PROCESSOR AGREEMENT SOLAR MONKEY B.V.

Version 1.1
Date: 17 October 2019

PROCESSING AGREEMENT

This Processor Agreement applies to all forms of Processing of Personal Data that Solar Monkey B.V., registered at the Chamber of Commerce under number 64301400, (hereinafter: Processor) performs for the benefit of a counterparty to whom it provides services (hereinafter: Controller). Processing Controller and Processor are collectively referred to below as Parties.

ARTICLE 1. DEFINITIONS

In this Processor Agreement, the following definitions apply:

a. “Personal Data”: any information concerning an identified or identifiable natural person;
b. “Process” or “Processing”: any and all of actions relating to Personal Data, including but not limited to the collection, recording, organizing, storing, updating, changing, retrieving, consulting, using, providing by means of transmission, distribution or any other form of making available, bringing together, connecting to each other, as well as protecting, erasing or destroying such data;

c. “Data Breach”: a breach of the security of Personal Data that accidentally or unlawfully leads to – or where it cannot reasonably be ruled out that it could lead to – the destruction, loss, change of or the unauthorized provision of or unauthorized access to Personal Data transmitted, stored or otherwise processed, and which is likely to present a risk to the rights and freedoms of any Data Subject;

d. “Data Subject”: the person to whom the Personal Data relates;e. “AP”: the Dutch data protection authority (Autoriteit Persoonsgegevens), the independent
administrative body that is appointed by law in the Netherlands as a supervisor with
respect to the Processing of Personal Data;

f. “AVG”: the Dutch general data protection regulation (Algemene Verordening Gegevensbescherming); and
g. “Main agreement”: the service agreement concluded between the Parties and/or the terms and conditions of Solar Monkey B.V.

ARTICLE 2. SCOPE OF PROCESSING AGREEMENT

2.1 The Processing Agreement applies to the Processing of Personal Data by Processor on behalf of Controller which take place as part of the services provided by Processor to Controller, as further specified in the service agreement concluded between Parties and/or the Terms and Conditions of Solar Monkey B.V.

2.2 The Controller determines which Personal Data will be processed by the Processor under the agreed conditions. A more detailed description of the Personal Data to be processed, prepared by the Controller, is included in Appendix A.

2.3 The Parties acknowledge that the Processor also processes Personal Data as part of the services for which it itself determines the purpose and resources. This applies, for example, to Personal Data of contact persons at the Controller’s. This Processing Agreement does not apply to the Processing of such Personal Data, which must comply with the AVG.

2.4 The Processing of Personal Data under this Processing Agreement does not result in the Controller transferring any intellectual property rights or other claims to the Personal Data to the Processor, nor is it in any way intended to prejudice the rights of Data Subject.

ARTICLE 3. OBLIGATIONS OF THE PROCESSOR

3.1 Processor will process the Personal Data exclusively for the Controller, and only to the extent necessary for the services provided by Processor to Controller, including for those purposes that are reasonably related to this or that are agreed in writing between the Parties.

3.2 The Processor will immediately inform the Controller if, in its opinion, an instruction from the Controller is contrary to the AVG or other relevant laws and regulations.

3.3 Processor will ensure that its obligations under this Processing Agreement are imposed on those who process Personal Data under the authority of Processor, including but not limited to its employees.
3.4 Processor will, to the extent it is within its control, assist the Controller in complying with its obligations by:
i) responding to requests from a Data Subject exercising its rights under the AVG;
ii) with regard to the security of the Processing of the Personal Data, reporting any Data Breaches to the AP and the Data Subject;
iii) assisting on a potentially required data protection impact assessment (“Privacy Impact Assessment”) and prior consultation of the AP.

3.5 Any costs associated with this assistance are not included in the agreed prices and compensation of Processor. Processor is entitled to pass on to the Controller any reasonable costs incurred as a result of providing this assistance. For any such costs Processor will, where possible, inform the Controller in advance.

3.6 In the event that a Data Subject makes a request to Processor to exercise its legal rights, Processor will forward the request to Controller, and Controller will further process the request, without prejudice to the provisions of Clause 3.4.(i). Processor may inform the Data Subject thereof.

Article 4. OBLIGATIONS OF THE CONTROLLER

4.1. The Controller will inform the Processor of the identity of its data protection officer and/or representative, insofar as it has appointed such officer and/or representative. Changes must immediately be passed on to Processor. If the Controller does not specify an official  or representative, the Processor will assume that no such person has been appointed by Controller.

4.2. Controller guarantees that the content of, the use of and any instructions relating to the Processing of Personal Data under this Processing Agreement are lawful and do not breach any rights of third parties.

4.3 The Controller is responsible for determining the retention periods with regard to the Personal Data. Insofar as the Personal Data are under the control of the Controller, the Controller is solely responsible for deleting the such Personal Data.

Article 5. Use Of Sub-processors

5.1. Processor may use third parties in the context of this Processing Agreement. An up-to-date list of sub-processors engaged by Processor for the Processing of Personal Data under this Agreement is made available by Processor. The Controller has taken note of the current list of sub-processors and confirms its agreement with it.
5.2. Controller hereby authorizes Processor, for the duration of this Agreement, to outsource parts of the Processing of Personal Data to other sub-processors that fall into thencategories of sub-processors listed in Appendix B.

5.3. When a new sub-processor is used, Processor will inform the Controller of this. The Controller has a right to object to the use of a specific reported third party if it is unacceptable to it. Where possible and reasonable, the Processor will consult with the Controller regarding alternatives.

5.4. Processor shall impose the obligations of Processor under applicable laws and regulations and as contained in this Processing Agreement on all sub-processors it engages in relation to the implementation of the Processing Agreement. If a sub-processor does not wish to accept (certain) obligations arising under this Processing Agreement, the Controller may, to the extent permitted by law, decide to release the Processor from those Processing obligations so as to enable the Processor to conclude an agreement with the relevant subprocessor. In such case the Controller shall not be able to hold the Processor liable for the relevant sub-processor’s failure to comply with the relevant obligations arising from this Processing Agreement.

5.5. Processor may process the Personal Data in jurisdictions within the European Economic Area (EEA). A transfer to a jurisdiction outside the EEA is only permitted if such jurisdiction is recognized by the European Commission as “having adequate protection”. See https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outsideeu/adequacy-protection-personal-data-non-eu-countries_en for an up-to-date list.

5.6 Sub-processors have deletion periods, i.e. the time it takes for Personal Data to be completely removed from a sub-processor’s system. For some sub-processors this period can take up to 180 days. The deletion period starts from the moment that Processor marks the data as permanently deleted to sub-processor.

5.7 If the Controller requests for any Personal Data to be exchanged with a third party processor, it is the Controller’s sole responsibility to agree a processing agreement with  such third party processor. Under no circumstance will the third party processor qualify as a sub-processor of Processor under this Processing Agreement.

Article 6. Security

6.1. Processor shall take appropriate technical and organizational measures against loss or against any form of unlawful Processing (such as unauthorized Processing access to, or unauthorized use, change or disclosure of the Personal Data), taking into account the current standard of technology, implementation costs and the nature of the processing purposes.

6.2 Processor must work in accordance with technology standards that are deemed to meet
protection requirements based on current technology standards.

ARTICLE 7. REPORTING DUTY

7.1. Controller is at all times responsible for any legally required notification of a Data Breach to the AP and/or a Data Subject.

7.2. In order to enable Controller to comply with its legal obligations, Processor must inform the Controller immediately and where possible within two business days of a possible Data Breach after its occurrence has been established. The Processor will submit a notification to its known contact, or will submit the notification via the usual communication channels that are intended for this purpose.

7.3. The Processor must notify the fact that there has been a Data Breach. In addition, the notification should describe:
a. the nature of the Data Breach, where possible stating the categories of Persons involved and the approximate the duration and scope of the Data Breach;
b. the name and contact details of the Processor’s data protection officer or another point of contact where more information may be obtained;
c. the likely consequences of the Data Breach;
d. any measures proposed or taken by the Processor to address the Data Breach, including, where appropriate, any measures to limit any potential adverse consequences thereof.

ARTICLE 8. CONFIDENTIALITY

8.1 The Processor must at all times keep the Personal Data confidential, unless te applicable law or the regulations of any government agency require otherwise. In that case, the Processor will consult, to the extent possible, with the Controller about the time and content of any disclosure.

8.2 Processor will ensure that the persons authorized by Processor to process the Personal Data, including employees of Processor, are bound by confidentiality obligations.

Article 9. AUDIT

9.1. The Controller has the right to on a yearly basis audit the Processor’s compliance with its obligations pursuant to this Processing Agreement and to applicable laws and regulations regarding the processing and protection of Personal Data (an “Audit”), or to have an independent expert who is bound by confidentiality perform such Audit.

9.2. Upon request Processor will provide Controller with the necessary information required to enable Controller to form an opinion on Processor’s compliance with the provisions of the Processing Agreement and applicable laws and regulations in the field of processing and protection of personal data. Processor will immediately inform Controller if, in the opinion of Processor, an instruction in connection with an Audit constitutes a violation of the provisions of the AVG or other applicable laws and regulations regarding the processing and protection of Personal Data.

9.3. The Audit will be limited to the Processor’s systems that are used for Processing. The Controller will keep confidential any information obtained at the Audit and will only use it for the purposes of auditing the Processor’s compliance with the obligations arising from the Processing Agreement and applicable laws and regulations regarding the processing and protection of Personal Data and the Controller will delete this information as soon as possible. The Controller will ensure that any third parties engaged for the Audit will also abide by these obligations.

9.4. All costs related to the Audit are borne by the Controller. Any costs associated with the cooperation by Processor are not included in the Processor’s agreed prices and fees. Processor is entitled to pass on reasonable costs to the Controller for providing its assistance. Processor will, where possible, notify Controller of any such costs in advance.

Article 10. Liability

10.1. Controller is solely responsible and liable for the Processing and its purposes, for the use and content of the Personal Data, and for the provision of Personal Data to third parties.

10.2 Controller is responsible for the retention periods of the Personal Data, it being understood and agreed that Processor needs up to 60 days to remove Personal Data from all backups and that data can subseqently be present for a longer period with subprocessors, as set out in Clause 5.6.

10.3 Controller guarantees to Processor that any Processing of data takes place in accordance with the law. Controller indemnifies Processor against any costs and damage in case a Data Subject accuses Processor of unlawful processing. Controller indemnifies Processor against any claims from third parties based on or arising from (i) a violation of the Dutch Data Protection Act, AVG or other applicable laws and regulations in the field of processing and protecting personal data, which parties explicitly include supervisors such as the AP or a Data Subject and/or (ii) a shortcoming in compliance with this Processing Agreement that can be attributed to the Controller.

10.4. Processor is only liable towards Processor for a shortcoming attributable to Processor under the Processing Agreement.

Article 11. Duration and termination

11.1. This Processing Agreement is concluded either by the signing of the Main Agreement by the Parties, or by active and unambiguous consent obtained digitally by the Processor from the Controller. The date of commencement is the date of commencement of the Main Agreement or date of digital consent, as the case may be.

11.2. This Processing Agreement has been entered into for the duration set out in the Main Agreement between the Parties and in the absence thereof at least for the duration of the Parties’ cooperation, i.e. for as long as the Controller uses the services of the Processor whereby the Processor Processes Personal Data for the Controller.

11.3. Upon termination of the Processing Agreement, for whatever reason and in whatever manner, Processor will provide the Controller with a reasonable opportunity to make an electronic copy of all Personal Data that is has obtained. Processor will delete the relevant Personal Data within 30 days after the Processing Agreement has been terminated. Processor has the right to make backups or copies to guarantee a continuous delivery of services. Backups and copies containing Personal Data are deleted at the latest 60 days after creation. Personal data may therefore be present at the Processor’s for up to a maximum of 90 days after the termination of the Processing Agreement.

Article 12. Miscellaneous Provisions

12.1. This Processing Agreement expresses the only applicable agreement between the Controller and Processor regarding the processing of Personal Data by Processor and replaces all previous Processing Agreements and other written or oral agreements and correspondence on that subject.

12.2. Solar Monkey’s Terms and Conditions apply to the Processing Agreement. In the event of a conflict between the provisions of this Processing Agreement and the Terms and Conditions of the Processor, this Processing Agreement shall prevail.

12.3. Communications relating to this Processing Agreement are provided in writing, which also includes electronic communication.

12.4. This Processing Agreement has been entered into with the aim of meeting the requirements set by the AVG for the Processing of Personal Data by the Processor for the Controller. If any legal requirements require this Processing Agreement to be amended, either Party may draft a proposal for an amendment, after which the Parties shall enter into negotiations in good faith to reach agreement, with the aim to ensure continued compliance with applicable law.

12.5. Processor is entitled to unilaterally revise this Processing Agreement from time to time. It will notify the Controller of such revision at least one month in advance. The controller may terminate the Processing Agreement by the end of such month in case it does not agree with the changes. An agreement with the amended conditions may be given electronically. If the Controller continues to use the services of the Processor to which the Processing Agreement relates for one month after the announcement of the amended  conditions, the Processor may assume the Controller has consented to the amended conditions.

Article 13. Transfer Of Personal Data

13.1 Processor offers services that, if agreed, may be offered by Controller to Data Subject, for example Zonnegarant monitoring or a Zonnegarant yield guarantee. When offering these services, the Processor becomes the Controller of the Data Subject with regard to these services.

13.2 Controller is responsible for obtaining the Data Subject’s consent for the Processor to offer
the relevant service or services.

Article 14. Governing Law And Jurisdiction

14.1. This Processing Agreement and its implementation are governed by the laws of the Netherlands.

14.2. Any disputes that may arise between the Parties in connection with this Processing Agreement will be submitted to the competent court at the location of establishment ofthe Processor.

ANNEX A. OVERVIEW OF PROCESSING

This appendix details the processing activities carried out by the Processor on behalf of the Controller.

Processor processes for Controller data of customers or potential customers of Controller (each, a “Data Subject”), with the aim of being able to offer a suitable solar panel system, or to issue a report to compare one or more solar panel systems. Processor provides Controller
with the option of storing, editing and downloading data related to such quotation or reporting. This may include the following data from Data

  1. Name, address, city
  2. Phone number
  3. Email address
  4. Date of birth
  5. Address
  6. Data regarding possible purchase of solar panel systems and related services

APPENDIX B. OVERVIEW OF SUBPROCESSORS AND CATEGORIES OF SUBPROCESSOR

Not every sub-processor comes into contact with the same (amount of) personal data. Subprocessors currently used are:

  • CloudVPS (cloudvps.nl)
  • Google Cloud Platform (cloud.google.com)
  • Postmark (postmarkapp.com)
  • Intercom ( www.intercom.com ) (only insofar as users of the Data Controller enter personal data here)
  • Pipedrive (pipedrive.com) *
  • Zapier, Inc. (zapier.com) *

*Processor only uses these sub-processors for data from Data Subject at the request of Controller.

Categories of sub-processors that Solar Monkey may use in the future, in accordance with Clause 5:

  • Hosting providers & Cloud platforms
  • Other service providers at the request of the Controller