Data Processing Agreement Founders Finance B.V.

The private limited liability company Founders Finance B.V. with its registered office and principal place of business at Nieuwe Teertuinen 25a in (1013 LV) Amsterdam, registered with the Chamber of Commerce under commercial register number 69951276 (hereinafter also referred to as “Service Provider” or “we” or “us”), processes personal data.

We are committed to protecting your privacy and therefore process personal data in strict accordance with the General Data Protection Regulation (hereinafter also referred to as “GDPR”), which is in force in all EU Member States as from 25 May 2018.

When a controller (you as a business owner) engages a processor (a party such as Service Provider in this case) to process personal data, you are obliged by law, in your capacity as controller, to enter into written (or equivalent) agreements with the processor (Service Provider) on a number of matters as stipulated in the GDPR.

For your convenience, we have drawn up this processing agreement to ensure that you and we act in accordance with the GDPR. 

The parties to this agreement are therefore Service Provider and the Client (hereinafter referred to as the “Controller”), as stated in the initial Assignment that the Controller has given to Service Provider (hereinafter also referred to as the “Processor”). Processor and the Controller are hereinafter jointly referred to as the “Parties”.

WHEREAS:

A. Service Provider operates a financial and administrative consultancy firm and provides services to the Controller;

B. Service Provider, in the performance of the Assignment, uses the digital platform developed by a group company for the recognition, processing and archiving of administrative documents in an accounting environment;

C. Service Provider uses the payroll software applications developed by Nmbrs in the performance of the Assignment;

D. Service Provider uses the tax software applications developed by Exact in the performance of the Assignment;

E. The provision of services necessarily entails that personal data originating from or channelled through the Controller are made available to Service Provider and are processed by Service Provider in the software applications as referred to at B, C and D;

F. The Controller wishes to have certain forms of processing of the Personal Data carried out by Service Provider and Service Provider is willing to process the Personal Data;

G. Service Provider will process the Personal Data concerned solely on the instructions of the Controller and not for its own purposes;

H. In view of the provisions of the GDPR regarding the processing of personal data, the Parties wish to set out their agreements on the work and the legal relationship between them in this processing agreement (hereinafter also referred to as the “Processing Agreement”).

HAVE AGREED AS FOLLOWS:

1. Definitions:

GDPR: The General Data Protection Regulation (2016/679), including its implementation Act;

Data Subject: an identified or identifiable natural person; the person to whom the Personal Data relates.

Data Breach: any situation in which, due to a security incident, Personal Data is inadvertently accessed by an unauthorised person, lost, destroyed, changed or unlawfully processed, as defined in Article 4.12 GDPR.

Assignment: the services that Service Provider provides to the Controller, including the processing of the Controller’s administrative accounts and related services, and any other form of cooperation, in which Service Provider processes Personal Data for which the Controller is responsible within the meaning of the GDPR, regardless of the legal nature of the agreement under which this is done.

DPIA: Data Protection Impact Assessment as referred to in the GDPR.

Personal Data: any information about an identified or identifiable natural person that the Processor obtains from the Controller in connection with the performance of the Assignment.

Subprocessor: any party engaged by Service Provider to process, on the instruction of Service Provider, the Personal Data in respect of which Service Provider has been authorised by the Controller on the basis of this Processing Agreement.

2. The Data Subjects

1. In the performance of the Assignment, Service Provider processes Personal Data of Data Subjects. The Data Subjects whose Personal Data are processed are:

  • Employees in the service of the Controller
  • Clients of the Controller
  • Visitors to the Controller’s website
  • Suppliers providing goods or services to the Controller
  • Partners and/or other family members of the Controller

2. Data of other Data Subjects will not be processed by Service Provider for the Controller.

 

3. Processing

1. Service Provider undertakes to carry out the Assignment for the Controller subject to the conditions of this Processing Agreement and in accordance with the GDPR and/or other applicable laws and regulations.

2. The Controller will have and retain full control over the Personal Data. Service Provider will process the Personal Data in a proper and careful manner. 

3. Service Provider will process the Personal Data solely for the Assignment in accordance with the written instructions given by the Controller, in accordance with the purposes and means determined by the Controller and with due observance of the retention periods determined by the Controller.

4. Service Provider will not engage any Subprocessor(s) other than those already referred to at B, C and D without the prior written consent of the Controller. The Controller hereby gives Service Provider its written consent to engage the Subprocessors referred to at B, C and D for the processing of Personal Data.

5. KbB will impose the same obligations on the Subprocessors as the Controller has imposed on Service Provider in this Processing Agreement.

6. Service Provider will remain responsible toward the Controller for the proper performance of this Processing Agreement.

7. Service Provider will inform the Controller at the time Service Provider starts sharing Personal Data with the Subprocessor.

4. Rights of data subjects 

1. In so far as possible, Service Provider will assist the Controller in performing its obligations to handle requests regarding the exercise of rights of Data Subjects. If Service Provider receives requests directly from Data Subject(s) to exercise their rights (e.g. accessing, changing or deleting Personal Data), Service Provider will forward these requests to the Controller. The Controller will handle these requests itself, with Service Provider providing assistance if it has access to the Personal Data concerned in the context of the Assignment. Service Provider may charge costs for this.

5. Data Protection Impact Assessment

1. Service Provider will support and cooperate with the Controller to comply with the implementation of a DPIA in the event that the Controller is required to carry out a DPIA.

2. Service Provider will support and cooperate with the Controller in the implementation of new security or other measures to be taken following a DPIA. 

3. Service Provider will only charge the Controller reasonable costs incurred in performing these obligations. These reasonable costs amount to EUR 60 per hour (price level as of July 1, 2024, and annually indexed based on the service price index as determined and published by the CBS). 

4. Service Provider will support and cooperate with the Controller in the implementation of new security and other measures to be taken following other analyses and changes, such as amendments to – or provide information about amendments to – legislation.

6. Security Measures

1. Service Provider will take all appropriate technical and organisational measures to adequately secure the Personal Data and keep it secure against loss or any form of careless, incompetent or unlawful use or processing, taking into account the prior art. The technical and organisational measures are listed in Appendix 2. By entering into this processing agreement, the Controller declares that it has taken note of the technical and organisational measures taken by Service Provider and that these measures are appropriate in the opinion of the Controller.

2. Service Provider guarantees that persons acting under its authority are contractually bound to confidentiality and will only process Personal Data lawfully and in accordance with this Processing Agreement, the GDPR and/or other applicable laws and regulations. 

3. If Service Provider fails to take appropriate technical and organisational security measures and subsequently fails to take appropriate measures within a reasonable period set by the Controller, the Controller will be entitled, without prejudice to its other rights arising from this Processing Agreement and/or the law, to implement these measures, or have them implemented, at the expense of Service Provider.

4. Service Provider will immediately notify the Controller in detail of any Data Breach concerning the Personal Data. Service Provider will do so within 24 hours after discovery of the Data Breach. Service Provider will not charge any costs for this.

5. At the Controller’s request, Service Provider will provide the Controller with information regarding the measures taken to comply with the obligations under the GDPR and/or other applicable laws and regulations, this Processing Agreement and the Controller’s other instructions. 

6. The Controller is responsible for reporting Data Breaches to the Dutch Data Protection Authority and any Data Subjects, and for the prompt handling of requests from Data Subjects. 

7. Overview of processing 

1. If necessary, Service Provider will keep a processing register of all Personal Data it processes for the Controller in the context of the Assignment. This overview will in any event include its name, contact details and the name of the Controller for which it processes Personal Data, the categories of Personal Data it processes for the Controller and a description of the security measures taken. 

8. Liability

1. If Service Provider incurs a loss as a result of an attributable failure on the part of the Controller in the performance of this Processing Agreement, the Controller will be liable toward Service Provider.    

2. By signing this Processing Agreement, the Controller declares that it has taken out adequate insurance against any liability toward Service Provider or third parties, including but not limited to Data Subject(s).  

3. Service Provider will not be liable toward the Controller for any loss incurred by the Controller as a result of the performance and/or termination of this Processing Agreement and/or the Assignment, including but not limited to any fines imposed by the Dutch Data Protection Authority. Service Provider will also not be liable toward the Controller for indirect loss, including but not limited to consequential loss, lost profit, loss due to business interruption and/or loss incurred by third parties. 

4. Furthermore, Service Provider will not be liable toward the Controller for any other loss incurred by the Controller that in any way relates to or arises from this Processing Agreement, or at least its performance, except in so far as intent or gross negligence on the part of Service Provider exists.   

5. Service Provider’s liability toward the Controller will in any event be limited to the amount that will be paid out under Service Provider’s liability insurance in the relevant case.  

6. If Service Provider’s liability insurance does not pay out, Service Provider’s liability will in any event be limited to the total amount of the compensation the Controller will receive pursuant to the Assignment.

7. The Controller will indemnify Service Provider against claims brought by any party against the Controller that relate to or arise from the performance of the services provided by Service Provider to the Controller or third parties. 

9. Transfer of Personal Data

1. Service Provider will only process the Personal Data in countries located in the European Union, unless the Controller has given its consent for a transfer of personal data outside of the European Union. 

2. Service Provider will notify the Controller of the country or countries in which the Personal Data will be processed. Service Provider will also do so if the Personal Data have erroneously been transferred to a country due to a Data Breach or otherwise.

10. Confidentiality

1. All Personal Data that Service Provider receives and/or collects in the context of the Assignment is subject to a duty of confidentiality toward third parties. Service Provider and all persons employed by or working for Service Provider are obliged to maintain confidentiality with regard to the Personal Data.

2. Service Provider will ensure that all people who work for Service Provider are obliged to maintain confidentiality.

3. This duty of confidentiality will not apply if the Processing Agreement provides otherwise and/or in so far as any statutory provision or judgment obliges disclosure. 

4. Service Provider will notify the Controller immediately of any request for inspection or provision of the Personal Data or any other type of request for and notification of the Personal Data that is contrary to the duty of confidentiality laid down in this clause. Service Provider will do so within 24 hours after discovery of the Data Breach.

11. Duration and termination

1. This Processing Agreement will enter into effect between the Parties on the date the Controller has accepted this Processing Agreement online via Service Provider’s dashboard.

2. This Processing Agreement is entered into for a period equal to the period of the Assignment. If the period of the Assignment is extended, this Processing Agreement will be extended by the same period. Termination of the Contract for Services will cause this Processing Agreement to end at the same time.

3. If this Processing Agreement ends or is dissolved, the provisions of this Processing Agreement regarding confidentiality, liability and all other provisions, which by their nature are intended to continue after termination or dissolution of this Processing Agreement, will remain in force.

12. Destruction of Personal Data

1. Service Provider will make all Personal Data available to the Controller at the Controller’s first request, but no later than within ten working days after the end of this Processing Agreement or the Assignment.

2. At the Controller’s first request, Service Provider will be obliged to completely and irrevocably delete all Personal Data.

3. As soon as it has been established that the Controller has all Personal Data at its disposal in a format accepted in writing by the Controller, Service Provider will completely and irrevocably delete all Personal Data within fourteen days.

4. Service Provider may deviate from the provisions of paragraphs 1 and 2 of this clause in so far as there is a statutory retention period regarding the Personal Data or in so far as this is necessary to prove performance of its obligations toward the Controller.

13. Audit

1. The Controller is entitled to audit compliance with the provisions of this Processing Agreement at most once per year. After Service Provider has given its consent, the Controller may perform the audit itself or have it performed by an independent registered accountant, a registered information scientist or another auditor certified for this purpose. 

2. The Controller will bear the costs of the audit. If Service Provider fails in the performance of an obligation pursuant to this processing agreement, Service Provider will remedy that failure in the shortest possible period.

3. The Controller will inform Service Provider of the audit at least ten days in advance, accompanied by a description of the parts the audit pertains to and the auditing process.

14. Non-binding provision

1. If one or more provisions of this Processing Agreement are declared non-binding in court or are otherwise found non-binding for whatever reason, this will not affect the validity of the other provisions of the Processing Agreement. In such case, the Parties will hold discussions in order to replace the non-binding provision or provisions with binding provisions that deviate as little as possible from the provision or provisions deemed non-binding, taking due account of the purpose and scope of the original provisions and this Processing Agreement.

15. Other

1. This Processing Agreement may only be amended in writing between the Parties.  

2. This Processing Agreement contains the entire agreement between the Parties with regard to the subjects and agreements laid down in this Processing Agreement. This Processing Agreement supersedes all other previous written or oral agreements between the Parties.

16. Applicable law and choice of forum

1. This Processing Agreement and all amendments thereto will be governed by Dutch law. 

2. The Parties declare that the District Court of Amsterdam has exclusive jurisdiction to hear any disputes arising, directly or indirectly, from this Processing Agreement.

Click here for the appendix.