This Data Processing Agreement ("DPA") is entered into by and between VIKTOR B.V ("VIKTOR") and the Customer (as defined below). VIKTOR and the Customer are hereinafter jointly referred to as the "Parties" and each individually as a "Party".
This DPA complements the Customer Agreement (as defined below) entered into between VIKTOR and the Customer and lays down the mutual rights and obligations of the Parties in regards of the Processing of Personal Data (as defined below), to the extent VIKTOR Processes such Personal Data on behalf of the Customer.
1.1. In this DPA, unless where explicitly provided otherwise, capitalised words and expressions have the following meanings.
| Word/Expression | Meaning |
|---|---|
| Customer | The entity that entered into the Customer Agreement with VIKTOR; |
| Customer Agreement | The agreement entered into between VIKTOR and the Customer on the basis of which the Customer is granted a license to use the VIKTOR platform; |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed; |
| Data Protection Laws | All applicable laws and regulations concerning the Processing and protection of Personal Data, including but not limited to the GDPR and the GDPR Implementation Act; |
| Data Subject | The identified or identifiable natural person to whom the Personal Data refers; |
| DPA | This Data Processing Agreement; |
| GDPR | General Data Protection Regulation (EU 2016/679); |
| Personal Data | Any information relating to an identified or identifiable natural person, referred to in the applicable Data Protection legislation, which VIKTOR may process; |
| Process/Processing | Any operation or series of operations which is performed on Personal Data or on a set of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
| GDPR Implementation Act | The General Data Protection Regulation Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming); |
1.2. In this DPA, unless specified otherwise:
2.1. This DPA applies when VIKTOR Processes Personal Data on behalf of the Customer when operating the VIKTOR platform, and therefore only applies in the situation that VIKTOR acts as a processor within the meaning of the GDPR and the Customer acts as the Controller.
2.2. VIKTOR Processes Personal Data in accordance with the instructions of the Customer under the Customer's responsibility.
2.3. The nature and purpose of the Processing to be carried out by VIKTOR, as well the types of Personal Data and the Data subjects to whom such Personal Data relates, are set out in Schedule 1 below.
3.1. VIKTOR Processes Personal Data only on the instructions of the Customer, unless there are deviating legal obligations. If the instructions of the Customer are in breach of the applicable Data Protection Laws, VIKTOR shall notify the Customer thereof.
3.2. The Customer agrees and guarantees that VIKTOR is entitled to Process Personal Data in accordance with this DPA.
3.3. VIKTOR will only provide the Personal Data to its employees that have a need know and after having informed these employees of the confidential nature of the Personal Data. VIKTOR ensures that these employees commit themselves to confidentiality.
3.4. VIKTOR shall cooperate with the Customer in the performance of the Customer's obligation to respond to requests of Data Subjects exercising their rights under the applicable Data Protection Laws, by taking appropriate technical and organisational measures.
3.5. VIKTOR undertakes to cooperate with the Customer in the performance of its obligations under article 32 to 36 of the GDPR.
4.1. Without undue delay after becoming aware of a Data Breach that involves or may involve Personal Data of the Customer, VIKTOR shall notify the Customer thereof.
4.2. VIKTOR shall provide the Customer with all reasonably needed information, including the information set forth in article 33 of the GDPR, to enable the Customer to notify the competent supervisory authority where necessary.
5.1. VIKTOR has taken all appropriate technical and organisational security measures as required by article 32 of the GDPR. The privacy statement of VIKTOR provides an overview of security measures taken by VIKTOR.
5.2. The Customer has the right to inspect the security measures taken by VIKTOR and the right to inspect VIKTOR's compliance with the requirements of this DPA. VIKTOR shall contribute to audits or inspections in this respect, under the following conditions:
6.1. Customer hereby grants its permission to VIKTOR for the engagement of the sub-processors listed here for the performance of its services and this DPA. If VIKTOR wishes to add a new sub-processor to the list or replace a sub-processor, VIKTOR will update the list. If the Customer objects to the use of a certain sub-processor, the Customer should inform VIKTOR thereof as soon as possible. The Parties will then work together in good faith to resolve the objection.
6.2. VIKTOR ensures that all sub-processors it engages are bound by the same or similar obligations as included in this DPA.
7.1. VIKTOR may Process Personal Data outside the European Economic Area ("EEA"). The Customer hereby grants VIKTOR permission to Process Personal Data in the countries specified in Schedule 1 below.
7.2. When VIKTOR Processes Personal Data outside the EEA, it shall do so in accordance with requirements of the applicable Data Protection Laws.
8.1. The Parties agree that the limitation of liability clause included in VIKTOR's general Terms and Conditions (available here) shall apply to this DPA as well.
9.1. This DPA is entered into for an indefinite period of time and shall terminate automatically once the Customer Agreement ends.
9.2. In the event of termination of this DPA, VIKTOR shall within a reasonable period of time after termination return all Personal Data to the Customer or destroy all Personal Data, unless in VIKTOR's reasonable opinion there is an independent legal obligation that prohibits or limits VIKTOR to fully or partially return or delete the Personal Data.
10.1. Any variation of this DPA is not valid unless and until it is in writing and has been signed by or on behalf of all Parties.
10.2. If a provision of this DPA is or becomes invalid or non-binding, the Parties shall remain bound by the remaining provisions. In that event, the Parties shall replace the invalid or non-binding provision by provisions that are valid and binding and that have, to the greatest extent possible, a similar effect as the invalid or non-binding provision, given the contents and purpose of this DPA.
10.3. Each Party hereby waives, to the extent permitted by law, the right to partially or wholly rescind (ontbinden) or partially or wholly nullify (vernietigen) or otherwise terminate this DPA. The Parties hereby agree to exclude the applicability of Section 6:230, paragraph 2 of the Dutch Civil Code.
11.1. This DPA is governed by and shall be construed in accordance with the laws of the Netherlands.
11.2. All disputes arising out of or in connection with this DPA shall be submitted exclusively to the competent court in Rotterdam, the Netherlands, notwithstanding the right of appeal.
Nature and purpose of processing: VIKTOR will Process Personal Data as far as this is necessary to perform its obligations under the Customer Agreement and as further instructed by the Customer.
Type of personal data: Personal data processed through the application build by Customer using the VIKTOR platform, such as name, email address, and other personal data as configured by Customer.
Categories of data subjects: Data subjects whose personal data are processed through the application build by Customer using the VIKTOR platform, such as employees of Customer.
Processing outside the EEA: VIKTOR Processes personal in the United Kingdom, the United States and Australia. For more information, please refer to: Regional Hosting Docs
Last updated:
Download