Appendix on data processing EasyPrint
1.1. This appendix on data processing or data processing agreement within the meaning of Article 28.3 General Data Protection Regulation (GDPR) (hereinafter: “Appendix”) will be added to the Agreement concluded between the Parties to form an integral part thereof. In the event of a conflict between the Agreement and this Appendix, the provisions of the Appendix will always take precedence. The provisions of the Agreement that are not affected by this Appendix remain unchanged and apply in full.
1.2. The provisions of this Appendix apply only if and insofar as EasyPrint, within the framework of the Agreement, Processes Personal Data of Data Subjects for the benefit of and in accordance with the instructions of the Principal, whereby EasyPrint qualifies as “processor” and the Principal as “controller” within the meaning of Article 4 GDPR.
1.3. This Appendix is entered into for a period equal to the term of the Agreement concluded between the Parties or as long as the Services are performed.
2.1. In this Appendix, the following words or expressions, when capitalised, shall have the following meanings:
“Appendix”: this appendix on data processing (as data processing agreement within the meaning of Article 28 GDPR) that forms an integral part of the Agreement;
“GDPR”: Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation);
“Data Protection Legislation”: the GDPR, together with other legislation arising from the GDPR and/or any other legislation of any other country regarding the protection of personal data or privacy.
2.2. “Personal Data”, “Processing”, “Process” or “Processed”, “Controller”, “Processor” and “Data Subject(s)” shall have the meaning as defined in Article 4 GDPR and as further defined in Article 3 below. “Data Breach” has the meaning of a “personal data breach” within the meaning of Article 4, 12) GDPR.
2.3. The other capitalised words or phrases shall have the meanings defined in the Agreement.
3. Description of the Processing
3.1. Subject – nature: for the performance of the Agreement, EasyPrint can Process certain Personal Data of Data Subjects in accordance with the instructions and for the benefit of the Principal. This is done in the context of the Services, in particular optimising the outgoing mail of the Principal, including mail collection and processing (weighing, sorting, labelling, enveloping and franking), internal courier services, the services of EasyPrint (if applicable) and the delivery to the Universal Postal Service Provider or other engaged Postal Service Providers, as further described in the Agreement or in other agreements with EasyPrint (e.g. with regard to the EasyPost services). The Personal Data are Processed via the systems, tools and software of EasyPrint (including the EasyPrint portal).
3.2. Personal Data: the Personal Data Processed by EasyPrint are the Personal Data of Data Subjects that are submitted by the Principal to EasyPrint to enable or facilitate the performance of the relevant Services. In the first place these are the name and address details (name, address, place of residence), possibly telephone number and e-mail address of the Data Subjects, as stated on the Mail Items and/or acknowledgements of receipt. Documents or information made available digitally by the Principal to EasyPrint within the framework of the Services may also contain other Personal Data than name and address details of certain Data Subjects which are not consulted by EasyPrint and/or its appointees. These Personal Data are processed via a secure environment and only if necessary for the performance of the Services.
3.3. Data Subjects: the Data Subjects are the contact persons, addressees, senders and correspondents of the Principal. In principle, these are all persons with whom the Principal comes into contact during or as a result of its business operations or activities, who receive Mail Items from the Principal and whose Personal Data are Processed by EasyPrint. These may also be persons to whom the contents of the Mail Items of the Principal relate (and not only the relevant addressees of the Mail Items), without prejudice to what is stipulated in this regard in Article 3.2.
3.4. Purposes: The purpose of the Processing of Personal Data by EasyPrint is to (be able to) provide the relevant Services to the Principal as described under Article 3.1 above.
3.5. Duration: as a rule, the Personal Data will only be Processed by EasyPrint for the duration of the Agreement and/or this Appendix, and will not be kept longer than necessary for the purposes stated in Article 3.4, unless special legal provisions apply to its storage or Processing, or longer storage is necessary for the performance of the Agreement. In any case, the Personal Data will be stored no longer than ten (10) years after the termination of the Agreement with the Principal (being the limitation period for contractual claims).
4. Instructions from the Principal
4.1. EasyPrint Processes the Personal Data exclusively in accordance with the (documented or written) instructions from the Principal, except in the case of deviating legal obligations, in which case the Principal shall inform EasyPrint thereof prior to the Processing, unless such notification is prohibited by law. The Principal hereby authorises and instructs EasyPrint to Process Personal Data in accordance with this Appendix and the Agreement. This Appendix and the Agreement together contain the full instructions from the Principal to EasyPrint regarding the Processing of Personal Data. All additional or alternative instructions must be given separately in writing and agreed upon by the Parties.
4.2. The Principal represents and warrants that it is and remains authorised to give the aforementioned instructions on behalf of any affiliated company that, if applicable, is or may be responsible for the Processing of Personal Data of Data Subjects (whether or not jointly with the Principal).
5. Obligations of the Principal
5.1. The Principal shall comply with the Data Protection Legislation. It shall take all appropriate and organisational measures to ensure that the Processing of Personal Data of Data Subjects complies with the GDPR. In particular, the Principal will take the necessary measures with regard to components that the Principal provides, manages or controls, including workstations from which the Services of EasyPrint are connected (such as the EasyPrint portal), systems used for data transfer and for its personnel or appointees (including employees, subcontractors and self-employed workers).
5.2. The Principal is responsible for the legality of the (collection and/or Processing of the) Personal Data Processed by EasyPrint in the context of the Agreement. The Principal will take all necessary measures to update the Personal Data and to erase and/or rectify incomplete or incorrect Personal Data.
5.3. The Principal represents and warrants that:
- it has complied with applicable Data Protection Legislation when collecting and Processing Personal Data of Data Subjects;
- it has adequately informed the Data Subjects about their rights and obligations (in accordance with Articles 13-14 GDPR), in particular about the Processing by EasyPrint (or a category of service providers such as EasyPrint) for and on the instructions of the Principal;
- the Processing of Personal Data under the Agreement is lawful;
- its personnel and appointees (including employees, subcontractors and the self-employed workers) know and will comply with the obligations under the Agreement and the Data Protection Legislation.
5.4. If compliance with Data Protection Legislation requires any action or measure on the part of EasyPrint, in addition to the obligations under this Agreement, EasyPrint will take such action or measure after prior consultation and agreement with the Principal. The latter will in any case inform EasyPrint in advance of the required actions or measures, fully cooperate and provide assistance to EasyPrint in this respect, and compensate EasyPrint according to the rates applicable at that time, the Price List or prices agreed upon between Parties for services in this regard that require additional services, investments or modifications to the Services.
5.5. However, EasyPrint is not responsible for compliance with any legislation applicable to the Principal or its activities that is not generally or specifically applicable to EasyPrint.
6. Transfer of Personal Data outside the European Economic Area (EEA)
6.1. Any possible transfer of Personal Data to ((group) companies, third parties, service providers or servers in) countries outside the EEA will be done in accordance with the Data Protection Legislation.
6.2. EasyPrint will Process the Personal Data it Processes for the benefit of the Principal in any country in which EasyPrint, its affiliated companies and/or authorised sub-processors pursuant to Article 9 below have facilities. The Principal expressly authorises EasyPrint to carry out any transfer of Personal Data to, and to perform any Processing in, such country under the Agreement.
6.3. EasyPrint does not control and is not responsible for the location from which the Principal or its end users (can) Process Personal Data. In any case, the Principal will fully indemnify and hold EasyPrint harmless against any damage suffered by third parties in this regard.
7. Transfer or disclosure of Personal Data
7.1. EasyPrint will not pass on or transfer Personal Data to third parties, except:
- on the instruction(s) of the Principal;
- if required for the Processing of Personal Data by a sub-processor in accordance with Article 9 below;
- if required by law.
7.2. In the case of passing on or transferring Personal Data to a third party on the instruction(s) of the Principal, only the latter is responsible for concluding written agreements with this third party regarding the protection and Processing of Personal Data. In any case, the Principal will fully indemnify EasyPrint and hold it harmless against any damage resulting from such passing on or transfer by EasyPrint to a third party, unless the aforementioned damage is due only to a proven shortcoming on the part of EasyPrint.
7.3. EasyPrint guarantees that its personnel acting under its authority, who are authorised to process Personal Data and have access to it, will observe the confidentiality of the Personal Data.
8. Security measures
8.1. EasyPrint takes all appropriate technical and organisational measures regarding the security of the Processing required by Article 32 GDPR. These security measures will ensure a level of protection appropriate to the risks associated with the Processing and the nature of the Personal Data to be protected, taking into account the state of the art and the costs of its implementation.
8.2. At the request of the Principal, EasyPrint can provide an updated description of the implemented security measures.
9. Use of sub-processors
9.1. The Principal acknowledges and expressly authorises EasyPrint to engage sub-processors for the Processing of Personal Data and to pass on Personal Data to them.
9.2. EasyPrint will inform the Principal about any change of sub-processor(s). If the Principal does not agree to the Processing of Personal Data by one or more sub-processors, the Principal will inform EasyPrint in writing within fifteen (15) calendar days after receiving the aforementioned notification. If necessary, EasyPrint will make reasonable efforts to propose changes to the Principal with a view to avoiding Processing of Personal Data by the sub-processor(s) in question.
9.3. EasyPrint will enter into written agreements with any such sub-processor containing obligations no less protective than EasyPrint’s obligations under this Agreement and in particular with regard to the obligation to take appropriate security measures to ensure that the Processing complies with Data Protection Legislation.
9.4. In any case, EasyPrint at all times remains the relevant point of contact for the Principal. In the event that the respective sub-processor fails to fulfil its data protection obligations, EasyPrint remains responsible for this sub-processor’s compliance with the obligations under this Agreement.
10. Rights of the Data Subjects
10.1. Taking into account the nature of the Processing of Personal Data and insofar as possible, EasyPrint will provide assistance and cooperation to the Principal in fulfilling its obligations under the Data Protection Legislation, in particular so that the Principal can comply with its obligation(s) to respond to requests from Data Subjects exercising their rights. The Principal shall make it possible for the Data Subjects to exercise their rights. The Principal shall provide all the necessary information about the Processing of Personal Data to the Data Subjects in accordance with Articles 13-14 GDPR.
10.2. If a Data Subject should contact EasyPrint directly to access/copy, rectify, erase or limit the Processing of his/her Personal Data, EasyPrint will refer the Data Subject in question to the Principal. EasyPrint will not respond to the request itself. However, EasyPrint can provide the Data Subject in question with the basic contact details of the Principal for support purposes. The Client shall inform the Data Subjects that they can only exercise their rights directly with the Principal. The Principal will respond to any such request from a Data Subject and fulfil its obligations under the Data Protection Legislation.
11. Notifications, inspections and audits
11.1. Unless prohibited by law, EasyPrint will notify the Principal without unreasonable delay if EasyPrint or any of its sub-processors receives a question, subpoena, or request for inspection or audit from a competent governmental or supervisory authority in connection with the Processing of Personal Data. EasyPrint will also inform the Principal if EasyPrint intends to provide Personal Data to a competent governmental or supervisory authority outside the scope of the Services. Finally, EasyPrint will immediately notify the Principal if, in its opinion, an instruction or order from the Principal violates the Data Protection Legislation.
11.2. At the request of the Principal, EasyPrint will provide the former with all information so that it can meet its obligations under Article 28 GDPR.
11.3. The Principal has the right to monitor compliance with the Data Protection Legislation. To this end, the Principal may, upon written request, once every twelve (12) months – unless (i) the audit is requested by a competent supervisory authority in accordance with Data Protection Legislation or (ii) after a Data Breach – and subject to prior written notification of thirty (30) calendar days, have an audit or inspection carried out at EasyPrint by an expert.
11.4. Prior to such an audit or inspection, the Principal will inform EasyPrint of its scope and duration, and coordinate its procedures in mutual consultation with EasyPrint.
11.5. EasyPrint will provide the necessary reasonable assistance and cooperation in such inspections or audits. All assistance in this regard will be reimbursed by the Principal according to the currently applicable rates, the Price List or prices agreed between the Parties.
11.6. The Parties agree that the performance of such inspections or audits may not unduly delay, disrupt or limit the business activities of EasyPrint and/or the performance of the Services. In the event of such a delay, disruption or limitation, EasyPrint will notify the Principal thereof and the Parties will try to mutually agree on a solution as soon as possible.
11.7. The Principal will immediately inform EasyPrint in writing of any shortcomings identified during an inspection or audit. The Principal will provide a draft (audit) report to EasyPrint free of charge. This report, as well as any other information to which the Principal or the designated expert has access in the context of an inspection or audit, is and remains strictly confidential.
11.8. The costs resulting from an inspection or audit by the Principal are fully for the expense of the Principal. The Principal may not request any compensation from EasyPrint for these costs.
12. Data Breaches
12.1. EasyPrint will inform the Principal without unreasonable delay as soon as it has become aware of a Data Breach, regardless of the cause.
12.2. The Principal will immediately notify EasyPrint of any security incident or security issue, including a Data Breach, that is in any way related to the Services.
12.3. The Party responsible for the Data Breach will further investigate the Data Breach and keep the other Party informed of new developments as well as of the measures being taken and to be taken to limit and prevent the Data Breach from occurring.
12.4. Both Parties will cooperate in such an investigation and will provide mutual assistance in fulfilling their obligations under Data Protection Legislation, in particular the obligation to report a Data Breach to the Data Protection Authority pursuant to Article 33 GDPR.
12.5. A notification or announcement on the basis of current Article 12 and/or the Data Protection Legislation always takes place without (adverse) acknowledgement of any error or liability with regard to the Data Breach.
13. Data Protection Impact Assessments (DPIAs)
In the case that the Principal is obliged to provide a DPIA pursuant to Article 35 GDPR, EasyPrint will provide the necessary cooperation and assistance to the Principal so that the Principal is able to fulfil its obligations in this regard. Such assistance is reimbursed to EasyPrint at the rates currently applicable, the Price List or prices agreed between the Parties.
14. Erasure and return of Personal Data
14.1. In the event of termination of the Agreement and/or this Appendix, EasyPrint will delete or anonymise all Personal Data on its systems (except in the case of any backup or archives) within sixty (60) days of the aforementioned termination, unless the Principal instructs otherwise or (further) storage or retention of the Personal Data is required by law, is necessary in the context of legal proceedings or is imposed by (judicial or supervisory) authorities. The aforementioned article applies without prejudice to Article 3.5 above.
14.2. If the Principal requests this in writing no later than thirty (30) days before termination of the Agreement and/or this Appendix, EasyPrint will provide it with a copy of the Personal Data on its systems, with (all) expenses for the Principal.
15. Intellectual property rights
All intellectual property rights, including copyrights, database rights, trademark rights, trade names, domain names and software rights, on or in connection with the Services or processing activities (excluding the Personal Data themselves), as well as on or in connection with copies or adaptations thereof, at all times remain the property of EasyPrint and/or its licensor(s). No provision of this Agreement can be construed as a full or partial transfer of the rights – ownership as well as (sub)license – to the Principal.
Without prejudice to Article 10 of the general terms and conditions of EasyPrint, the Principal is liable and fully indemnifies EasyPrint with respect to principal, interest and (lawyers') costs for all damage (including sanctions imposed by supervisory authorities (such as the Data Protection Authority) and administrative penalties and damage suffered by Data Subjects or EasyPrint) as a result of the Principal’s failure to comply with its obligations under this Agreement, internal policies, procedures and/or best practices of EasyPrint regarding the processing of personal data and/or the Data Protection Legislation.