Ublion processor agreement

Ublion is a brand of Cocon BV
Paradijslaan 32, Eindhoven, The Netherlands
Chamber of Commerce: 66318874, VAT: NL856492838B01

Publication date: 10 January 2020
Effective date: 1 February 2020

Ublion processes personal data for and on behalf of the customer, among other things, because the customer has a subscription with Ublion. Ublion and the customer are therefore obliged to conclude a Processor Agreement in accordance with the General Data Protection Regulation (GDPR). Because Ublion provides a standard cloud service with the associated standard services, Ublion has included this processing agreement in the General Terms and Conditions. Ublion is the ‘processor’ and the customer the ‘controller’.

Ublion and the customer undertake mutually to comply with the General Data Protection Regulation (GDPR). For the definitions of terms, a link is made to the GDPR. Ublion will only process the personal data for and on behalf of the customer and to implement the agreement.

Ublion is a Dutch company with an international cloud service for customers. Documents are supplied and processed worldwide by the Ublion service on behalf of customers (controller).

The processing consists of making the Ublion service available with the data entered and generated by the customer. Ublion will not add, modify or remove any data without specific instructions from the customer. That instruction can be given via a request.

  • The customer is the Controller
  • Ublion is the Processor

Different types of personal data can be processed by Ublion. The customer and Ublion are aware that the customer can enter all these, and possibly still personal data or categories to be created, and that Ublion will then process them. The customer is responsible for assessing whether the purpose and nature of the processing fits in with Ublion’s services.

The processing will only take place within the framework of the Agreement (which can be found at www.ublion.com/ublion-agreement/) – on the basis of which, among other things, data (of Responsible Party) is hosted and cloud conversion services are provided to Responsible Party – and those purposes that are reasonably related to this or that are determined with further consent.

The terms used in this Processor Agreement (hereinafter: “Processor Agreement”), such as: “Processor”, “Responsible Party”, “processing” and “personal data”, have the meaning and meaning that they have in Article 1 of the Personal Data Protection Act (hereinafter: “Wbp”), and from 25 May 2018 the General Data Protection Regulation (hereinafter AVG) (EU 2016/679).

The processor is prepared to comply with obligations regarding security and other aspects of the Wbp and GDPR, insofar as this is within its power. Processor offers sufficient guarantees with regard to technical and organizational security measures with regard to the processing of controllers data and with regard to the reporting of a security breach. In addition, the Wbp and GDPR impose an obligation on the Controller to monitor compliance with those measures. Both parties, wish to record their rights and obligations in writing through this Processor Agreement.

Both parties has agreed as follows

Article 1. Purposes of processing

1.1 Processor processes, under the conditions of this Processor Agreement, personal data from invoices for conversion to an electronic format and / or exchange. Processing will only take place within the framework of the Agreement and those purposes that are reasonably related to it or that are determined with further approval.

1.2 The invoices with personal data are and remain the property of the controller.

1.3 Processor guarantees that the processing of personal data from Article 1.1 falls under one of the exemptions under the Wbp or GDPR, or if this is not the case, a notification has been made to the Dutch Data Protection Authority.

1.4 The processor has no control over the purpose and means for the processing of personal data from Article 1.1. by Controller. Processor does not make any decisions about the receipt and use of the personal data, the provision to third parties and the duration of the storage of personal data by the Controller.

Article 2. Obligations of the Processor

2.1 With regard to the processing operations referred to in Article 1, Processor will ensure compliance with the applicable laws and regulations, including at least the laws and regulations regarding the protection of personal data, such as the Wbp and GDPR.

2.2 The obligations of Processor that arise from this Processor Agreement also apply to those who process personal data under the authority of Processor, including but not limited to employees, in the broadest sense of the word.

Article 3. Transfer of personal data

3.1 Processor processes the personal data in the Netherlands, Germany and / or France, but may, after written permission from the Controller, process the personal data that fall under the responsibility of the Controller in other countries within the European Union. Transfer to countries outside the European Union is only permitted with the written permission of the Controller.

3.2 Processor will, if explicitly requested by it, report to which country or countries the personal data from Article 3.1 will be processed.

Article 4. Division of responsibility

4.1 Processor is solely responsible for the processing of the personal data under this Processor Agreement. For the other processing of personal data, including at least including but not limited to the collection of the personal data by the Controller, processing for purposes not reported by the Controller to the Processor, processing by third parties and / or for other purposes, the Processor is expressly not responsible.

4.2. The controller keeps a register of the processing activities that take place under her responsibility.

Article 5. Engaging third parties or subcontractors

5.1. Processor does not use third parties in the context of the Processor Agreement.

6. Security

6.1 Processor shall endeavor to take sufficient and appropriate technical and organizational measures with regard to the processing of personal data, against loss or against any form of unlawful processing (such as unauthorized access, encroachment, alteration or provision of personal data). Processor guarantees that the protection is effective under all circumstances.

6.2 The Controller has assured herself that the required security measures have been taken. Processor and Controller are jointly responsible for compliance with the measures agreed by the Parties.

Article 7. Confidentiality

7.1 All personal data is subject to an obligation of confidentiality towards third parties.

7.2 This duty of confidentiality does not apply if the provision of the information to third parties is logically necessary in view of the nature of the assignment given and the implementation of this Processor Agreement or if there is a legal obligation to provide the information to a third party.

Article 8. Processing requests from involved parties

8.1 In the event that a data subject submits a request for inspection, as referred to in Article 35 of the Wbp or Article 36 of the GPR, or improvement, supplementation, modification or shielding, as referred to in Article 36 of the Wbp, to Processor, Processor will forward this request to the Controller , and Responsible person will further process the request. Processor may inform the data subject thereof.

Article 9. Reporting obligation

9.1 In the event of a security breach and / or a data breach (which is understood to mean: a breach of the security of personal data – as referred to in Article 13 of the Wbp and Article 33 GPC), Processor will make every effort to ensure that the Data Subject and the Responsible Person are responsible. to inform without delay. A security breach occurs if the personal data is exposed to loss or unlawful processing and it cannot reasonably be excluded that personal data has been lost or processed unlawfully. The controller is then and remains responsible for assessing whether the reported breach of the Processor’s security leads to a significant risk of serious adverse consequences or serious adverse consequences for the protection of personal data and whether there is an obligation to detect the data breach. report to the Dutch Data Protection Authority.

9.2 A report of a data breach by the Processor to the Controller as referred to in Article 9.1 must only be made for events with a major impact, and only if the event has actually occurred.

9.3 Processor is never responsible and / or liable for reports that the Controller should have made to a data subject according to the data subject, third parties / and or the Dutch Data Protection Authority.

Article 10. Duration and termination

10.1. This Processor Agreement is entered into for the duration as stipulated in the Agreement and, in the absence thereof, for the duration of the cooperation.

10.2. The Processor Agreement cannot be canceled in the interim.

10.3. Parties may only change this Processor Agreement with mutual consent. Changes are only valid if they have been agreed in writing between the parties and can only be proved with this.

Article 11. Other provisions

11.1 The Processor Agreement and its implementation are governed by Dutch law.

11.2 The Processor Agreement forms an integral part of the General Terms and Conditions of Ublion.

11.3 All disputes that may arise between the Parties in connection with the Processor Agreement, will, insofar as not required otherwise, be submitted to the competent court in Arnhem.

11.4 Logs and measurements taken by the Processor are binding evidence, subject to proof to the contrary to be supplied by the Controller.