresult of any violation of the aforementioned duty of confidentiality.
The Processor will take appropriate technical and organizational measures to safeguard a security level tailored to the risk identified and which comprise of the measures set out in Annex 2.
In determining the measures to be taken, the Processor shall take account of the state of the art and the implementation costs as well as of the nature, scope, context and purposes of the processing operation concerned and the various risks, in terms of probability and severity, for the risks and freedoms of individuals.
In assessing the appropriate security level, the Processor shall take particular account of theprocessing risks, mainly those relating to the destruction or loss of data that have been transmitted,stored or processed in any other way, as well as those relating to changes made in or theunauthorized disclosure of such data, either accidentally or unlawfully.
The Processor agrees to take measures to ensure that every natural person who works under theauthority of the Processor and who has access to Personal Data will process these data only on theinstructions of the Controller, unless any provision of EU law or Member State law requires it to carryout this processing.
The Processor agrees to provide the Controller with the necessary information at the latter’s request,to ensure that the Controller is able to assess the Processor’s compliance with the provisions of thisData Processing Agreement.
If the Processor is of the opinion that any instruction given by the Controller within the meaning ofparagraph 1 constitutes a violation of any statutory or other rules that are in force, including theGDPR, it shall immediately inform the Controller thereof.
The Controller is entitled to engage an independent expert to ascertain whether the Processor fulfilsthe obligations of the Processor in this Data Processing Agreement, which independent expert will beunder an obligation to main confidentiality in respect of the foregoing. The Processor shall cooperatein the audit and make all information that is reasonably relevant to the audit available as soon aspossible. The costs of the audits carried out on the instructions of the Controller must be borne bythe Controller, unless it turns out that the Processor has failed to fulfill its obligations to a sufficientextent, in which case the Processor must bear the costs.
If the audit report of the independent expert shows that the measures taken by the Processor do notsufficiently comply with the GDPR and/or other statutory or other rules that are in force, theProcessor shall immediately take such measures as are necessary to comply with the foregoing rulesafter all.
The Processor shall inform the Controller immediately, as soon as it finds that there has been anybreach with respect to the Personal Data. This information provided must enable the Controller tofulfill its obligations under Section 34a of the Dutch Data Protection Act and Articles 33 and 34 of theGeneral Data Protection Regulation.
The Processor shall always keep the Controller fully informed about the progress of any actions toremedy the breach and all relevant developments in respect of the data breach and theconsequences thereof. The Processor shall take all measures that can be reasonably expected from itto mitigate the adverse consequences of any unauthorized access of data. Contractor is obliged toprovide current and accurate information to OrderLemon and to keep such information up to date. Ifthe processing of an Order faces technical or other operational issues, OrderLemon will, wherereasonably possible, contact the relevant Customer by telephone or other means on behalf of theContractor, with the intention to solve the issue where possible.
The Processor is not permitted to communicate with the relevant Data Subject(s) and/or supervisory authorities other than on the instructions of the Controller or with its express and explicit permission.
Processor hereby obtains consent to subcontract parts of the processing of Personal Data to otherprocessors during the term of the Agreement, The subcontractors are:
â—Ź META
â—Ź Online Payment Platform
â—Ź MessageBird
The processor shall inform the Controller of any intended changes regarding the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
Processor shall ensure that all sub-processors engaged by it that play a role in the performance of theAgreement will comply with the obligations contained in this Data Processing Agreement, in particular the obligation to provide adequate safeguards regarding the application of appropriate technical and organizational measures in order to ensure an equivalent level of protection ofPersonal Data.
Under the GDPR, the Controller has obligations vis-à-vis the Data Subject, such as in respect of theprovision of information, giving access to, rectifying, and deleting Personal Data. The Processor shall– where possible – cooperate with the Controller in fulfilling the latter’s obligations in this regard.Processor reserves the right to charge its regular hourly rate to Processor for its cooperation.
If a Data Subject contacts Processor directly in relation to the performance of its rights under theGDPR, the Processor will not address this (in substance), but will notify the Controller without delay.
The Processor shall ensure that every processing operation of Personal Data that is performed by oron behalf of the Processor, including third parties engaged by it for the purposes of the execution ofthe Agreement, is carried out within the European Economic Area (EEA) or to or from countries thatoffer an adequate level of protection in accordance with the GDPR.
Consequently, without the Controller’s prior written permission, the Processor may not transmitPersonal Data to or store them in a country outside the EEA or make Personal Data accessible from anon-EEA country, unless this country ensures an adequate level of protection or if an applicableprovision of Union law or Member State law requires it to process the relevant data. In that case theProcessor shall notify the Controller, prior to the processing operation, about that legal requirement,unless this legislation prohibits this notification for important reasons of public interest.
The Controller warrants that the data processing will be carried out in accordance with the law. Thismeans in any case that the Controller warrants that it is entitled to collect data or have data collectedand that it is entitled to process these data and have these collected.
The Controller shall indemnify the Processor for any loss or damage and costs resulting from anyclaims by third parties, expressly including the Data Subjects and supervisory authorities (such as theDutch Data Protection Authority), relating to or arising from any unlawful processing operationand/or any other violation of the GDPR or the Data Processing Agreement that can be attributed tothe Controller.
This Data Processing Agreement enters into force at the time of entry into force of the Agreement and is entered into for the duration of the Agreement.
As soon as the Agreement terminates or is terminated for whatever reason, the present DataProcessing Agreement will remain in force as long as Personal Data are processed by the Processor, after which this Data Processing Agreement ends by operation of law.
Upon the termination of this Data Processing Agreement, the Processor shall at first request and at the discretion of the Controller:
a. make available to the Controller all personal data in a customary format requested by theController; or b. delete all Personal Data.
The Processor may retain a copy of the Personal Data only if it is obliged to do so in accordance witha mandatory statutory provision.
Amendments and additions to the present Data Processing Agreement are valid only if the Partieshave agreed upon them in writing.
This Data Processing Agreement is exclusively governed by Dutch law.
‍
Any disputes arising under or in connection with this Data Processing Agreement must be exclusively submitted to the Court of Utrecht.
‍
Annex 1 - categories of Data Subjects and types of Personal Data processed by the Processor
OrderLemon and Messagebird
â—Ź Â Phone numbers
â—Ź Â Names and surnames
â—Ź Â Address
Online Payment Platform â—Ź Â Phone numbers
â—Ź Â Names and surnames
â—Ź Â Address
â—Ź Â Official ID Documents such as Passports or National ID Card
â—Ź Â IBAN
.png){kind=icon}
.png){kind=icon}
