This data processing agreement is an appendix to the Master Buyer Agreement between Customer and LeanLinking ApS entered into by the Parties (the “Master Agreement”).
1 Scope of the Agreement
1.1 The Supplier is the Customer’s data processor, as the Supplier carries out the data processing tasks described in Appendix 1 (below) on behalf of the Customer.
1.2 The personal data processed by the Supplier, the purposes of the processing, the categories of personal data and the categories of data subjects are specified in Appendix 1 (below).
1.3 The Agreement only governs the processing of personal data performed by the Supplier on behalf of the Customer.
1.4 “Personal data” is defined as any information relating to an identified or identifiable natural person, in accordance with article 4(1) of the Regulation (EU) 2016/679 of 27 April 2016 (the “General Data Protection Regulation”).
2 Processing of Personal Data
2.1 The Supplier will only process personal data on instruction from the Customer.
2.2 Instruction: The Supplier is instructed only to process personal data with the purpose to carry out the data processing tasks specified in Appendix 1. The Supplier may not process or use the personal data for purposes other than the ones specified in the instruction, including transferring personal data to a third country or an international organisation, unless EU law or the legislation of a state to which the Supplier is subject requires the Supplies to do so, in which case the Supplier must inform the Customer in writing of this legal obligation before the processing is commenced, unless the legislation concerned prohibits such notification on important grounds of public interests.
2.3 If the Supplier considers an instruction given by the Customer to be incompatible with the General Personal Data Regulation, other EU data protection legislation or data protection legislation of an EU member state, the Supplier must inform the Customer in writing.
2.4 The Customer warrants that the Customer has all necessary rights to process all personal data governed by the Agreement and to let the Supplier process such personal data on behalf of the Customer, including but not limited to having acquired relevant consents.
3 Requirements for the Supplier
3.1 The Supplier must process personal data in compliance with applicable EU data protection regulation, including the General Personal Data Regulation, once it enters into force.
3.2 The Supplier must ensure that the persons authorised to process personal data have committed themselves to confidentiality or are bound by an appropriate statutory professional secrecy obligation.
3.3 The Supplier must implement appropriate technical and organisational security measures to protect the processed personal data against (i) accidental or unlawful destruction, loss or alteration, (ii) unauthorised disclosure or access, or (iii) processing in breach of applicable legislation including the General Personal Data Regulation.
3.4 The Supplier must also comply with any legally binding standards on security measures, which bind the Supplier directly, including any standards on security measures in the country in which the Supplier is established or in the country in which the data processing takes place.
3.5 The appropriate technical and organisational security measures must be determined with consideration given to (i) the current technical level, (ii) the implementation costs, (iii) the character, extent, context and purpose of the processing as well as the risks of varying probability and seriousness posed to the rights and freedoms of natural persons.
3.6 At the request of the Customer, the Supplier must provide the Customer with the information necessary to ensure that the Supplier complies with the obligations under the Agreement, including that the necessary documentation of technical and organisational security measures have been implemented.
3.7 The Supplier must, without undue delay after becoming aware of such circumstances, inform the Customer in writing about (i) any request of an authority for disclosure of personal data covered by the Agreement unless the Supplier is prohibited to inform the Customer pursuant to EU law or the legislation of a state that applies to the Supplier, (ii) any suspicion or observation of (a) security breaches leading to accidental or unlawful destruction, loss or alteration, unauthorised disclosure or access to personal data transmitted, preserved or in any other way processed by the Supplier under this Agreement, or (b) any other noncompliance with the obligations of the Supplier under clause 3.3 and 3.4, or (iii) any request for access to personal data received directly from a data subject or from a third party.
3.8 The Supplier must assist the Customer in the handling of any request from a data subject covered by chapter III of the General Data Protection Regulation, including requests for access, rectification, blocking and erasure.
3.9 The Supplier must assist the Customer in ensuring compliance with the Customer’s obligations pursuant to articles 32 to 36 of the General Data protection Regulation and the legislation of a member state under which the assistance of the Supplier is required to the extent that the assistance of the Supplier is necessary for the Customer to comply with such obligations. This includes all necessary information for the use of an impact assessment under article 35-36 of the General Data Protection Regulation, to the extent the Supplier has access to such information.
3.10 The physical locations of servers, service centers etc. that are used for the processing of personal data are listed by the Supplier in Appendix 1 (below). The Supplier is obligated to inform the Customer in writing before changing the physical location. This does not require a formal amendment of Appendix 1. A prior written notice by mail or email is sufficient.
3.11 The Customer pays the Supplier for the time and material spent on any services, which the Customer requests the Supplier to carry out under chapter 3 and 7 of the Agreement. The cost of the services follows the standard price list for services.
4.1 The Supplier is entitled to use sub-processors. At the time when the Agreement enters into force, the Supplier uses the sub-processors specified in Appendix 2 (below), which must be updated by Customer with additional or replacement of sub-processors. The change of sub-processors must be updated in Appendix 2 below no later than two months before the change takes place.
4.2 Before using a sub-processor, the Supplier must enter into a written agreement with the sub-processor, in which at least equivalent obligations as assumed by the Supplier under the Agreement are imposed on the sub-processor, including the obligation to carry out appropriate technical and organisational measures to ensure that the processing satisfies the requirements of the general data protection regulation.
4.3 The Customer is entitled to be provided with a copy of all parts of agreements between the Supplier and sub-processors regulating data protection obligations mandatory under clause 4.2. The fact that the Customer has consented to the Supplier entering into a contract with a sub-processor is without prejudice to the Supplier’s obligation to comply with the Agreement.
5.1 The Supplier must treat personal data confidentially.
5.2 The Supplier may not disclose personal data to any third party unless this is necessary to be able to carry out the Supplier’s obligations towards the Customer, provided the person to whom the personal data is disclosed is aware of the information’s confidential nature and has agreed to keep the information confidential according to this Agreement, or if such disclosure is required by law.
5.3 The Supplier must limit access to the personal data to employees and sub-contractors for whom it is necessary to have access to personal data to be able to perform the obligations of the Supplier to the Customer.
5.4 The obligations of the Supplier under clause 5 are not subject to any time barring irrespective of whether the parties’ cooperation is terminated.
6 Amendments and Transfers
6.1 The Supplier may transfer its rights and obligations under the Agreement without consent of the Customer, provided the entity to which the rights and obligations are transferred commits to process personal data in compliance with the Agreement.
7 Duration and Termination
7.1 The term of the Agreement will be the same as the term of the Master Agreement. Upon termination of the Master Agreement, the Agreement will terminate.
7.2 Either Party may terminate the Agreement on the same terms that apply to the Master Agreement.
7.3 Regardless of the formal agreement period, the Agreement remains in force as long as the Supplier processes personal data on behalf of the Customer for which the Customer is the data controller.
7.4 In the event of termination and upon request of the Agreement, the Supplier must loyally help that the data processing is passed to another supplier or transferred back to the Customer.
7.5 At the request of the Customer and by termination of the Agreement, the Supplier must transfer personal data processed by the Supplier on behalf of the Customer to the Customer or delete such personal data unless EU law or the legislation of an EU member state requires data preservation.
8.1 When a Party is required to provide written notice to the other Party under the Agreement, such obligation may be fulfilled by providing such notice via email to the other Party’s most recently announced email address.
This appendix constitutes the Customer’s instruction to the Supplier relating to the processing of data carried out by the Supplier on behalf of the Customer, and it is an integral part of the Agreement.
Purpose and nature of the data processing
The purpose of entrusting the data processing activities to the Supplier is to let the Customer use LeanLinking, which is an IT-system accessed by the Customer online, hosted and run by the Supplier. LeanLinking helps facilitating the Customer’s data and documentation relating to Customer’s trading partners (suppliers). This also entails transfer of personal data to Customer’s suppliers on behalf of the Customer.
Categories of registered data subjects
I. The Customer’s suppliers’ employees if the Customer enters details about such supplier’s employees in LeanLinking.
II. The Customer’s current employees if the Customer enters details about such persons in LeanLinking.
III. The Customer’s former employees if the Customer enters details about such persons in LeanLinking.
Categories of personal data processed
For the above-mentioned categories of registered data subjects, the following personal data is processed: Name, email, phone number and title.
Data processing locations
Microsoft Azure, Dublin, Ireland
Microsoft Azure, Amsterdam, The Netherlands
The Supplier use Microsoft Azure as hosting partner for hosting and data processing. The Microsoft data centre facilities used by Supplier are located in Dublin, Ireland and Amsterdam, The Netherlands.