Processor Agreement
LinQR® is a trade name of QR8.
This Processor Agreement forms an integral part of the agreements between you (counterparty) and QR8. QR8 is the processor (hereinafter: “Processor”) of the personal data and the counterparty is the controller (hereinafter: “Controller”) of the personal data.
hereinafter individually referred to as “Party” and collectively referred to as “Parties”,
considering that:
1. The Controller holds personal data of various customers or customers of customers (hereinafter: Data Subjects);
2. The Controller uses an invoice program to manage debtors and creditors, create invoices, send quotations to customers, maintain a customer database, or export the accounting;
3. By using the online invoice program of the Processor, the Controller has the Processor process personal data, whereby the Controller determines the purpose and means. This is within the framework of the agreement between the Parties (hereinafter referred to as: Main Agreement);
4. The Processor is willing to comply with the obligations regarding security and other aspects of the Personal Data Protection Act (Wbp), to the extent within its power;
5. The Parties, also in view of the requirement of Article 14, paragraph 5 of the Wbp, wish to record their rights and obligations in this Processor Agreement (hereinafter: Processor Agreement) in writing;
6. In the performance of the Main Agreement, the Processor may be designated as Processor within the meaning of Article 1, sub e of the Wbp;
7. The Controller is designated as Controller within the meaning of Article 1, sub d of the Wbp;
8. Where in this Processor Agreement reference is made to personal data, this means personal data within the meaning of Article 1, sub a of the Wbp;
9. Where in this Processor Agreement terms from the Wbp or General Data Protection Regulation (GDPR) are mentioned, the corresponding terms from the Wbp or GDPR are meant;
10. Where in this Processor Agreement reference is made to the Wbp, from May 25, 2018, reference is made to (the corresponding provisions from) the GDPR.
agree as follows:
Article 1 – Purposes of Processing
1.1 Processor undertakes under the conditions of this Processor Agreement to process personal data on behalf of the Controller. Processing will only take place within the framework of this Processor Agreement and for the purposes stated in the Main Agreement. The categories of data subjects and personal data concerned are specified in Annex 1A of this Processor Agreement. The Controller will inform the Processor in writing of the processing purposes insofar as they are not already mentioned in this Processor Agreement.
1.2 Processor has no control over the purpose and means of processing personal data. The Processor does not make independent decisions about the receipt and use of the personal data, the provision to third parties, and the duration of the storage of personal data.
1.3 Processor has no control over the purpose and means of processing personal data. The Processor does not make independent decisions about the receipt and use of the personal data, the provision to third parties, and the duration of the storage of personal data.
1.4 The Controller guarantees that, from May 25, 2018, when the GDPR becomes applicable, it will maintain a register of the processing operations regulated under this Processor Agreement. The Controller indemnifies the Processor against all claims related to incorrect compliance with this registration obligation.
Article 2 – Division of Responsibility
2.1 The Parties will ensure compliance with applicable privacy laws and regulations.
2.2 The permitted processing operations will be carried out by the Processor within a (semi-) automated environment.
2.3 The Processor is solely responsible for processing personal data under this Processor Agreement, in accordance with the instructions of the Controller and under the explicit (final) responsibility of the Controller. The Processor is not responsible for all other processing of personal data, including but not limited to the collection of personal data by the Controller, processing for purposes not reported to the Processor by the Controller, processing by third parties and/or other purposes. The responsibility for these processing operations rests solely with the Controller.
2.4 The Controller guarantees that the content, use, and order of processing personal data, as intended in this Processor Agreement, is not unlawful and does not infringe any rights of third parties.
Article 3 – Obligations of the Processor
3.1 Regarding the processing operations mentioned in Article 1, the Processor will ensure compliance with the conditions imposed on the processing of personal data by the Processor based on the Wbp and GDPR.
3.2 The Processor will inform the Controller, at its first request and within a reasonable period, about the measures taken concerning its obligations under this Processor Agreement.
3.3 The Processor will inform the Controller if, in its opinion, an instruction from the Controller is in conflict with relevant privacy laws and regulations.
3.4 The Processor will provide the necessary cooperation to the Controller when a data protection impact assessment or prior consultation of the supervisor is necessary within the framework of the processing.
3.5 The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
Article 4 – Transfer of Personal Data
4.1 Processor processes personal data in countries within the European Union (EU). The Controller also gives the Processor, if applicable, permission to process personal data in countries outside the European Union, in compliance with the relevant laws and regulations.
4.2 The Processor will inform the Controller, at its first request, about which country or countries are involved.
Article 5 – Engagement of Third Parties or Sub-processors
5.1 The Controller hereby grants the Processor permission to engage third parties (sub-processors) for processing, in compliance with applicable privacy legislation.
5.2 The Processor will inform the Controller as soon as possible about the sub-processors it engages. The Controller has the right to object to the engagement of the sub-processor. This objection must be submitted in writing, within two weeks, and supported by arguments. If the Controller objects to a sub-processor engaged by the Processor, the Parties will enter into discussions to reach a solution.
5.3 The Processor will ensure that sub-processors commit in writing to at least the same obligations as agreed between the Controller and the Processor. The Processor is responsible for proper compliance with these obligations by these sub-processors and is liable to the Controller for all damages in case of errors by these sub-processors as if it had committed the error(s) itself.
Article 6 – Security
6.1 The Processor will make efforts to take appropriate technical and organizational measures to protect personal data against loss or any form of unlawful processing (such as unauthorized access, alteration, disclosure, or use of personal data). The Processor has taken the security measures mentioned in Annex 1B.
6.2 The Processor will strive to ensure that security meets a level that, considering the state of the art, the sensitivity of the personal data, and the costs of implementing security measures, is not unreasonable.
6.3 The Controller will only provide personal data to the Processor for processing if it has ensured that the required security measures have been taken. The Controller is responsible for compliance with the measures agreed upon by the Parties.
Article 7 – Data Breach Notification
7.1 In the event of a security breach and/or data breach (understood to mean a breach of the security of personal data leading to a substantial risk of serious consequences, or having serious adverse consequences, for the protection of personal data, as referred to in Article 34a Wbp), the Processor will make every effort to inform the Controller thereof without delay, but no later than within 48 hours, following which the Controller will assess whether to inform the supervisory authorities and/or data subjects or not. The Processor will make every effort to ensure that the information provided is complete, correct, and accurate. The notification obligation applies only if the breach has actually occurred.
7.2 The Controller will ensure compliance with any (statutory) notification obligations. If required by law and/or regulations, the Processor will cooperate in informing the relevant authorities and, where applicable, data subjects.
7.3 The notification obligation includes at least reporting the fact that there has been a breach, as well as:
a. the (alleged) cause of the data breach;
b. the (known and/or expected) consequence;
c. the (proposed) solution;
d. contact details for follow-up on the report;
e. who has been informed (such as the data subject, Controller, supervisor).
Article 8 – Handling Requests from Data Subjects
If a data subject makes a request regarding their personal data to the Processor, the Processor will forward the request to the Controller. The Processor may notify the data subject thereof. The Processor will provide the necessary cooperation to the Controller in handling the request. If it turns out that the Controller needs the assistance of the Processor to fulfill a data subject’s request, the Processor may charge costs for this.
Article 9 – Confidentiality and Secrecy
9.1 All personal data that the Processor receives from the Controller and/or collects itself within the framework of this Processor Agreement is subject to a duty of confidentiality towards third parties. The Processor will not use this information for any purpose other than that for which it was obtained, unless it has been rendered in such a form that it cannot be traced back to the data subjects.
9.2 This duty of confidentiality does not apply:
a. insofar as the Controller has given explicit permission to provide the information to third parties; or
b. if providing the information to third parties is logically necessary for the execution of the Main Agreement or this Processor Agreement; and
c. if there is a legal obligation to provide the information to a third party.
Article 10 – Audit
10.1 The Controller has the right to conduct an audit, or have one conducted by an expert independent third party bound by confidentiality, to verify compliance with all points of this Processor Agreement and everything directly related to it.
10.2 This audit will only take place after the Controller has requested and reviewed the similar relevant audit reports available from the Processor and has provided reasonable arguments justifying an audit initiated by the Controller. Such an audit is justified when the similar audit reports available from the Processor do not provide, or insufficiently provide, clarity on the Processor’s compliance with this Processor Agreement. The audit initiated by the Controller will take place two weeks after prior announcement by the Controller, and at most once per calendar year.
10.3 The Processor will cooperate with the audit and make available all reasonably relevant information for the audit, including supporting data such as system logs, as well as employees, as promptly as possible and within a reasonable period, with a maximum period of two weeks being considered reasonable unless an urgent interest opposes this.
10.4 The findings of the audit will be assessed by the Parties in mutual consultation. Consequently, changes may or may not be made to the security by one or both Parties jointly.
10.5 All audit costs will be borne by the Controller, including the (internal) costs incurred by the Processor, provided that the costs of the third party to be hired will always be borne by the Controller.
Article 11 – Liability
11.1 The liability of the Parties for damages resulting from an attributable shortcoming in the performance of this Processor Agreement, or from a tort or otherwise, is limited to the amount of the last invoice paid by the Controller.
11.2 A condition for any right to compensation to arise is that the Controller notifies the Processor in writing of the damage as soon as possible after it becomes known, by registered mail. Any claim for compensation by the Controller lapses three months after the Controller becomes aware of the fact that they have suffered damage.
11.3 The Processor is explicitly not liable for damages of the Controller resulting from a fine imposed by any national supervisory authority, including the Dutch Data Protection Authority, in the context of statutory notification obligations.
Article 12 – Duration and Termination
12.1 This Processor Agreement is concluded by agreeing to this agreement when placing an order.
12.2 This Processor Agreement is entered into for the duration specified in the Main Agreement between the Parties, and in the absence thereof, at least for the duration of the collaboration.
12.3 Once the Processor Agreement is terminated for any reason and in any manner, the Processor will provide the option to download or export all personal data in its possession in original or copy form in an Excel, CSV, or PDF file to the Controller, and subsequently delete and/or destroy these and any copies thereof.
12.4 The Parties may only amend this Processor Agreement with mutual written consent.
Article 13 – Miscellaneous Provisions
13.1 The Processor Agreement and its execution are governed by Dutch law.
13.2 Any disputes arising between the Parties in connection with the Processor Agreement will be submitted to the competent court in the district where the Processor is established.
13.3 Logs and measurements taken by the Processor serve as conclusive evidence, unless proven otherwise by the Controller.
13.4 In the event of conflict between different documents or their annexes, the following order of precedence applies:
a. the Main Agreement;
b. the General Terms and Conditions;
c. this Processor Agreement;
d. any additional conditions.
Annex 1A – Specification of Personal Data and Data Subjects
In the context of the Main Agreement, the Processor will process the following (special) personal data on behalf of the Controller:
The Processor will process the following types of personal data on behalf of the Controller:
a. Name and address details;
b. Contact details;
c. IP address;
d. Payment details;
e. Login details.
The following categories of data subjects are involved:
a. (Potential) customers;
b. Suppliers;
c. Employees.
The Controller guarantees that the personal data and categories of data subjects described in this Annex 1 of the Processor Agreement are complete and correct and indemnifies the Processor against any defects and claims resulting from incorrect representation by the Controller.
Annex 1B – Security Measures
The Processor has taken the following security measures:
1. Logical access control using strong passwords;
2. IP restrictions for access security of the database and files at the Processor;
3. Encryption of personal data stored in the database;
4. Organizational measures for access security;
5. Securing network connections via Secure Sockets Layer (SSL) technology;
6. Confidentiality obligations for employees and engaged third parties.