Data Processing Agreement Maatos
Maatos has its registered office in Amsterdam, at Amstelveenseweg 63-IV (1075VV), legally represented by its managing director A. Verkooijen, hereinafter referred to as: “Processing Manager”;
“User”, “Instructor”, or “you”: any natural person or legal entity who has or will have a contractual relationship of any kind with Maatos through its platform as a “Processor”.
Processing Manager and Processor are collectively referred to as: “Parties”.
- Parties have entered into or will enter into an agreement regarding activities on the basis of which the Processor processes personal data on the instructions of the Processing Manager as referred to in the General Data Protection Regulation;
- Parties to this Processing Agent agreement wish to lay down the rights and obligations for the processing of Personal Data by the Processor.
Article 1: Definitions
- Main agreement: The agreement concluded between Processor and Processing Manager during the creation of the environment or the conclusion of the agreement and which relates to, among other things, providing courses, teaching courses, managing the platform, providing additional services.
- Processing agreement: This agreement and its annexes.
- Personal data: Personal data as referred to in the General Data Protection Regulation.
- Person concerned: The person to whom the processed Personal Data applies.
- Data breach: A breach of security that leads to a significant likelihood of serious adverse consequences or serious adverse consequences for the protection of Personal Data and/or that is likely to have an adverse effect on the privacy of a data subject.
Article 2: Content of Processing Contract
- This Processing Agreement regulates the processing of Personal Data by Processor within the framework of the Main Agreement.
- The processor guarantees the application of appropriate technical and organisational measures to ensure that the processing of personal data meets the requirements of the General Data Protection Regulation and that the protection of the rights of the data subject is guaranteed.
- Processor warrants to comply with the requirements of applicable laws and regulations regarding the processing of Personal Data.
- The nature and purpose of processing Personal Data, the type of Personal Data and the categories of Data Subject are described in more detail in Appendix 1.
Article 3: Date of entry into force and duration
- This Processing Agreement will enter into force after the creation of an account and acceptance of the Processing Agreement or the conclusion of an agreement with Maatos.
- This Processing Agreement ends after and insofar as Processor has deleted or returned all Personal Data in accordance with Article 9.3.
- Neither of the Parties is entitled to terminate this Processing Agent Agreement in the interim.
Article 4: Processing
- Processor shall ensure compliance with the conditions set for the processing of Personal Data pursuant to the General Data Protection Regulation.
- Processor processes the Personal Data on behalf of Processing Manager, in accordance with its written instructions and under its responsibility.
- Processor has no control over the purpose and means of the processing of the Personal Data and makes no decisions about its use, its disclosure to third parties or the duration of the storage of the Personal Data.
- In the execution of this Processing Agreement, Processor shall maintain confidentiality.
- The processing manager guarantees that the processing of the Personal Data is exempt from notification to the Personal Data Authority.
- Processors are not permitted to process Personal Data outside the European Economic Area (“EEA”) without the prior written consent of the processing manager. The transfer and storage of Personal Data outside the EEA is not permitted without the prior written consent of the Processing Manager.
- The Processor and those working under the authority of the Processor are obliged to maintain the confidentiality of Personal Data processed by the Processor and/or of which the Processor has become aware, unless a legal provision obliges the Processor to notify the Processor or the Processor’s task results in a need to notify the Processor.
- Processor shall promptly notify Processing Manager of any requests made to Processor regarding the rights of data subjects, such as (but not limited to) requests for access to, or correction, supplementation, referral or blocking of, the Personal Data. Processor fully cooperates with Processing Manager to comply with the Processing Manager’s obligations under the General Data Protection Regulation, regardless of whether the data subject’s request is addressed to Processor or Processing Manager.
- The Processor is not permitted to engage a third party in the performance of this Processing Agreement, unless the Processing Manager has given the Processor written permission to do so.
- Processor should support Processing Manager in fulfilling the obligation to comply with Complainant’s requests and with other obligations of Processing Manager.
- The Processor must provide the Processing Manager with the opportunity to verify that the Processor is complying with the agreements laid down in this Processing Agreement.
Article 5: Data Breaches
- In the event that the Processor is found to be affected by a Data Breach, the Processor will inform the Processing Manager immediately after the Processor has become aware of said Data Breach.
- In the event that Processor is found to have a Data Breach, Processor will take all measures necessary to limit the (possible) damage. In that case, the Processor also undertakes to provide all possible cooperation in order to enable the Processing Manager to timely inform the Personal Data Authority and, if necessary, the person involved.
- The Processor shall also inform the Processing Manager of any developments in relation to the data breach in accordance with the first paragraph of this article, including the developments in relation to personal data.
- The parties shall bear their own costs in connection with the notification to the competent supervisory authority and the Person concerned.
Article 6: Security
- Processor shall take all appropriate technical and organisational measures, further described in Annex 2, to protect the Personal Data against loss or any form of unlawful processing. Those measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, taking into account the state of the art and the cost of their implementation.
- Ensuring an appropriate level of security may continually force the Parties to adopt additional security measures. Processors therefore guarantee a level of security appropriate to the risk. Processor shall take additional measures with regard to the security of the Personal Data if Client expressly requests this in writing.
Article 7: Obligations of the Processing Manager
- The Processing Manager guarantees that any processing of Personal Data is in accordance with the General Data Protection Regulation.
Article 8: Liability
- Processor shall be liable for all damages and penalties imposed on Processor by the Personal Data Authority (or other competent authorities) as a result of or in connection with the breach of this Processing Agent Agreement and/or any act in violation of the General Data Protection Regulation.
Article 9: Final provisions
- This processing agreement is governed by Dutch law.
- This Processing Agreement and the rights and obligations under this Processing Agreement may not be transferred by Processor to third parties without the prior written consent of the Processing Manager.
- In the event of termination of this processing agreement, Processor shall immediately return the Personal Data to Processing Manager and destroy all digital copies of the Personal Data. Processor will then immediately notify Processing Manager that it has carried out the obligations imposed in this article.
- Should any provision in this Processing Agreement be null and void, voidable or non-binding, the remaining provisions of this Processing Agreement shall remain in force. The parties will consult the relevant provision, with the aim of agreeing on a legally valid provision, with as much the same content and effect as the invalid, voidable or non-binding provision.
Appendix 1: Processing of Personal Data
This Appendix further specifies the processing of Personal Data. The following subjects are concerned:
The subject and nature and purpose of the processing of Personal Data:
The personal data will be used by the processor to: deliver purchases, provide access to the platform, teach courses, post and share materials, answer questions and other matters that are necessary during the execution of the course.
The kind of personal data:
Names, e-mail addresses, usernames, telephone numbers, avatars, IP addresses, order data, company data and account data.
A description of the categories of personal data:
The processing concerns personal data from the category ‘normal personal data’.
A description of the categories of persons concerned:
Personal data is collected from existing or potential customers.
A description of the categories of recipients of personal data:
The Processor that processes these data includes instructors, tax authorities, teachers, managers of the environment and organisations that purchase an environment from Maatos.
Appendix 2: Technical and organisational security measures
The Processing Manager has taken appropriate technical and organisational measures in order to protect your personal data against loss or unlawful processing. The website has an SSL-certificate, which allows the data to be sent over a secure connection. In addition, passwords are encrypted and daily backups are made.
Processing manager has taken security measures with regard to third parties. For example, the Processing Manager has entered into a processing agreement with third parties that process your personal data. The purpose of the processing and the agreements on the level of technical and organisational measures are laid down in the processing agreement.
The processor takes as many security measures as necessary to prevent a data breach. This could be an SSL connection when working on a website. In addition, passwords that are needed are stored encrypted.
Annex 3: Agreements in the event of a Personal Data breach
In the event of a Personal Data breach, the following procedure will be followed:
- After the discovery of a data breach, the Processor will examine whether this data breach should be reported to the Personal Data Authority.
- In the event that the data breach has to be reported, Processor will do so within 72 hours.
- Processor will document the data breach.
- Processor will determine whether the data breach should be reported to the Processing Manager. If this happens to be the case, Processor will (timely) inform Processing Manager about the breach.