GDPR Data Processing Agreement
MUSTHAVE web applications, among other things, processes personal data for and on behalf of the customer because the customer has a software user agreement with MUSTHAVE web applications. MUSTHAVE web applications and the customer are therefore required by the General Data Protection Regulation (GDPR) to conclude a Processor Agreement. Because MUSTHAVE web applications provides a standard application (WATCH Project Management) with the associated standard services, MUSTHAVE web applications has included the processing agreement in the General Terms and Conditions.
MUSTHAVE web applications is the 'processor' and the customer is the 'controller'. MUSTHAVE web applications and the customer commit themselves to comply with the General Data Protection Regulation (GDPR). For the definitions of terms, reference is made to the GDPR. MUSTHAVE web applications will only process the personal data for and on behalf of the customer and to implement the software user agreement.
The processing consists of making the WATCH Project Management web application available with the data entered and generated by the customer. MUSTHAVE web applications will not add, modify or remove any data without the customer's specific instructions.
Within the applications that MUSTHAVE web applications makes available, different types of personal data can be recorded (customer, contact and employee data). MUSTHAVE web applications is aware that the customer can enter all of these, as well as any further personal details or categories the customer creates, and that MUSTHAVE web applications will then process them. The customer is responsible for assessing whether the purpose and nature of the processing fits in with the services provided by MUSTHAVE web applications.
MUSTHAVE web applications is aware that the information that the customer shares with MUSTHAVE web applications and stores within WATCH Project Management is of a secret and business-sensitive nature. All MUSTHAVE employees will handle customer information responsibly during their employment and afterwards.
Employees with access to customer data
System administrators of MUSTHAVE web applications have full access to customer data for:
- installing a new version;
- implementing patches and hotfixes;
- making the daily backup;
- moving data between servers used by MUSTHAVE.
Consultants, support staff and other MUSTHAVE employees only have access to the customer data if they have received permission from the customer and for as long as they have permission from the customer.
MUSTHAVE web applications takes appropriate technical and organizational measures to protect the personal data of the customer against loss or any form of unlawful processing. The customer is entitled, in consultation with MUSTHAVE web applications, to check compliance by an independent expert during the term of the agreement, for example by performing an audit. The customer will bear all costs associated with this check.
MUSTHAVE web applications is liable for damage in the context of personal data due to acts or omissions of the sub-processor where the limitation of liability from the general terms and conditions (article 10) applies. The applicable liability limitation does not apply if there is gross negligence or wilful misconduct on the part of the sub-processor. MUSTHAVE web applications is also not liable in case of force majeure (as defined in the general conditions article 11) on its own or on the part of the sub-processor.
If the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) gives the customer, as controller, a binding instruction, the customer must immediately inform MUSTHAVE web applications of this binding instruction. MUSTHAVE web applications will do everything that can reasonably be expected of it to make compliance possible. If MUSTHAVE web applications does not do what is reasonably expected of it, resulting in a fine, or if the Dutch Data Protection Authority immediately imposes a fine because of intent or serious culpable negligence on the part of MUSTHAVE web applications, then the applicable liability limitation in the general terms and conditions (article 10) does not apply.
MUSTHAVE web applications processes customer data in the data centres of Mihosnet B.V., which makes Mihosnet B.V. a sub-processor. The data centres that MUSTHAVE web applications uses are located exclusively in the Netherlands (Almere), are subject to Dutch laws and regulations, and comply with strict Dutch and European legislation regarding logical and physical access security and continuity. The data centres are at least ISO 27001 certified. The processor agreement between MUSTHAVE web applications and Mihosnet B.V. is available on request for the customers of MUSTHAVE web applications.
The (personal) data is processed exclusively by MUSTHAVE web applications and sub-processors within the European Economic Area.
MUSTHAVE web applications will not allow new sub-processors to process data without informing the customer in a timely manner. The customer can lodge an objection to the new sub-processor with MUSTHAVE web applications. Should MUSTHAVE web applications decide to have data processed by the new sub-processor, the customer has the option to terminate the agreement.
MUSTHAVE web applications has no control over the personal data made available by the customer. Except where necessary given the nature of the assignment given by the customer, with the explicit permission of the customer, or under a legal obligation, MUSTHAVE web applications will not provide the data to third parties or process it for purposes other than the agreed purposes. The customer guarantees that the personal data may be processed on the basis of the rules stated in the GDPR.
The customer is responsible for the data entered about data subjects and thereby for informing data subjects and assisting them in exercising their rights. MUSTHAVE web applications will never respond to requests from data subjects and will always refer them to the controller. MUSTHAVE web applications will, to the extent that is possible within the application, cooperate with the customer so that the customer can comply with its legal obligations in the event that a data subject exercises their rights under the GDPR or other applicable regulations concerning the processing of personal data.
Data breach reporting obligation
The GDPR requires that any data breaches are reported to the Dutch Data Protection Authority by the data controller. MUSTHAVE web applications will therefore not report to the Dutch Data Protection Authority itself. Naturally, MUSTHAVE web applications will correctly, timely and fully inform the customer about relevant incidents, so that the customer can meet his legal obligations as a controller. The Policy Rules for the reporting of data breaches of the Dutch Data Protection Authority provide more information about this.
If the customer makes a (provisional) report to the Data Protection Authority and/or the person(s) concerned about a data breach at MUSTHAVE web applications, without the customer having previously discussed this with MUSTHAVE web applications, then the customer is liable for the damage and costs suffered by MUSTHAVE web applications. The customer is also obliged to immediately withdraw such a notification.
Determination of a data breach
In October 2017, the European privacy regulators published guidelines on the reporting obligation for data breaches under the GDPR. To determine a data breach, MUSTHAVE web applications uses these guidelines.
Report to the customer
If it turns out that MUSTHAVE web applications has a security incident or data breach, MUSTHAVE web applications will inform the customer about this as soon as possible after MUSTHAVE web applications has become aware of the data breach. To realize this, MUSTHAVE web applications ensures that all its employees are and remain able to detect a data breach, and MUSTHAVE web applications expects its contractors to enable MUSTHAVE web applications to comply with this. To be clear: if there is a data breach at a supplier of MUSTHAVE web applications, then MUSTHAVE web applications will of course also report this. MUSTHAVE web applications is the contact point for the customer. The customer does not have to contact the suppliers of MUSTHAVE web applications.
Inform customer (set contact person)
In the first instance, MUSTHAVE web applications will inform the main contact person of the application about a data breach. On the WATCH support website it is also possible to indicate who is the contact person for GDPR related matters. In the event of a data breach, both the main contact and the GDPR contact will be informed.
MUSTHAVE web applications immediately tries to provide the customer with all information that the customer needs to make a possible report to the Dutch Data Protection Authority and/or the person(s) involved.
Term of information
The GDPR indicates that data breaches must be reported "immediately". According to the Dutch Data Protection Authority, this means without undue delay and, if possible, no later than 72 hours after discovery by the controller. If a security incident occurs, MUSTHAVE web applications will inform the customer as soon as possible, but no later than 48 hours after discovery by MUSTHAVE web applications. The customer must assess for itself whether the security incident falls under the term "data breach" and whether a report must be made to the Dutch Data Protection Authority. The customer has 72 hours to do so after being informed by MUSTHAVE web applications.
Progress and measures
MUSTHAVE web applications will keep the customer informed about the progress and the measures being taken. MUSTHAVE web applications makes agreements about this with the primary contact person at the initial notification. In any case, MUSTHAVE web applications keeps the customer informed in the event of a change in the situation, the disclosure of further information and the measures being taken.
MUSTHAVE web applications will, after the end of the agreement, delete all customer data. If the customer wants to have the data removed earlier, a request can be submitted. MUSTHAVE web applications is obliged to comply.