Standard Data Processing Terms for Individuals
Effective on 17 February 2021
Updated on 17 February 2021
- “Processor”: An individual identified in a contract that incorporates these “Terms”
- “Controller”: The legal entity identified as “We” or the “Company” in a contract that incorporates these “Terms”.
A. These “Terms” are for part-time ALI staff and Processors that process personal data having a low risk to the data subjects.
B. These Terms are an abbreviated, plain-English set of data protection terms intended for use only with an individual (such as an intern or an independent Processor trading as a sole proprietor) who is processing data incidentally to some other function, such as providing administrative support.
1.1 In these Terms:
Annex – means a numbered annex attached to these Terms;
Data Breach – means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data processed under these Terms;
Data Protection Legislation – means any applicable legislation or regulations of any jurisdiction that governs the processing of personal data processed under these Terms;
GDPR – means the General Data Protection Regulation (EU Regulation 2016/679);
1.2 Any terms defined in the GDPR have the same meaning in these Terms. These Terms must be interpreted in a manner consistent with the GDPR.
1.3 If these Terms conflict with a provision of another agreement between the parties, then the provision of these Terms takes precedence.
2. Processing of personal data
2.1 In performing work for the Controller, the Processor will process the personal data described in Annex 1.
2.2 The Processor must process this personal data only:
2.2.1 for the specific purposes set out in Annex 1;
2.2.2 according to these Terms; and
2.2.3 as otherwise instructed in writing by the Controller.
2.3 The Processor must:
2.3.1 not act as a Controller in their own right of any personal data they process on behalf of the Controller;
2.3.2 respond promptly to all Controller’s enquiries relating to the personal data;
2.3.3 not use a sub-processor to process the personal data without the Controller’s written approval;
2.3.4 provide all information reasonably requested by the Controller or a supervisory authority to demonstrate the Processor’s compliance with these Terms;
2.3.5 notify the Controller immediately if the Processor:
a) is unable to follow the Controller’s instructions or comply with these Terms;
b) receives a legally binding request from a public authority for access to the personal data; or
c) believes a third party, including a public authority, has accessed the personal data.
2.4 If required by law to disclose personal data to a third party, the Processor may disclose only the minimum amount of data possible while obeying the legal requirement.
3. Transparency, Accuracy, Erasure and return
3.1 The parties must provide a copy of these Terms to a data subject upon request. If necessary, the copy may be redacted to protect confidential information. However, the redacted copy must describe the processing meaningfully to the data subject.
3.2 Either party must inform the other party if the personal data is or becomes inaccurate. The parties must cooperate to erase or rectify inaccurate data held by the Processor.
3.3 Once the purposes in Annex 1 are complete, the Processor must stop processing the personal data and, as instructed by the Controller, either:
3.3.1 irretrievably delete the personal data, and certify having done so to the Controller; or
3.3.2 return personal data to the Controller and irretrievably delete all other copies.
4. Security of processing
4.1 The Processor must protect the personal data against Data Breaches during storage and transmission back to the Controller, using at least the security measures specified in Annex 2.
4.2 The Processor must not allow a third party to access the personal data without the written authorisation of the Controller.
4.3 If personal data processed by the Processor is involved in a Data Breach, the Processor must:
4.3.1 act immediately to stop the Data Breach and mitigate its effects;
4.3.2 notify the Controller promptly, providing the following details:
a) what data was breached, and how many people are affected;
b) what the Processor is doing to reduce the impact of the breach; and
c) contact details for the Processor.
4.3.3 help the Controller to notify the authorities and the affected data subjects, but only if the Controller requests this.
5. Rights of the data subjects under these Terms
5.1 The Controller warrants to each data subject that the Processor will process their personal data according to these Terms and the applicable Data Protection Legislation.
5.2 The Processor must notify the Controller promptly of any enquiry from a data subject about the processing of their personal data by the Processor. The Processor must assist the Controller, at the Controller’s instructions, to reply to the data subject.
6.1 At any time and for any reason, the Controller may:
6.1.1 suspend the Processor’s access to the personal data; and
6.1.2 require the Processor to return or permanently delete the personal data.
6.2 If the law governing the Contract allows a third party to enforce rights under the Contract, then the same law governs these Terms. Otherwise, these Terms are governed by the law of the Netherlands. (In this clause, the “Contract” means a binding contract that incorporates these Terms by an explicit reference.)
ANNEX 1 – DESCRIPTION OF THE TRANSFERS
Categories of data subjects whose personal data is transferred
- customers of the Controller
- employees and Processors of the Controller
- prospective customers of the Controller
Categories of personal data transferred
- contact details
- email and other correspondence
- academic performance
- work history (including CVs)
- no “special category” data will be transferred
Purpose(s) of the data transfer and further processing
- to carry out day-to-day internal operations of the Controller
- to provide service and support to customers of the Controller
ANNEX 2 – SECURITY MEASURES
1. If the Processor uses a device owned or supplied by the Controller to process personal data, then:
a) the Controller is responsible for providing adequate security of that device; and
b) the Processor must promptly follow all instructions from the Controller to keep the security features and other software on the Controller’s device updated.
2. When processing personal data on behalf of the Controller, the Processor must only use devices that:
a) are equipped with current versions of anti-virus and malware detection software;
b) use a current operating system that is still supported by its manufacturer;
c) keep the device updated with security-related patches and updates;
d) always keep the anti-virus and anti-malware definitions up to date; and
e) configure the device to check automatically for operating system updates at least daily, and to install all operating system updates immediately.
3. The Processor must:
a) not store local copies of personal data – data must always be stored and processed within cloud-based services accessed via encrypted connections, as instructed by the Controller;
b) avoid emailing data files whenever possible (share access to the file instead); and
c) only share access to personal data as instructed by the Controller.
4. Confidentiality: the Processor must retain all personal data in strict confidence, to protect the security, integrity, and confidentiality of such data, and not permit unauthorized access to or unauthorized use, disclosure, publication, or dissemination of the data.