Data Processing Agreement

Last updated: November 24, 2022

Article 1. Applicability

1. For the purpose of the fulfilment of its obligations under the Agreement between Tabular (hereinafter: Processor) and Client (hereinafter: Controller) for the delivering and use of the Service (hereinafter: the Agreement), Processor shall process personal data on behalf of Controller.
2. In accordance with article 28 General Data Protection Regulation (hereinafter: GDPR) Controller and Processor describe the subject and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties in this Data Processing Agreement.
3. Definitions that are used in this Data Processing Agreement, such as processing, personal data, controller and processor shall have the meaning as determined in the GDPR. In order to comply with the GDPR, with respect to the Processing of Personal Data, parties agree upon the conditions as set forth in this Data Processing Agreement.

Article 2. General

1. Processor processes the personal data on Controller’s behalf and in accordance with the written instructions agreed on by Controller and Processor. An overview of the categories of personal data and the purposes for which the personal data are processed, is included in SCHEDULE 1.B. to this Processing Agreement.
2. Controller, the controller in the sense of the GDPR, has control over the processing of personal data and has established the purpose of and the means for the personal data processing.
3. Processor is processor in the sense of the GDPR and, for that reason, has no control over the purpose of and the means for the personal data processing and, therefore, does not take any decisions on, amongst other things, the use of the personal data.
4. Processor implements the GDPR as laid down in this Data Processing Agreement. Controller is responsible for assessing, on the basis of this information, whether Processor offers adequate guarantees with respect to applying appropriate technical and organizational measures for the processing to meet the requirements posed by the GDPR and to adequately safeguard the protection of the data subjects’ rights.
5. Controller guarantees Processor that it acts in compliance with the GDPR, that its systems and infrastructure are at any time appropriately secured and that the content, the use and/or the processing of the personal data are not unlawful and do not breach any third party rights.
6. Controller is not entitled to seek recovery from Processor of an administrative fine imposed on Controller by the supervisory authority, on whatever legal ground.  By ‘supervisory authority’ is understood to mean the supervisory authority referred to in the GDPR. 

Article 3. Security

1. Processor takes all the technical and organizational security measures described in the Agreement and Schedule 2. When implementing these technical and organizational measures, Processor has taken into account the state of the art, the costs involved in implementing the security measures, the nature, scope and context of the processing, the nature of its products and services, the processing risks and the varying risks, in terms of likelihood and severity, posed to the rights and freedoms of the data subjects that Processor could expect in view of the use intended to be made of its products and services.
2. Processor’s service is not intended for processing special categories of personal data or data relating to convictions under criminal law or criminal offences.
3. Processor endeavours to ensure that the security measures to be taken by Processor are appropriate for the use of the product or service intended by Processor.
4. The security measures described offer a security level, in Controller’s opinion and taking the factors referred to in article 3.1 into account, appropriate to the risk involved in processing personal data used or provided by Controller.
5. Processor may adjust the security measures implemented if this should be required, in Processor’s opinion, to continue to offer an appropriate security level. Processor keeps a record of important adjustments and informs Controller of these adjustments where relevant.
6. Controller may request Processor to implement further security measures. Processor is not obliged to implement any adjustments in its security measures following such request. Processor may charge Controller for the costs involved in implementing the adjustments requested by Controller. Processor is not obliged to actually implement these adjusted security measures before the security measures requested by Controller have been agreed on in writing.

Article 4. Personal Data Breaches

1. Processor does not guarantee that the security measures are effective in all circumstances. If Processor discovers a personal data breach, Processor informs Controller of this without undue delay. Processor and Controller will contact each other using the contact details as set out in Schedule 1.A.
2. It is up to Controller as a controller (or Controller’s clients) to assess whether the personal data breach reported by Processor must be reported to the supervisory authority or the data subject. Reporting personal data breaches is, at any time, controller’s – i.e. Controller’s or Controller’s clients – responsibility. Processor is not obliged to report personal data breaches to the supervisory authority and/or the data subject.
3. Where required, Processor provides further information on the personal data breach and renders assistance in providing the information to Controller that Controller needs to report a breach to the supervisory authority or the data subject.
4. Processor may charge Controller for the costs involved in this context, within reason and at Processor’s current rates.

Article 5. Confidentiality

1. Processor ensures that the obligation to observe confidentiality is imposed on any person processing personal data under Processor's responsibility.
2. Processor is entitled to provide personal data to third parties if and insofar as this should be required pursuant to a judicial decision or a statutory requirement, on the basis of an authorized order by a public authority or in the context of the proper performance of the Agreement.

Article 6. Term and Obligations following Termination

1. The duration of the Data Processing Agreement is equal to the duration of the Agreement.
2. In the event the Data Processing Agreement ends, Processor deletes or return, within a reasonable time, all personal data received from Controller that it has in its possession in such a way that they can no longer be used and are rendered inaccessible.
3. The provisions of article 6.1 do not apply if statutory provisions should prohibit Processor to delete the personal data or return these, in part or in full. In such event Processor only continues to process the personal data insofar as required under its statutory obligations.
4. The provisions of article 6.1 do not apply either if Processor is a controller in the sense of the GDPR with respect to the personal data.

Article 7. Data subjects' rights, Data Protection Impact Assessment (DPIA) and Audit Rights

1. Where possible, Processor renders assistance in reasonable requests by Controller that are related to data subjects exercising their rights against Controller. If Processor is directly contacted by a data subject, Processor refers this data subject, whenever possible, to Controller.
2. If Controller should be obliged under the GDPR to carry out a Data Protection Impact Assessment (DPIA) or a prior consultation following this, Processor renders assistance, at Controller's reasonable request, in this DPIA or prior consultation.
3. At Controller's request, Processor provides all information that would be reasonably required to demonstrate compliance with the arrangements laid down in this Data Processing Agreement with respect to personal data processing, for example by means of a valid Data Pro Certificate or another certificate at least equal to it, an audit report (Third Party Memorandum) drafted by an independent expert commissioned by Processor or by means of other information to be provided by Processor. If Controller should nevertheless have reasons to assume that the personal data are not processed in accordance with the Data Processing Agreement, Controller may commission an audit, no more than once per year and at Controller's expense, by an independent, certified external expert who has demonstrable experience in the type of data processing that is carried out under this agreement. Processor is entitled to refuse an expert if this expert affects, in Processor's opinion, Processor's competitive position. The audit is limited to verifying compliance with the arrangements on personal data processing as laid down in this agreement. The expert is obliged to observe confidentiality with respect to his findings and only reports issues to Controller which result in a failure by Processor to meet its obligations under this agreement. The expert provides Processor with a copy of his report. Processor may refuse an expert, an audit or an instruction by the expert if this should be, in Processor's opinion, in violation of the GDPR or other laws and regulations or if this should be an unacceptable breach of the security measures implemented by Processor.
4. Processor and Controller hold consultations on the findings of the report as soon as possible. They comply with the improvement measures proposed and laid down in the report insofar as this can be reasonably expected from them. Processor implements the proposed measures insofar as these are appropriate in Processor's opinion, taking into account the processing risks associated with Processor's product or service, the state of the art, the implementation costs, the market in which Processor operates and the intended use of the product or service.
5. Controller is fully responsible for the costs it has incurred in the context of the provisions laid down in this article. Processor and Controller will consult with each other in advance, in order to determine the costs.

Article 8. Subprocessors

1. Controller authorises Processor to engage other processors to fulfil (parts of) the obligations under the Agreement, subject to the conditions that Processor shall notify Controller of any intended change concerning the addition or replacement of other processors. Controller may object to any intended change within 5 working days after being notified. If Processor does not accept Controller's objections, Controller may terminate the Data Processing Agreement without observing any notification period.
2. If Processor instructs another processor for carrying out specific processing activities on behalf of Controller, Processor shall ensure that the same data protection obligations as set out under this Processing Agreement are imposed on the other processor. Processor shall lay down these obligations in a written contract. If the other processor fails to comply with its obligations regarding data protection, Processor shall remain liable to Controller for the performance of that other processor's obligations.

Article 9. Liability

1. The liability provisions of the Agreement shall also apply to the rights and obligations of the parties under this Data Processing Agreement, unless the law expressly provided otherwise.

Article 10. Transfer to Third Countries

1. Processor is entitled to process personal data within the European Economic Area (EEA). Transfer of personal data to countries outside the EEA is only permitted if the country guarantees an adequate level of protection or if it has taken appropriate safeguards for this, as is referred to in articles 45 and 46 of the GDPR.
2. If Processor must provide personal data to any third party pursuant to a legal obligation applicable in national or European regulations, Processor will verify the basis of the request and the identity of the applicant and Processor will immediately, prior to the provision, inform Controller, unless the law prohibits this for substantial reasons of public interest.

Article 11. Miscellaneous

1. This Data Processing Agreement forms an integral part of the Agreement. Therefore, all rights and obligations under the Agreement, including conditions regarding liability, will also apply to this Data Processing Agreement. In the event of any contradictions, this Data Processing Agreement shall prevail.
2. If changes occur in the national legislation or the European legislation on the protection of personal data in the future, Processor and Controller will amend this Data Processing Agreement to the extent that this is necessary to comply with new regulations.

SCHEDULE 1 — PARTIES AND DESCRIPTION OF TRANSFER

A. PARTIES

Data exporter(s); Controller: Processor will inform Controller via the contact details as filled in by Controller when entering into the Agreement.

Data importer(s), Processor:

Name: Tabular Marketing B.V.

Address: Molenlaan 106, (3055 EP) Rotterdam, The Netherlands

Contact person's name, position and contact details: Data Protection Officer, dpo@tabular.email

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

SCHEDULE 2 — TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

• Measures of pseudonymisation and encryption of personal data
• Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
• Measures for Controller identification and authorisation
• Measures for the protection of data during transmission
• Measures for the protection of data during storage
• Measures for ensuring events logging
• Measures for ensuring system configuration, including default configuration
• Measures for internal IT and IT security governance and management
• Measures for certification/assurance of processes and products
• Measures for ensuring data minimisation
• Measures for ensuring data quality
• Measures for ensuring limited data retention
• Measures for ensuring accountability
• Measures for allowing data portability and ensuring erasure