Data Processing Agreement

Home / Data Processing Agreement

Note about this web page

This document is the default all-encompassing Data Processing Agreement related to the activities performed LEF marketing & events. The Data Pro Statement contains descriptions of all possible forms of data processing, services and third-party suppliers used by LEF marketing & events.

In regards to events or services performed by LEF marketing & events for its’ customers, a unique Data Processing Agreement will always be created. The unique documents’ aim to provide an exact description of which data is processed and how, while excluding information that is not relevant.

For that reason, please use this document as reference only.

This document does not relate to the LEF marketing & events official website at www.lefmarketing.com.

PART 1: DATA PRO STATEMENT

Along with the Standard Clauses for Data Processing, this Data Pro Statement constitutes the data processing agreement for the product or service provided by the company that has drawn up this Data Pro Statement.

GENERAL INFORMATION

1. This Data Pro Statement was drawn up by
LEF marketing & events
Markt 7
4527 CM Aardenburg
The Netherlands
If you have any queries about this Data Pro Statement or data protection in general, please contact:
Willem van Vugt
wvanvugt@lefmarketing.com
+31 (0) 117 712 606

2. This Data Pro Statement has entered into force on 8 May 2018
We regularly revise the security measures outlined in this Data Pro Statement to ensure that we are always fully prepared and up to date with regard to data protection. If this document is updated, we will notify you of the revised versions through our regular channels.

3. This Data Pro Statement applies to the following products and services
LEF marketing & events uses the below products and services to provide its agency services:

A. E-mail campaign system “Mailchimp”
B. Event registration and ticketing system “Eventbrite”
C. Event registration and ticketing system “Eventpartners”
D. Event website on WordPress, including Contact Form DB plug-in

4. Description of products and services
The following descriptions apply for the products and services used by LEF marketing & events:

A. Mailchimp: marketing automation platform and e-mail marketing service used to send targeted e-mails.
B. Eventbrite: event technology platform used to create, share and find events or meetings.
C. Eventpartners: provides the invitation, online registration and visitor registration for fairs, congresses and events.
D. WordPress: including Contact Form DB plug-in: plug-in for WordPress websites to create contact forms and store data input into said forms.

5. Intended use
Product/service A was designed and built to process the following types of data:

A. Mailchimp is used by LEF marketing & events to create lists of contacts and send targeted e-mails to these contacts. Reasons to e-mail include invitations, updates and post-event communication about events. Only relevant contact data is saved that is required for targeting. This includes but is not limited to: First Name, Last Name, Gender, Birth Data, Address Data (Address, ZIP, City, Country), Phone Number, E-Mail Address, IP-Address, Business Sector, Job Title, Company Name, Interests, Dietary Preferences, Bank Account Number, Hotel Stay Details, Social Media Channels.

B. Eventbrite is used by LEF marketing & events to provide registration and payment options to people registering for an event. Registered contacts are sent e-mails from Eventbrite related to the event. All data is gathered on Eventbrite, there is no pre-input. Stored data includes but is not limited to: First Name, Last Name, Gender, Birth Data, Address Data (Address, ZIP, City, Country), Phone Number, E-Mail Address, IP-Address, Business Sector, Job Title, Company Name, Interests, Dietary Preferences, Bank Account Number, Hotel Stay Details, Social Media Channels.

C. Eventpartners is used by LEF marketing & events to send e-tickets (PDF, image, Pass for Wallet app) to registering or pre-registered contacts. Contacts are delivered to LEF marketing & events and uploaded into Eventpartners, or register on an Eventpartners website. Stored data includes but is not limited to: First Name, Last Name, Gender, Birth Data, Address Data (Address, ZIP, City, Country), Phone Number, E-Mail Address, IP-Address, Business Sector, Job Title, Company Name, Interests, Dietary Preferences, Bank Account Number, Hotel Stay Details, Social Media Channels. Data collected on Eventpartners is shared externally in some circumstances, for instance but not limited to : Opt-In by contacts to share their data for commercials reasons with Event Sponsors, Personal Data including CreditCard information with Hotels. LEF marketing & events does never share any personal data with anyone but its’ trusted third party suppliers or other external parties without explicit prior consent by the person whose data is processed. Prior consent is requested through opt-in forms or presented by e-mail.

D. Contact Form DB (WordPress): Contact Form DB (WordPress) is a plug-in used by LEF marketing & events on WordPress websites. The plug-in is used to create contact forms. Data input in the contact form by a user is stored in a database on WordPress. Data stored includes but is not limited to: First Name, Last Name, Gender, Birth Data, Address Data (Address, ZIP, City, Country), Phone Number, E-Mail Address, IP-Address, Business Sector, Job Title, Company Name, Interests, Dietary Preferences, Bank Account Number, Hotel Stay Details, Social Media Channels.

All data processed by LEF marketing & events and Eventpartners is based on input by registered contacts. Contacts have either registered with a customer of LEF marketing & events, on an Eventpartners website or directly at LEF marketing & events. Data collected on Eventpartners is shared externally in some circumstances, for instance but not limited to: Opt-In by contacts to share their data for commercials reasons with Event Sponsors, Personal Data including CreditCard information with Hotels.

LEF marketing & events does not gather other details, unless agreed upon in writing with its’ customers, and never before agreeing the usage of data in an amended Data Processing Agreement.
It is up to the client to determine whether or not it will use the aforementioned product or service to process such data. Not all products and services are used at the same time or for the same project.

Note on event visitors’ data related to exhibitors:
This note related to the specific situation in which LEF marketing & events facilitates event exhibitors to scan visitors’ badges with the goal of lead retrieval.
LEF marketing & events supplies persons’ data to exhibitors. Exhibitors only receive data of persons who opted-in for sharing data, and only receive data of persons who they interacted with. Interaction between exhibitors and other persons exists of badge scanning.

Persons can at any time deny their badge being scanned. Badge scanning is never mandatory by LEF marketing & events.

Data supplied to exhibitors is only shared with the specific exhibitor who interacted with a person. This specific data is never shared the customer or other exhibitors.

Badges worn by persons attending the event contain a barcode. The barcode is related to the persons’ data. Barcodes printed on badges only contain a numerical value. The numerical value contain no personal data. In the unlikely situation of an unwanted party gaining access to scanned barcodes, the data is of no use. The third-party supplier Eventpartners matches barcode numbers to personal data.

6. When the data processor designed the product or service, it applied the privacy-by-design approach in the following manner:

  • When employing one of the beforementioned products/services, LEF marketing & events thinks of privacy first.
  • LEF marketing & events only gathers relevant data to the project.

7. The data processor adheres to the Data Processing Standard Clauses for Data Processing, which can be found in PART 2 of this document.

8. The data processor will process the personal data provided by its clients inside the EU/EEA.

9. The data processor uses the following sub-processors:

  • Mailchimp (automation)
  • Eventbrite (automation)
  • Eventpartners (human intervention / automation hybrid)
  • Contact Form DB plug-in (on WordPress) (automation)
  • IBC Communicatie (long time agent providing services to LEF marketing & events)

10. The data processor will support its clients in the following way when they receive requests from data subjects:

  • LEF marketing & events provides the full record of an individual’s data, and can amend and delete when so requested.
  • LEF marketing & events can provide a written description of how data is collected.

11. Once an agreement with a client has been terminated, the data processor will delete the personal data it processes on behalf of the client within 3 months, in such a manner that they will no longer be able to be used and will be rendered inaccessible. When an event organized by LEF marketing & events ends, this is regarded a terminated agreement.

12. Once the agreement with the client has been terminated, the data processor will return all the personal data it processes on behalf of the client within three months, in the following manner:

  • LEF marketing & events e-mails an Excel file with all collected personal data to the client.
  • All Excel files are encrypted upon sending.
  • Passwords to unlock encryption are sent by another way than e-mail.

SECURITY POLICY

13. The data processor has implemented the following security measures to protect its product or service:

  • The products/services used by LEF marketing & events each employ their own security measures.
    • Mailchimp: click here to read more
    • Eventbrite: click here to read more
    • Eventpartners: click here to read more
    • Contact Form DB plug-in (on WordPress): no data is stored within the plug-in, data is instead stored at IBC Communicatie (Oscar van Beest). Click here to read more (currently only available in Dutch)
  • Personal data will not be pseudonomised

All products/services used by LEF marketing & events employ data privacy and security regulations adhering to the 2018 EU GDPR regulations. Refer to above web links to read more about their regulations. This includes but is not limited to encryption and server back-up.

14. The data processor conforms to the principles of the following Information Security Management System (ISMS):
Data Pro Code by Nederland ICT: click here to read more

DATA LEAK PROTOCOL

15. In the unfortunate event of a data breach, the data processor will follow the following data breach protocol to ensure that clients are notified of incidents:

  • In case of a data breach, LEF marketing & events informs its clients within 48 hours of discovering the breach, including a written description of the leaked data.
  • LEF marketing & events first contacts their main contact person and when available an IT specialist by sending an e-mail.
  • LEF marketing & events provides as much information about the data leak as possible, such as description of the incident, nature of the breach, type of data leaked, estimate number of affected contacts, relevant databases, estimated date and time of the incident.
  • Potentials results of a data breach include loss of data, including 1 or more of the records and fields collected. This can be any of the previously mentioned contact data.
  • To prevent further escalation and future breaches, LEF marketing & events takes the following steps: change of all passwords, deactivation of all accounts, removal of data, migration of data to other destination.
  • LEF marketing & events also ensures all products/services used are taking the same steps.

PART 2: STANDARD CLAUSES FOR DATA PROCESSING

Version 2: 15 June 2018

Along with the Data Pro Statement, these standard clauses constitute the data processing agreement. They also constitute an annex to the Agreement and to the appendices to this Agreement, e.g. any general terms and conditions which may apply.

ARTICLE 1. DEFINITIONS

The following terms have the following meanings ascribed to them in the present Standard Clauses for Data Processing , in the Data Pro Statement and in the Agreement:

1.1 Dutch Data Protection Authority (AP): the regulatory agency outlined in Section 4.21 of the GDPR.
1.2 GDPR: the General Data Protection Regulation.
1.3 Data Processor: the party which, in its capacity as an ICT supplier, processes Personal Data on behalf of its Client as part of the performance of the Agreement.
1.4 Data Pro Statement: a statement issued by the Data Processor in which it provides information on the intended use of its product or service, any security measures which have been implemented, sub-processors, data breach, certification and dealing with the rights of Data Subjects, among other things.
1.5 Data Subject: a natural person who can be identified, directly or indirectly.
1.6 Client: the party on whose behalf the Data Processor processes Personal Data. The Client may be either the controller (the party who determines the purpose and means of the processing) or another data processor.
1.7 Agreement: the agreement concluded between the Client and the Data Processor, on whose basis the ICT supplier provides services and/or products to the Client, the data processing agreement being part of this agreement.
1.8 Personal Data any and all information regarding a natural person who has been or can be identified, as outlined in Article 4.1 of the GDPR, processed by the Data Processor to meet its requirements under the Agreement.
1.9 Data Processing Agreement: the present Standard Clauses for Data Processing , which, along with the Data Processor’s Data Pro Statement (or similar such information), constitute the data processing agreement within the meaning of Article 28.3 of the GDPR.

ARTICLE 2. GENERAL PROVISIONS

2.1 The present Standard Clauses for Data Processing apply to all Personal Data processing operations carried out by the Data Processor in providing its products and services, as well as to all Agreements and offers. The applicability of the Client’s data processing agreements is expressly rejected.
2.2 The Data Pro Statement, and particularly the security measures outlined in it, may be adapted from time to time to changing circumstances by the Data Processor. The Data Processor will notify the Client in the event of significant revisions. If the Client cannot reasonably agree to the revisions, the Client will be entitled to terminate the data processing agreement in writing, stating its reasons for doing so, within thirty days of having been served notice of the revisions.
2.3 The Data Processor will process the Personal Data on behalf and on behalf of the Client, in accordance with the written instructions provided by the Client and accepted by the Data Processor.
2.4 The Client or its customer will serve as the controller within the meaning of the GDPR, will have control over the processing of the Personal Data and will determine the purpose and means of processing the Personal Data.
2.5 The Data Processor will serve as the processor within the meaning of the GDPR and will therefore not have control over the purpose and means of processing the Personal Data, and will not make any decisions on the use of the Personal Data and other such matters.
2.6 The Data Processor will give effect to the GDPR as laid down in the present Standard Clauses for Data Processing, the Data Pro Statement and the Agreement. It is up to the Client to judge, on the basis of this information, whether the Data Processor is providing sufficient guarantees with regard to the implementation of appropriate technical and organisational measures so as to ensure that the processing operations meet the requirements of the GDPR and that Data Subjects’ rights are sufficiently protected.
2.7 The Client will guarantee to the Data Processor that it acts in accordance with the GDPR, that it provides a high level of protection for its systems and infrastructure at all time, that the nature, use and/or processing of the Personal Data are not unlawful and that they do not violate any third party’s rights.
2.8 Administrative fines imposed on the Client by the Dutch Data Protection Authority will not be able to be recouped from the Data Processor, except in the event of wilful misconduct or gross negligence on the part of the Data Processor’s management team.

ARTICLE 3. SECURITY

3.1 The Data Processor will implement the technical and organisational security measures outlined in its Data Pro Statement. In implementing the technical and organisational security measures, the Data Processor will take into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing operations and the intended use of its products and services, the risks inherent in processing the data and risks of various degrees of likelihood and severity to the rights and freedoms of Data Subjects that are to be expected considering the nature of the intended use of the Data Processor’s products and services.
3.2 Unless explicitly stated otherwise in the Data Pro Statement, the product or service provided by the Data Processor will not be equipped to process special categories of personal data or data relating to criminal convictions and offences.
3.3 The Data Processor seeks to ensure that the security measures it will implement are appropriate for the manner in which the Data Processor intends to use the product or service.
3.4 In the Client’s opinion, said security measures provide a level of security that is tailored to the risks inherent in the processing of the Personal Data used or provided by the Client, taking into account the factors referred to in Article 3.1.
3.5 The Data Processor will be entitled to adjust the security measures it has implemented if it feels that such is necessary for a continued provision of an appropriate level of security. The Data Processor will record any significant adjustments it chooses to make, e.g. in a revised Data Pro Statement, and will notify the Client of said adjustments where relevant.
3.6 The Client may request the Data Processor to implement further security measures. The Data Processor will not be obliged to honour such requests to adjust its security measures. If the Data Processor makes any adjustments to its security measures at the Client’s request, the Data Processor will be allowed to invoice the Client for the costs associated with said adjustments. The Data Processor will not be required to actually implement these security measures until both Parties have agreed in writing and signed off on the security measures requested by the Client.

ARTICLE 4. DATA BREACHES

4.1 The Data Processor does not guarantee that its security measures will be effective under all conditions. If the Data Processor discovers a data breach within the meaning of Article 4.12 of the GDPR, it will notify the Client without undue delay. The “Data Breach Protocol” section of the Data Pro Statement outlines the way in which the Data Processor will notify the Client of data breaches.
4.2 It is up to the Controller (the Client or its customer) to assess whether the data breach of which the Data Processor has notified the Controller must be reported to the Dutch Data Protection Authority or to the Data Subject concerned. The Controller (the Client or its customer) will at all times remain responsible for reporting data breaches which must be reported to the Dutch Data Protection Authority and/or Data Subjects pursuant to Articles 33 and 34 of the GDPR. The Data Processor is not obliged to report data breaches to the Dutch Data Protection Authority and/or to the Data Subject.
4.3 Where necessary, the Data Processor will provide more information on the data breach and will help the Client meet its breach notification requirements within the meaning of Articles 33 and 34 of the GDPR by providing all the necessary information.
4.4 If the Data Processor incurs any reasonable costs in doing so, it will be allowed to invoice the Client for these, at the rates applicable at the time.

ARTICLE 5. CONFIDENTIALITY

5.1 The Data Processor will ensure that the persons processing Personal Data under its responsibility are subject to a duty of confidentiality.
5.2 The Data Processor will be entitled to furnish third parties with Personal Data if and insofar as such is necessary due to a court order, statutory provision or legal order to do so issued by a government agency.

5.3 Any and all access and/or identification codes, certificates, information regarding access and/or password policies provided by the Data Processor to the Client, and any and all information provided by the Data Processor to the Client which gives effect to the technical and organisational security measures included in the Data Pro Statement are confidential and will be treated as such by the Client and will only be disclosed to authorised employees of the Client. The Client will ensure that its employees comply with the requirements outlined in this article.

ARTICLE 6. TERM AND TERMINATION

6.1 This data processing agreement constitutes part of the Agreement, and any new or subsequent agreement arising from it and will enter into force at the time of the conclusion of the Agreement and will remain effective until terminated.
6.2 This data processing agreement will end by operation of law when the Agreement or any new or subsequent agreement between the parties is terminated.
6.3 If the data processing agreement is terminated, the Data Processor will delete all Personal Data it currently stores and which it has obtained from the Client within the timeframe laid down in the Data Pro Statement, in such a way that the Personal Data will no longer be able to be used and will have been rendered inaccessible. Alternatively, if such has been agreed, the Data Processor will return the Personal Data to the Client in a machine-readable format.
6.4 If the Data Processor incurs any costs associated with the provisions of Article 6.3, it will be entitled to invoice the Client for said costs. Further arrangements relating to this subject can be laid down in the Data Pro Statement.
6.5 The provisions of Article 6.3 do not apply if the Data Processor is prevented from removing or returning the Personal Data in full or in part by a statutory provision. In such cases, the Data Processor will only continue to process the Personal Data insofar as such is necessary by virtue of its statutory obligations. Furthermore, the provisions of Article 6.3 will not apply if the Data Processor is the Controller of the Personal Data within the meaning of the GDPR.

ARTICLE 7. THE RIGHTS OF DATA SUBJECTS, DATA PROTECTION IMPACT ASSESSMENTS (DPIA) AND AUDITING RIGHTS

7.1 Where possible, the Data Processor will cooperate with reasonable requests made by the Client relating to Data Subjects claiming alleged rights from the Client. If the Data Processor is directly approached by a Data Subject, it will refer the Data Subject to the Client where possible.
7.2 If the Client is required to carry out a Data Protection Impact Assessment or a subsequent consultation within the meaning of Articles 35 and 36 of the GDPR, the Data Processor will cooperate with such, following a reasonable request to do so.
7.3 The Data Processor will be able to demonstrate its compliance with its requirements under the data processing agreement by means of a valid Data Processing Certificate or an equivalent certificate or audit report (third-party memorandum) issued by an independent expert.
7.4 In addition, at the Client’s request, the Data Processor will provide all other information that is reasonably required to demonstrate compliance with the arrangements made in this data processing agreement. If, in spite of the foregoing, the Client has grounds to believe that the Personal Data are not processed in accordance with the data processing agreement, the Client will be entitled to have an audit performed (at its own expense) not more than once every year by an independent, fully certified, external expert who has demonstrable experience with the type of data processing operations carried out under the Agreement. The audit will be limited to verifying that the Data Processor is complying with the arrangements made regarding the processing of the Personal Data as laid down in the present data processing agreement. The expert will be subject to a duty of confidentiality with regard to his/her findings and will only notify the Client of matters which cause the Data Processor to fail to comply with its obligations under the data processing agreement. The expert will furnish the Data Processor with a copy of his/her report. The Data Processor will be entitled to reject an audit or instruction issued by the expert if it feels that the audit or instruction is inconsistent with the GDPR or any other law, or that it constitutes an unacceptable breach of the security measures it has implemented.
7.5 The parties will consult each other on the findings of the report at their earliest convenience. The parties will implement the measures for improvement suggested in the report insofar as they can be reasonably expected to do so. The Data Processor will implement the proposed measures for improvement insofar as it feels these are appropriate, taking into account the processing risks associated with its product or service, the state of the art, the costs of implementation, the market in which it operates, and the intended use of the product or service.
7.6 The Data Processor will be entitled to invoice the Client for any costs it incurs in implementing the measures referred to in this article.

ARTICLE 8. SUB-PROCESSORS

8.1. The Data Processor has outlined in the Data Pro Statement whether the Data Processor uses any third parties (sub-processors) to help it process the Personal Data, and if so, which third parties.
8.2. The Client authorises the Data Processor to hire other sub-processors to meet its obligations under the Agreement.
8.3. The Data Processor will notify the Client if there is a change with regard to the third parties hired by the Data Processor, e.g. through a revised Data Pro Statement. The Client will be entitled to object to the aforementioned change implemented by the Data Processor. The Data Processor will ensure that any third parties it hires will commit to ensuring the same level of Personal Data protection as the security level the Data Processor is bound to provide to the Client pursuant to the Data Pro Statement.

ARTICLE 9. OTHER PROVISIONS

These Standard Clauses for Data Processing, along with the Data Pro Statement, constitute an integral part of the Agreement. Therefore, any and all rights and requirements arising from the Agreement, including any general terms and conditions and/or limitations of liability which may apply, will also apply to the data processing agreement.