January 11, 2023
Data Processing Agreement
These terms and conditions, referred to as “General Terms,” apply to all domain registration and hosting services offered by PRAM IT Solutions and are a part of every Agreement between PRAM IT Solutions and the Client. Any provisions or conditions set by the Client that differ from or are not included in these General Terms will only be binding on PRAM IT Solutions if they have been explicitly accepted in writing by Pram IT Solutions.
Article 1: Purpose of Processing
1.1 The Processor shall, on behalf of and under the responsibility of the Client, only process data that is necessary for the proper execution of the Agreement and shall not use it for any other purpose than for which it was obtained, even if it has been transformed into a form that cannot be linked back to the data subjects.
Article 2: Overview of Personal Data Processed
2.1 In order to execute the Agreement correctly, the following personal data shall be processed:
- Name and address information
- Email addresses
- Company data (including VAT identification numbers)
- IP addresses
- Other possible categories of non-special personal data
Article 3: Transfer of Personal Data
3.1 The Processor may process personal data in countries within the European Union. Transfer to countries outside of the European Union is prohibited.
3.2 Upon request, the Processor will inform the Client of which country or countries within the European Union are involved in the processing.
Article 4: Division of Responsibility
4.1 The authorized processing will be carried out by employees of the Processor within an automated environment.
4.2 The Processor is solely responsible for the handling of personal data under this Data Processing Agreement, in accordance with the instructions of the Client.
4.3 The Client guarantees that the content, use, and order of processing of personal data as described in the agreement are lawful and do not infringe upon the rights of any third parties.
Article 5: Security
5.1 The Processor will take reasonable technical and organizational measures to protect the personal data that is being processed from loss or any unauthorized processing (such as unauthorized access, damage, alteration, or disclosure of personal data).
5.2 The Processor has implemented the following measures:
- Encryption of digital files containing personal data
- Secure network connections via Secure Socket Layer (SSL) technology
- A secure internal network
- Backup system in geographically separated locations
- Multiple backups taken per day
- Dual implementation of internal systems
5.3 Only authorized personnel have access to the personal data and are bound by a legal duty of confidentiality. This duty of confidentiality does not apply if the Client has given explicit permission to disclose the information to third parties, if disclosure to third parties is necessary in light of the nature of the assignment given, and the performance of this agreement or if there is a legal obligation to disclose the information to a third party.
5.4 The Client deems the security measures described to provide an adequate level of security.
Article 6: Reporting Obligation
6.1 The Client is at all times responsible for reporting any security breaches or data leaks to the supervisor and/or those involved. To enable the Client to comply with this legal obligation, the Processor will inform the Client of a security breach or data breach within a reasonable period of time.
- Reporting the fact that there has been a breach
- Identifying the cause of the breach
- Identifying the consequences of the breach
- Identifying the proposed solution
- Identifying who has been informed
Article 7: Handling Requests from Data Subjects
Article 7: Handling Requests from Data Subjects
Article 8: Data Protection Impact Assessment (DPIA) and Audit
8.1 The Client has the right to have a DPIA or Audit carried out by an independent third party who is bound by confidentiality to check compliance with all aspects of the Data Processing Agreement.
8.2 The audit may take place if there is a concrete suspicion of misuse of personal data.
8.3 The Processor will cooperate with the DPIA/Audit and make all reasonably relevant information, including supporting data such as system logs and employees available as soon as possible.
8.4 The findings from the DPIA/Audit will be assessed by both parties in mutual consultation and, as a result, will or will not be implemented by one or both parties.
8.5 The costs of a DPIA and/or Audit shall be borne by the Client.
Article 9: Sub-processors
9.1 The Processor is allowed to use Sub-processors within the scope of this agreement, and the Processor will impose the same requirements and obligations on Sub-processors as apply to the Processor under this Data Processing Agreement.
Article 10: Liability
10.1 PRAM IT Solutions shall not be liable for compensation in the context of the conclusion, fulfilment, or implementation of this Data Processing Agreement, regardless of the grounds on which an action for compensation would be based, except in the cases specified below and up to the limits stated therein.
10.2 The total liability of PRAM IT Solutions for damages suffered by the client as a result of a breach of contract by PRAM IT Solutions, including any breach of guarantee obligations agreed with the client, or due to an unlawful act by PRAM IT Solutions, its employees or third parties engaged by it, shall be limited to an amount equal to the total of the fees (excluding VAT) that the client shall owe under the Agreement.
10.3 PRAM IT Solutions shall not be liable for indirect damages, which include but are not limited to consequential damages, lost profits, lost savings, reduced goodwill, damages due to business interruption, damages due to failure to meet marketing objectives, damages related to the use of data or data files provided by the client, or loss, mutilation, or destruction of data or data files.
10.4 Unless compliance by PRAM IT Solutions is permanently impossible, PRAM IT Solutions’ liability for a breach of contract shall only arise if the client immediately provides written notice of default, allowing a reasonable time for the rectification of the breach, and PRAM IT Solutions continues to be in breach after that period. The notice of default must contain a description of the breach that is as complete and detailed as possible, so that PRAM IT Solutions can respond appropriately.
10.5 Any claim for damages by the client against PRAM IT Solutions that has not been specified and explicitly reported, shall expire after 12 months after the claim arose.
10.6 The client shall indemnify PRAM IT Solutions against any legal claim from third parties if that claim, in any form, is related to the processing of personal data, as well as against any fines imposed on the client by the Dutch Data Protection Authority or other supervisory authorities.
Article 11: Duration and Termination
11.1 This Data Processing Agreement shall remain in effect for the duration as stipulated in the agreement. Upon termination of the agreement, the Data Processor Agreement shall also end and vice versa.
11.2 Upon termination of the agreement, the client has 30 days to request any personal data provided.
11.3 The Processor shall store any personal data as required by the fiscal retention obligation. This legal obligation requires that source, derived, and fixed data must be kept for at least 7 years. Personal data that does not fall under this requirement will be removed from the Processor’s servers and systems after 30 days.
Article 12: Applicable Law and Dispute Resolution
12.1 This Data Processing Agreement and its implementation shall be governed by Dutch law.
12.2 Any disputes arising between the Processor and the client in relation to this Data Processing Agreement shall be submitted to the competent court in the district in which the Processor is established.
