Privacy Statement

1. Introduction

This is the privacy statement of Familienet B.V., established in Groningen at Verlengde Hereweg 174 and listed in the trade register under number 04022404. You can contact us in the manners described on our website (https://www.familienet.nl/contact.html).

This privacy statement explains in what way Familienet B.V. processes the personal data of data subjects, classified according to the various processing activities.

We attach great value to everyone’s privacy and therefore process personal data in accordance with the privacy regulations which are effective in the Netherlands and the European Union. We also keep privacy-records and as a part of this, we register our processing activities in a register of processing activities.

2. Cookies

Upon visiting our website (https://www.familienet.nl), a number of cookies are used.

For the shielded part of the website, this regards session cookies and security cookies (both types are so-called functional cookies), which are necessary to let our service function properly and safely.

In addition, we use a few cookies on the public part of our website for web statistics. For this, we use Google Analytics, by which cookies are placed to track visitors. We have selected settings for Google Analytics which are so privacy-friendly that no prior permission from visitors is required. For example, the last octet of the IP address is masked and we do not share any data with Google and we do not combine the Google Analytics cookies with other Google services. We have concluded an appropriate processor agreement with Google for this service. Read more about the privacy policy of Google on their website (https://policies.google.com/privacy?hl=nl).

The legal ground for our use of cookies is the necessity to conduct said actions in our legitimate interest. We do not require consent from the visitor for this.

In principle, we do not provide personal data to third parties, unless this is necessary to comply with an official order or legal obligation, for instance in the context of an investigation of criminal conduct.

3. Newsletter

When you receive a newsletter from us, we only process your name and e-mail address for this. We have signed an appropriate processor agreement with our newsletter provider.

The legal ground for our use of the newsletter is the necessity to inform recipients of news about our provision of services. It is always possible for recipients to easily unsubscribe from the newsletter.

4. Use of our service

For users of our on-line service ‘Familienet’, we process the following information:

  • name;
  • e-mail address;
  • IP address;
  • relation to other users;
  • preferences regarding language and notifications;
  • information which is shared by or on the user, such as photos and text.

In principle, sharing medical or health information through our service.

For healthcare institutions or organisations in the capacity of data controller, we also use data to maintain contact with their collaborators for the execution of our service, for example:

  • name;
  • position;
  • e-mail address;
  • IP address;
  • relation to other users;
  • preferences regarding language and notifications;
  • information which is shared by or on the collaborator through the service, such as photos and text.

In addition, we expressly establish with all users that they will act with diligence as well and will take appropriate security measures, both technical and organisational, so as to prevent unnecessary or excessive processing of (special categories of) personal data and to assure confidentiality.

The personal data of users are removed as soon as possible after the service is terminated by the healthcare institution acting as data controller, or at all times by the user himself or by the person who manages the user’s page for him. This means in practice 30 days after termination, because we also use a back-up system in which personal data may still appear after termination of the service.

Data controllers and users are furthermore able themselves to peruse, modify, and remove (personal) data through our service. In this manner, the rights of data subjects to peruse, correct, and remove personal data which are no longer necessary are met.

The legal ground for the above processing of personal data is its necessity for the implementation of the agreement with the users who are data subjects, or otherwise our legitimate interest in carrying out said actions in the event the user is authorised by the healthcare institution acting as data controller.

5. Rights of data subjects

Data subjects have the right, when we are responsible for the processing in question, to request from us the perusal, correction, or removal of personal data or the limitation of their processing. Data subjects also have the right to object to processing and the right to the transferability of the personal data. These rights, however, cannot always be conceded as such, because the privacy rules impose limits on this as well.

6. Further information

For further questions about our privacy policy, you can contact us in the manners described on our website (https://www.familienet.nl/contact.html). The Netherlands data protection agency ‘Autoriteit Persoonsgegevens’ is the competent monitoring authority where any possible complaints can be filed regarding our processing of personal data (https://autoriteitpersoonsgegevens.nl).

General Terms and Conditions

General conditions of Familienet (May 2018)

These are the general conditions of Familienet B.V., registered at the Netherlands Chamber of Commerce under number 04022404, in the following called ‘Supplier’.

1. General conditions Familienet

1.1 “Familienet” is the service which offers the secured on-line platform for communication and collaboration between Page-holder, family, acquaintances, and possibly professionals.

1.2 “Page-holder” (“Paginahouder”) is the person whom a page on Familienet concerns.

1.3 “Page administrator” is the Page-holder or authorised third party who obtains access to the page of Page-holder and who has the authority to invite users to the page of Page-holder and to attribute roles to these users.

1.4 An on-line page is opened for Page-holder on Familienet by Page-holder himself or by someone else with the consent of Page-holder. This secured on-line page offers Page-holder, Page administrator, and users with access to the relevant page the possibility to stay in contact with each other by posting messages, photos and other content, by sharing an agenda, and other matters. For this page, family, acquaintances, and possibly professionals can be invited.

1.5 Supplier only offers Familienet to Page-holder directly or indirectly through an organisation (in that case ‘the purchaser’) which appoints one or more Page administrators, and thereby access to Familienet is granted to Page-holder and Page administrators to increase the involvement of loved ones with the Page-holder. Supplier is not responsible for what users share with each other on the page of Page-holder.

1.6 Supplier reserves the right to modify or supplement these general conditions. Continued use after modification or supplementation of the general conditions is considered acceptance of the new general conditions.

2. Subscription

2.1 Supplier offers his services in the form of a subscription. A distinction is made between subscriptions which are taken out by private individuals themselves or by organisations for their clients. The current price list of the subscriptions, both for private individuals and for organisations, can be viewed on the website of Supplier.

2.2 A private individual can take a subscription on Familienet whereby he can create one page for himself as Page-holder or, if he is legally authorised to do so, for another Page-holder.

2.3 An organisation can take out a subscription for a bundle of pages for its clients. The organisation distributes the pages through the administrator environment of Familienet over the Page administrators to be appointed by it, and over their clients through e-mail or electronically in another form. The client in question then creates the page, himself or with the aid of a Page administrator, and will be its Page-holder.

2.4 The subscription starts at the moment of creation of the page or alternatively when a bundle of pages is made available for allocation, depending on what moment occurs sooner, and is tacitly extended upon the end of the subscription. In case of a periodic payment obligation, it applies that Supplier has the right to modify the applicable prices and rates at the term indicated in the agreement. If the agreement does not emphatically provide for the possibility of Supplier to modify the prices or rates, it applies that Supplier always has the right to modify the applicable prices and rates. If purchaser in the latter case does not wish to accept the modification, within thirty days after notification of the adjustment the agreement can be cancelled in writing, as of the date on which the new prices and/or rates become effective.

2.5 The subscription and consequently the subscription fee as well, in conformity with the rates applied by Supplier, can be extended by the Page administrator in accordance with article 3.4.

2.6 Supplier has the right to render inaccessible and/or remove the stored and processed information immediately after termination of the agreement.

3. Pages and administration

3.1 Before a page can be created by someone other than the Page-holder himself, the Page administrator must ascertain that the Page-holder has given permission for this.

3.2 All users who post content of whatever nature on a page must make sure that the Page-holder has granted permission for this. The Page-holder can always delete his own data.

3.3 When an organisation has taken out a subscription to provide pages to multiple Page-holders, the organisation appoints collaborators from their midst to attribute roles to clients, their loved ones, and collaborators of the organisation regarding the access to the pages of relevant Page-holders. Supplier only offers the options to organisations, in conformity with the selected subscription, to attribute roles through the administration environment and to distribute (access to) pages over Page-holders and Page administrators and their own collaborators and to subsequently manage them jointly with Page-holders and Page administrators, but Supplier himself will not act as administrator for an organisation or as an editor of pages.

3.4 Supplier proposes extension for the subscription in the form of applications or extra functionalities which can be added on the page of Page-holder. The subscription can be upgraded at all times with extra applications or extra functionalities. The rates which apply for aforementioned extensions can be viewed on the website of Supplier. Extensions can only be unsubscribed for towards the end of the effective time of the subscription.

4. Payment

4.1 All prices are in the stated currencies and exclusive of VAT and other government-imposed levies, unless it is expressly stated otherwise. Supplier does not accept any payments in another currency than indicated. In case of the omission of an indication of currency, all prices are in Euros. All offers or price quotations regarding Familienet are non-committal and revocable until the moment that Supplier confirms through electronic channels that the agreement with Page-holder is adopted, or when Supplier has started with the implementation of the agreement between parties.

4.2 Amounts owed are invoiced and collected each month from a private individual by Supplier by way of direct debit. For organisations, an invoice is sent which must be settled within 30 days. The private individual authorises Supplier to collect the amount automatically, unless it is established otherwise in writing.

4.3 The compensation is also owed if no use is made of Familienet. The compensation is paid prior to a term. Supplier is not obligated to refund subscription fees if no use is made of Familienet.

4.4 Supplier may immediately suspend his services if the payment obligations are not complied with. In case during the three subsequent months the payments are not settled, then Supplier will be authorised to remove the page(s) and the content. The blocking is removed at the moment that all payments have been settled.

4.5 With regard to the performances conducted by Supplier, and the amounts owed for this by the payer, the information from the records of Supplier constitutes full proof, without prejudice to the right of the purchaser to present evidence to the contrary.

5. Duration and cancellation

5.1 The subscription is tacitly extended after expiry of the term for the same duration as was established upon adoption of the subscription. After the tacit extension, the subscription can be cancelled at any time towards the end of the current term, with due regard for a notice period of 10 days.

5.2 A page can be cancelled on-line through the page of Page-holder, by Page-holder or Page administrator.

5.3 The page which is distributed and/or administered by an organisation to/for a Page-holder must be cancelled through the relevant organisation.

5.4 A Page-holder or Page administrator may not refuse to remove a page, unless this is necessary pursuant to a legal obligation or court order.

5.5 The cancellation of a subscription agreement between Supplier and an organisation is only possible in writing and with due regard for a notice period of 30 days prior to the end of the duration of the subscription.

6. Suspension and/or termination provision of services

6.1 Supplier reserves the right to send users a warning immediately, to block their page, or to further suspend access to Familienet and/or terminate it, if a user:

  • a. Does not observe the rules and conditions which are applicable at Familienet, or the documents which are an integral part of it.
  • b. Posts special categories of personal data, including health-related information, on the page of Page-holder, without parties having emphatically entered into a written agreement to that effect which prescribes appropriate measures and without taking these measures.
  • c. Processes information which is not in accordance with the purpose of Familienet. This at the discretion of Supplier.
  • d. Damages the image of Familienet illegitimately or uselessly.
  • e. Has created, made use of or modified a profile under a false name, or by using false data.
  • f. Has a page for which payments are no longer made to Supplier, for example because the relevant organisation has terminated its subscription with Supplier.
  • g. Has come to pass.

6.2 Supplier reserves the right to remove (parts of) the added information on Familienet if it is illegitimate or inappropriate or if it violates third-party rights, whether or not after complaints by third parties.

6.3 Supplier emphatically is not under the obligation to proactively enforce the rules pursuant to the law or this agreement and will in principle not carry out any controls or interventions, otherwise than after the receipt of complaints of third parties.

7. Liability and force majeure

7.1 Supplier is not liable for the actions or lack thereof by users, also including the sharing and the content of files, information and/or material which are made available through Familienet.

7.2 Supplier is not liable for damage resulting from force majeure, including technical malfunctions or an attributable shortcoming of users, or from the illegitimate actions of users.

7.3 Supplier is not liable in any case for consequential damage, including purely financial losses, loss of turnover and profit, loss of data and immaterial damage, which is related to or is the consequence of the services which Supplier implements and/or the use of Familienet.

7.4 Users safeguard Supplier against all third-party claims with regard to the added information. What information is added and shared is the responsibility of users. The purchaser of Supplier safeguards Supplier against all third-party claims regarding the use of Familienet by the collaborators of purchaser.

7.5 All exceptions and limitations to liability which are stipulated in these general conditions also apply to the benefit of all (legal) persons whose services Supplier makes use of for the implementation of the agreement. They lapse if and to the extent the damage is the result of intent or gross negligence on the part of the management of Supplier.

8. Personal data and security

8.1 Supplier protects personal data in accordance with the applicable law in the Netherlands and the European Union, more specifically in conformity with his own privacy statement and the general data protection regulation or its Netherlands version ‘Algemene Verordening Gegevensbescherming’ (AVG). Supplier only uses the data in the context of the provision of services regarding Familienet. The personal data are not provided to third parties, with the exception of personal data which are required for the conclusion and implementation of the agreement between Supplier and Page-holder or the organisation.

8.2 Supplier is only the ‘processor’ in the sense of the applicable legislation in the Netherlands and the European Union. Supplier processes the data by order and at the expense of the Page-holder or the organisation. The independent Page-holder and/or the organisation where the Page-holder is a client are the ‘data controllers’ which determine the purpose of and means for the use of Familienet. Between parties, the processor agreement applies, as it is published on the website of Supplier.

8.3 All users of Familienet must take appropriate security measures, both technical and organisational, to prevent unnecessary or excessive processing of (special categories of) personal data and to assure confidentiality. The log-in data must be handled with due diligence by all users. All users must take into account the wishes of the persons involved as well when posting pictures and other personal data.

8.4 The Page administrator makes sure that the Page-holder has emphatically given permission for the processing of his data on Familienet. The Page administrator makes sure that the Page-holder is fully involved in the processing of the data and is informed completely regarding the purposes of Familienet and the processing of his data. In case of legal incapacity, this emphatic permission will have to be obtained from the legal representative.

8.5 In principle, users of Familienet, such as Page administrators and Page-holders and any possible collaborators of the purchaser, grant permission to the other users to use their personal data in the context of Familienet. In the event they withdraw their permission for certain types of processing of their personal data, users can (let) remove parts or the entire page themselves, or (let) establish limitations to the use thereof. Page administrators and the collaborators of purchaser always take into account the wishes of Page-holders.

8.6 In principle, it is not permitted to use Familienet for the processing of special categories of personal data, such as health-related data. This is only different in case prior to the processing of the special data, parties have expressly entered into a written agreement to that effect which prescribes appropriate measures and parties also take these measures.

8.7 In addition, users may solely process special categories of personal data with Familienet, if the relevant Page-holder has granted his express consent for this and for well-defined purposes.

9. Intellectual property

9.1 The user who posts or has posted text and/or pictures and/or other content on the page of Page-holder guarantees Supplier that he is the copyright holder of the text and/or pictures and/or other content. If he is not the copyright holder, he guarantees that he has permission from the rights holder to post the text and/or pictures and/or other content. The person who posts text and/or pictures and/or other content safeguards Supplier beforehand completely against any possible third-party claims which somehow result from or are related to the posted material.

9.2 The user who in the capacity of rights holder posts text and/or pictures and/or other content, grants permission to the other users on the page of Page-holder to use that material for personal purposes. The user who is rights holder of the material also grants permission to Supplier to process the information in the context of Familienet.

9.3 Supplier may at all times remove or have removed messages in which he is mentioned by a user.

9.4 After a complaint about an (alleged) violation of the intellectual property of a third party, or in the event of reasonable doubt regarding the content of a message of a user, Supplier may block and/or remove the message.

10. Complaints

10.1 Complaints which regard Familienet must be communicated to Supplier in writing, through the website of Supplier or by e-mail.

10.2 Supplier exerts himself to respond within 14 days following receipt of the written complaint. If the complaint is legitimate, Supplier will do everything which can reasonably be expected of him to correct the situation.

10.3 Complaints do not confer the right to suspension of the payment obligation for still payable subscription fees and/or the refund of payments already made.

10.4 Page-holder or Page administrator can request the organisation to correct or supplement the information. Supplier will exert himself to handle this request as soon as possible. Due to technical limitations, this request may take a few days.

11. Other provisions

11.1 Supplier is not a party to the agreement which is concluded between an organisation and Page-holder and/or Page administrator. In case of disputes, they must resolve matters through mutual agreement.

11.2 To this agreement, Netherlands legislation is applicable.

11.3 Disputes which arise in connection with the agreement concluded between parties and/or in connection with further agreements which are its result, are settled by the competent court in the district in which Supplier is established.

11.4 Through the adoption of the agreement, Supplier obtains the express consent of the purchasers, in the event these are organisations, to publicise their company names and logos in the communications which Supplier posts on his website and social media.

11.5 These general conditions are applicable to all quotations, agreements, and contracts between parties, of whatever nature. The general (purchasing) conditions of Supplier or users of Familienet are not applicable.

Processor Agreement

PROCESSOR AGREEMENT (May 2018)

THE PARTIES TO THE AGREEMENT:

  • 1. The healthcare institution or user which/who purchases services from Familienet B.V. (in the following: “Data controller”); and
  • 2. Familienet B.V., established on Verlengde Hereweg 174 in Groningen and listed in the register of the Chamber of Commerce under number 04022404, for the present purpose legally represented by Maarten Bloemink Sr., director (subsequently “Processor”).

In the following also jointly referred to as: “Parties” and individually as “Party”.

CONSIDERING THAT:

  • (a) Processor carries out services for the benefit of Data controller, as described in the agreements described in Appendix 1.
  • (b) The services entail that Personal data are processed, including data regarding health.
  • (c) Processor processes the data in question exclusively by order of Data controller and not for own purposes.
  • (d) As of 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 (GDPR, or its Dutch implementation AVG) is applicable.
  • (e) Parties wish to establish the arrangements regarding the processing of Personal data in the context of the services in this Processor agreement.
  • (f) This Processor agreement, if applicable, replaces all previous Agreement(s) of equal tenor.

DECLARE TO HAVE AGREED AS FOLLOWS:

Article 1. Definitions

1.1. In this Processor agreement, the concepts below written with a capital letter have the following meaning:

  • a) ‘Algemene Verordening Gegevens Bescherming’ (AVG) or GDPR

    Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 regarding the protection of natural persons in connection with the processing of personal data and regarding the free traffic of those data, in replacement of Guideline 95/46/EC.
  • b) Data Subject

    An identified or identifiable natural person (article 4 sub 1 AVG/GDPR).
  • c) Third party

    A third party as intended in article 4 sub 10 AVG/GDPR.
  • d) Data Protection Officer

    An official as intended in article 37 ff. AVG/GDPR.
  • e) Incident

    • i A complaint or request (for information) of a Data subject regarding the processing of Personal data by Processor;
    • ii An investigation or seizure by government officials of the Personal data or a suspicion that this will take place;
    • iii A breach in connection with Personal data as intended in article 4 under 12 AVG/GDPR;
    • iv Any unauthorised access, removal, maiming, loss or any other form of illegitimate processing of the Personal data.
  • f) Collaborator

    The natural person engaged by Parties for the implementation of this Processor agreement who works at or for one of the Parties.
  • g) Agreement(s)

    The agreement(s) indicated in Appendix regarding the supply of products and/or services.
  • h) Party

    All information on an identified or identifiable natural person in the sense of article 4 under 1 AVG/GDPR.
  • i) Parties

    Data controller and Processor.
  • j) Personal data

    All information on an identified or identifiable natural person in the sense of article 4 under 1 AVG/GDPR.
  • k) Sub-processor

    Every non-subordinate third party which is involved by Processor in the processing of Personal data in the context of the Agreement, not being Collaborators.
  • l) Processor

    The processor as intended in article 4 sub 8 AVG/GDPR.
  • m) Processor agreement

    The underlying agreement.
  • n) Data controller

    The data controller as intended in article 4 sub 7 AVG/GDPR.
  • o) ‘Wet bescherming Persoonsgegevens’ (Wbp), Netherlands data protection legislation

    Law of 6 July 2000, comprising rules regarding the protection of personal data (Wbp), including later amendments.

1.2. The aforementioned and other concepts are interpreted in accordance with AVG/GDPR. Until 25 May 2018, concepts are interpreted in accordance with the comparable provision from Wbp.

1.3. Wherever reference is made in this Processor agreement to certain standards (such as NEN7510), its most recent version is always intended. To the extent the relevant standard is no longer maintained, the most recent version of the logical successor of the standard in question must be read in its stead.

1.4. Any possible deviations from the text are only effective to the extent they have been specified in Appendix 4. What is stipulated in Appendix 4 prevails over what is otherwise stipulated in this Processor agreement.

    Article 2. Object of this Processor agreement

    2.1.This Processor agreement regards the processing of Personal data by Processor by order of the Data controller in the context of the implementation of the Agreement(s).

    2.2.Parties conclude the Agreement(s) to use the expertise which Processor has in the matter of the processing and protecting of Personal data, for the purposes resulting from the Agreement(s) which are further described in this Processor agreement. Processor guarantees that he is qualified to that effect.

    2.3.This Processor agreement is an integral part of the Agreement(s). To the extent what is stipulated in this Processor agreement is in conflict with the provisions in the Agreement(s), what is stipulated in the Processor agreement prevails.

    Article 3. Implementation processing

    3.1.Processor guarantees that he will exclusively process personal data for Data controller to the extent:

    • a.)this is necessary for the implementation of the Agreement (within the context as specified in Appendix 1); or
    • b.)Data controller has given further instructions to that effect;

    3.2.In the context of what is stipulated in the first section of article 3 under a) Processor will exclusively process the Personal data specified in Appendix 1 in the context of the nature and purposes of the processing described in that appendix.

    3.3.Processor will follow all reasonable instructions of Data controller in connection with the processing of the Personal data. Processor immediately informs Data controller if in his opinion instructions violate the applicable legislation regarding the processing of Personal data.

    3.4.Without prejudice to what is stipulated in the first section of this article 3, it is permitted to Processor to process Personal data if a legal requirement (also including court or administrative orders based on it) obliges him to process. In that case, the Processor informs Data controller prior to the processing of the intended processing and the legal requirement, unless that legislation prohibits this notification on weighty grounds of public interest. Processor will enable Data controller, wherever possible, to defend themselves against this mandatory processing and will also otherwise limit the mandatory processing to

    3.5.Processor will process the Personal data demonstrably in an adequate and diligent manner, and in accordance with the obligations he is subject to as a Processor pursuant to AVG/GDPR, to the extent still applicable Wbp, and other legislation and regulations. In that context, Processor will at least maintain a register of processing as intended in article 30 AVG/GDPR and provide Data controller upon first request with a copy of that register.

    3.6.If the provision of services by Processor implies the processing of health-related data or other special Personal data, Processor guarantees that he will not act in violation of health-related legislation.

    3.7.Processor will not, unless he has obtained emphatic prior written permission from Data controller, process Personal data nor have it processed either by himself or by third parties located outside the European Economic Area (“EEA”).

    3.8.Processor assures that the involved Collaborators have signed a non-disclosure agreement and on request lets Data controller peruse this non-disclosure agreement.

    Article 4. Protection Personal data and control

    4.1.Processor will demonstrably take appropriate and effective technical and organisational security measures which, in view of the current state of the art and the associated costs, correspond with the nature (as specified in Appendix 1) of the Personal data to be processed, to protect the Personal data against loss, unauthorised cognisance, maiming or any form of illegitimate processing, as well as to guarantee the (temporary) availability of the data. Included in these security measures are such measures as may have been stipulated in the Agreement. The measures comprise in any case:

    • a.)measures to ensure that only authorised Collaborators have access to the Personal data, and only for the purposes set out;
    • b.)measures whereby Processor grants his Collaborators and Sub-processors access to Personal data exclusively through personal, named accounts, whereby the use of those accounts is adequately logged and whereby each account gives access only to those Personal data which the relevant (legal) person needs;
    • c.)measures to protect the Personal data against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure;
    • d.)measures to identify weaknesses in the processing of Personal data in the systems deployed for the provision of services to Data controller;
    • e.)measures to guarantee the timely availability of the Personal data;
    • f.)measures to ensure that the Personal data are processed logically separated from the Personal data which Processor processes for himself or on behalf of third parties;
    • g.)the further measures agreed between Parties as set out in Appendix 2.

    4.2.Processor demonstrably works in accordance with ISO27001 and/or NEN 7510 and has implemented an appropriate, written security policy for the processing of Personal data, in which the measures mentioned in the first section of this article 4 have at least been stipulated.

    4.3.Processor is demonstrably compliant with the security measures for network connections as described in NEN7512.

    4.4.Processor is demonstrably compliant with the requirements regarding logging as described in NEN7513.

    4.5.Processor is demonstrably compliant with the requirements of other NEN-standards, to the extent they have been declared applicable to healthcare.

    4.6.Upon first request of Data controller, Processor will present a valid certificate issued by an independent expert third party, if he has such a certificate at his disposal, which demonstrates that Processor is compliant with the obligations under this article.

    4.7.Data controller has the right to monitor, or have monitored, compliance with the measures mentioned above under article 4.1 through 4.4. If Data controller so requests, Processor will enable Data controller at least once a year to audit, or have audited, compliance, at a time to be agreed between Parties, and additionally whenever Data controller sees grounds for doing so in connection with (suspected) information or privacy incidents. Processor will provide all reasonable assistance for such an investigation. Processor will follow, within a reasonable term, any reasonable instructions issued by Data controller in connection with such an investigation regarding the modification of the security policy.

    4.8.Parties acknowledge that security requirements change constantly and that effective security requires frequent evaluation and regular improvement of outdated security measures. Processor will therefore periodically evaluate the measures implemented pursuant to this article 4 and, where necessary, improve them in order to remain compliant with the obligations under this article 4. The preceding leaves unaffected the authority of Data controller to instruct that additional measures be taken wherever necessary.

    Article 5. Monitoring, information obligations, and incident management

    5.1.Processor will monitor actively for breaches of the security measures and report on the results of the monitoring in accordance with this article 5 to Data controller.

    5.2.As soon as an Incident occurs, has occurred or may occur, Processor is obligated to immediately inform Data controller accordingly and thereby to provide all relevant information about:

    • 1)the nature of the Incident;
    • 2)the Personal data which are (possibly) affected;
    • 3)the identified and the probable consequences of the Incident; and
    • 4)the measures which have been or will be taken to resolve the Incident or alternatively to limit the consequences/damage as much as possible.

    5.3.Processor is obligated, without prejudice to the other obligations under this article, to take the measures which can reasonably be expected of him to resolve the Incident as soon as possible or otherwise to limit its further consequences as much as possible. Without delay, Processor enters into consultation with Data controller in order to make further arrangements in this regard.

    5.4.Processor will give Data controller assistance at all times and will follow the instructions of Data controller and enables Data controller to conduct an adequate investigation of the Incident, formulate a correct response and take appropriate follow-up steps with regard to the Incident, also including informing the monitoring authority ‘Autoriteit Persoonsgegevens’ (AP) and/or the Data subject, as stipulated in article 5.8.

    5.5.Processor will have available at all times written procedures which enable him to provide Data controller with an immediate response regarding an Incident, and to effectively cooperate with Data controller to settle the Incident. Processor will provide Data controller with a copy of such procedures if Data controller so requests.

    5.6.Reports made pursuant to article 5.2 are directed immediately to Data controller or, if relevant, to those Collaborators of Data controller whom Data controller has designated in writing during the term of this Processor agreement. If Data controller has appointed a Data Protection Officer (DPO), the reports are directed to this DPO.

    5.7.Processor is not permitted to provide information about Incidents to data subjects or other third parties, except to the extent that Processor is legally obliged to do so or Parties have agreed otherwise.

    5.8.If and to the extent Parties have established that Processor maintains direct contact with the authorities or other third parties with regard to an Incident, then Processor will constantly keep the Data controller informed.

    Article 6. Assistance obligations

    6.1.AVG/GDPR and other (privacy) legislation attributes certain rights to the Data Subject. Processor will offer his full and timely assistance to Data controller for compliance with the obligations which Data controller is subject to pursuant to these rights.

    6.2.A complaint received by Processor or a request of Data subject with regard to the processing of Personal data is forwarded by Processor without delay to Data controller.

    6.3.Upon first request of Data controller, Processor will provide Data controller with all relevant information regarding the aspects of the processing of Personal data conducted by him, so that Data controller, also by way of that information, can demonstrate compliance with the applicable (privacy) legislation.

    6.4.Processor will furthermore, upon first request of Data controller provide all necessary assistance for compliance with the legal obligations to which Data controller is subject pursuant to the applicable privacy legislation (such as the conducting of a privacy impact assessment).

    Article 7. Deployment of sub-processors

    7.1.Processor will not outsource his activities consisting of the processing of Personal data to a Sub-processor, nor have Personal data processed by a Sub-processor, without the prior written consent of Data controller. The preceding does not apply to the Sub-processors indicated in Appendix 1.

    7.2.To the extent Data controller agrees with the deployment of a Sub-processor, Processor will impose on this Sub-processor the same or stricter obligations than those resulting for him from this Processor agreement and legislation. Processor will record these arrangements in writing and will monitor compliance with it by the Sub-processor. Upon request, Processor will provide Data controller with a copy of the agreement(s) concluded with the Sub-processor.

    7.3.Despite the permission of Data controller for the deployment of a Sub-processor who (partially) processes data by order of the Processor, Processor remains fully liable towards Data controller for the consequences of the outsourcing of activities to a Sub-processor. The consent of Data controller for the outsourcing of activities to a Sub-processor does not affect the fact that for the deployment of Sub-processors in a country outside the European Economic Area permission is required in accordance with article 3.7 of this Processor agreement.

    Article 8. Liability

    8.1.Parties are both responsible and liable for their own actions.

    8.2.Any limitation of liability in the Agreement, mutatis mutandis, is also applicable to this Processor agreement, under the proviso that:

    • a.)Any (implicit or explicit) exclusions of liability for loss and/or corruption of Personal data are precluded;
    • b.)Any possible (implicit or explicit) exclusions of liability for fines imposed by AP or another monitoring agency which are directly related to an attributable shortcoming of Processor, or to an action or lack thereof attributable to Processor, are precluded.

    8.3.Processor safeguards Data controller against and indemnifies the Data controller for all claims, actions, third-party claims, as well as fines from AP, which flow directly from an attributable shortcoming by Processor and/or his sub-contractors/Sub-processors in complying with his obligations under this Processor agreement and/or any violation by Processor and/or his sub-contractors/Sub-processors of the applicable legislation in the field of the processing of Personal data.

    8.4.To the extent Parties are severally and jointly liable towards third parties, also including the data subject, or if a fine is imposed on them jointly by AP they are obligated towards each other, each for the part of the debt which concerns them in their mutual relationship, in accordance with what is stipulated in Volume 6, Title 1, Department 2 of the Netherlands Civil Code, ‘Burgerlijk Wetboek’, to contribute to the debt and the costs, unless AVG/GDPR stipulates otherwise, in which case AVG/GDPR prevails.

    8.5.To the extent no limitation of liability for Data controller is stipulated in the Agreement, the limitation for Processor referred to in article 8.2 also applies to Data controller.

    8.6.Any limitation of liability furthermore lapses for the relevant Party in case of intent or gross negligence on the part of that Party.

    8.7.Parties take care of sufficient coverage for the liability.

    Article 9. Costs

    9.1.The costs of the processing of data which are inherent to the normal implementation of the Agreement are deemed to be included in the remuneration already owed pursuant to the Agreement.

    9.2.Any support or any other additional services which Processor must provide on grounds of this Processor agreement, or which is requested by Data controller, including all requests for additional information, will be charged to Data controller in accordance with the rates specified in Appendix 3.

    9.3.The preceding provision is not applicable if the activities are related to a shortcoming of Processor under this Processor agreement. The activities will in that case be conducted free of charges (without prejudice to the right of Data controller to claim the damage effectively incurred from Processor).

    Article 10. Duration and termination

    10.1.This Processor agreement enters into effect on the date of signing and the duration of this Processor agreement is equal to the duration of the Agreement(s) mentioned in Appendix 1, including any possible extensions thereof.

    10.2.After its signing by both Parties, the Processor agreement is an integral and inextricable part of the Agreement(s). Termination of the Agreement(s), on whatever grounds (cancellation/rescission), results in the Processor agreement being terminated on the same grounds (and vice versa), unless Parties in such case as may occur establish otherwise.

    10.3.Obligations which by their nature are intended to continue after termination of this Processor agreement remain effective after such termination. These include, for instance, the provisions resulting from the clauses regarding non-disclosure, liability, dispute settlement, and applicable law.

    10.4.Each of the Parties has the right, without prejudice to what is stipulated in this regard in the Agreement, to suspend the implementation of this Processor agreement and the associated Agreement, or to rescind it without judicial intervention with immediate effect, if:

    • a.)the other Party is liquidated or otherwise ceases to exist;
    • b.)the other Party demonstrably falls short (gravely) in the fulfilling of the obligations which flow from this Processor agreement and this attributable shortcoming has not been corrected within 30 days following a written default notice to that effect;
    • c.)a Party has been declared bankrupt or applies for suspension of payment.

    10.5.Considering the great dependence of Data controller on Processor, as well as the continuity risk in the event of incidents and calamities (such as bankruptcy), Processor hereby declares himself willing, for such cases and upon first request of Data controller, to make additional arrangements with Data controller to reduce the aforementioned risks. These additional arrangements may, for example, consist of:

    • a.)arrangements for periodically returning the data processed by Processor to Data controller or supplying them to a third party; and/or
    • b.)the conclusion of an agreement with a third party under which that third party commits itself jointly and severally to, or lodges security for, compliance with the Agreement; and/or
    • c.)the conclusion of a (tri-partite) agreement with a third party which provides for that third party (continuously) obtaining control over all information required to, if the case arises, (start to) perform (a part of) the services to be provided pursuant to the Agreement, whether or not on the basis of a new agreement, instead of or in parallel with Processor.

    10.6.Processor has an exit-plan for compliance with all obligations from this Processor agreement, in case the Agreement or the Processor agreement is terminated (prematurely). Upon first request of Data controller, Processor hands over a copy of this plan.

    10.7.Data controller has the right to rescind this Processor agreement and the Agreement with immediate effect if Processor indicates he cannot (any longer) comply with the reliability requirements which are established for the processing of Personal data pursuant to developments in legislation and/or jurisprudence.

    10.8.Processor must inform Data controller in advance and in good time about an intended take-over or transfer of ownership.

    10.9.Processor is not permitted to transfer this Processor agreement, or the rights and obligations associated with it, to a third party without the express written permission of Data controller.

    Article 11. Retention periods, returning and destruction of Personal data

    11.1.Processor does not retain the Personal data for any longer than is strictly necessary, including the statutory retention periods or any arrangement regarding retention terms as may have been concluded between Parties, as established in Appendix 1. Under no circumstance does Processor keep the Personal data for any longer than until the end of this Processor agreement. Data controller decides whether and if so for how long data must be kept.

    11.2.Upon termination of the Processor agreement, or if applicable at the end of the agreed retention periods, or upon written request of Data controller, Processor will, against reasonable costs and at the discretion of Data controller, definitively destroy (or have destroyed) the Personal data or return them to Data controller. Upon request of Data controller, Processor provides evidence that the data have been definitively destroyed or removed. Any return of data will take place in a generally customary, structured and documented data format, through electronic channels. If return, definitive destruction or removal is not possible, Processor will immediately inform Data controller accordingly. In that case, Processor guarantees that he will treat the Personal data confidentially and will no longer process them.

    Article 12. Intellectual property rights

    12.1.To the extent the (collection of) Personal data is protected by any intellectual property right, Data controller grants permission to Processor to use the Personal data in the context of the implementation of this Processor agreement.

    Article 13. Final provisions

    13.1.The considerations are a part of this Processor agreement.

    13.2.In case of the nullity and/or annullability of one or more provisions from this Processor agreement, the other provisions remain fully effective.

    13.3.In all cases for which this Processor agreement does not provide, Parties decide through mutual agreement.

    13.4.To this Processor agreement, Netherlands legislation is applicable.

    13.5.Parties will make every effort to resolve conflicts through mutual agreement. This includes the possibility of settling the dispute through mediation or arbitration agreed between Parties.

    13.6.Disputes about or in connection with this Processor agreement are exclusively submitted to the court or arbiter(s) indicated for this purpose in the Agreement.

    Appendix 1 : Agreements, description Personal data, nature processing, etc.

    This Processor agreement is an appendix to the subsequent Agreements and regards the following types of processing of Personal data.

    • Effective date contract

      See Agreement
    • Reference/number/title contract

      See Agreement
    • Short description services

      Delivery of the on-line platform ‘Familienet’ for communications with and about clients.
    • Nature of the processing

      All clients of the healthcare institution have a secure personal page. Here, Collaborators and family share messages, pictures, videos, an agenda, and the book of life. In this way, everyone is well-informed and cooperation improves.
    • Type of Personal data

      Names, pictures, videos, text, documents, and other messages of and about data subjects, but in principle no health-related information.
    • Categories of data subjects

      Clients, family-members, collaborators.
    • Purposes of the processing

      The enabling of communication between healthcare institution, client, and family.
    • Approved sub-processors

      See appendix 4.
    • Arrangements retention periods

      For as long as the Agreement is effective, plus a term of a maximum of 30 days after, in connection with the back-up-systems of Processor.
    Appendix 2 : Description further security measures

    More specifically, Processor also applies the following security measures:

    • the use of encrypted connections (including the HTTPS connection of the website of Processor);
    • controls against the OWASP Top 10 security threats (www.owasp.org) during the Assignment and upon the development of new services;
    • access to Personal data by staff of Processor only where required for the execution of their tasks and under a contractual non-disclosure obligation;
    • the use of authorisation systems for access to the service and the Personal data;
    • the conclusion of appropriate processor agreements with suppliers;
    • the use of alarm systems, including with a connection to security services or the police;
    • the use of user profiles with the assignment of user rights;
    • the use of authorisation and authentication systems;
    • the use of secured SSL/TLS connections for transmissions;
    • the use of anti-virus software;
    • a strict selection of hosting providers which are compliant with NEN 7510 and ISO 27001, with which appropriate (sub-)processor agreements are concluded.
    Appendix 3 : Specific rates

    Not applicable. See Agreement.

    Appendix 4: Amendments to the standard text

    Parties expressly agree the following deviations from the standard text of the Processor agreement:

    • Art. 4.2 through 4.7
      Text lapsing The entire article sections.

      Substitute text Processor only deploys hosting providers which have demonstrably implemented an appropriate, written security policy, in conformity with ISO27001 and/or NEN 7510, for the processing of Personal data deriving from Processor.

      Reason Processor will in principle not process medical or health-related data with their general communication platform.

    • Art. 7.1
      Text lapsing Processor will not outsource activities consisting of the processing of Personal data to nor demand that Personal data will be processed by a Sub-processor without the prior written consent of Data controller. The preceding is not applicable to the Sub-processors indicated in Appendix 1.

      Substitute text Processor will only outsource his activities consisting of the processing of Personal data to, or have Personal data processed by, a Sub-processor if the latter is established within the European Union and has signed an appropriate processor agreement with Processor.

      Reason The new text provides sufficient assurances and avoids Parties having to first arrange a written contract in case of changes to, for example, communication and hosting services.

    • Art.10.6
      Text lapsing The entire article section.

      Substitute text None.

      Reason The service of Processor enables Data controller to download their own data. This renders superfluous an exit-plan.

    • Art. 11.2
      Text lapsing On request of Data controller, Processor provides proof of the fact that the data have been definitively destroyed or removed. Any return of data will take place in a generally customary, structured and documented data format, through electronic channels.

      Substitute text None.

      Reason Proof of destruction (demonstrating that something is not present) is impossible to provide. In addition, the service of Processor enables Data controller to download the data themselves in a current format.

    • Art. 13.6
      Text lapsing None.

      Substitute text In addition: If no competent court has been selected, the court of law in the district of Processor will be exclusively competent.

      Reason Solely additional clarity regarding the competent court of law.