Data processing

This data processing appendix is part of HandiHow's terms of delivery.

Article 1 - Definitions

Capitalized names and terms on this page have the following meanings:

1.1 Personal data: all information about an identified or an identifiable natural person;

1.2 Processing: an operation or a set of operations with regard to Personal Data or a set of Personal Data, whether or not performed automatically, such as collecting, recording, organizing, structuring, storing, updating or changing, requesting, consulting, using, providing by by forwarding, disseminating or otherwise making available, aligning or combining, blocking, deleting or destroying data;

1.3 Privacy legislation: all applicable laws and regulations on the processing of personal data - but not limited to - the General Data Protection Regulation;

1.4 Data breach (s): a breach of personal data, i.e. any breach of security that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorized disclosure of or unauthorized access to stored or otherwise forwarded processed data.

1.5 Controller: Client, being the (legal) person who (alone or together with others) determines the purpose and means for the Processing of personal data and is obliged on the basis of Privacy Legislation to take the guarantees necessary for that Processing;

1.6 Processor: HandiHow, being the (legal) person who processes Personal Data on behalf of the Controller;

1.7 Sub-processor: the (legal) person who in turn processes Personal Data on behalf of HandiHow;

1.8 Agreement: the Agreement concluded between the Parties with regard to the services provided by HandiHow to the Client, of which this Annex forms an appendix;

Article 2 - Subject

2.1 HandiHow will process Personal Data on behalf of the Client during or in connection with the performance of its Services.

2.2 On the basis of Privacy Legislation, the Client is in this capacity regarded as the Controller of the Processing of the Personal Data and HandiHow as the Processor. This Appendix contains the terms and conditions of this Processing of Personal Data by HandiHow.

Article 3 - Obligations of HandiHow

3.1 HandiHow only processes Personal Data to the extent necessary during or in connection with the implementation of the Agreement concluded between the Parties. The Processing of Personal Data by HandiHow takes place in a proper and careful manner, in accordance with Privacy Legislation and in accordance with the (written) instructions of the Client. The Client guarantees that the instructions it has given are in accordance with Privacy Legislation.

Article 4 - Sub-processors

4.1 HandiHow is entitled to engage Sub-processors for the Processing of Personal Data, provided HandiHow ensures that Sub-processors to be engaged assume at least the same obligations as those imposed on HandiHow on the basis of this Appendix.

4.2 HandiHow remains the Client's point of contact in this relationship.

Article 5 - Transfer of Personal Data

5.1 HandiHow will only transfer Personal Data to a country outside the European Economic Area, provided that that country guarantees an adequate level of protection and it complies with the other obligations imposed on it by virtue of this Annex and Privacy Legislation.

5.2 HandiHow will only transfer Personal Data to the United States on the basis of an EU model contract or to companies certified by the US Department of Commerce on the basis of the Privacy Shield.

Article 6 - Security

6.1 HandiHow will endeavor to take sufficient appropriate technical and organizational measures to protect the servers (hardware) and the Personal Data stored thereon against loss and against any form of unlawful Processing. Taking into account the state of the art, the implementation costs, these measures guarantee an appropriate level of security in view of the risks of the Processing and the nature, scope and context of the Personal Data to be protected.

6.2 The Client is responsible for taking appropriate technical and organizational security measures with regard to the software and applications used.

Article 7 - Duty to report

7.1 In order to enable the Client to comply with the statutory Data Breach Reporting Obligation, HandiHow will notify the Client immediately after it has become aware of a Data Breach. This notice includes a description of:

• the data breach;

• the nature of the infringement (including copying, changing, deleting, theft, unknown);

• when the Data Breach has taken place;

• the technical measures taken by HandiHow to stop the breach and prevent future breaches.

7.2 At the request of the Client, HandiHow will provide further information about the Data Breach, insofar as necessary for the Client to comply with its legal obligations regarding notification to the Dutch Data Protection Authority and Data Subjects.

7.3 HandiHow may, on the basis of the Telecommunications Act, be obliged to independently report (security) incidents and Data Leaks to the Reporting Obligation Desk for the Telecom Act.

Article 8 - Rights of the Data Subject (s)

8.1 Taking into account the nature of the processing, HandiHow will, as far as possible, assist the Controller in fulfilling its duty to respond to requests for the exercise of the Data Subject's rights set out in Chapter III GDPR, by means of appropriate technical and organizational measures.

8.2 HandiHow will immediately notify the Client of a request (s) from the Data Subjects addressed directly to HandiHow. HandiHow will ensure that sub-Processors engaged by it do not independently respond to requests as referred to in Article 8.1 of this Processor Agreement, unless written instructions have been issued to this effect.

Article 9 - Data protection impact assessment

9.1 HandiHow provides the Client with assistance as far as possible in carrying out a data protection impact assessment by making all relevant information available to assess the effect of the intended processing activities on the protection of Personal Data.

Article 10 - Audits

10.1 If the information and documentation made available by HandiHow does not sufficiently demonstrate compliance with this Processing Agreement by HandiHow, the customer has the right to have an audit carried out or to have it carried out. The costs of the audit are borne by the Client.

10.2 An audit initiated by the Client will take place once a year no later than two weeks after prior announcement, together with a description of the parts to which the audit relates and the process.

10.3 Processor will cooperate with the audit and make all reasonably relevant information, including supporting data, available as timely as possible and within a reasonable period of time. The parties will assess the outcome of the audit in mutual consultation.

Article 11 - Confidentiality

11.1 HandiHow undertakes, unconditionally and irrevocably, to observe secrecy during and after termination of this Agreement of all Personal Data of which it knows or can reasonably suspect the confidential nature.

11.2 HandiHow guarantees that persons employed by or working for HandiHow and (possible) have access to Personal Data, are bound by the obligation of confidentiality described in this article and that they refrain from copying, transmitting, transferring or otherwise distributing Personal Data. To third parties.

11.3 This obligation only does not apply if and insofar as disclosure is required by law and / or court decision, in which case the information to be disclosed will be kept as limited as possible.

Article 12 - Liability

12.1 If HandiHow fails to fulfill the obligation under this Processor Agreement, the Client can give HandiHow notice of default. Notice of default must be given in writing, whereby HandiHow is granted a reasonable period of time to still fulfill its obligations.

12.2 HandiHow is liable on the basis of the provisions of article 82 GDPR, for damage or loss resulting from non-compliance with this Processor Agreement. This liability is limited to the amount referred to in Article 14a of the General Terms and Conditions.

12.3 The Parties indemnify each other against all claims from third parties (including fines from the Authorities) with regard to an act or omission in violation of the Privacy Legislation of the other Party.

Article 13 - Duration and termination

13.1 HandiHow's obligations also continue in full after termination of the Agreement, if and insofar as HandiHow still has access to Personal Data.

13.2 Upon termination of the Agreement, the Client itself is responsible for the export of personal data. Thirty (30) days after termination or dissolution of the Agreement, HandiHow will delete the data and Personal Data present on its servers and (backup) systems.

13.3 HandiHow may deviate insofar as certain Personal Data is subject to a statutory retention period applicable to it (including the Telecommunications Data Retention Act) or insofar as this is necessary to prove compliance with its obligations to the Client.


Contact HandiHow for an informal exploratory meeting.