DATA PROCESSING AGREEMENT (DPA)
Version: 30 May 2024
Introduction
This DPA with its annexes is an attachment to the agreement (the “Agreement”) between Alleo B.V. (“Alleo”) and Alleo Platform Transactions B.V. (“Alleo Platform Transactions”) respectively as service providers and the client as specified in the Agreement (the “Client”). The DPA is used by both Alleo and Alleo Platform Transactions, meaning that the DPA applies separately to the Agreement between Client and Alleo, and to the Agreement between Client and Alleo Platform Transactions. Both Alleo and Alleo Platform Transactions are independent contracting parties which are not liable for the actions of the other.
When performing the services specified in the Agreement, Alleo and Alleo Platform Transactions may process personal data on the Client’s behalf. In such cases, Alleo and Alleo Platform Transactions act as Processor, and the Client as Controller. References in this DPA to “Processor” shall be references to Alleo or Alleo Platform Transactions as the case may be (depending on the Agreement that is applied in a particular case) , and references to Controller shall be references to the Client.
Article 1. Definitions
In this DPA, capitalized terms shall have the following meaning:
Article 2. General Provisions
2.1. Controller determines the purpose and the means of the processing activities. Controller therefore falls within the scope of article 4 (7) GDPR. Processor is exclusively engaged to process Personal Data on behalf and on written instruction of the Controller. Processor therefore falls within the scope of article 4 (8) GDPR.
2.2. Processor will provide Controller with all necessary information in order to comply with the applicable privacy laws and regulations.
Article 3. Processing of Personal Data
3.1. Processor shall process the Personal Data for Controller in accordance with the applicable privacy laws and regulations. Annex 1 contains an overview of the type(s) of Personal Data that is/are processed, the categories of the Data Subjects to which the Personal Data relates and the purpose and means by which/for which the Personal Data is processed.
3.2. The Processor shall only process Personal Data in accordance with the Controller’s instructions. The Processor will only deviate from these instructions if it is legally obliged to do so.
3.3. When processing Personal Data, the Processor shall not deviate from the purpose for which the Personal Data was originally provided by the Controller, unless it is obliged to do so on the grounds of statutory provision.
3.4. The Processor shall not provide the Personal Data to a Third Party, unless this exchange takes place on the written instruction and/or with the written consent of the Controller. The Processor is also allowed to provide the Personal Data to a Third Party, if the exchange is necessary to comply with a legal obligation.
3.5. Processor shall ensure that the Personal Data will not be processed outside of the EEA, unless Controller has given its written consent. By signing this DPA, Controller has given its consent for transfer of Personal Data to the non-EEA countries listed in Annex 1.
3.6. If Processor has received permission from the Controller to process the Personal Data outside of the EEA, the Processor shall implement appropriate safeguards to protect the Personal Data, including the use of the standard contractual clauses provided by the European Commission (Implementing Decision (EU) 2021/914) and/or only processing or transferring Personal Data on the basis of an adequacy decision (article 45 GDPR) and/or approved certification mechanisms (article 42 GDPR).
Article 4. Technical and organisational measures
4.1. In accordance with article 32 GDPR, the Parties shall take and maintain appropriate technical and organizational measures to ensure an appropriate security level relative to the associated risk(s). Annex 2 gives an overview of the technical and organizational taken by the Processor. These measures will be periodically evaluated and – if necessary – amended.
4.2. When implementing security measures, the Processor will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of the Data Subject.
4.3. The Processor shall record every processing activity in its systems (e.g. the Log). The Processor will make the Logs available to the Controller without undue delay, if so requested by the Controller.
Article 5. Assistance
5.1. Processor shall, to the extent required by article 28, section 3 (f) of the GDPR, provide all reasonable assistance to Controller to enable Controller to comply with its obligations of the GDPR, such as with respect to security, data breaches and data protection impact assessments, considering the information available to and the role of Processor, and to the extent that the Controller does not have access to the relevant information itself. Processor shall be entitled to charge its reasonable internal costs and expenses incurred because of its compliance with this article.
5.2. As soon as the Processor receives a request from a Data Subject, such as a request for information, access, rectification, erasure, restriction of processing and/or data portability (article 13 – 20 GDPR), or any other right that the Data Subject might invoke, this request shall be forwarded to the Controller without undue delay.
5.3. The Processor shall provide all reasonable assistance to the Controller after the latter receives a request from the Data Subject, so that the Controller might be able to fulfil its statutory obligations under the applicable privacy laws and regulations.
Article 6. Audits
6.1. The Controller is entitled to – at its own expense and at reasonable intervals – conduct an audit into the processing activities of the Processor. The Processor shall provide all reasonable assistance to the audit, including – after prior consultation between the Parties – granting access to buildings where Alleo B.V. is operational, databases and/or making relevant data/information available to the Controller.
6.2. The Processor will implement the recommendations arising from the audit without undue delay and in consultation with the Controller. The Processor will only have to bear the costs of implementing said recommendations if the proposed changes are the result of a failure to comply with the security requirements under this DPA.
6.3. The Processor shall provide all reasonable assistance if the Autoriteit Persoonsgegevens and/or any other supervisory authority conducts an investigation into the processing activities of the Processor. In addition, the Processor shall inform the Controller without undue delay of the fact that an investigation is being conducted.
Article 7. Incidents
7.1. Upon becoming aware of a security incident which may have resulted in a personal data breach (as defined by the GDPR), Processor will – after duly investigating the incident itself – notify the Controller of the potential data breach without undue delay and in any case within 72 hours of becoming aware of the potential data breach.
7.2. The Processor shall take all reasonable measures to limit the consequences of the Incident and/or prevent a new Incident. Processor shall also provide all reasonable cooperation to Controller in assessing the Incident, so that the latter can comply with its statutory obligations consisting of notifying the competent supervisory authorities and/or informing the Data Subjects.
Article 8. Sub-processors
8.1. The Controller hereby grants permission to the Processor to engage Sub processors for the performance of the Agreement. A list of the Sub-processors that Processor engages on the start date of the Agreement is specified in Annex 1. If the Processor wishes to engage or replace a Sub-processor, it must inform the Controller thereof. The Controller is then entitled to object to this proposal within a term of 14 days after receipt of the notification. If the Controller does not object within 14 days after receipt of the information regarding the intended change, it shall be deemed to have authorized the intended change.
8.2. The Processor shall enter into an agreement with the Sub-processors that it has engaged. This agreement must be in accordance with the applicable privacy laws and regulations. The Processor will impose terms and conditions that are substantially equivalent to those set out in this DPA on the Sub-processor.
Article 9. Confidentiality
9.1. The Processor shall keep all Personal Data that it receives from the Controller confidential. The provisions on confidentiality in the Processor’s General Terms & Conditions apply.
Article 10. Term and Termination
10.1. This DPA shall enter into force at the time of conclusion of the Agreement and and shall continue to be in force for as long as the Agreement is in force. The DPA shall end by operation of law upon termination of the Agreement. Obligations of a permanent nature shall remain to be in force between the Parties after the DPA has been terminated and/or ended (by operation of law).
10.2. Upon termination of the Agreement, the Processors shall permanently delete all personal data processed on the Controller’s behalf, unless the Controller requests Processor, within 15 days from termination of the Agreement, to make the Personal Data available to the Controller - or any other Third Party designated by it – in which case the Processor will provide the data in a structured, commonly used and machine readable format.
10.3. After transferring the Personal Data to the Controller, the Processor shall ensure that any remaining Personal Data shall be destroyed, unless longer storage is required by law. In addition, the Processor shall ensure that any Personal Data present at its Sub-processors shall be destroyed as well.
10.4. In the event of bankruptcy, this DPA shall remain in full force and effect between the Parties, in order to enable the continuity of the processing within the context in which the Personal Data were initially provided.
ANNEX 1 – PROCESSING DETAILS
The individuals to which the Personal Data relates are:
The types of Personal Data processed by the Processor are:
In case Alleo is the Processor
The following Personal Data is always processed by Alleo B.V.:
The following Personal Data is only processed if the indicated product module is offered by Alleo as part of the Agreement:
In case Alleo Platform Transactions is the Processor:
The following Personal Data is always processed by Alleo Platform Transactions B.V.:
Processor processes the Personal Data for the following purposes:
In case Alleo is the Processor:
In case Alleo Platform Transactions is the Processor:
The Personal Data is not processed for the following purposes:
Following the termination of the business relationship, the Controller shall have a period of thirty (30) days (the "Retention Period") to request the export or deletion of Personal Data. During the Retention Period, the Controller may instruct the Processor to either: a. Export the Personal Data in a commonly used, machine-readable format, or b. Delete the Personal Data.
Upon either receiving a request from the Controller to delete Personal Data or the expiration of the Retention Period, whichever occurs first, the Processor shall, within a maximum period of thirty (30) days: a. Permanently delete or destroy all Personal Data, or b. Anonymize all Personal Data to ensure that the data subjects are no longer identifiable.
The Processor shall confirm in writing to the Controller that all Personal Data has been deleted, destroyed, or anonymized in accordance with this clause within ten (10) days following the completion of such actions.
Any Personal Data that is required by any applicable laws to be retained for a longer period will be removed and/or destroyed after said period has concluded.
The Personal Data is processed in the following countries outside of the EEA:
Processor shall use the following Sub-processors for the performance of the Agreement:
For questions or comments regarding this DPA and the Annexes thereof, please do not hesitate to contact the representative of:
Sven Cune
COO/DPO
ANNEX 2 – TECHNICAL AND ORGANISATIONAL MEASURES
This Annex aims to contain the technical and organizational measures implemented by the Processor to protect Personal Data. The measures included in this Annex may be amended and/or expanded upon if and when necessary. Controller considers the measures listed below to be appropriate to mitigate the level of risk that is involved when outsourcing certain processing activities to the Processor.