Version: 1.2 Last change: May 1, 2024

KLERQ – Data Processing Agreement

This is the KLERQ Data Processing Agreement, relevant for those wishing to create an account and utilize the services provided by KLERQ.

Effective starting May 1, 2023

Please read this Agreement carefully and immediately cease using the Services if you do not agree to it.

KLERQ, a product of BlueKnows B.V., a private company with limited liability, located in Tilburg, and having its office at Burgemeester Brokxlaan 12, 5041 SB, registered in the Chamber of Commerce under number 88431614, 


The entity agreeing to this Data Processing Agreement as part of using KLERQ services, herein after referred to as ‘the Data Controller’;

hereinafter collectively referred to as: the “Parties”.

Considering that:

The Parties have entered into an agreement under which the Processor provides services related to marketing and process optimization to the Data Controller (hereinafter: the “Main Agreement”), and pursuant to which the Processor will Process Personal Data for which the Data Controller is responsible;

The Processor, in connection with the execution of this Main Agreement for the benefit of the Data Controller, will obtain, use, or otherwise Process Personal Data within the meaning of the General Data Protection Regulation (hereinafter: “GDPR”);

The Parties, in view of the provisions of Article 28(3) of the General Data Protection Regulation (GDPR), wish to establish the conditions for the Processing of Personal Data by the Processor for the Main Agreement in this data processing agreement (hereinafter: the “Data Processing Agreement” or “Agreement”);

This Data Processing Agreement forms an integral and inseparable part of the Agreement.

Have agreed as follows:

Section 1:Definitions & Interpretation

1.1 Definitions:

All terms in this Data Processing Agreement have the meaning assigned to them in the GDPR unless otherwise defined in this Data Processing Agreement.

1.2 Interpretation:

References to articles are references to articles and annexes in this Data Processing Agreement unless stated otherwise.
Headings in this Data Processing Agreement are inserted for convenience only and shall not affect the interpretation of this Agreement.
Singular and plural nouns and verbs are deemed to include the plural and singular, respectively, as far as the context requires.
The annexes and appendices to this Data Processing Agreement form an integral part of this Agreement.

Section 2: Subject and Hierarchy

The Parties hereby agree that from the date of signing this Data Processing Agreement, the Processor will Process Personal Data under the conditions and terms set in this Agreement in the execution of the Main Agreement. The Data Controller retains and maintains full control over this Personal Data.

This Data Processing Agreement is an integral part of the Main Agreement. In case of any conflict between the provisions of this Data Processing Agreement and the Main Agreement, the provisions of this Data Processing Agreement shall prevail.

Section 3:Purpose and Means

3.1 The Data Controller determines the purpose and means for processing the Personal Data.

3.2 The categories of Data Subjects and Personal Data to be processed under the Principal Agreement are described in Article 4.14.

3.3 The Processor shall process Personal Data solely based on written instructions from the Data Controller, exclusively for fulfilling its obligations under the Principal Agreement, unless a law applicable to the Processor requires processing.

Section 4: Security Measures

4.1 The Processor shall implement appropriate technical and organizational measures to ensure processing meets GDPR requirements and protects the rights of the Data Subject.

4.2 At a minimum, the Processor shall implement measures mentioned in the Cyber Security Policy.

4.3 Considering the nature of the processing and the information available, the Processor shall assist the Data Controller in complying with GDPR Articles 32 to 36.

Section 5: Sub-processors and Third Parties

5.1 The Data Controller authorizes the Processor to engage other (sub-) processors for processing Personal Data.

5.2 A list of (sub-) processors engaged by the Processor can be found here.

5.3 The Processor shall inform the Data Controller of any changes regarding (sub-) processors, allowing the Data Controller to object within thirty (30) business days prior to any changes being implemented.

5.4 The Processor must impose the same data protection obligations on every Sub-processor through a contract or other legal act as set out in this Processor Agreement.

Section 6: Transfer

6.1 The Processor may only transfer Personal Data outside the European Economic Area if specific approved by the Data Controller in writing and there is an adequate level of protection for the processing of Personal Data and the transfer complies with other obligations under this Processor Agreement and the GDPR.

Section 7: Liability

7.1 The liability clause from the Principal Agreement, including all limitations of liability for damages and penalties from any cause, applies correspondingly to this Processor Agreement and the processing of Personal Data by the Processor.

Section 8: Notification Duty and Supervision

8.1 The processor shall inform the Data Controller without unreasonable delay, no later than within 48 hours, upon becoming aware of a Personal Data breach.

8.2 The Data Controller shall assess whether the Personal Data breach reported by the Processor needs to be reported to the Supervisory Authority. Reporting such breaches in accordance with Articles 33 and 34 of the GDPR is the responsibility of the Data Controller.

8.3 The Processor shall, if possible , provide further information regarding the Personal Data breach and shall cooperate to the extent reasonable for reporting under Articles 33 and 34 of the GDPR.

8.4 The Processor is obliged to follow any recommendation or directive from a supervisory authority within the set term. The Data Controller shall notify the Processor as soon as possible of any such recommendation or directive if it is directly or indirectly related to the Principal Agreement or its execution.

8.5 The Parties shall endeavor to, if the recommendation or directive implies that the Principal Agreement or this Processor Agreement does not comply with applicable law, amend such agreements to continue their execution in compliance with the law.

Section 9:Retention Periods

9.1 The Data Controller is responsible for determining the retention periods for the Personal Data as defined in Annex 5.

Section 10: Rights of Data Subjects and DPIA

10.1 The Processor shall, where possible, assist the Data Controller with reasonable requests related to rights invoked by Data Subjects with the Data Controller. If the Processor is directly approached by a Data Subject, it shall, where possible, direct the Data Subject to the Data Controller.

10.2 Upon a reasonable request, the Processor shall assist with a data protection impact assessment as mentioned in Articles 35 and 36 of the GDPR, if the Data Controller is obliged to conduct one.

Section 11: Confidentiality

11.1 The Processor must maintain confidentiality regarding the Personal Data. The Processor is not permitted to disclose Personal Data to third parties, except: (a) if allowed under this Processor Agreement; (b) with the Data Controller’s prior written consent; or (c) if the Processor or a Sub-processor is required by a Dutch or foreign supervisory authority to provide access to Personal Data.

11.2 The Processor must limit the disclosure of Personal Data to those employees who are assigned Personal Data processing under this Processor Agreement, and only as necessary for the execution of this Processor Agreement (“need to know” basis).

11.3 The Processor declares and warrants that every employee is bound by a confidentiality obligation that aligns with the confidentiality obligations set out in this Processor Agreement and that remains in effect after the termination or expiration of their employment contract.

Section 12: Audit

12.1 The Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and this Processor Agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

12.2 The Processor shall obtain an annual audit report of the SOC2 or equivalent from an independent third party at its own expense regarding the Processor’s compliance with the GDPR, data protection provisions in other EU or Member State law and this Processor Agreement.

12.3 If the audit is carried out by someone other than the Data Controller itself, this other auditor must be independent and non-competitive in relation to the Processor and otherwise be subject to confidentiality and secrecy obligations either by law or as a result of a confidentiality agreement on which the Processor can rely directly against the other auditor in question.

12.4 The Processor shall immediately inform the Data Controller if an instruction to provide information or allow audits and inspections is, in the opinion of the Processor, contrary to the GDPR or data protection provisions in other EU or national law.

Section 13:Duration & Termination

13.1 Start and Duration
– The duration of this Processor Agreement is equal to the duration of the Principal Agreement, including any extensions thereof.
– This Processor Agreement terminates by law upon the termination of the Principal Agreement.

13.2 Consequences
– Termination of this Processor Agreement does not affect obligations and arrangements from this Processor Agreement that are intended to survive its termination, such as, but not limited to, confidentiality and dispute resolution provisions.
– All Personal Data shall be deleted or returned at the choice of the Processor after the end of the provision of processing services, and existing copies shall be deleted unless the retention of the Personal Data is required by Union or Member State law.

Section 14: Final Provisions

14.1 Amendments and Additions
– This Processor Agreement may only be amended or supplemented in writing. If this Processor Agreement does not provide a regulation or provision for a particular situation, the Parties shall consult to reach an agreement on an amendment to this Processor Agreement, in line with the agreements currently set forth herein.

14.2 Applicable Law
– This Processor Agreement is exclusively governed by Dutch law.

14.3 Jurisdiction
– Any dispute arising from or related to this Processor Agreement shall be submitted to the competent court in Breda, without prejudice to the Parties’ right to request a preliminary injunction.

Section 15: Categories of Data Subjects and Personal Data

The Processor processes the following categories of Personal Data for the Data Controller:
– (Former) employees of the Data Controller
– (Former) customers of the Data Controller
– References of the Data Controller
– Suppliers of the Data Controller
– Relations of the Data Controller

The Personal Data categories include:
– Name, address, and other contact information
– Telephone numbers
– Email addresses
– Usernames, passwords, and other login data
– Profession/position
– Data obtained from social profiles and public websites (LinkedIn, Facebook, news websites, company website)
– Photographs of individuals

Through the following activities:
– Entering of (personal) data
– Periodically creating backups
– Providing user support
– Updating (patching) of systems
– Restoring user accounts
– Creating or deleting (personal) data

Section 16: List of Transfers and Sub-processors

The Data Controller hereby authorizes the Processor to engage the following sub-processors and/or categories of sub-processors for processing Personal Data:

The Processor commits to maintaining a current list of engaged sub-processors, which will be sent to the Data Controller by e-mail if the list is updated or changed in any way. This list may include, but is not limited to:
– Entities involved in data hosting and storage services
– IT support and maintenance service providers
– Security and incident management service providers
– Other processors necessary for the provision of the KLERQ services

General Provisions for Sub-processor Engagement:
1. Notification and Objection: The Processor shall notify the Data Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Data Controller the opportunity to object to such changes within a thirty (30) business days.
2. Sub-processor Agreements: The Processor ensures that a contract is in place with each sub-processor, binding them to the same data protection obligations specified in this Data Processing Agreement. Upon the Data Controller’s request, the Processor shall provide a summary of such obligations and, where available, evidence of the sub-processor’s compliance.
3. Liability: The Processor remains fully liable to the Data Controller for the performance of the sub-processor’s obligations.
4. Transfers of Personal Data: Any transfer of Personal Data to a sub-processor outside the European Economic Area (EEA) shall be conducted in compliance with Chapter V of the GDPR, ensuring an adequate level of data protection.
5. Data Center Locations: When applicable, the Processor will inform the Data Controller of the countries or regions where the Personal Data will be processed or stored.