Processing personal data (privacy law GDPR / AVG) QenTest B.V.

If the Supplier processes Personal Data for the benefit of the Client during the performance of the Agreement, the following conditions apply in addition to the General Terms and Conditions.

Article 1. General

1. The terms defined in this section in the General Data Protection Regulation (hereinafter: " GDPR") have the meaning assigned to them in the GDPR. In Dutch this is called the Algemene verordening gegevensbescherming ("AVG").

2. The processing of Personal Data is on the first place a responsibility of Qentest.

3. But under certain circumstances the Client can be designated as "Processing Officer" and responsible for the data and QenTest as "Processor". This will then be written down in a Processing agreement.

4. If the Client processes or transmits the Personal Data for the benefit of a third party as a Processor, the Client must cover this privacy legislation with his Client and this is not the responsibility of Qentest. The Client fulfills (depending on the capacity in which the Client processes Personal Data) the role of Processor and Qentest the role as sub processor.

5. In principle, the Supplier's system does not use privacy information outside the order process. All entered privacy information under a user or service portal is therefore the responsibility of the Client.

6. The Personal Data of an employee will only be used internally and with the acknowledgement of the employee.

Article 2. Purposes of processing

1. The Supplier undertakes to process Personal Data under the terms of the Agreement on the instructions of the Client. The processing will only take place within the framework of the execution of the Agreement, plus those purposes that are reasonably related thereto or that are determined with further consent.

2. The Supplier shall not process the personal data for any other purpose than as determined by the Client. The Client will inform the Supplier of the processing objectives insofar as these have not already been mentioned in this Appendix.

Article 3. Obligations supplier

1. With regard to the processing operations referred to in Article 2, the Supplier shall ensure compliance with the conditions that, on the basis of the GDPR, are set for the processing of Personal Data.

2. The Supplier will process Personal Data and other data that will be delivered to the Supplier by or on behalf of the Client.

3. The Supplier shall inform the Client, at his request and within a reasonable period of time, of the measures taken by him regarding his obligations under this Annex.

4. The Supplier's obligations arising from this Annex also apply to those who process Personal Data under the authority of the Supplier.

5. The Supplier shall inform the Client if in his opinion an instruction from the Client is in conflict with relevant privacy laws and regulations.

6. The Supplier shall render the necessary cooperation to the Client if a data protection impact assessment, or prior consultation of the Supervisor, is necessary in the context of the processing.

Article 4. Transfer of personal data

1. The supplier may process the personal data in countries within and outside the European Union, subject to the relevant legislation and regulations.

2. The Supplier shall inform the Client at his request to which country or countries it concerns.

Article 5. Distribution of responsibility

1. The parties will ensure compliance with applicable privacy laws and regulations.

2. The permitted processing operations will be carried out by Supplier within a (semi) automated environment.

3. The Supplier is solely responsible for the processing of the Personal Data under this Annex, in accordance with the instructions of the Client and under the explicit (ultimate) responsibility of the Client. For all other processing of Personal Data, including in any case but not limited to the collection of the Personal Data by the Client, processing for purposes not reported by the Client to the Supplier, processing by third parties and / or for other purposes, the Supplier is not responsible. The responsibility for these processing operations rests exclusively with the Client.

4. The Client guarantees that the content, the use and the instructions for processing Personal Data, as referred to in this Appendix, are not unlawful and do not infringe any right of third parties.

5. In principle, the Supplier's system does not use privacy information outside the order process. All entered privacy information under a user or service portal is therefore the responsibility of the Client.

Article 6. Enabling third parties or subcontractors

1. The Client hereby grants the Supplier permission to engage third parties (sub-processors) during the processing if necessary.

2. At the request of the Client, the Supplier shall inform the Client as soon as possible about the sub-processors it has engaged. Client has the right to object to the use of a sub processor. This objection must be submitted in writing, within two weeks and supported by arguments.

3. The Supplier unconditionally ensures that these third parties take on the same obligations in writing as agreed between the Client and the Supplier. Supplier guarantees correct compliance with these obligations by these third parties.

Article 7. Security

1. Supplier shall endeavor to take appropriate technical and organizational measures with regard to the processing of Personal Data, against loss or against any form of unlawful processing (such as unauthorized inspection, violation, alteration or provision of personal data).

2. The supplier does not guarantee that the security is effective under all circumstances. The Supplier shall endeavor to ensure that the security meets a level that, in view of the state of the technology, the sensitivity of the Personal Data and the costs associated with securing security, is not unreasonable.

3. The Client will only make Personal Data available to the Supplier for processing, if the Client has ensured that the required security measures have been taken. The Client is responsible for compliance with the measures agreed by the Parties.

Article 8. Reporting duty

1. In the case of a security breach and / or a data breach (which means: a breach of security that accidentally or unlawfully song to the destruction, loss, modification or unauthorized disclosure of or unauthorized access to forwarded, stored or otherwise generated data) Supplier will make every effort to inform Client as soon as possible as a result of which Client assesses whether or not it will inform the supervisory authorities and / or data subjects. Supplier will make every effort to make the information provided complete, correct and accurate.

2. If required by law and / or regulation, the Supplier shall cooperate in informing the relevant authorities and any parties involved. The client is responsible for reporting to the relevant authorities.

3. The duty to report in any case includes the reporting of the fact that there has been a leak, as well as:

What is the (alleged) cause of the leak;

What is the (as yet known and / or expected) consequence;

What is the (proposed) solution;

What the measures already taken are;

Contact details for the follow-up of the report;

Who is informed (such as the person concerned, the client, the supervisor).

Article 9. Handling requests from those involved

1. In the event that an involved person sends a request about his personal data to the Supplier, the Supplier will forward the request to the Client and inform the involved person accordingly. The Client will then continue to process the request independently. If it turns out that the Client requires assistance from the Supplier for the execution of a request from a data subject, the Supplier will cooperate and the Supplier may charge costs for this.

Article 10. Secrecy and confidentiality

1. All Personal Data that the Supplier receives from the Client and / or collects himself in the context of this Appendix, is subject to a confidentiality obligation towards third parties. The Supplier shall not use this information for any purpose other than the purpose for which it was obtained, unless it has been formulated in such a way that it can not be traced back to data subjects.

2. This confidentiality obligation does not apply:

Insofar as the Client has given express permission to provide the information to third parties;


If the provision of the information to third parties is logically necessary for the execution of the Main Agreement or this Appendix;


If there is a legal obligation to provide the information to a third party.

Article 11. Duration and cancellation

1. The Annex has been entered into for the duration as stipulated in the Agreement between the Parties and in the absence thereof in any case for the duration of the cooperation.

2. The Appendix can not be canceled prematurely.

3. Parties may only amend this Annex by mutual agreement.

4. After termination of the Appendix, the Supplier shall immediately destroy the Personal Data received from the Client, unless the Parties agree otherwise.

For more information please send an email to: