The General Data Processing Terms (“GDPT”) form part of the General Terms And Conditions (“General Terms”) or any other written Agreement between Momice (“Processor”) and user (“Controller”) to which the General Terms apply. The Processor processes personal data on behalf of the Controller in relation to organization and management of promotional events using the all-in-one event software of Processor.
The GDPT is to be understood as a legally binding act pursuant to article 28 of the General Data Protection Regulation (“GDPR”). In the course of providing Services to Controller pursuant to the Agreement, Processor agrees to comply with the provisions of the GDPT. Parties may deviate from the GDPT in writing. Processor also offers an optimized version of the GDPT: The Data Processing Amendment. Please send any enquiries to firstname.lastname@example.org.
Article 1. Terminology
1.1 The terminology used in the GDPT, such as "processing" and "personal data", has the meaning as defined in the GDPR.
Article 2. Processing objectives
2.1 The Processor undertakes to process personal data on behalf of the Controller in accordance with the conditions laid down in the GDPT. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes reasonably related thereto or as may be agreed to subsequently. In general, the purposes of processing will consist of registering and contacting people that are interested in Controller’s event with the use of Processor’s services.
2.2 The Controller undertakes to use Processor’s services to process personal data. The personal data may include, but is not limited to, the following categories:
- Address details
- Email addresses
- Phone numbers
- Names of employers
- Job titles
- Other personal data categories specified by the Controller
2.3 The Controller undertakes to use Processor’s services to process personal data from the following categories of data subjects:
- Controller's employees
- Board members
- Independent contractors
- People working for clients of the Controller
- People working for suppliers of the Controller
- Other business contacts
- Other people who may be interested in the Controller's event
2.4 The Controller will notify the Processor of the processing purposes, as well as the categories of personal data and data subjects, to the extent these have not already been cited in the GDPT. The Processor may use the contact information of the Controller and the employees of the Controller for quality purposes, such as sending surveys or carrying out statistical research into the quality of its services.
2.5 The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes.
2.6 All rights pertaining to the personal data processed by the Processor on behalf of the Controller shall remain with the Controller and/or the data subjects concerned.
2.7 Processor can under no circumstance be held liable for any damages or other consequences as a result of the processing of special categories of personal data (art. 9 GDPR) on behalf of the Controller.
Article 3. Obligations of the Processor
3.1 With regard to the processing referred to in the previous article, the Controller and the Processor will undertake to comply with the applicable privacy legislation such as the GDPR.
3.2 On request of the Controller and within a reasonable time thereof, the Processor shall furnish the Controller with details regarding the measures it has adopted to comply with its obligations under the GDPT.
3.3 The Processor’s obligations arising under the terms of the GDPT apply also to whomsoever processes the personal data under the Processor’s instructions (sub-processors).
Article 4. Allocation of responsibility
4.1 The permitted processing operations shall be semi-automated and performed under the control of the Processor. The Processor is solely responsible for the processing of personal data under the GDPT, in accordance with the instructions of the Controller and under the (final) responsibility of the Controller. The Processor is not responsible for any other processing operations involving personal data, including the gathering of personal data by the Controller, processing for purposes that the Controller has not reported to the Processor and processing by third parties and/or for other purposes not stated in the GDPT.
4.2 The Controller represents and warrants that it has a valid legal basis to process the relevant personal data and to engage the Processor in relation to such processing of personal data. Furthermore, the Controller represents and warrants that the processing by the Processor is not unlawful and does not infringe any rights of a third party. In this context, the Controller indemnifies the Processor against all claims and actions of third parties related to the unlawful processing of personal data.
4.3 In case applicable privacy legislation requires a Privacy Impact Assessment to be conducted before the intended processing under the Agreement and the GDPT may be carried out, then the Processor shall provide the Controller with assistance to the extent necessary and reasonable. The Processor may charge reasonable costs for the aforementioned assistance.
Article 5. Conditions of the Service
5.1 The Processor may process the personal data in countries inside the European Union (EU). In addition, the Processor may also transfer the personal data to a country outside the EU, provided that the legal requirements for such transfer have been fulfilled. In relation to the aforementioned, the Processor is specifically allowed to use the Google Cloud Platform to host its services. Google is Privacy Shield verified and the Processor will choose one of Google’s European data centres to be used for hosting Processor’s service and storing the personal data gathered through that service.
5.2 Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in. Furthermore, when the Controller makes use of the Processor’s ticket services, the Controller agrees that payments for such tickets will be handled by Adyen. Adyen is an international payment service provider, therefore employees of Adyen outside of the EU are technically able to process the relevant personal data.
5.3 Within the framework of the Agreement and the GDPT, the Processor is hereby authorised to engage third parties (sub-processors). On request of the Controller, the Processor shall inform the Controller about which sub-processors are engaged by the Processor. The Processor shall inform the Controller about any planned change in the used sub-processors, in which case the Controller has the right to object (in writing, within two weeks and supported by arguments) to the proposed change in sub-processors. An overview of the sub-processors is available on Processor’s website.
5.4 Should the Controller object to such change, then the Parties will jointly endeavour to find a reasonable solution. If Parties cannot come to a solution, then the Processor is allowed to make the planned change in the used sub-processors and the Controller is allowed to terminate the Agreement (including the GDPT) on the date that the Processor will actually make the change in the used sub-processors.
5.5 The Processor undertakes to bind the relevant sub-processors to substantially the same obligations as the Processor is bound to based on the GDPT.
Article 6. Security measures
6.1 The Processor will endeavour to take adequate technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under the GDPT.
6.2 The Processor will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
6.3 With regard to the aforementioned paragraphs, the Processor shall take the technical and organisational measures as mentioned in Processor’s security policy. This security policy is available on Processor’s website, and may be updated from time to time.
6.4 The Processor endeavours to only update its security policy for the better, taking into account paragraphs 1 and 2 of this article, innovations in the security field and the user experience.
6.5 The aforementioned security policy may be added to the GDPT as an appendix for information purposes, however the security policy as made available on Processor’s website will remain leading.
6.6 The Controller will only make the personal data available to the Processor for processing if it is assured that the necessary security measures have been taken.
Article 7. Duty to report
7.1 In the event of a security breach, the Processor shall, to the best of its ability, notify the Controller thereof without undue delay, not later than 48 hours after having become aware of it, after which the Controller shall determine whether or not to inform the data subjects and/or the relevant regulatory authority.
7.2 A ‘security breach’ as stated in this article 7 is a breach of Processor’s security, leading to (a significant chance of) severe negative consequences for the protection of personal data, as referred to in articles 33 and 34 GDPR.
7.3 If required by law and/or regulations, the Processor shall cooperate in notifying the relevant authorities and/or data subjects. The Controller remains the responsible Party for any statutory obligations in respect thereof.
7.4 The duty to report a security breach includes in any event the duty to report the fact that a personal data breach has occurred, including details regarding:
a. the (suspected) cause of the breach;
b. the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of data records concerned;
c. the (currently known and/or anticipated) consequences thereof;
d. the (proposed) solution;
e. the measures that have already been taken to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.
Article 8. Handling of requests from data subjects
8.1 Where a data subject submits a request to the Processor regarding his/her personal data (for example, to inspect, correct or delete the data, or to receive a copy of the data), the Processor will forward the request to the Controller and the request will then be dealt with by the Controller. The Processor may notify the data subject hereof. On request of the Controller, the Processor will provide assistance with handling such request to the extent necessary and reasonable. The Processor may charge reasonable costs for such assistance.
Article 9. Non-disclosure and confidentiality
9.1 All personal data processed within the framework of the GDPT by the Processor (and/or its sub-processors) on behalf of the Controller is subject to a duty of confidentiality vis-à-vis third parties. The Processor shall bind its employees and/or sub-processors, who will perform processing activities under the GDPT, to an obligation of confidentiality.
9.2 This duty of confidentiality will not apply in the event that the Controller has expressly authorised the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of the GDPT, or where there is a legal obligation to make the information available to a third party.
Article 10. Auditing
10.1 The Controller has the right to have audits performed by an independent third party bound by confidentiality to check Processor’s compliance with the GDPT.
10.2 Such audits may only take place after:
- the Controller has requested (from the Processor) the similar audit reports from independent third parties that are already in Processor’s possession; and
- the Controller has reviewed the aforementioned audit reports and can provide legitimate reasons to initiate an audit as mentioned in paragraph 1.
10.3 An audit as mentioned in paragraph 1 may only be undertaken once per calendar year. At least two weeks before an audit can take place, Controller shall inform the Processor of the audit.
10.4 The Processor shall cooperate with the audit and provide all information reasonably relevant for the audit, including supporting data such as system logs, and employees, as promptly as possible.
10.5 The findings further to the audit conducted will be assessed by the Parties in mutual consultation and, following on from this, may or may not be implemented by one of the parties or by both Parties together.
10.6 The costs of the audit, including the costs that the Processor has to incur to cooperate with the audit, shall be borne by the Controller.
Article 11. Term and termination
11.1 The GDPT is an integral part of the Agreement, which means that the GDPT is entered into for the duration set out in the Agreement (including all renewals and/or extensions thereof) and that additional provisions in the Agreement and Processor’s General Terms, such as the limitation of liability, are also directly applicable to the GDPT.
11.2 Thirty (30) days after an event of the Controller has come to an end, the Processor will delete all (personal) data relating to this event from its systems. Within the aforementioned thirty-day period, the Controller has the ability to export its (personal) data in Excel format.
11.3 After the expiry of the Agreement, the Processor will (depending on the choice of the Controller) provide the Controller with the opportunity to obtain a copy of the relevant personal data (still available on Processor’s systems at that point in time) in .CSV format, or delete the relevant personal data still available on Processor’s systems, unless there is a legal obligation for the Processor to retain the data.
11.4 The Processor shall provide its full cooperation in amending and adjusting the GDPT in the event of new or changing privacy legislation.
Article 12. Applicable law and dispute resolution
12.1 The GDPT and the implementation thereof will be governed by Dutch law.
12.2 Any dispute arising between the Parties in connection with and/or arising from the GDPT will be referred to the competent Dutch court in the district where the Processor has its registered office.
12.3 In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
a. the Agreement;
b. the GDPT;
c. the General Terms;
d. additional conditions, where applicable.
12.4 Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.