Data Processing Addendum
This Data Processing Addendum forms an integral and inseparable part of the Rodeo Conditions. This annex is used to lay down the rights and obligations of parties according to the requirements of article 28(3) of the General Data Protection Regulation (‘GDPR’).
The user (Company) of the Rodeo Software product (https://drive.getrodeo.io), hereinafter “Controller”;
Rodeo Software, Rodeo Software B.V., a private limited liability company, registered with the Chamber of Commerce under number 34257666, having its registered office in Amsterdam, the Netherlands, as well as all its legal successors or Rodeo US Inc, registered under corporation number 5392696, located at 288 East 45th Street Suite 9E, New York, NY 10017, duly represented in this matter by Mr. P.S. Vos (director/president), hereinafter “Processor”;
hereinafter jointly referred to as “Parties” and separately as “Party”;
wish to lay down their agreements concerning the processing of personal data by the Processor by means of this Data Processing Addendum as referred to in Article 28 (3) of the GDPR.
Article 1: Definitions
1.1. All capitalized terms are defined in the body of the Rodeo Conditions or in this Data Processing Addendum. If a term is not defined in the Rodeo Conditions or this Data Processing Addendum, it will have the meaning as described in the GDPR.
1.2. The words or formulations used in this Data Processing Addendum have the following meanings, both singular and plural:
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (as referred to in Article 4 (12) GDPR);
Subprocessor: the Party that processes the personal data for Controller on behalf of Processor.
1.3. Where in this Data Processing Addendum the term Main User is used this term will have the following meaning: the main user designated by the Controller, who is entitled, among other things, to grant rights to Rodeo users designated by the Controller.
Article 2: Purpose of processing
2.1. Processor undertakes to process personal data on behalf of Controller according to the provisions laid down in this Data Processing Addendum. Data processing shall only take place in the context of the execution of the Agreement, as well as those purposes that are reasonably related to it or that are determined in the Agreement.
2.2. Appendix A defines the categories of Personal Data processed and the categories of Data Subjects.
2.3. Processor will not process the Personal Data for any purpose other than as determined by Controller. Controller will inform Processor by email of the processing purposes insofar as they have not already been mentioned in this annex. However, Processor may use the Personal Data for quality purposes, provided that Processor only processes the relevant data for these purposes in anonymized form as much as possible.
Article 3: Processor obligations
3.1. Processor shall only process the personal data for the purposes as mentioned in the Agreement.
3.2. Regarding the processing operations as referred to in article 2, Processor shall comply with all applicable legislation, including at least all data processing legislation, such as the GDPR.
3.3. Processor shall inform Controller without undue delay if in its opinion an instruction of Controller would violate the applicable legislation as referred to in the first clause of this article or is otherwise unreasonable.
3.4. Processor shall provide assistance to Controller to fulfill Controller’s legal obligations under the GDPR. This concerns the provision of assistance in the fulfillment of its obligations under Articles 32 to 36 of the GDPR.
3.5. All obligations of Processor under this Data Processing Addendum shall apply equally to any persons processing personal data under the supervision of Processor, including but not limited to employees in the broadest sense of the term.
Article 4: Confidentiality obligations
4.1. Processor shall maintain the confidentiality of the personal data provided by Controller. Processor ensures that the persons who are authorized to process the personal data are contractually obliged to maintain the confidentiality of the personal data of which they take note.
4.2. In case Processor is required, due to a legal obligation or judicial decision, to provide a third party with the personal data Processor processes on behalf of Controller, Processor shall inform Controller thereof, unless this is prohibited by law.
Article 5: Notification and communication of Personal Data Breaches
5.1. Controller is always responsible for notification of any Personal Data Breaches, to the competent supervisory authority, and for possible communication about the Personal Data Breach to data subjects.
5.2. To enable Controller to comply with this legal requirement, Processor shall notify Controller without undue delay after discovering a Personal Data Breach. Processor will take reasonable measures to limit the consequences of the Personal Data Breach and to prevent further and future Personal Data Breaches.
5.3. Processor shall help Controller, taking into account the reasonableness of the request, nature of the processing, and the information available to him, in regard to (new developments about) the Personal Data Breach.
5.4. The notification to Controller will be provided to the e-mail address of the Main User known to the Processor and shall include at least the fact that a Personal Data Breach has occurred. In addition, the notification shall, as far as known at that moment, describe:
- the nature of the Personal Data Breach;
- the (likely) consequences of the Personal Data Breach;
- the categories and approximate number of personal data concerned;
- if and which security measures have been taken to protect the personal data;
- the measures taken or proposed to be taken to address the Personal Data Breach and prevent future Personal Data Breaches, including, where appropriate, measures to mitigate its possible adverse effects;
- the categories and approximate number of data subjects concerned; and
- name and contact details of the data privacy officer (if appointed) or a contact person regarding privacy matters.
Article 6: Rights of data subjects
6.1. In the event a data subject makes a request to exercise his or her legal rights under the GDPR (Articles 15-22) to Processor, Processor shall pass on such request to Controller. Processor may inform the data subject of such request being forwarded. Controller will then further process the request.
6.2. If a data subject makes a request to exercise his or her legal rights to Controller, Processor will, if Controller requires this, provide assistance.
Article 7: Security measures
7.1. Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk related to the processing operations involved, against loss or any form of unlawful processing (in particular against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed).
Article 8: Audit
8.1. Controller has the right to verify compliance by Processor with all points under this Data Processing Addendum and everything directly related to it, by means of an audit performed by an independent third-party auditor who is bound by confidentiality obligations.
8.2. Controller may perform an audit once every two years, as well as in the event of a concrete suspicion of a breach of this annex or misuse of personal data.
8.3. Processor and Controller jointly decide a date, time and scope of the audit.
8.4. The audit findings shall be assessed by the parties in joint consultation and may or may not be implemented by either Party or jointly.
8.5. The costs of the audit shall be borne by Processor in case the audit reveals material discrepancies in the compliance of Processor to this annex, which are directly attributable to Processor. In all other cases the costs of the audit shall be borne by Controller.
8.6. The audit and the results thereof will be treated confidentially by Controller.
Article 9: Involvement of Subprocessor(s)
9.1. Controller hereby grants Processor specific written authorization to engage the third parties and/or subcontractors (‘Subprocessors’) as detailed in Appendix B when processing Personal Data, on the basis of this Data Processing Addendum.
9.2. Controller hereby grants general written permission for the engagement of other Subprocessors. Processor will inform Controller by email about intended changes regarding the addition or replacement of Subprocessors.
9.3. Controller is entitled to object in writing on reasonable grounds to the addition or replacement of specific Subprocessor(s) within two weeks after Processor has sent the notification. If Controller makes an objection, the parties will consult to reach a solution.
9.4. Processor imposes at least the same obligations on the engaged Subprocessor(s) as agreed between Controller and Processor in this annex.
9.5. Processor shall ensure that these third parties shall comply with the obligations under this annex and is liable for any damages caused by violations by these third parties as if it committed the violation itself.
Article 10: Transfer of personal data
10.1. Processor may process the personal data in any country within the European Economic Area (EEA).
10.2. In addition, Processor may transfer the personal data to a country outside the EEA, provided that the country ensures an adequate level of protection of personal data and complies with other obligations imposed on it under this annex and the GDPR, including the availability of appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects.
10.3. A list of the processing locations at the time of entering into the Agreement is set out in Appendix B to this Data Processing Agreement.
Article 11: Liability
11.1. The Parties explicitly agree that any liability arising in connection with personal data processing shall be as provided in the main body of the Rodeo Conditions.
Article 12: Term and termination
12.1. This Data Processing Addendum is effective for as long as the term of the Agreement.
12.2. This Data Processing Addendum may be changed in the same manner as the Rodeo Conditions.
12.3. Upon termination of the Agreement, Processor shall, based on the choice of Controller:
- return to Controller in original format all personal data available to it; or
- destroy all personal data available to it.
The following appendices have been added to the Data Processing Agreement:
Appendix A: Specification of personal data and data subjects
Appendix B: Subprocessors and locations
Appendix A: Specification of personal data and data subjects
Personal data and data subjects
Processor shall process the following types of personal data, under the supervision of Controller, for the purposes as specified in article 1 of this Data Processing Addendum:
- Email address
- City of residence
- Invoicing details
- Any other type of personal data that Controller provides to Processor in the Rodeo Software for the purposes of processing by Processor
Of the following categories of data subjects:
- Customers and/or their employees
- Suppliers/vendors and/or their employees
- Any other category of data subjects whose personal data Controller provides to Processor in the Rodeo Software for the purposes of processing by Processor
Appendix B: Subprocessors and locations
The following Subprocessors are engaged by Processor at the time of entering into the Agreement:
- Google Cloud EMEA Limited – Location: Belgium