Data Processing Agreement

This Data Processing Agreement, together with the Terms and Conditions, forms an integral part of every agreement regarding services between Lazentis B.V. and the Client, where personal data is processed.

2.1. The Processor commits under the conditions of this Data Processing Agreement to process personal data on behalf of the Controller. This processing takes place exclusively in the context of the execution of the assignment and purposes reasonably related thereto.

3.1. The Processor uses the personal data solely for the execution of the assignment as described in Article 2 and refrains from processing for its own commercial purposes.

3.2. The Processor carries out the work in accordance with the requirements of the GDPR and under the express (final) responsibility of the Controller. If a specific instruction is, in the opinion of the Processor, in conflict with the law, it shall consult the Controller without delay.

5.2. At the request of the Controller, the Processor shall inform the Controller as soon as possible about the sub-processors engaged by it. The Controller may, within a period of fourteen days, object in writing and with reasons to this change, after which the parties shall enter into consultation.

6.2. The duty of confidentiality does not apply insofar as the Controller expressly gives permission to provide the information to third parties, providing the information to third parties is logically necessary for the execution of the assignment or if the information is provided pursuant to a legal obligation.

7.1. The Processor shall endeavor to take appropriate technical and organizational measures to protect processed personal data of the Controller against loss or against any form of unlawful processing.

10.1. The Controller may have an audit carried out once a year at most by an independent expert third party bound by confidentiality, on condition of a substantiated suspicion of violation of this Data Processing Agreement communicated in writing to the Processor.

10.2. If an audit by an independent third party has already been carried out in a year, the Processor may, contrary to what is regulated in the preceding paragraph, suffice with providing access to the relevant parts of the report, if another audit of compliance with the obligations of the Processor in the Data Processing Agreement is requested within the same year.