Processor Agreement

Concerning agreements on the legitimate processing of personal data

Version: 2024

Parties:

The private company Payt B.V., hereinafter referred to as ‘Processor’;

in

Customer of Payt B.V., hereinafter referred to as ‘Controller’;

Hereinafter collectively referred to as ‘Parties’ and individually as ‘Party’.

Whereas:

  • The Processor has developed an online platform for debtor management and collection services;
  • The Controller uses or intends to use the Processor’s services;
  • This usage entails the Processor processing or intending to process Personal Data on behalf of the Controller;
  • The Controller and the Processor aim to document their mutual rights, obligations, and agreements concerning the Processing of Personal Data in relation to these services in this Processing Agreement.
  • The following Appendices are an integral part of this Processing Agreement:
    • APPENDIX 1: Personal Data; individuals concerned, subject and duration, nature and purpose, method and means of processing;
    • APPENDIX 2: Security Measures.
  • Should any provision of an Appendix be incompatible or conflict with a provision of the Processing Agreement, the provisions of the Appendix will take precedence.

1. Definitions

Within this Processing Agreement, the following terms, identified by an initial capital letter and applicable in both their singular and plural forms, are defined as follows:

  • Data Subject: the individual to whom the personal data pertains or their designated representative.

    Processor: the party that processes Personal Data on the Controller’s behalf, without falling under the Controller’s direct supervision. In the context of this Processing Agreement, this is Payt B.V.

    Appendix: a component of the Processing Agreement providing further clarification and information on a specific aspect or component of the services.

    Personal Data: any data concerning an identified or identifiable individual.

    Controller: the individual, legal entity, or any other body or administrative unit that, alone or together with others, defines the objectives and means of processing Personal Data.

    Processing: any action or series of actions conducted on Personal Data, encompassing, but not limited to, gathering, documenting, organizing, storing, updating, altering, retrieving, consulting, employing, sharing via transmission, spreading or otherwise making available, amalgamating, associating, as well as blocking, deleting, or annihilating Personal Data.

2. Duration and termination

This Processing Agreement remains in effect for the duration of the Processor’s engagement in processing Personal Data on behalf of the Controller and cannot be terminated prematurely.

The Processor shall, upon the Controller’s first request and no later than ten working days after the conclusion of this Processing Agreement, make all Personal Data available to the Controller.

Upon termination of this Processing Agreement, the Processor shall delete and/or destroy all Personal Data in its possession, along with any copies thereof.

The Processor may depart from the stipulations of the preceding two paragraphs to the extent that a legal retention period is applicable to the Personal Data or as far as necessary to demonstrate compliance with its obligations towards the Controller.

3. Subject

  1. The Processor shall process Personal Data on behalf of the Controller, with the Controller supplying Personal Data to the Processor for this purpose.

    The Processor shall process Personal Data solely in accordance with the Controller’s written instructions (as specified in this Processing Agreement and the service agreement entered into between the Controller and the Processor, to which this Processing Agreement is annexed), unless legally required to process the Personal Data. In such cases, the Processor will notify the Controller of this legal requirement prior to processing, except where the law prohibits such notification on significant grounds of public interest.

    Should the Processor consider that an instruction from the Controller violates data protection legislation, including the General Data Protection Regulation (GDPR), it shall promptly notify the Controller.

    The Controller has defined the purposes for processing Personal Data and has communicated these purposes to the Processor.

    The Processor agrees not to process the Personal Data for any purposes other than those specified in Appendix 1.

    The Personal Data processed by the Processor on the Controller’s behalf, regardless of how it is obtained, remains the property of the Controller and/or the relevant Data Subject.

    The Controller assures the Processor that the handling, use, and/or processing of the Personal Data is lawful and does not infringe any third party’s rights, that such Personal Data have been lawfully collected and shared, and indemnifies the Processor against any legal claims by a Third Party arising from the processing of these Personal Data, unless the Controller can demonstrate that the facts underlying the claim are attributable to the Processor.

4. Execution of processing

  1. The Processor is accountable solely for processing Personal Data within the scope of services rendered under the stipulations of this Processing Agreement. The Processor is explicitly not liable for any other processing of Personal Data, including the collection of Personal Data by the Controller and/or third parties.

    Without express prior written consent from the Controller and compliance with legal stipulations, the Processor shall not process Personal Data in countries outside of the European Economic Area (‘EEA’) that lack an adequate level of protection. The transfer of Personal Data to countries outside the EEA lacking adequate protection is prohibited.

    The Processor shall store and process Personal Data related to the Controller separately from the Personal Data it processes for itself or on behalf of third parties.

    The Processor shall process the Personal Data diligently and with care, in alignment with its obligations as a Processor under data protection legislation, including the General Data Protection Regulation.

    The Controller shall supply the Processor with the data necessary for executing the tasks. The Controller shall only provide the (Personal) data essential for the performance of the Processor’s tasks and which are permissible for the Controller to supply for that purpose.

5. Securing Personal Data

  1. The parties agree that the Processor shall implement suitable technical and organizational security measures, which are commensurate with the current state of technology and the associated costs, relative to the nature of the Personal Data being processed, to safeguard the Personal Data from loss, unauthorized access, alteration, or unlawful processing, as well as to ensure the (timely) availability of the Personal Data.

    The parties acknowledge that security requirements evolve continually, necessitating effective security, frequent assessments, and periodic enhancements of obsolete security measures. Consequently, the Processor will consistently review the security measures in place to protect Personal Data and will, as necessary, strengthen, augment, or refine them to maintain compliance with its obligations.

    Beyond the stipulations of this article, the Processor undertakes the security measures as detailed in Appendix 2.

    The Processor does not warrant that the security measures will be effective under all conditions.

6. Monitoring

  1. The Controller is entitled to conduct a (penetration) test annually to verify compliance with the terms of this Processing Agreement. This evaluation may be carried out by the Controller directly or through an independent certified public accountant, certified computer scientist, or other accredited auditor.

    The Processor shall retain the necessary supporting data for the (penetration) tests mentioned in this article, such as system logs.

    Individuals executing the test will adhere to the Processor’s current security procedures.

    The Processor commits to cooperate and to provide all information reasonably relevant to the test in a timely manner.

    Unless otherwise agreed in writing, the Controller bears the costs of the test.

    The Controller shall notify the Processor in writing of a planned test, after which the Processor will facilitate the commencement of this test within a reasonable timeframe.

7. Duty of notification of data breaches & monitoring

  1. Should a breach involving personal data occur within the Processor’s domain, the Processor shall promptly notify the Controller upon discovery.

    The obligation to report shall minimally include the notification of the occurrence of a breach or incident, the (suspected) cause of the breach or incident, the currently known and/or anticipated consequences, and the (suggested) resolution.

    The Controller, should it find it necessary, will notify Data Subjects and other third parties, including the Dutch Data Protection Authority, about a data breach or other incidents. The Processor is not authorized to directly communicate information regarding a data breach or other incidents to Data Subjects or other third parties unless legally required to do so or with express consent from the Controller.

8. Confidentiality

  1. All Personal Data that the Processor receives from the Controller and/or collects independently in the course of this Processing Agreement is subject to a duty of confidentiality towards third parties.

    The Processor will ensure that its personnel authorized to process the Personal Data are committed to the confidentiality obligation stipulated in this article.

    The confidentiality obligation does not apply in cases where the Controller has explicitly authorized the disclosure of information to third parties, if the disclosure to third parties is logically necessary due to the nature of the assigned task and the implementation of this Processing Agreement, or if there exists a legal mandate to disclose the information to a third party. Should the disclosure of information to third parties be based on a legal requirement, the Processor shall inform the Controller of this action as promptly as possible, preferably before the disclosure occurs.

9. Rights of the Data Subjects

  1. The Processor commits to providing full support to the Controller, upon the Controller’s approval and on its behalf, to:

    • Grant data subjects access to their Personal Data and furnish details concerning the processing of their Personal Data;
    • Enable data subjects to obtain their Personal Data in a structured, commonly used, and machine-readable format and to transmit those data to another party;
    • (Temporarily) restrict the processing of Personal Data solely to storage, or to processing for which the Data Subject has granted consent, until the Controller decides to lift the processing restriction;
    • Erase or amend Personal Data of Data Subjects (for instance, if a Data Subject legitimately contests the processing of their Personal Data);
    • Verify that Personal Data have been erased or corrected if they are inaccurate (or, if there is disagreement from the Controller regarding the accuracy of Personal Data, to document the Data Subject’s belief that their Personal Data are incorrect).

    Moreover, upon the Controller’s initial request, the Processor will, as promptly as possible but no later than five working days following the receipt of the request:

    • Provide all necessary written information that the Controller may require;
    • Amend, supplement, delete, or protect Personal Data.

    To the fullest extent possible, the Processor will cooperate fully with the Controller in meeting its obligations under the relevant data protection legislation.

10. Engaging of and sharing personal data with a sub-processor

  1. Engaging of and sharing personal data with a sub-processor

    The Processor is authorized to engage third parties for the Processing of Personal Data under the following conditions:

    • The Processor has provided written notification in advance and the Controller has not objected within fourteen days following the notification; or
    • The Processor has obtained consent from the Controller; or
    • The involvement of third parties is logically necessary due to the nature of the assignment and/or the execution of this Processing Agreement.

    The Processor ensures that any third parties engaged adhere to at least the same obligations as those stipulated for the Processor in this Processing Agreement.

    For the effective performance of services, the Processor engages third parties and shares the personal data collected on behalf of the Controller with, among others (but not limited to), the partners listed in ANNEX 1, for which the Controller hereby grants permission.

    Should the Processor wish to engage a third party located outside the EEA, the Processor must first secure permission from the Controller. Irrespective of the above, the Processor also ensures that this third party provides an appropriate level of protection and security for Personal Data as defined by the General Data Protection Regulation.

    The Processor bears responsibility to the Controller for the actions of the third parties it engages.

    If the Controller requests the Processor to share Personal Data with a third party not already included in the list of parties with whom the Processor shares data as mentioned in ANNEX 1, then the conditions of this article do not apply, and the Controller is fully responsible for any damages arising directly or indirectly from this action.

    The Processor may also disclose Personal Data to third parties if required to do so by a request or an authorized order from a governmental or judicial authority, or in relation to a legal obligation.

11. Retention period

  1. Payt is committed to retaining the minimal amount of data that is no longer relevant. Simultaneously, historical data presents opportunities for enhanced insights, financing options, and reference material for annual reports.

    Considering the nature of the service, the retention period commences once an invoice has been settled.

    The Processor adheres to a standard retention period of 25 months.

    Alterations to this standard can be made through the application or via the service desk.

12. Final provisions

  1. Amendments to this Processing Agreement are only binding if agreed upon in writing by the Parties.

    This Processing Agreement supersedes all other agreements between the Controller and the Processor concerning the processing of Personal Data.

    This Processing Agreement is governed exclusively by Dutch law.

    Disputes arising from or related to this Processing Agreement shall be exclusively resolved by the competent court in the Processor’s place of business.

APPENDIX 1 Personal Data; purpose, method and means; retention periods

APPENDIX 1 Personal data; purpose, manner and means of processing; retention periods

Processed Personal Data

Data relating to accounts receivable of the Controller:

Name, address, place of residence, telephone number, e-mail address, gender, debtors,as well as data about payment behavior and communication between debtors and Payt customers and billing information.

Categories of Data Subjects

Debtors

Subject, duration and nature of the processing

Processor offers Controller a SaaS solution to automate accounts receivable management. The conditions under which this SaaS solution is provided to the Controller and which services it includes are further described in the service agreement that the Processor has concluded with the Controller.

The purposes, manner and means of processing

The Personal Data is processed by the Processor with the aim of:

a) to be able to pay the claims offered by the Controller through the Processor;

b) in order to be able to perform the services as agreed between the Controller and the Processor.

These Personal Data are processed and stored in the relevant software systems of the Processor. Furthermore, the Processor engages third parties to correctly perform the services. At the time this Processing Agreement is entered into, the Processor uses the following sub-processors:

Amazon Web Services, inc. EEA
Aangetekend BV EEA
Paragon Customer Communications B.V. EEA
eConnect International B.V. EEA
Messagebird B.V. EEA
Flowmailer B.V. EEA
Sendgrid, inc. EEA/USA
Speos Belgium N.V. EEA

You can request a current list of the names of parties with which the Processor shares data, as well as an explanation of the data and the purpose of sharing that data via servicedesk@paytsoftware.com.

The Processor also supports connections with Third Parties who have their own processing responsibility and with whom the Controller has a direct contractual relationship. This includes bailiffs, suppliers of payment services (such as but not limited to Pay and Mollie), suppliers of credit assessment services (such as Graydon).

APPENDIX 2 Security measures

APPENDIX 2 Security measures

The processor takes, among other things, security measures in the following areas, as laid down in its information security policy. Processor has an ISO 27001 certification for its information security policy.

  • Safe staff;
  • Asset management;
  • Access security;
  • Cryptography;
  • Physical security;
  • Security of business operations;
  • Communications security;
  • Acquisition etc. of systems;
  • Supplier relations;
  • Management of Information Security Incidents;
  • Aspects of business continuity management;
  • Compliance.

We are happy to make the declaration of applicability available to you confidentially and upon request.

Payt

KvK: 08155915
BTW: NL817576320B01

Headquarters

Ubbo Emmiussingel 21
9711 BB Groningen
The Netherlands