
Processing agreement

And standard clauses for processing

Preface

Autosoft BV processes, among other things, personal data for and on behalf of the customer. Autosoft BV and the customer are therefore obliged under the General Data Protection Regulation (GDPR) to conclude a Processor Agreement. According to the GDPR, Autosoft BV is a 'processor' and the customer is a 'controller'. This Processor Agreement also describes how Autosoft BV handles the data breach notification obligation.

Processing agreement

Consisting of:
Part 1: Data Pro Statement
Part 2: Standard Processing Clauses

Part 1: Data Pro Statement

General Information

1). This Data Pro Statement has been drawn up by the following data processor (processor):

  • Autosoft BV
    Hengelosestraat 547
    7521 AG Enschede

For questions about this Data Pro Statement or data protection, please contact:
Arthur van der Lek: arthur@autosoft.eu / +31 (0)53 – 428 00 98

2). This Data Pro Statement applies from August 1, 2021
We regularly adjust this Data Pro Statement and the security measures described therein to ensure that we are always prepared and up-to-date with regard to data protection. We will keep you informed of new versions through our normal channels.

3). This Data Pro Statement applies to the following data processor products and services

  • AutoWebsite
  • AutoCommerce

4). Description Car website
Car companies use Autowebsite. With Autowebsite, car companies can present themselves on the internet.

5). Intended use Car website
Autowebsite is designed and equipped to process the following types of data:
Visitors to websites developed by Autosoft with Autowebsite have the option to leave their contact details there so that the car company has the opportunity to approach the visitor for further services. These contact details are not stored with Autosoft, but are forwarded directly via e-mail to the e-mail address of the car company.

  • This service does not take into account the processing of special personal data, or data relating to criminal convictions and offenses or government issued personal numbers.

6). Description Autocommerce
Car companies use Autocommerce. With Autocommerce, car companies can manage and present their vehicles on their own website and internet search portals of third parties.

7). Intended Use Autocommerce
Autocommerce is designed and equipped to process the following types of data:
Car companies can place their registered vehicles via Autocommerce on their own Car website. These registered vehicles do not contain any data that can be traced back to personal data in any form. Visitors to the Car website have the option to leave their contact details there so that the car company has the opportunity to approach the visitor for further services. The contact details left by the visitor on the car company's own Car website are stored in Autocommerce.

  • This service does not take into account the processing of special personal data, or data relating to criminal convictions and offenses or government issued personal numbers.

8). Data processor uses the Standard Clauses for processing for Autowebsite and Autocommerce, which can be found as an appendix to the Agreement.

9). Data processor processes the personal data of its clients within the EU/EEA for Autowebsite and Autocommerce.

10). Data processor uses the following sub-processors for Autocommerce:
In some cases, Autosoft sends its registered vehicles via Autocommerce to the internet search portals of third parties or sub-processors on behalf of the Car Company. A list of sub-processors is available on request at support@autosoft.eu.

11). After termination of the Agreement with a client, the data processor will in principle remove the personal data that it processes for the client within 3 months in such a way that they can no longer be used and are no longer accessible (render inaccessible).

Security policy

A summary of the security measures that the Data processor has taken to protect its product or service:

Incident management and response policy
Incident management and response policies in the field of information security include the monitoring and detection of security incidents on a computer or IT infrastructure, but also the observation of suspicious activities by the personnel, and the implementation of the correct responses to these events.

The primary goal of this policy is to develop a well-understood and predictable response to malicious events and computer intrusions in the broadest sense of the word.

Incident management and response policy is the process of managing and protecting computers, networks and information systems and the information stored therein. Autosoft is aware of its responsibilities when it comes to protecting this information for the benefit of its customers and supply chain partners. This responsibility extends to having an Incident procedure. Incident management is a set of activities that define and implement a process that an organization can use to promote its own well-being and the safety of the public.

IT and security
The ICT infrastructure of Autosoft BV is adequately secured with a firewall, and the virus scanning software is kept up-to-date. Every employee has a login profile. When starting up a computer, employees must enter a login name and password and, where possible, complete 2-step authentication.

Certain software also asks for a login name and password and, where possible, 2-step authentication. Awareness among employees about working safely is stimulated, for example by drawing attention to not opening suspicious emails, not clicking on suspicious links, logging out when leaving the workplace for a long time, and so on.

Files are backed up during the day and every night. For security reasons, the further storage procedure surrounding the backup is confidential. Autosoft BV has concluded service contracts for this with computer suppliers and internet hosting providers.

Data protection policy
Autosoft BV takes appropriate technical and organizational measures to protect the customer's personal data against loss or any form of unlawful processing. These technical and organizational measures are regarded as an appropriate security level within the meaning of Article 1 of the GDPR and are stored as documents in the central Basecamp (Project: Organisation/Data Protection Policy) of Autosoft BV.

Technical and organizational

  1. Measures to ensure that only authorized personnel have access to the Personal Data processed in the context of the Processor Agreement;
  2. Measures to protect the Personal Data in particular against accidental or unlawful destruction, loss, accidental alteration, unauthorized or unlawful storage, access or disclosure;
  3. Measures to protect the Personal Data in particular against accidental or unlawful destruction, loss, accidental alteration, unauthorized or unlawful storage, access or disclosure during data exchange/transport;
  4. Measures to ensure the ability to ensure the confidentiality, integrity, availability and resilience of the editing systems and services on an ongoing basis;
  5. Measures to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
  6. Measures to identify vulnerabilities with regard to the processing of Personal Data in the systems used to provide the services under the contract;

Organizational such as:

  • Limiting the circle of officials who have access to certain personal data to those persons who need the data for the performance of their duties;
  • granting these persons access to only personal data that they need for the performance of their duties;
  • agreeing a confidentiality clause with a penalty clause with all persons to whom access to personal data will be granted;
  • storing personal data on servers in a closed space;
  • keeping paper files in lockable cabinets;
  • creating information security awareness among employees;
  • establishing clear protocols and procedures for the timely and effective handling of information security incidents and security vulnerabilities;

Data processor uses its own methodologies and procedures for management that fit within the working method of the organization:

  • Within Basecamp, relevant documents are managed and periodically evaluated.

Data breach protocol

In the event that something does go wrong, the data processor uses the following data leak protocol to ensure that the client is aware of incidents:

Autosoft BV – Data breach procedure

What is a data breach and when do I have to report it to the AP?
A data breach is an information security incident involving a breach of the security of personal data through exposure to loss or unlawful processing, such as (non-exhaustively):

  • Adjusting and/or changing personal data and unauthorized access to this personal data;
  • In the event of a break-in by a hacker;
  • Losing a USB stick, theft of a laptop;
  • Sending sensitive data to an incorrect email address;

According to the law, a 'serious' data breach must be reported to the Dutch Data Protection Authority without undue delay, and if possible no later than 72 hours after the discovery.

Autosoft BV does not have to report to the Dutch Data Protection Authority if actual identification of individual natural persons is reasonably excluded.
All suspicions of an information security incident are first reported to support@autosoft.eu and registered there. Support reports the incident to the Management Team and determines what follow-up actions should be taken.

Follow-up procedure

When do I have to notify the data subjects?
A data breach must be reported to the data subject if, in the event of a breach, there is a high risk that the breach will have adverse consequences for his or her private life. Unfavorable consequences for the data subject are, for example, damage to his or her reputation, identity fraud or discrimination. If Autosoft BV has taken appropriate technical protection measures, as a result of which the personal data concerned are made incomprehensible or inaccessible, the notification to the data subject is not necessary. The notification to the data subject shall contain a description, in clear and plain language, of the nature of the personal data breach and at least:

  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures proposed or taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate any adverse effects thereof.

The assessment of whether a data breach must be reported to the Dutch Data Protection Authority and/or the affected persons is always up to Autosoft BV. In order to determine whether an incident must be reported, the Dutch Data Protection Authority has drawn up policy rules (https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/thematic-beleidsreglement/beleidsreglement-meldspraak-datareken-2015), and Working Party 29 of the European supervisory authorities has published guidelines on the reporting obligation in the GDPR. If Autosoft BV has not reported the data breach, the Dutch Data Protection Authority may require that Autosoft BV still make a report. Failure to report can be punished with an administrative fine.

How do I report a data breach?
The Dutch Data Protection Authority makes a web form available that must be used for reporting data breaches (https://dataleks.autoriteitpersoonsgegevens.nl/). The Dutch Data Protection Authority keeps a register of the data breach notifications received. This register is not public. If a fine is imposed by the Dutch Data Protection Authority as a result of the data breach, this decision will be made public. A data breach is also made public when data subjects need to be informed about the data breach. The notification to the data subject must in any case indicate the nature of the infringement and the authorities where the data subject can obtain more information about the infringement. It must also be stated what the data subject can do himself to limit the negative consequences of the data breach. For example, changing usernames and passwords when they may have been compromised by the breach.

Flowchart Notification of Data Leaks

What should I report?
A notification to the Dutch Data Protection Authority includes:

  • The reporter of the data breach.
  • The person whom the Dutch Data Protection Authority can contact for further information about the report.
  • A summary of the incident where the personal data security breach occurred.
  • The time of the infringement.
  • The nature of the infringement.
  • The type of personal data concerned.
  • The consequences that the infringement may have for the privacy of those involved.
  • The technical and organizational measures that Autosoft BV has taken to tackle the infringement and to prevent further infringements.
  • Whether Autosoft BV has reported the data breach to the data subjects and, if not, whether Autosoft BV intends to do so:
      ◦ If so, the content of the notification to the data subjects.
      ◦ If not, the reason why Autosoft BV refrains from reporting the data breach to the data subjects.
  • Have the personal data been encrypted, hashed or otherwise made incomprehensible or inaccessible to unauthorized persons?

Part 2: Standard Processing Clauses

Version: September 2019
Together with the Data Pro Statement, these clauses form the processing agreement and are an appendix to the Agreement and the accompanying appendices, such as the applicable general terms and conditions.

Article 1. Definitions

The terms below have the following meanings in these Standard Clauses for processing, in the Data Pro Statement and in the agreement:

  • 1.1 Dutch Data Protection Authority (AP): supervisory authority, as described in Article 4, sub 21 of the AVG.
  • 1.2 AVG: the General Data Protection Regulation.
  • 1.3 Data Processor: party that, as an ICT supplier, processes Personal Data for the benefit of its Client in the context of the execution of the Agreement.
  • 1.4 Data Pro Statement: statement of Data Processor in which it provides information with regard to the intended use of its product or service, security measures taken, sub-processors, data leaks, certifications and handling of rights of Data Subjects.
  • 1.5 Data subject (data subject): an identified or identifiable natural person.
  • 1.6 Client: party on whose behalf Data Processor processes personal data. The Client can be either a controller (“controller”) or another processor.
  • 1.7 Agreement: the agreement between the Client and Data Processor, on the basis of which the ICT supplier supplies services and/or products to the Client, of which the processor agreement forms part.
  • 1.8 Personal data: all information about an identified or identifiable natural person, as described in Article 4, sub 1 AVG, which Data Processor processes in the context of the performance of its obligations arising from the Agreement.
  • 1.9 Processing agreement: these Standard Clauses for processing, which together with the Data Pro Statement (or comparable information) of Data Processor form the processing agreement as referred to in Article 28, paragraph 3 of the GDPR.

Article 2. General

  • 2.1 These Standard Processing Clauses apply to all processing of Personal Data that Data Processor does in the context of the delivery of its products and services and to all Agreements and offers. The applicability of the Client's processing agreements is expressly rejected.
  • 2.2 The Data Pro Statement, and in particular the security measures contained therein, may be amended by Data Processor from time to time to reflect changing circumstances. Data Processor will inform Client of significant changes. If the Client cannot reasonably agree to the adjustments, the Client is entitled to terminate the processing agreement in writing within 30 days of notification of the adjustments.
  • 2.3 Data Processor processes the Personal Data for and on behalf of Client in accordance with the written instructions of Client agreed with Data Processor.
  • 2.4 The Client, or its customer, is the controller within the meaning of the GDPR, has control over the processing of the Personal Data and has determined the purpose and means of processing the Personal Data.
  • 2.5 Data Processor is a processor within the meaning of the GDPR and therefore has no control over the purpose and means of processing the Personal Data and therefore does not make any decisions about, among other things, the use of the Personal Data.
  • 2.6 Data Processor implements the GDPR as laid down in these Standard Clauses for Processing, the Data Pro Statement and the Agreement. It is up to the Client to assess on the basis of this information whether Data Processor offers sufficient guarantees with regard to the application of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and the protection of the rights of Data Subjects is sufficiently guaranteed.
  • 2.7 The Client guarantees to the Data Processor that it acts in accordance with the GDPR, that it adequately protects its systems and infrastructure at all times and that the content, use and/or processing of the Personal Data are not unlawful and do not infringe any right of a third party.
  • 2.8 An administrative fine imposed on the Client by the AP cannot be recovered from Data Processor.

Article 3. Security

  • 3.1 Data Processor takes the technical and organizational security measures as described in its Data Pro Statement. When taking these measures, Data Processor has taken into account the state of the art, the implementation costs of the security measures, the nature, scope and context of the processing, the purposes and the intended use of its products and services, the processing risks, and the risks, differing in probability and seriousness, for the rights and freedoms of Data Subjects that it could expect in view of the intended use of its products and services.
  • 3.2 Unless explicitly stated otherwise in the Data Pro Statement, Data Processor's product or service is not designed to process special categories of Personal Data or data regarding criminal convictions or offenses or government-issued personal numbers.
  • 3.3 Data Processor strives to ensure that the security measures to be taken by it are appropriate for the intended use of the product or service by Data Processor.
  • 3.4 In the opinion of the Client, the described security measures offer a level of security tailored to the risk of the processing of the Personal Data used or provided by the Client, taking into account the factors referred to in Article 3.1.
  • 3.5 Data Processor may make changes to the security measures taken if in its opinion this is necessary to continue to provide an appropriate level of security. Data Processor will record important changes, for example in an amended Data Pro Statement, and will inform Client of those changes where relevant.
  • 3.6 Client can request Data Processor to take further security measures. Data Processor is under no obligation to make changes to its security measures upon such request. Data Processor can charge the costs related to the changes made at the request of the Client to the Client. Only after the amended security measures desired by the Client have been agreed in writing and signed by the Parties, Data Processor is obliged to actually implement these security measures.

Article 4. Personal Data Breach

  • 4.1 Data Processor does not guarantee that the security measures are effective under all circumstances. If Data Processor discovers a breach in connection with Personal Data (as referred to in Article 4 sub 12 AVG), it will inform the Client without undue delay. The Data Pro Statement (under data breach protocol) sets out how the Data Processor informs the Client about breaches in connection with Personal Data.
  • 4.2 It is up to the controller (Client, or its customer) to assess whether the Personal Data breach that Data Processor has informed about must be reported to the AP or Data subject. The reporting of breaches in connection with Personal Data, which must be reported to the AP and/or Data Subjects pursuant to Articles 33 and 34 GDPR, remains the responsibility of the controller (Client or its customer) at all times. Data Processor is not obliged to report personal data breaches to the AP and/or the Data Subject.
  • 4.3 Data Processor will, if necessary, provide further information about the breach in connection with Personal Data and will cooperate in the necessary provision of information to the Client for the purpose of a notification as referred to in Articles 33 and 34 AVG.
  • 4.4 Data Processor can charge the reasonable costs it incurs in this context to the Client at its then applicable rates.

Article 5. Confidentiality

  • 5.1 Data Processor guarantees that the persons who process Personal Data under its responsibility have a duty of confidentiality.
  • 5.2 Data Processor is entitled to provide the Personal Data to third parties, if and insofar as provision is necessary pursuant to a court decision, a legal regulation or on the basis of an authorized order from a government authority.
  • 5.3 All access and/or identification codes, certificates, information regarding access and/or password policy provided by Data Processor to Client, and all information provided by Data Processor to Client that implements the technical and organizational security measures included in the Data Pro Statement, are confidential and will be treated as such by the Client and only made known to authorized employees of the Client. The Client ensures that its employees comply with the obligations under this article.

Article 6. Term and termination

  • 6.1 This processor agreement forms part of the Agreement and any new or further agreement arising from it, comes into effect at the time of conclusion of the Agreement and is concluded for an indefinite period of time.
  • 6.2 This processor agreement ends by operation of law upon termination of the Agreement or any new or further agreement between the parties.
  • 6.3 In the event of the end of the processing agreement, Data Processor will delete all Personal Data in its possession and received from the Client within the term included in the Data Pro Statement in such a way that it can no longer be used and is no longer accessible (render inaccessible), or, if agreed, return it to the Client in a machine-readable format.
  • 6.4 Data Processor can charge any costs it incurs in the context of the provisions of Article 6.3 to the Client. Further agreements about this can be laid down in the Data Pro Statement.
  • 6.5 The provisions of Article 6.3 do not apply if a statutory regulation prevents the Data Processor from completely or partially removing or returning the Personal Data. In such a case, Data Processor will only continue to process the Personal Data to the extent necessary under its legal obligations. The provisions of Article 6.3 also do not apply if the Data Processor is the controller within the meaning of the GDPR with regard to the Personal Data.

Article 7. Rights of Data Subjects, Data Protection Impact Assessment (DPIA) and Audit Rights

  • 7.1 Data Processor will, where possible, cooperate with reasonable requests from Client that are related to the rights of Data Subjects invoked against Client by Data Subjects. If Data Processor is approached directly by a Data Subject, it will refer this person to the Client where possible.
  • 7.2 If the Client is obliged to do so, Data Processor will cooperate with a data protection impact assessment (DPIA) or a subsequent prior consultation as referred to in Articles 35 and 36 AVG.
  • 7.3 Data Processor will cooperate with requests from Client for the removal of personal data insofar as Client cannot perform this itself.
  • 7.4 At the request of the Client, Data Processor will also make all further information available that is reasonably necessary to demonstrate compliance with the agreements made in this processing agreement. If the Client nevertheless has reason to believe that the processing of Personal Data does not take place in accordance with the processing agreement, it can, at most once a year, have an audit carried out at its own expense by an independent, certified, external expert who has demonstrable experience with the type of processing that is carried out on the basis of the Agreement. The audit will be limited to checking compliance with the agreements regarding the processing of Personal Data as laid down in this Processor Agreement. The expert will have a duty of confidentiality with regard to what he finds and will only report to the Client that which constitutes a shortcoming in the fulfillment of obligations that Data Processor has under this processor agreement. The expert will provide a copy of his report to Data Processor. Data Processor may refuse an audit or instruction from the expert if, in its opinion, this violates the GDPR or other legislation or constitutes an impermissible breach of the security measures it has taken.
  • 7.5 The parties will consult as soon as possible about the results of the report. The parties will follow the proposed improvement measures laid down in the report insofar as this can reasonably be expected of them. Data Processor will implement the proposed improvement measures to the extent that they are appropriate in its opinion, taking into account the processing risks associated with its product or service, the state of the art, the implementation costs, the market in which it operates, and the intended use of the product or service.
  • 7.6 Data Processor has the right to charge the costs it incurs in the context of the provisions of this article to the Client.

Article 8. Sub-Processors

  • 8.1 Data Processor has stated in the Data Pro Statement whether, and if so which, third parties (sub-processors) Data Processor engages in the processing of the Personal Data.
  • 8.2 Client gives permission to Data Processor to engage other sub-processors to perform its obligations arising from the Agreement.
  • 8.3 The Data Processor will inform the Client about a change in the third parties engaged by the Data Processor, for example by means of an amended Data Pro Statement. The Client has the right to object to the aforementioned change by Data Processor. Data Processor ensures that the third parties engaged by it commit to the same security level with regard to the protection of Personal Data as the security level to which Data Processor is bound towards the Client on the basis of the Data Pro Statement.

Article 9. Other

These Standard Processing Clauses, together with the Data Pro Statement, form an integral part of the Agreement. All rights and obligations under the Agreement, including the applicable general terms and conditions and/or limitations of liability, therefore also apply to the processing agreement.
