Data processing agreement
This Data Processing Agreement is between you, the Customer, also referred to as the ‘ Controller’hereinafter referred to as: ‘Controller’ or ‘Customer’; and
CerQlar B.V., having its registered seat at the address Strawinskylaan 3127, in (1077 ZX) Amsterdam, the Netherlands, hereinafter referred to as: ‘Processor’ or ’CerQlar’;(hereinafter jointly referred to as the ‘Parties’) contains terms to establish the Parties’ respective responsibilities under laws and regulations applicable to the processing of Personal Data, including the GDPR, with respect to Personal Data to be processed by CerQlar as a processor.
WHEREAS:
a. CerQlar (as Processor) provides services to Customer (as Controller) related to the management of trades and inventory in environmental commodities (‘Services’) via a software platform made available on a software-as-a-service basis (the ‘CerQlar Platform’);
b. the Processor performs activities on the instructions of the Controller pursuant to this Processing Agreement. The Processor to this end processes certain personal data as defined in article 4.1 of the GDPR (‘Personal Data’) for which the Controller is responsible;
c. the Parties recognize and wish to respect the applicability of any laws and regulations relating to the use or processing of personal data including (i) EU General Data Protection Regulation (2016/679) (‘GDPR‘); and (ii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR from time to time including, in the Netherlands, the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming) (hereinafter together ‘Applicable Data Protection Laws‘);
d. the Parties wish to lay down agreements with regard to the processing of personal data in accordance with article 28 of the GDPR regulation in this Processing Agreement.
1. Scope Of The Processing Agreement
1.1. The Controller hereby instructs the Processor to process Personal Data on its behalf subject to the conditions in this Processing Agreement. The Processor will process the Personal Data as a processor exclusively based on this Processing Agreement, as further detailed in Annex 1 to this Processing Agreement. The Processor will process the Personal Data in order to provide the Services and will act only in accordance with Controller’s written instructions thereto. This Processing Agreement, and Controller’s use of the CerQlar Platform’s features and functionality, are Controller’s written instructions to Processor in relation to the processing of Personal Data.
1.2. In the event of any conflict between the terms of this Processing Agreement and terms of any other agreement between the Parties, the terms of this Processing Agreement will prevail insofar as the subject matter concerns the Processing of Personal Data. The processor has no control of the purpose and the means for the processing of the Personal Data. Control of the Personal Data will never be vested in the Processor.
1.3. As between the parties, Controller is solely responsible for obtaining and has obtained or will obtain, all necessary consents, licenses, and approvals for the processing, or otherwise has a valid legal basis under GDPR and other Applicable Data Protection Laws for the processing of Personal Data (the ‘Controller Legal Basis Assurance’). Without limiting the Controller Legal Basis Assurance, each Controller and Processor warrant in relation to Personal Data that it will comply with (and will ensure that any of its personnel comply with), other Applicable Data Protection Laws.
1.4. The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR regulation or other Applicable Data Protection Laws.
1.5. Other than in accordance with Article 7, the Processor will process the Personal Data exclusively in the European Economic Area.
2. Confidentiality
2.1. The Processor will keep strictly confidential the Personal Data of which it becomes aware and therefore in no circumstances share it with or provide it to third parties (other than any permitted Sub-Processor(s) in accordance with Section 7), except if and insofar as: a. the Processor gets prior written approval or instructions to this effect from the Controller; orb. if any mandatory law, regulation or public authority obliges it to provide the Personal Data.
2.2. If based on any mandatory law provision the Processor is obliged to share the Personal Data with or provide it to third parties, the Processor will inform the Controller thereof in advance, unless it is not permitted to do so based on the regulation referred to.2.3. The Processor warrants that the persons authorized to process the Personal Data, including its employees and any Sub-Processors, have undertaken in advance to observe confidentiality.
3. Security Measures
3.1. Taking into account the state of the art, the performance costs, and the nature, size, context and purposes of the processing and the risks to rights and freedoms of persons that vary in probability and seriousness, the Processor will take appropriate technical and organizational measures to guarantee a security level that is appropriate for the risk in accordance with article 32 GDPR to protect the Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Personal Data. The security measures are described on our Security page.
4. Providing Assistance
4.1. The Processor will:
a. taking into account the nature of the processing, provide reasonable assistance to the Controller, with the Controller’s obligation to perform a data protection impact assessment or in the prior consultation of the Dutch Data Protection Authority;
b. provide to the Controller all information that the Controller reasonably needs to fulfil the legal and contractual obligations it is under in the context of the processing of the Personal Data by the Processor;
c. upon reasonable request of the Controller, provide assistance to the Controller in the fulfillment of its duty to answer requests to exercise the statutory rights of the data subject as laid down in Chapter III of the GDPR regulation, including, but not limited to, the right of access, rectification, erasure, restriction of processing and right to data portability.
5. Monitoring Of Compliance
5.1. Processor will, once per calendar year, engage an internal or external auditor to test, assess and evaluate the effectiveness of the security measures in place by Processor. Upon reasonable written request thereto of the Controller, the Processor shall provide the Controller with the relevant audit report to allow the Controller to check whether the Processor complies with this Processing Agreement, and in particular the security measures set out in Article 3 and our Security and Trust Center pages(the Processor’s Compliance).
5.2. If the audit report as referred to in Article 5.1 reveals that Processor has violated thisProcessing Agreement or any of the security measures, the Processor will enable the Controller to conduct an audit to check the Processor’s Compliance during normal working days and normal working hours, giving fourteen (14) calendar days prior notice.
5.3. For the purposes of clause 5.2, the Processor will grant access to the Controller and/or the auditors hired by the Controller to relevant parts of the spaces, systems and/or service in which or with which the processing of the Personal Data takes place and will provide all relevant information to the Controller or to the auditors hired by the Controller to allow them to check the Processor’s Compliance unless any applicable legal or contractual requirement would prevent Processor from doing so.
5.4. The costs of any audit or inspection at the Processor are for the account of the Controller, unless the (results of) the audit or inspection reveal(s) that Processor has violated thisProcessing Agreement, in which case Processor shall bear the reasonable costs of the audit or inspection.
6. Personal Data Breach
6.1. Without undue delay after the Processor becomes aware of a breach relating to Personal Data, the Processor will inform the Controller thereof and will in any case provide information about the following:
i) the nature of the breach in relation to Personal Data, where possible while reporting the categories of the data subjects and an approximation of the number of data subjects;
ii) the established and expected consequences of the breach relating to Personal Data;
iii) the measures the Processor has taken and will take to tackle the breach relating to Personal Data, including, as appropriate, the measures to limit any adverse consequences thereof.
6.2. The Processor will take any reasonable appropriate measures to limit the possible adverse consequences of the breach relating to the Personal Data and prevent any repeat and will provide reasonable support to the Controller in any reports to the data subjects and/or the competent supervisory authorities.
7. Addition or Replacement of Processors And Engagement Of Sub-Processors
7.1. Authorization of New Sub-Processors. The Controller hereby grants a general written authorization to Processor for the engagement of sub-processors for the provision of certain aspects of the CerQlar Services (‘Sub-Processor(s)’), under the condition that the Processor shall remain fully liable to the Controller as regards the processing of Personal Data by the Sub-Processor and that the Processor and the Sub-Processor have entered into an agreement that imposes obligations on the Sub-Processor that are similar to those imposed on the Processor in this Processing Agreement.
7.2. Processor shall inform Controller in writing of any intended changes concerning the addition or replacement of Sub-Processors at least ten (10) calendar days in advance, thereby giving the Controller the opportunity to object to such changes prior to the engagement of the concerned Sub-Processor(s). The Sub-Processors listed in our Trust Center page which are hereby approved by the Controller.
7.3. Data Transfers. If, in the performance of this Processing Agreement, the Processor transfers any Personal Data to a Sub-Processor (including any the Processor Affiliate that acts as aSub-Processor) where such Sub-Processor will process Personal Data outside the EEA(other than exclusively in a country or territory that is recognized under applicable data protection laws as providing adequate protection for Personal Data), then the Processor will, prior to any such transfer, ensure that such transfer is, covered by one of the following measures:
a. an adequacy decision of the European Commission determining that an adequate level of data protection is provided pursuant to article 45 GDPR;
b. binding corporate rules approved by a competent supervisory authority in accordance with article 47 GDPR;
c. an approved code of conduct or certification mechanism pursuant to article 46 GDPR; and
d. Standard Contractual Clauses pursuant to article 46 GDPR.
8. Liability
8.1. Nothing in this Processing Agreement shall exclude or limit a Party’s liability for any damages which cannot be excluded or limited by applicable law.
8.2. Subject to clause 9.1, a Party shall only be liable to another Party for any breach of its obligations under this Processing Agreement, to the extent that it has intentionally, wilfully, recklessly or negligently acted (or failed to act) in breach of those obligations.
9. Duration and termination
9.1. This Processing Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller. On termination of this Processing Agreement, Processor will destroy, or at Controller’s choice and in accordance with any instructions from Controller, return to Controller, all personal data obtained from Controller under this Processing Agreement, except for such information that must be retained by Processor under applicable laws.
10. Jurisdiction And Applicable Law
10.1. This Agreement shall be exclusively governed and construed in accordance with the law of the Netherlands.
10.2. All disputes regarding or resulting from this Processing Agreement, shall be settled exclusively by the competent court in Amsterdam, the Netherlands.
CerQlar B.V.
Timo Pentner 
ANNEX 1 DETAILS OF PROCESSING ACTIVITIES
Subject matter of the processing
CerQlar provides services for Post-Trade Settlement Automation. This includes Trade capture, Inventory management, Position Management, Contract Automation, User/Org/Role Management, Counterparty Invitation, etc.
Purpose and nature of the processing
Main purpose of processing is to provide end-2-end automation of the trade capture and settlement process (see subject matter of the processing).
Nature of processing includes but is not limited to:
Capture of counterparty information during Trade Capture (offline and online)
Capture of Trade information during Trade Capture
Generation of Contract between trading counterparties
Inventory Synchronisation (API and non-API)
Transfer of inventory between counterparties
Invitation of new members to the platform
User/Org/Role management on the platform
Types of personal data
Name, e-mail address, telephone number, business address
Categories of data subjects
Employees or consultants of clients, business contacts at clients, suppliers prospects, and employees of prospect companies.
Approved sub-processors
An overview of approved sub-processors; Data Transfers and safeguards (if applicable) are available via our Trust Center page.