Data Processing Agreement
Our terms when we process data on your behalf (GDPR art. 28).
1. Roles
In some engagements Ruimtemeesters processes personal data on behalf of and at the instruction of a client. In that case the client is the controller and Ruimtemeesters acts as processor within the meaning of GDPR art. 28. For those situations we offer a data processing agreement; this page summarises the key terms.
2. Processing on instruction
We process personal data only on the documented instructions of the controller and for the agreed purposes, and not for our own purposes.
3. Security
We take appropriate technical and organisational measures (GDPR art. 32), as described on our security page.
4. Subprocessors
We engage subprocessors as listed on our subprocessors page. We agree equivalent obligations with each subprocessor. Changes are announced in advance, so the controller can object if desired.
5. Assistance and data subject rights
We provide reasonable assistance with data subject requests (access, erasure, etc.) and with obligations regarding security, data breaches and data protection impact assessments.
6. Data breaches
We report a data breach without undue delay to the controller, with the information needed to meet their notification obligation.
7. Return and deletion
After the engagement ends we delete or return the personal data, at the controller's choice, subject to any statutory retention obligation.
8. Audits
The controller may verify compliance in a reasonable manner, through information and — within reasonable limits — audits.
9. Requesting a data processing agreement
Request a signable data processing agreement via welkom@ruimtemeesters.nl.