Article 1: Definitions
In this Data Processing Agreement, the following definitions apply, unless stipulated otherwise:
1. GDPR: Regulation (EU) 2016/679 of the European Parliament and the Council.
2. Data Subject: The person whom Personal Data concerns.
3. Sensitive Personal Data: Personal Data as referred to in Article 9(1) of the GDPR.
4. Data breach: A breach of security that results in the destruction, loss, modification or unauthorised disclosure of or unauthorised access to transmitted, stored or otherwise processed data.
5. Service: The service that the Processor will provide under the Agreement.
6. Agreement: The agreement to provide services that is concluded for the online booking of a shipment using the Processor’s website.
7. Personal Data: Any data relating to an identified or identifiable natural person that is or will be processed by the Processor in any way whatsoever in the context of the Agreement.
8. Sub-processor: A party that processes Personal Data on the orders of the Processor.
9. Processor: Koninklijke PostNL B.V., established in ’s-Gravenhage (2595 AK), at Prinses Beatrixlaan 23.
10. Data Processing Agreement: The present agreement.
11. Processing: Any act or series of acts related to the Personal Data.
12. Controller: The Processor’s client, and the other party to the Agreement.
Article 2: General
1. The Controller and the Processor foresee that, in the context of the Processor’s implementation of the Agreement, personal data within the meaning of Article 4(1) of the GDPR, as further defined in Article 16, will be processed without being subject to the direct authority of the Controller.
2. The Controller determines the purpose and means of the Personal Data Processing within the meaning of Article 4(7) of the GDPR.
3. The Processor processes Personal Data on behalf of the Controller pursuant to the Agreement within the meaning of Article 4(8) of the GDPR.
4. This Data Processing Agreement applies to all Processing of Personal Data during the implementation and term of the Agreement.
5. The Parties may already have concluded a data processing agreement in connection with the conclusion of the Agreement. In that case, the data processing agreement that has already been concluded shall prevail.
6. This agreement is a translation of the Dutch Data Processing Agreement. In case of discrepancies, the Dutch Data Processing Agreement shall prevail.
Article 3: Data Processing
1. The Processor undertakes to process Personal Data under the terms of this Data Processing Agreement on behalf of the Controller. The Processor will process the Personal Data in accordance with the GDPR and other applicable laws and regulations and/or codes of conduct concerning the processing of Personal Data.
2. The Controller guarantees that the Personal Data that it provides to the Processor complies with all applicable laws and regulations in the field of the protection of personal data and that these laws and regulations permit the provision of Personal Data to the Processor, and that the Processor is permitted to process the Personal Data.
3. The Processor will process the Personal Data in a proper and careful manner and only to the extent necessary to provide the Service to the Controller. The categories of Personal Data that are given to the Processor and that may be processed for the execution of the Service are defined in Article 16.
4. The Processor will only process the Personal Data on the orders of and according to the instructions of the Controller. The Processor will not process the Personal Data for its own or other purposes, except in accordance with the mandatory legal obligations imposed on it.
5. The Processor will not store Personal Data made available to it under the Agreement for longer than is necessary (i) for the implementation of this Agreement; or (ii) to comply with a legal obligation resting on it.
Article 4: Confidentiality
1. Unless otherwise required by law and/or a court order, the Processor is obliged to treat the Personal Data as confidential and to keep it strictly confidential.
2. The Processor will ensure that those who act under its authority or on its instructions (employees and any third party) and who need to have access to the Personal Data comply with the duty of confidentiality set out in this article. The Processor will ensure that a non-disclosure agreement has been entered into or a non-disclosure clause has been agreed to by everyone involved in the Processing of this Personal Data.
3. The Processor will immediately inform the Controller of any request for access to or disclosure of the Personal Data, or other kind of request for and communication of the Personal Data, that conflicts with the confidentiality obligation set out in this article.
Article 5: Security and the duty to report Data Breaches
1. The Processor is responsible for ensuring that appropriate technical and organisational measures have been taken, maintained and, if necessary, adjusted to protect the Personal Data against loss, falsification, unauthorised distribution or access, or any other kind of unlawful Processing. Article 17 describes the security measures that the Processor has in any event taken at the time of entering into this Data Processing Agreement.
2. The Processor is responsible for ensuring that its (own or contracted) employees who are involved in the Processing of the Personal Data are aware of and comply with the obligations of the Processor included in this Data Processing Agreement.
3. In the event of a suspected or actual (i) Data Breach; (ii) violation of security measures; (iii) violation of the confidentiality obligation; or (iv) loss of Personal Data, the Processor will inform the Controller immediately, in any event no later than 36 hours after first discovering the incident. The information provided will include details of the suspected cause, possible consequences, planned solution and contact details for follow-up on the report. Information will also be provided on the number and categories of Data Subjects, categories of Personal Data as well as the measures taken to stop the breach and/or minimise its consequences.
4. The Processor will take all reasonably necessary measures to prevent or limit (further) unauthorised access, changes, and disclosure or otherwise unlawful processing, and to stop and prevent in the future any breach of security measures, violation of the confidentiality obligation or further loss of personal data, without prejudice to any of the Controller’s rights to compensation or to take other measures.
5. At the Controller’s request, the Processor will cooperate in informing the competent authorities and the Data Subject(s).
6. The Processor will reach agreements with Sub-Processors about reporting incidents to the Processor that will enable the Processor and Controller to fulfil obligations in the event of an incident as described in Article 5(3).
Article 6: Engaging Sub-Processors
1. The Controller gives the Processor permission to engage the Sub-Processors listed in Article 18 for the Processing of Personal Data. If the intention is to engage new Sub-Processors or if changes may occur, then the Processor must inform the Controller of this in advance and give it the opportunity to object to the changes.
2. The Processor is responsible for ensuring that the Sub-Processor in question accepts the same obligations as those that apply to the Processor as set out in this Data Processing Agreement.
3. In the relationship between the Parties, the Processor is at all times the point of contact for the Controller. The permission given by the Controller does not affect the responsibility and liability of the Processor for the fulfilment of the Data Processing Agreement.
Article 7: Processing outside the European Economic Area
1. The Processor will only transfer Personal Data to or make it accessible from a country outside the European Economic Area if it has taken appropriate safeguards. Article 19 contains an overview of Processing in non-EEA countries and the safeguards that have been taken.
Article 8: Rights of Data Subjects
1. Taking into account the nature of the Processing, and to the extent possible, the Processor will assist the Controller to comply with the obligations under the GDPR or other applicable regulations, within the statutory periods, in particular the rights of Data Subjects, including but not confined to the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restriction of processing, the right to data portability, and the right to object. The Processor will bear the reasonable costs associated with this.
2. The Processor will immediately inform the Controller of written requests from the Data Subjects to the Processor, and will ask the Controller for further instructions in this respect.
Article 9: Assistance with the implementation of the data protection impact assessment and prior consultation
1. Taking into account the nature of the Processing and the information available to the Processor, the Processor will assist the Controller to comply with the obligations under Article 35 of the GDPR (implementation of the data protection impact assessment) and Article 36 of the GDPR (prior consultation).
Article 10: Transfers and destruction of data
1. In consultation with the Controller, the Processor will ensure that (i) all or a part of the Personal Data determined by the Controller and made available within the context of the Service is destroyed at all locations; (ii) all or a part of the Personal Data determined by the Controller and made available within the context of the Service is made available to a subsequent Service Provider; or (iii) the Controller will be given the opportunity to withdraw Personal Data or a part of the Personal Data made available by the Controller in the context of the Service.
2. At the Controller’s request and within a reasonable period, the Processor is at all times obliged to destroy all transcripts and copies of the information originating from and/or generated by the Controller and concerning the Controller within the context of the Agreement.
3. The Processor may depart from the provisions in the previous paragraphs insofar as a legal retention or other period applies to the Personal Data or insofar as it is necessary in order to be able to prove to the Controller compliance with its obligations.
Article 11: Right of inspection
1. The Controller is entitled to check the Processor’s compliance with the provisions of this Data Processing Agreement, or to have this compliance checked, once per calendar year, after prior written notice and taking into account a period of ten working days.
2. At the request of the Controller, the Processor will make available all information that is reasonably necessary to demonstrate compliance with the obligations set out in this Data Processing Agreement and will assist in making the audit possible. This audit will be carried out by an independent third party who is appointed by the Controller, and who is bound by a duty of confidentiality.
3. After consultation with the Controller, the Processor may opt to replace the audit with a Third-Party Declaration.
4. The Controller bears the costs of the audit, with the exception of the costs related to the Processor’s staff members who supervise the audit. If it becomes apparent from the audit that the Processor has seriously and materially failed to comply with this Data Processing Agreement, the reasonable costs of the audit will be charged to the Processor.
5. The Processor is aware of the Dutch Data Protection Authority’s independent monitoring powers and those of any other supervisory authorities to whose supervision the Controller is subject, and will give these supervisors access to the Personal Data and cooperate with an investigation with respect to the Personal Data processed pursuant to the Agreement. The Processor will inform the Controller immediately if it receives such a request from the Dutch Data Protection Authority.
Article 12: Liability
1. For any damages resulting from the Processor failing imputably in the fulfilment of the obligations arising from this Data Processing Agreement, or the Processor acting in violation of laws and regulations, the Processor will be liable in accordance with the terms agreed between the parties in the Agreement.
Article 13: Intellectual and other property rights to the Personal Data
1. All intellectual and other property rights – including any copyrights and database rights – to the Personal Data, the file and/or the files related to the Personal Data are vested at all times in the Controller or its licensor(s).
Article 14: Duration, termination and amendments
1. This Data Processing Agreement is a supplement to the Agreement, has the same term as the Agreement and terminates as soon as the Agreement terminates.
2. The termination of this Data Processing Agreement will not release the Parties from their obligations arising from this Data Processing Agreement, which by their nature are deemed to continue even after termination.
3. Amendments to this Data Processing Agreement are only valid if agreed between the Parties in writing.
Article 15: Final provisions
1. Unless otherwise stipulated in the Agreement, this Data Processing Agreement is governed by Dutch law.
2. Any disputes arising from or in connection with this Data Processing Agreement will be submitted exclusively to the competent court as set out in the Agreement.
Article 16: Overview of the categories of Personal Data to be processed
1. The Processor will process the following categories of Personal Data on behalf of the Controller:
Categories of Personal Data: Name and address details
Categories of Data Subjects: Addressees
Purpose: Collection of mail items
Purpose: Sorting by destination
Purpose: Delivery to delivery address
Article 17: Overview of security measures
1. The Processor will observe adequate and/or sufficient technical and organisational standards and measures with respect to the data to be processed for the Controller. The Processor will take at least the following security measures:
- Terrain separation
- Lockable façade openings
- Lockable spaces in the building
- Exterior lighting
- Window coverings
- Access system for people
- Access system for vehicles entering terrain
- Intrusion alarm system
- Theft/tampering restriction measures
- CCTV (camera) monitoring
- Burglary alarm buttons (depending on the selected product)
- Security Manual
- Visitors’ procedure
- Closed outer façade during process
- Lockers for employees
- Instruction processes/maps
- Confidentiality agreements
Article 18: Overview of Sub-Processors
1. The Processor will be working with the following Sub-processors:
Subcontractors: Support in the logistics process
Retailers: Support in the collection and delivery process
Network partners: Support in the international logistics process
International Postal Parties: Support in the international logistics process
Article 19: Overview of transfers to countries outside the European Economic Area
1. The Processor will transfer the Personal Data to the following third countries:
Third country: Depending on the product and destination chosen by the Controller as indicated in the Agreement
Purpose of transfer: Delivery of postal item(s)
Appropriate safeguards: Universal Postal Union/contracts with network partners