Data Processing Agreement

Parties:

1. Controller: The natural person or legal entity who creates an account on the octanist website (https://octanist.nl) and agrees to this data processing agreement.
2. Processor: octanist, a trade name of Online Aannemer BV, located at Turnhoutseweg 22, 5541 NX Reusel, The Netherlands, registered with the Chamber of Commerce under number 88511065.

Whereas:

• The parties have entered into an agreement under which the Processor processes (personal) data of the Controller as referred to in Article 4(1) and (2) of the GDPR, hereinafter referred to as: "the main agreement."
• Pursuant to Article 28(3) GDPR, the parties are obliged to make arrangements to safeguard the privacy of personal data and to record these in a data processing agreement, hereinafter referred to as: "the Agreement."
• The parties shall provide each other in a timely manner with all the necessary information to enable proper compliance with the applicable privacy laws and regulations.
• The provisions of this Agreement take precedence over all other arrangements between the parties with respect to the processing of personal data, insofar as they differ from what is laid down in this Agreement.

Have agreed as follows:

Article 1 – Duration of the Agreement

1. This Agreement takes effect from the moment it is signed by the parties and ends after the Processor has deleted and/or returned all personal data covered by this Agreement in accordance with Article 13.
2. This Agreement cannot be terminated prematurely.
3. The provisions set out in Article 4 remain in force even after termination of this Agreement.

Article 2 – Subject of the Agreement

1. For the performance of the main agreement, the Controller has provided the Processor with details regarding:
   • the nature and purpose of the agreed processing;
   • the categories of personal data being processed;
   • the categories of data subjects;
   • the categories of recipients/users of personal data.
2. The details referred to in paragraph 1 are attached as an appendix to this Agreement.

Article 3 – The Processing and Use of the Personal Data

1. The Controller determines the purpose of the processing and which personal data will be processed for that purpose.
2. To this end, the Controller issues written instructions to the Processor.
3. The Processor shall use the obtained personal data solely for the purposes for which they were provided and only in accordance with the Controller's written instructions.
4. If the Controller instructs the Processor to process the personal data in a way that, in the Processor's opinion, violates statutory obligations, the Processor shall inform the Controller and consult with the Controller to find a solution that does not contravene legal obligations.
5. The Processor bears its own responsibility to ensure that data is not processed in violation of applicable laws and regulations.
6. The Processor shall not disclose the personal data to third parties, unless this is done at the Controller's request or is necessary to comply with a legal obligation.
7. The Processor ensures that personal data is not processed outside the European Economic Area unless the Controller has given prior written consent.

Article 4 – Confidentiality

1. The Processor shall take all necessary measures to ensure confidentiality of the Controller's personal data.
2. The obligation set out in paragraph 1 does not apply if the Controller has given prior written permission to disclose the personal data to a third party, or if the Processor is legally obliged to do so.
3. The Processor shall impose the same duty of confidentiality on its staff and any persons or sub-processors it engages.
4. In the event of a breach of this article, the Processor shall incur an immediately payable penalty of €5,000 per violation, without prejudice to the Controller's right to claim full compensation.

Article 5 – Security

1. The Controller and the Processor shall both implement appropriate technical and organizational measures as referred to in Article 32 GDPR to ensure a level of security appropriate to the risk.
2. The Controller shall inform the Processor of the statutory reliability requirements applicable to the processing, based on the possible consequences for data subjects in the event of loss, corruption, or unlawful processing, and shall provide all necessary information to enable the Processor to comply.
3. If the Controller desires a higher level of security than is legally required, the Processor may charge the reasonable costs thereof to the Controller separately.
4. When adopting security measures, the Processor shall take into account the state of the art, implementation costs, as well as the nature, scope, context, purposes, and the likelihood and severity of the risks to the rights and freedoms of individuals, in accordance with Article 28(3)(f) GDPR.
5. If the Controller wishes to carry out an assessment of a proposed processing activity, the Processor shall provide all reasonable cooperation to conduct this assessment in accordance with applicable laws and regulations.
6. The Processor also provides all reasonable cooperation in any prior consultation with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
7. The parties have made concrete agreements regarding the technical and organizational security measures necessary for the execution of this Agreement, which the Controller currently deems appropriate.
8. These agreements cover at least:
   • the reliability requirements;
   • the agreed security level (if applicable);
   • the measures taken by the Processor to ensure that only authorized personnel have access to the personal data;
   • measures to protect against loss, alteration, unauthorized or unlawful processing, access, or disclosure;
   • measures for detecting vulnerabilities and managing incidents.
9. The parties shall periodically evaluate these agreements and adjust them if necessary.
10. These agreements are attached as an appendix to this Agreement.

Article 6 – Audit

1. The Controller has the right to conduct an audit annually, at its own expense, to verify compliance with this Agreement.
2. The Processor shall provide all reasonable cooperation with the audit referred to in paragraph 1, including granting access to databases and providing all relevant information.
3. The Processor shall implement the recommendations arising from the audit as soon as possible in consultation with the Controller.
4. If the adjustments resulting from paragraph 3 arise from changed insights or legislation, the reasonable costs of these adjustments shall be borne by the Controller.
5. If the adjustments resulting from paragraph 3 arise from a failure to comply with the agreed security requirements, these costs shall be borne by the Processor.
6. If the Dutch Data Protection Authority or another competent authority wishes to conduct an investigation, the Processor shall provide all reasonable cooperation and shall notify the Controller as soon as possible.

Article 7 – Data Breach

1. If a data breach as defined in Article 4(12) GDPR occurs, the Processor shall inform the Controller thereof in the manner described in Article 8.
2. In the event of a data breach, the Processor shall take all reasonable and necessary measures to limit the consequences and prevent a new breach.
3. The Processor shall provide the Controller with all necessary cooperation to assess the scope and consequences of the data breach and to comply with any obligation to report data breaches to the Dutch Data Protection Authority, as well as the obligation to inform affected data subjects.
4. The parties have laid down their arrangements regarding the procedure to be followed in the event of a data breach in the data breach notification procedure described in Article 8. This procedure may be amended if required by the state of the art or changes in data breach notification regulations.
5. If the Processor fails to report the data breach in a timely manner in accordance with the data breach notification procedure referred to in Article 8, it shall pay an immediately due fine of €2,500 to the Controller plus an additional 2% of this amount for each hour of delay.

Article 8 – Data Breach Notification Procedure

In the event of a data breach, the following procedure applies:

1. The Processor records all security incidents in a manner accessible to the Controller.
2. This record shall include at least:
   • a description of the incident;
   • the approximate number of affected individuals;
   • the group(s) of individuals affected;
   • the date and time of the incident;
   • the nature of the breach;
   • the type of data affected;
   • the possible consequences for the data subjects;
   • the technical and organizational measures taken in response to the incident;
   • how the leaked data is secured;
   • whether the data is hashed, rendered inaccessible or can be/were remotely deleted;
   • whether and which data of persons in other EU countries were affected by the breach.
3. The Processor shall inform the Controller within 70 hours of becoming aware of the incident and shall simultaneously provide the record described above.
4. For the first 24 hours after informing the Controller of a data breach, the Processor shall remain continuously available for consultation with the Controller or any experts appointed by the Controller.
5. The Controller shall consult with the Processor to determine whether the incident must be reported to the Dutch Data Protection Authority.
6. The Controller shall inform the Processor in advance if it decides to report the breach to the Dutch Data Protection Authority.
7. The Processor shall provide all necessary cooperation to enable the Controller to file a data breach notification with the Dutch Data Protection Authority in compliance with statutory requirements.
8. The Processor shall provide all cooperation necessary to enable the Controller to inform the affected individuals of the data breach in accordance with Article 34 GDPR.

Article 9 – Requests from Data Subjects

1. Any request for access, rectification, erasure, restriction of processing, data portability, or objection as referred to in Articles 15 through 21 GDPR that the Processor receives shall be forwarded to the Controller without delay.
2. The Processor shall provide all reasonable cooperation to the Controller so that the Controller can comply with such a request within the statutory time limits.
3. The Controller shall reimburse the Processor for the reasonable costs associated with such cooperation.

Article 10 – Sub-processors

1. The Processor uses the following sub-processor(s) for processing personal data: Hetzner Cloud, located in Falkenstein, and Cloudflare, located in Munich, and shall not engage any other sub-processors unless prior consent has been obtained.
2. The Processor is responsible and liable for the actions of the sub-processors it engages.
3. If the Processor engages a sub-processor, it must require that this sub-processor complies with all the obligations imposed on the Processor under this Agreement and therefore shall enter into an agreement with the sub-processor that is in line with this Agreement.
4. If the Processor engages sub-processors without the consent referred to in paragraph 1, the Processor shall owe a fine of €500, without prejudice to the Controller's right to full compensation.

Article 11 – Access to Personal Data

The Processor shall ensure that the Controller always retains access to the relevant personal data, even in the event of the Processor's bankruptcy or suspension of payments.

Article 12 – Liability and Indemnification

1. The Processor is not responsible for damage resulting from breaches of any laws or regulations by the Controller.
2. The Controller indemnifies the Processor against claims by third parties and costs incurred by the Processor as a result of a breach as referred to in paragraph 1.
3. The Controller is not responsible for damage resulting from breaches of any laws or regulations by the Processor.
4. The Processor indemnifies the Controller against claims by third parties and costs incurred by the Controller as a result of a breach as referred to in paragraph 3.
5. In the event of a situation as referred to in paragraph 1 or 3, the other party is entitled to terminate the main agreement with immediate effect.

Article 13 – Termination and Consequences of Termination

1. This Agreement only ends after the underlying assignment has been terminated and the Processor has transferred all personal data provided to it back to the Controller or to a third party designated in writing in advance by the Controller, and has also destroyed all remaining data held by the Processor and its possible sub-processors.
2. At the Controller's request, the Processor shall make the provided personal data available in a different format than originally supplied, against reimbursement of reasonable costs.
3. Instead of transferring the data, the Controller may also request the Processor to destroy the data.
4. Destruction of the data as referred to in paragraph 3 may only take place after the Controller's prior written consent.
5. The provisions of Article 4 remain in full force.

Article 14 – Consequences of Nullity or Voidability

If any part of the Agreement is null or voidable, this shall not affect the other provisions of the Agreement. A provision that is null or voidable shall be replaced by a provision that most closely reflects the intention of the parties at the time the Agreement was concluded.

Article 15 – Online Signature

If the Parties use an online signature service for this electronic contract, they declare that this contract is the original version and that it is legally binding on the Parties. The Parties will receive an email once all Parties have signed this contract, which constitutes evidence that this contract has been validly concluded.

Article 16 – Applicable Law and Competent Court

1. This Agreement is governed by Dutch law.
2. Any disputes arising from this Agreement that cannot be resolved amicably shall be submitted to the competent court in the district where the Controller is established.