Version 23 May 2018
This Processing Agreement forms an integral part of the agreements reached by the Parties (the “Agreement”). The Processor’s general terms and conditions apply in full to this Processing Agreement.
The parties:
The private company CargoHub, located at Speenkruid 20 in Alphen aan den Rijn and registered in the Trade Register of the Chamber of Commerce under number 55989853, hereby legally represented by R. Paul (“Processor”);
and
“the Customer” as mentioned in the license agreement (“Controller”);
jointly referred to as the “Parties” and separately as the “Party”;
Considering that:
and agree:
Article 1. Introductory Provisions
1.1. Terms in this Processing Agreement that are defined in the DPA have the meanings specified therein.
1.2. When reference is made in this Processing Agreement to a provision in the DPA, this will, from 25 May 2018, refer to the corresponding provision in the General Data Protection Regulation (the “GDPR”).
Article 2. Purposes of Processing
2.1. Processor undertakes, in accordance with the conditions of this Processing Agreement, to process personal data as commissioned by the Controller. Processing shall be performed solely as part of the execution of the Agreement and for purposes that may subsequently be determined.
2.2. Controller determines which (sorts of) personal data he will have the Processor process and the (categories of) data subjects this personal data relates to. The Processor has no influence over this.
2.3. Processor will not process the personal data for any purpose other than that determined by the Controller. The Controller will inform the Processor of the purpose of the processing insofar as this has not already been specified in the Processing Agreement.
2.4. The personal data to be processed at the behest of the Controller remains the property of the Controller or the data subjects concerned.
2.5. Controller guarantees that the contents, the use and the directive to process the personal data as specified in the Processing Agreement are not unlawful and do not infringe any rights of third parties. In addition the Controller will ensure:
2.6. Controller indemnifies Processor against all claims associated with non-compliance with, or incorrect compliance with, the obligations of Article 2.5.
Article 3. Processor’s Obligations
3.1. With respect to the processing mentioned in Article 2, the Processor shall take care to comply with the conditions that, on the grounds of the DPA and the GDPR, are required with regard to the processing of personal data by the Processor.
3.2. Processor shall inform the Controller, upon his first request, of the measures Processor has taken to comply with his obligations within this Processing Agreement, the DPA and GDPR.
3.3. The obligations on the Processor resulting from this Processing Agreement also apply to those processing personal data under the authority of the Processor.
Article 4. Transmission of Personal Data
4.1. Processor may process personal data in the countries within the European Union. Transmission to countries outside the European Union is only allowed subject to compliance with the applicable regulations of the DPA and GDPR.
4.2. The Processor shall advise the Controller, upon his request, which country or countries are involved.
Article 5. Division of Responsibility
5.1. The permitted processing will be undertaken by the Processor within a (semi-)automated environment under the control of the Processor.
5.2. Processor is only responsible for the processing of the personal data under this Processing Agreement, in accordance with the instructions of the Controller and under the explicit (final) responsibility of the Controller.
5.3. Processor is not responsible for all other personal data processing, including in any case the collection of personal data by the Controller, processing for purposes that have not been advised to the Processor by the Controller, processing by third parties or for other purposes.
Article 6. Involving Third Parties or Sub-Contractors
6.1. Controller authorizes the Processor to make use of third parties when processing personal data on the basis of this Processing Agreement, subject to compliance with the applicable privacy legislation and regulations.
6.2. Upon the Controller’s request, the Processor will, as promptly as possible, advise the Controller of the third parties engaged. Controller has the right to object to any of the third parties engaged by the Processor.
6.3. Processor will not object on unreasonable grounds and should duly substantiate an objection. If the Controller objects to third parties engaged by the Processor, the Parties shall consult with one another in order to find a solution.
6.4. Processor will ensure that third parties engaged by him agree in writing to obligations that are at least as stringent as the obligations resting upon the Processor on the grounds of the Processing Agreement.
6.5. Processor is responsible for the correct compliance by third parties with the obligations mentioned in Article 6.4 and, in the case of errors, will be held responsible by the Controller as if he had made the error(s) himself.
6.6. Processor’s maximum liability for damages, as alluded to in Article 6.5, is limited to the amount agreed in the Agreement (including the Processor’s general terms and conditions).
Article 7. Security
7.1. Processor shall, with regard to the personal data processing to be performed, take appropriate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized access, violation, modification or disclosure of the personal data).
7.2. Notwithstanding the Processor conforming to the first paragraph of this Article in adopting appropriate measures, Processor cannot guarantee that these security measures will be effective in all circumstances. Processor will, in the event of a threat to – or an actual breach of – these security measures, do his utmost to limit the loss of personal data as far as possible.
7.3. If a security measure specifically defined in the Processing Agreement is absent, the Processor must ensure that security protection meets a level that, taking into account the state of the technology, the sensitivity of the personal data and the costs involved in making the security arrangements, is not unreasonable.
7.4. Controller only makes personal data available to the Processor for processing once the Controller has assured himself that the required security measures are in place.
Article 8. Duty to Report
8.1. In the event of a data breach (meaning: a breach of the protection of personal data leading to a significant risk of negative consequences, or having negative consequences, for the protection of personal data within the meaning of Article 34a DPA), the Processor will inform the Controller as soon as possible, but in any case within 48 hours of the data breach becoming known to the Processor.
8.2. The duty to report applies only if the breach has actually happened and includes, in any case, reporting the fact that a breach has occurred, along with, insofar as this information is available to the Processor:
8.3. Controller himself assesses whether he will inform the relevant authorities and/or data subjects and is himself responsible for complying with (legal) reporting obligations. If stipulated by the privacy legislation and regulations, the Processor shall cooperate in this respect by informing the relevant authorities or data subjects.
Article 9. Handling of Requests from Data Subjects
9.1. Should a data subject wish to exercise one of his legal rights and submits a request to the Processor, the Processor will forward this request to the Controller. Controller shall then deal with the request. The Processor may advise the data subject accordingly.
9.2. In the event that a data subject directs a request for the exercising of one of his legal rights to the Controller, the Processor shall, if the Controller so wishes, cooperate insofar as this is possible and insofar as this is reasonable. The Processor may charge the Controller reasonable costs for this.
Article 10. Confidentiality Obligations
10.1. A duty of confidentiality with regard to third parties rests upon all personal data the Processor receives from the Controller or which the Processor himself collects in the context of this Processing Agreement.
10.2. This duty of confidentiality does not apply if the Controller has given explicit permission for the information to be provided to third parties, insofar that the provision of the information to third parties is considered logically necessary for the implementation of the Processing Agreement, or if a legal requirement exists to provide a third party with the information.
10.3. If the Processor is required by law to provide a third party with information, the Processor will advise the Controller as quickly as possible insofar as this is legally permitted.
Article 11. Audit
11.1. Controller has the right to have audits undertaken by a third party independent expert, who shall be bound to secrecy, in order to check the security requirements as agreed in Article 7 of the Processing Agreement.
11.2. The audit referred to in Article 11.1 would take place only if there is a concrete suspicion of misuse that can be demonstrated by the Controller. The audit initiated by the Controller would take place two weeks after the Controller gives notice.
11.3. Processor shall cooperate with the audit and all reasonably relevant information for the audit, including supporting information such as system logs, and employees will be made available as soon as possible and within a reasonable period, where a maximum period of two weeks is reasonable.
11.4. The findings resulting from the performed audit shall be considered by the Parties in mutual consultation and, as a result of this, may or may not be implemented by one of the Parties or jointly by both Parties.
11.5. The cost of the audit will be borne by the Controller.
Article 12. Liability
12.1. For the Parties’ liability for damages resulting from an accountable shortcoming in the fulfillment of the Processing Agreement, as a result of an unlawful act or otherwise, the schedule regarding liability agreed in the Agreement (and including the general terms and conditions of the Processor) shall be declared applicable.
Article 13. Duration and Termination
13.1. This Processing Agreement is entered into for the period specified in the Agreement and, in the absence thereof, in any case for at least the duration of the cooperation between Parties. This Processing Agreement cannot be terminated prematurely.
13.2. Parties may only change this Processing Agreement by mutual agreement, but shall give their full cooperation to amending the Processing Agreement due to any new or amended privacy legislation and regulations.
13.3. Upon termination of the Processing Agreement, the Processor shall destroy all personal data held by him, unless the Parties agree otherwise.