DATA PROCESSING AGREEMENT OF THE BIG DATA CHEF B.V. (BDC) 

PREAMBLE

(A) The Customer and BDC entered into an agreement regarding the provision of software in the field of cloud reporting, which is marketed under the product name “The Big Data Chef” (the Order). Under the Order, BDC will process Personal Data on behalf of and for the benefit of the Customer in accordance with the Customer’s documented instructions.

(B) The Parties recognize the importance of proper Personal Data processing. The Customer acts as the controller for the processing of the Personal Data and BDC acts as the processor on behalf of the Customer under Applicable Law.

(C) The Parties wish to lay down their agreements regarding the processing of Personal Data by BDC on behalf of the Customer in this Data Processing Agreement in accordance with Applicable Law, and this Data Processing Agreement shall be applicable to all Orders.

BDC and the Customer are hereinafter collectively referred to as the Parties and individually as a Party. Terms not defined in this Agreement but capitalized and defined under Applicable Law, such as processing, controller, and processor, shall have the meaning assigned to them by Applicable Law. All definitions in the Order shall apply mutatis mutandis to this Data Processing Agreement unless otherwise provided in this Data Processing Agreement. In addition, the following definitions apply to this Data Processing Agreement:

1.1 Annex: appendix to this Data Processing Agreement, which forms part of this Data Processing Agreement.

2. Definitions

2.1 Applicable Law: the (local) law(s) or any other (local) regulations, guidelines or policies, instructions or recommendations of any competent governmental authority applicable to the processing of the Personal Data, including any amendments, replacements, updates or other subsequent versions thereof.

2.2 BDC: The Big Data Chef B.V., a private company with limited liability under the laws of the Netherlands, having its corporate seat in Amsterdam, with its registered office at James Wattstraat 100, 1097 DM, Amsterdam, registered with the Chamber of Commerce under number 72524707.

2.3 Data Processing Agreement: this Data Processing Agreement including recitals and Annexes, as well as any amendment, replacement, update or other subsequent versions thereof.

2.4 Third Country: a country where there is no adequate level of data protection under Applicable Law.

2.5 Services: the services provided or to be provided by BDC and its subcontractor(s) pursuant to the Order.

2.6 Personal Data: any data relating to an identified or identifiable living natural person, as referred to in the Applicable Law, processed by BDC or its subcontractors on behalf of the Customer in the context of the performance of the Order.

3. Subject of this Data Processing Agreement

3.1 In the context of the performance of the Order, the Customer shall be deemed to be the controller for the processing of the Personal Data as stipulated in the Applicable Law and BDC shall be deemed to be the processor of the Personal Data on behalf of the Customer.

3.2 This Data Processing Agreement is agreed upon on behalf of and for the benefit of Customer and Customer’s affiliates. Where this Data Processing Agreement refers to Customer, it also means any affiliate of Customer.

3.3 This Data Processing Agreement supplements the Order and sets aside any previously concluded (oral and/or written) agreements between the Customer in its capacity as a controller and BDC in its capacity as a processor with respect to the processing of Personal Data. BDC’s general terms and conditions applicable to the Order are also fully applicable to this Data Processing Agreement.

3.4 This Data Processing Agreement applies in addition to the provisions on the processing of Personal Data, as included in the Order. In case of discrepancies between the provisions of this Data Processing Agreement and (the content of) the Order and/or annexes to the Order (e.g. the processing of data clause in BDC’s general terms and conditions), the provisions of this Data Processing Agreement shall prevail, unless expressly provided otherwise in this Data Processing Agreement or agreed in writing.

3.5 The Customer shall process the Personal Data in accordance with this Data Processing Agreement and Applicable Law. The Customer shall provide all relevant information to BDC upon BDC’s first request. BDC shall not be liable for the Customer’s compliance with Applicable Law.

3.6 BDC shall process the Personal Data on behalf of the Customer and according to the Customer’s written instructions, unless a statutory regulation applicable to BDC requires it to process. In that case, BDC shall notify the Customer, prior to processing, of that statutory requirement, unless legislation prohibits it for important reasons of public interest. BDC shall notify the Customer immediately if, in its opinion, any of the Customer’s instructions violate Applicable Law.

4. Processing of Personal Data

4.1 In performance of the Order, BDC processes the Personal Data of data subjects as further set out in Annex A.

4.2 BDC shall ensure that its employees and other appointed persons maintain confidentiality insofar as they are not already bound by a confidentiality obligation.

4.3 Taking into account the nature of the processing and the information available to BDC, the Parties shall provide each other with the necessary cooperation, e.g., by taking appropriate technical and organizational measures, to comply with the obligations incumbent on the Parties under Applicable Law, including the obligations relating to the protection of data by design and by default, the obligations relating to notification and documentation requirements, the performance of data protection impact assessments and prior consultation by competent public authorit(y)(ies).

5. Sub-processors

5.1 BDC has the Customer’s general written consent to engage sub-processors. A list of sub-processors in effect on the effective date of the Order is made available to the Customer without undue delay upon the Customer’s written request.

5.2 BDC shall provide the Customer with up-to-date information regarding sub-processors upon written request and without undue delay. The Customer is responsible for regularly reviewing this information. BDC shall maintain an updated list of engaged sub-processors, including any planned additions or replacements, and shall provide the Customer with an opportunity to object to such changes. If the Customer does not object within five days, BDC may proceed with engaging the sub-processor. If the Customer objects within five days, BDC shall make reasonable efforts to address the Customer’s concerns. If BDC is unable to resolve the Customer’s reasonable objections, the Customer may terminate the Order for the affected Services that require the involvement of the new or modified sub-processor.

5.3 BDC shall enter into a written sub-data processing agreement with each sub-processor, imposing on the sub-processor substantially the same obligations as are incumbent upon it under this Data Processing Agreement with the Customer. BDC will ensure that the sub-processor complies with the obligations arising under this Data Processing Agreement and Applicable Law.

5.4 If BDC engages a sub-processor, it shall remain fully responsible to the Customer for ensuring the sub-processor fulfills its contractual obligations. If the sub-processor fails to comply with these obligations, BDC shall notify the Customer without undue delay.

6. Security measures

6.1 BDC will implement all appropriate technical and organizational security measures with respect to the Personal Data to ensure an adequate level of protection in accordance with Applicable Law taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of individuals, which vary in their likelihood and severity.

6.2 If the processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or involves genetic data or biometric data for the purpose of uniquely identifying an individual, or data relating to health, data relating to an individual’s sexual behaviour or sexual orientation, or data relating to criminal convictions and offenses (sensitive data), BDC shall provide specific restrictions and/or additional safeguards.

7. Reporting data breaches

7.1 BDC’s obligation to report and act on a data breach to the Customer shall not constitute an admission of any failure or liability on the part of BDC with respect to that data breach.

7.2 If BDC detects a data breach of which the Customer was not already aware, BDC shall without undue delay, upon detection or reasonable suspicion of a data breach, notify the Customer. BDC will notify the Customer by email or telephone using the contact details listed in the Order. Should BDC be unable to reach the Customer due to obsolete contact details of the Customer, this shall be at the Customer’s risk.

7.3 Upon discovery or reasonable suspicion of a data breach, BDC shall provide reasonable cooperation to the Customer and share all information necessary or requested by the Customer so that the Customer can, among other things, timely notify the affected or potentially affected data subject(s) and/or relevant government authorities in accordance with Applicable Law.

7.4 If the Customer detects a data breach in BDC’s Services or relevant to the provision of the Services by BDC to the Customer, the Customer shall without undue delay notify BDC of such data breach.

8. Audit right of the Customer

8.1 The Customer may, at its own expense, once a year and subject to two weeks’ prior written notice to BDC, conduct or arrange for an audit of the technical and organizational security measures taken.

8.2 The Customer may rely on third parties for the exercise of its audit rights, provided they are not competitors of BDC and are bound by an appropriate confidentiality obligation.

9. Transfer of Personal Data

9.1 BDC processes all Personal Data within the European Economic Area and shall not transfer Personal Data to a Third Country.

9.2 The Parties will ensure that an appropriate data transfer mechanism exists in accordance with Applicable Law if the Personal Data is transferred to a third party or sub-processor located in a Third Country. If no more appropriate data transfer mechanism is applicable, any transfer of Personal Data to a third party or sub-processor in a Third Country shall be governed by the applicable EU Standard Contractual Clauses. In the event standard contractual clauses are agreed upon, nothing in this Data Processing Agreement or the Order shall be construed to prevail over any conflicting provision of the applicable standard contractual clauses.

10. Requests from data subjects

10.1 BDC shall notify the Customer of any request received from any data subject. BDC itself shall not respond to the request unless the Customer has given its consent.

10.2 Upon reasonable request of the Customer, BDC shall provide all reasonable cooperation to enable the Customer to comply with its obligations as a controller when a data subject exercises any of its rights under Applicable Law.

11. Costs

11.1 The performance of this Data Processing Agreement may result in additional work which shall be charged by BDC to the Customer. If this is the case, BDC will notify the Customer and shall not perform such work without the Customer’s written consent.

12. Duration and termination

12.1 This Data Processing Agreement shall enter into force when BDC first processes Personal Data on behalf of the Customer in the context of the performance of the Order.

12.2 This Data Processing Agreement shall remain in effect during the term of the Order. Upon termination of the Order, this Data Processing Agreement terminates by operation of law without any further (legal) act being required.

12.3 Unless BDC is required by Applicable Law to retain Personal Data, upon termination of this Data Processing Agreement, BDC shall ensure that the Personal Data is returned or, as the case may be, provided to the Customer or, if specifically requested by the Customer in writing, destroyed.

12.4 Obligations under this Data Processing Agreement which by their nature are intended to continue beyond the end of this Data Processing Agreement shall survive the end of this Data Processing Agreement.

13. Other provisions

13.1 This Data Processing Agreement shall be governed by and interpreted in accordance with the laws of the Netherlands, and the Parties submit to the exclusive jurisdiction of the competent court of Amsterdam without prejudice to the possibility of appeal.