Processing agreement
This processor agreement applies to all clients ("Responsible Parties") using the services of:
(a) "Kaminada Fiscal Y Contable SL", located at Ctr. del Cap de la Nau 135, in Javea, Spain, and registered under CIF number B70931993;
(b) "Kaminada B.V.", located at Dr. Lelykade 44K, in Scheveningen, the Netherlands, and registered under KvK number 88043479;
(c) "Kaminada Gestao e Fiscalidade unipessoal LDA", located at Avenida Conde de Oeiras 13ª, in Amadora, Portugal and registered under NIF number PT518205282;
and represented by its partner, Mr J. de Haas da Cruz (hereinafter "Kaminada" or "Processor").
By entering into an order for services with Kaminada, the Respondent agrees to the provisions of this processor agreement. This agreement forms an integral part of the assignment agreement between Kaminada and the Respondent and applies for as long as Kaminada processes personal data on behalf of the Respondent in the context of that assignment.
The agreement has been drafted in accordance with the requirements of the General Data Protection Regulation (GDPR), and is in line with additional national provisions in the Netherlands, Spain and Portugal.
Considerations:
- Kaminada has entered into the Contract with you on account of the provision by Kaminada of the following services: the collection, processing, classification and summarisation of financial data (the keeping of accounts) as well as the filing of sales tax returns and the handling of requests and objections concerning tax matters (the "Contract"). In doing so, Kaminada processes the Personal Data set out in the Annex attached to this Agreement.
- Kaminada - by virtue of the performance of this Assignment and in respect of the Personal Data that Kaminada will Process in the process - is to be regarded as "Processor" and You as "Controller". In this Agreement, the parties lay down the mutual rights and obligations.
The parties agree as follows:
- Definitions
A number of terms are used in this agreement. The meaning of those terms is clarified below. The terms mentioned are capitalised in this agreement. Often, the enumeration below uses the description of the term from the privacy laws and regulations, the AVG Act.
Concerned: | The person to whom a Personal Data relates.
|
Processor: | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller without being subject to its direct authority.
|
Sub-processor: | Another processor engaged by the Processor to perform specific processing activities on behalf of the Controller. A sub-processor works under the supervision of the Processor.
|
Controller: | A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
|
Special Personal Data: | These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, or data concerning a person's sexual behaviour or sexual orientation. As well as personal data relating to criminal convictions and offences or related security measures.
|
Data breach/breakage of personal data: | A breach of security leading accidentally or unlawfully to - or where it cannot reasonably be excluded that it may lead to - destruction. The loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
|
Third parties: | Others than You and Kaminada and Her Collaborators.
|
Duty to report data breaches: | The obligation to report Data Breaches to the Personal Data Authority and (in some cases) to Data Subject(s).
|
Staff: | Persons employed by You or by Kaminada, either in employment or temporarily hired.
|
Assignment: | The order referred to above in recitals A.
|
Agreement: | This processor agreement.
|
Personal data: | Any information relating to an identified or identifiable natural person ("the Data Subject") processed in the context of the "Engagement"; an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characterising the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
|
Personal data of sensitive nature: | Personal Data where loss or unlawful Processing may lead to (inter alia} stigmatisation or exclusion of data subject, damage to health, financial loss or to (identity) fraud. These categories of personal data include, but are not limited to: - Special personal data - Data on the financial or economic situation of the Data Subject - {Other} data that may lead to stigmatisation or exclusion of the Data Subject - User names, passwords and other login data - Data that can be misused for (identity) fraud
|
Processing/Adjustment: | An operation or set of operations involving personal data or a set of personal data, whether or not carried out by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
|
AVG: | General Data Protection Regulation, a European Union regulation, including its implementing law, The AVG replaces the Wbp as of 25 May 2018.
|
- Applicability and duration
2.1 This agreement applies to any Processing carried out by Kaminada as
Processing is done on the basis of the Assignment given by You as the Controller.
2.2 This agreement takes effect on the date on which the Engagement takes effect and ends when Kaminada no longer holds any Personal Data that Kaminada processes for you under the Engagement. It is not possible to terminate this Agreement prematurely subject to three calendar months' notice. Termination must be in writing.
2.3 Articles 6 and 7 of this agreement shall continue to apply even after the agreement (or Order) has ended.
- Processing
3.1 Kaminada Processes Personal Data only in the manner agreed by Kaminada with you in the Engagement. This Processing shall be done by Kaminada no longer al' more extensively than necessary for the performance of this Engagement. The Processing will take place in accordance with Your written instructions, unless Kaminada is required by law or regulation to act otherwise (for example, when weighing up whether a report of an "unusual transaction" must be made under the Money Laundering and Terrorist Financing (Prevention) Act. If an instruction, in Kaminada's opinion, violates the AVG, it will notify You immediately.
3.2 The Processing takes place under Your responsibility. Kaminada does not control the purposes and means of the Processing and does not make decisions on matters such as the use of Personal Data and the provision of Personal Data to Third Parties, You must ensure that You have clearly defined the purposes and means of the Processing of the Personal Data. The Controller and the Processor shall, to the extent required by law, agree retention periods for each category of Personal Data in writing or record them in an internal policy, available for review. Control of Personal Data shall never rest with Kaminada. If Kaminada should have an independent obligation under laws and regulations regarding Processing of Personal Data, Kaminada shall comply with these obligations.
3.3 You are required by law to comply with applicable privacy laws and regulations. In particular, you must determine whether there is a lawful basis for Processing the Personal Data, Kaminada shall ensure that it complies with the regulations applicable to it as a Processor regarding the Processing of Personal Data and the arrangements made by Kaminada in this agreement.
3.4 Kaminada will ensure that only its Employees have access to the
Personal data. The exception to this is set out in Article 3.5. Kaminada limits access to Employees for whom access is necessary for their work, whereby access is limited to Personal Data that such Employees need for their work. Kaminada shall also ensure that Employees who have access to Personal Data have received proper and complete instructions on how to handle Personal Data and that they are familiar with the responsibilities and legal obligations.
3.5 Under its responsibility, Kaminada may engage other processors (Sub-processors) to perform certain activities arising from the Order, for example if these Sub-processors have specialist knowledge or resources not available to Kaminada. If engaging Sub-processors results in these Personal Data being processed then Kaminada will impose (in writing) on those Sub-processors the obligations under this Agreement. Before engaging other Sub-Processors, Kaminada will first seek Your consent. This consent form will name the names, locations and nature(s) of cooperation of the Sub-Processors. You may refuse consent but this may in some cases mean that Kaminada must terminate the Assignment. Whether an Assignment should be terminated for this reason is at the sole discretion of Kaminada.
3.6 To the extent possible, Kaminada shall assist You in fulfilling Your obligations to handle requests for exercise of rights of Data Subjects. If Kaminada receives (directly) requests from Data Subjects to exercise their rights (e.g. access, modification or deletion of Personal Data), Kaminada will forward these requests to You. You handle these requests yourself, whereby Kaminada may of course assist You if Kaminada Administrations have access to such Personal Data in the context of the Engagement. Reasonable costs may be charged for assistance in handling requests from Data Subjects, provided that the request is manifestly unfounded or excessive
3.7 Kaminada will not process Personal Data outside the European Economic Area (EEA) unless there is a valid legal basis to do so in accordance with the AVG Act. The parties shall record these agreements in writing, or by e-mail.
3.8 Requests from competent authorities will be handled in accordance with the procedures contained in Kaminada's Privacy Statement.
3.9 At the request of the Controller, Kaminada shall offer the opportunity to inspect or audit Sub-Processors to the extent reasonable and necessary, subject to the contractual obligations of that Sub-Processor and on reimbursement of costs.
- Security measures
4.1 Kaminada has taken the security measures listed in the Schedule accompanying this agreement. When taking the security measures, the risks to be mitigated, the state of the art and the cost of the security measures were taken into account.
4.2 You have properly informed yourself about the security measures taken by Kaminada and believe that these measures have a level of security appropriate to the nature of the Personal Data and the scope, context, purposes and risks of the Processing.
4.3 Kaminada will inform You if any of the security measures change substantially.
4.4 Kaminada provides appropriate guarantees for the application of technical and organisational security measures in relation to the Processing to be carried out. If You wish to have the manner in which Kaminada complies with the security measures inspected, You may make a request to Kaminada to this effect, Kaminada will make arrangements jointly with You in this regard. The cost of an inspection will be at Your expense You will provide Kaminada with a copy of the inspection report.
- Data breach
5.1 If there is a Data Breach, Kaminada will notify You Kaminada aims to do so within 72 hours after Kaminada discovers this Data Breach, or as soon as possible after Kaminada is informed of it by its Sub Processors.
5.2 The reporting of Data Breaches to the Personal Data Authority and (possibly) Data Subject(s) is always Your own responsibility.
5.3 Notifications of data breaches are made in accordance with the internal data breach policy as set out in Kaminada's Privacy Statement.
- Duty of confidentiality
6.1 The parties undertake to maintain confidentiality in accordance with the provisions contained in Kaminada's General Terms and Conditions and applicable professional rules.
- Liability
7.1 You warrant that the Processing of Personal Data based on this agreement is not unlawful and does not infringe the rights of Data Subject(s).
7.2 Processor's liability is limited to the amount for which it is insured, unless there is intent or gross negligence, in accordance with Article 82 of the AVG Act. The Controller shall indemnify the Processor only for damages arising directly from the Controller's failure to comply with its own obligations under the AVG Act. You shall also indemnify Kaminada for claims by Third Parties based on such damages. The indemnification applies not only to damages suffered by Third Parties (material but also immaterial), but also to the costs incurred by Kaminada in connection therewith, for example in any legal proceedings, and the costs of any fines imposed on Kaminada as a result of Your actions.
7.3 The limitation of Kaminada's liability agreed in the Engagement and associated general terms and conditions shall apply to the obligations set out in this agreement, on the understanding that one or more claims for damages under this agreement er/or the Engagement can never lead to the limitation being exceeded.
- Transferability Agreement
8.1 You and Kaminada may not, unless the parties jointly agree otherwise in writing, assign this Agreement and the rights and obligations associated with this Agreement to any other person.
- Termination and return/destruction of Personal Data
9.1 If the Order is terminated then Kaminada will pay to You the
Kaminada provided Personal Data back to You or - if You request Kaminada to do so - destroy it. Kaminada will only retain a copy of the Personal Data if Kaminada is required to do so by law or regulation.
9.2 The costs of collecting and transferring Personal Data at the termination of the Engagement shall be borne by You. The same applies to the costs of destruction of the Personal Data If You so request, Kaminada will provide You with a cost estimate in advance.
- Supplements and amendments Agreement
10.1 Changes shall be made in accordance with the General Terms and Conditions.
10.2 A change in the Personal Data processed or in the reliability requirements, privacy regulations or Your requirements may be cause to supplement or amend this Agreement. If this results in significant changes to the Engagement, or if Kaminada cannot provide an appropriate level of protection, this may be grounds for Kaminada to terminate the Engagement.
- Final provisions
11.1 At Your request, Kaminada shall make available to You all information necessary to demonstrate compliance with the obligations set out in this Agreement Kaminada shall facilitate and contribute to audits, including inspections, by You or an auditor authorised by You. The costs of such requests, audits or inspections shall be borne by You. Any audits of our Sub processors will also be at Your expense.
11.2 Cooperation with supervisory authorities will take place in accordance with the AVG and the internal privacy policy.
11.3 This agreement shall be governed by the law of the Member State in which the Respondent is established, recognising applicable mandatory EU law.
11.4 For requests from data subjects in Spain or Portugal, Kaminada provides local contacts who communicate in the respective national language.
