Processing Terms

These Processing Terms (‘Processing Terms’) are applicable to the provision of services by GPTW Netherland B.V. (‘GPTW’) to her customers (‘Customers’) as described in- and in the context of the order form (‘Order Form’) entered into with the Customer. In addition to the Processing Terms, the General Terms also apply to the Order Form.

In the context of the provision of services as described in the Order Form, GPTW will process personal data on behalf of the Customer. For the processing of personal data by GPTW on behalf- and for the benefit of the Customer, GPTW will act as processor (‘Processor). The Customer will act as controller (‘Controller’) within the meaning of the GDPR (defined below).

Given that the Parties qualify as Controller and Processor in relation to each other, the Parties are obliged to ensure compliance with Article 28 GDPR. These Processing Terms are intended to guarantee the obligations under Article 28 GDPR between GPTW and the Customer.

1. Definitions

Uncapitalized definitions used in these Processing Terms that are defined in the GDPR, such as "processing" and "data subject", have the same meaning as in the GDPR. Furthermore, in addition to this, the following definitions shall apply:

General Data Protection Regulation (GDPR): Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Annex: an appendix attached to these Processing Terms that forms an integral part of these Processing Terms.
Applicable Law: the applicable law of the European Union or another country within the European Economic Area (‘EEA’).
Employees: persons who work for the Controller or the Processor, either on the basis of an employment contract or engaged on another basis, including on the basis of a temporary contract.
Sub-Processors: processors that have been engaged by the Processor to carry out (part of) the data processing carried out by the Processor on behalf of the Controller.
Third Country: a country outside of the EEA or an international organisation.
Transfer: personal data that are being processed in or are accessible from a Third Country.

2. Privacy positions and the main obligations of the Parties

Privacy positions. For the processing of personal data by GPTW on behalf and for the benefit of the Customer, GPTW will act as Processor on behalf of the Customer, who acts as the Controller. If a competent supervisory authority or judicial authority nevertheless takes a different decision regarding the privacy position of the Parties, the Controller will carry all costs relating to the inaccurate privacy qualification of the Parties, including any compensation awarded and fines imposed, insofar as the Processor has acted in accordance with these Processing Terms.

Controller. The Controller is responsible for ensuring that the processing of personal data is done in accordance with the GDPR (refer to Article 24 of the GDPR), the applicable data protection provisions under the Applicable Law, and these Processing Terms. The Controller has the right and obligation to make decisions regarding the purpose and the means of the processing of the personal data that falls within the scope of these Processing Terms. The Controller will be responsible for, amongst other things, ensuring that the processing of personal data, which the Processor is instructed to carry out, has a legal basis under the GDPR.

Processor.

Documented instructions. The Processor will only process the personal data on the basis of the documented instructions of the Controller as specified in the Appendixes – under which in particular Appendix 1 concerning the details of the data processing – unless laws to which the Processor is subject otherwise oblige the processing of personal data, in which case the Processor informs the Controller about this insofar providing such information is not prohibited.
Internal processes. Parties acknowledge that GPTW acts as Controller for the processing of personal data in the context of certain internal processes such as ensuring compliance with the rules and regulations applicable to GPTW, risk management, the own internal financial accounting, and IT-related and other administrative supporting processes within GPTW; these processing purposes fall outside of the scope of these Processing Terms.
Subsequent instructions. Subsequent instructions can be given by the Controller during the entire duration of the processing of personal data in the context of the Order Form, but these instructions will always be recorded and kept in writing – including electronically. This also applies to requests or instructions based on these Processing Terms. In the event that the instructions do not match, directly contradict with, or fall outside of the scope of these Processing Terms, these instructions will be included in a written addendum to the Order Form, undersigned and documented by both Parties. Depending on the kind of instruction, the Processor may decide as well that it is necessary to edit the underlying Order Form.
Unlawful instructions. The Processor will inform the Controller without undue delay if the instructions given by the Controller are, according to the Processor, in violation of the GDPR or other data protection provisions under the Applicable Law to which the Processor is subject. In that case, the Controller has four (4) weeks to revise its written instructions that are deemed to be unlawful by the Processor. If the Controller has not provided the revised instructions within the aforementioned four (4) weeks, or if the Processor deems the revised instructions to violate the GDPR or other data protection provisions under the Applicable Law as well, the Processor has the right to terminate (the relevant part of) the Order Form.

3. Assistance to the Controller

Assistance. The Processor will offer the Controller assistance to fulfil its obligations under the GDPR, insofar is required under Article 28 paragraph 3 sub e and 28 paragraph 3 sub f GDPR, and as specified in Appendix 4.

Costs. The Processor is entitled to charge the Controller the reasonable costs it incurs for the implementation of the measures referred to in this provision of the Privacy Conditions, insofar as these additional costs do not reasonably fall under the standard costs that the Processor incurs for the performance of its services.

4. Engagement of Sub-Processors

General authorization. The Processor shall meet the requirements set forth in Article 28 paragraph 2 and 4 GDPR in order to engage another processor (a Sub-Processor). The Controller hereby provides the Processor with its general written authorization to engage Sub-Processors. The list of Sub-Processors currently authorized by the Controller is included in Appendix 3: authorized Sub-Processors.

Change of Sub-Processors. The Processor will inform the Controller at least thirty (30) days before the processing of personal data by a new Sub-Processor on behalf of the Controller about any intended changes regarding the addition or modification of Sub-Processors. The Controller has the possibility, for the duration of fifteen (15) days after the receipt of the notification, to object in writing to the change of a Sub-Processor under the mention of “I am objecting to […]”. If the Controller objects to the proposed new Sub-Processor, the Parties will discuss a solution with each other which is deemed acceptable by both Parties. If Parties are not able to find such a solution, the Controller has the right to terminate the part of the Order Form that relates to the services that Processor cannot provide without the services of the new Sub-Processor. If the Controller has not objected to the intended change of the Sub-Processor within the objection period of fifteen (15) days, the Controller is deemed to have given written consent for the processing of personal data by the new Sub-Processor on behalf of the Controller.

Processing agreement Sub-Processor. If Processor employs a Sub-Processor for carrying out specific processing activities on behalf of the Controller, Processor will ensure that this Sub-Processor, by means of an agreement, ensures the same level of data protection as requires under these Processing Terms, insofar as relevant in the context of the services provided by the relevant Sub-Processor.

Liability. If a Sub-Processor fails to comply with its data protection obligations, the Processor will remain fully liable to the Controller with regard to the fulfilment of the obligations of the Sub-Processor. This is without prejudice to the data subject's rights under the GDPR, in particular those under Articles 79 and 82 of the GDPR.

5. Cross-border transfers

Documented instructions. Any Transfer will always take place in accordance with Chapter V of the GDPR. Transfers only take place on the basis of documented instructions of the Controller, unless otherwise mandatory based on the Applicable Law to which the Controller is subject.

Transfer mechanism. The instructions of the Controller for Transfer, including, if applicable, the transfer tool by virtue of chapter V of the GDPR on which the Transfer is based, are included in these Processing Terms (see Annex III regarding the sub-processors). If it does not concern a Third Country for which the European Commission has established that it offers an adequate level of data protection, the transfer will be legitimized based on another transfer tool, such as through the European Commission’s model contracts legitimizing transfers (C(2021) 3972). If so, an assessment will be made as to whether and – if so – how the legislation or practice of the Third Country concerned may compromise the effectiveness of the appropriate safeguards of the transfer instrument invoked. If this is the case, additional measures will be taken to ensure that the level of protection of the personal data transferred meets the requirements applicable to it under Chapter V of the GDPR.

Change in transfer mechanism. If the Controller or Processor relies on a specific legal mechanism to legitimize the transfer and such mechanism is subsequently modified, revoked or invalidated by a court of competent jurisdiction, the Parties agree to cooperate in good faith to terminate the transfer or to legitimize the transfer by alternative means.

6. Confidentiality

Obligation of confidentiality. The Processor shall only grant access to personal data processed on behalf of the Processor on a need-to-know basis to its Employees who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. Security of the processing

Adequate security measures. Parties evaluated the risks to the rights and freedoms of natural persons inherent in the processing and implement appropriate measures to mitigate those risks. Where relevant, the measures mentioned in Article 32(1) of the GDPR have been considered:

pseudonymization and encryption of personal data;
the ability to ensure the confidentiality, integrity, availability and resilience of the processing systems and services;
the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

Also taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Parties have determined that the Processor shall apply the security measures detailed in Appendix 2 In the Controller’s opinion, said security measures provide a level of security that is tailored to the risk inherent to the processing of the personal data processed by the Processor on behalf of the Controller, taking into account the factors referred to in this Article.

The Processor shall be entitled to adjust the security measures it has implemented insofar as these are measures that ensure the same or higher level of data security. The Processor shall document the adjustments in question.

8. Audit and inspection

Audits. The Controller shall implement appropriate audit controls, restrict the access to applications and systems and thus prevent their misuse or compromise.

Additional Audit. The Processor shall provide the Controller no more than once (1) per year with the opportunity to periodically audit the Processor's compliance with these Processing Terms and the provisions of Applicable Law applicable to the processing by the Processor on behalf of the Controller. This periodic audit shall be limited to the Processor answering questions from the Controller regarding the Processor's compliance with Applicable Law relating to data protection and, where necessary, the Controller being allowed to question the Processor's IT employee(s).

Additional measures. The Parties will consult with each other as soon as possible on the results of an audit. The Processor shall implement the proposed improvement measures to the extent it deems appropriate, taking into account the processing risks associated with its product or service, the state of the art, the cost of implementation, the market in which it operates and the intended use of the product or service.

9. Notification of a data breach

Notification to Controller. In the event of a data breach, the Processor shall notify the Controller immediately, no later than 24 hours, after becoming aware of it and no later than within 72 hours, in order to enable the Controller to comply with its obligation to report a data breach to the competent supervisory authority in accordance with Article 33 of the GDPR.

Notification to supervisory authority. The Processor shall assist the Controller in reporting the data breach to the competent supervisory authority, which includes assisting the Controller in obtaining the information to be included in the data breach notification form used by the competent supervisory authority or otherwise required by such authority, to the extent that the Controller is technically unable to obtain such information without the Processor's assistance.

Duty to report. It is the Controller's responsibility to assess whether a data breach must be reported to a competent supervisory authority and/or the data subject(s). It is also the Controller's responsibility to maintain a data breach register in accordance with Article 33(5) of the GDPR.

Costs. The Processor is entitled to charge the Controller the reasonable costs it incurs in carrying out the obligations referred to in this provision of the Privacy Conditions, insofar as these additional costs do not reasonably fall under the standard costs that the Processor incurs for the implementation of its services.

10. Applicability

Applicability. These Processing Terms are applicable from the moment the underlying Order Form takes effect, in particular by Customer's signing thereof.

Duration. These Processing Terms shall apply for the duration that the Processor processes personal data on behalf of the Controller in the context of the Order Form.

Termination. These Processing Terms shall cease to apply if the Processor's services to the Controller have ended, and if the Processor and/or any of its Sub-Processors - where applicable - cease to process personal data for the benefit of the Controller in the context of the Order Form and related terms and conditions. Termination of the applicability of the Processing Terms shall not affect any part of these Processing Terms that is expressly or implicitly intended to become or remain in effect upon termination, such as confidentiality obligations.

11. Deletion and return of data

Deletion. Upon termination of the Order Form, the Processor shall delete or destroy all personal data it currently retains and obtained from the Processor within sixty (60) days, such that the personal data can no longer be used and has been rendered inaccessible. Upon request by the Controller, the Processor shall return the personal data to the Controller in a machine-readable format prior to deletion.

12. Indemnification

Indemnification. The Controller shall indemnify the Processor against claims by third parties based on damages they suffer due to the Controller’s failure to comply with the GDPR or other laws or regulations. The indemnification shall apply not only to the damages that third parties may have suffered (both material and immaterial), but also to the costs incurred by the Processor in connection therewith, for example in any legal proceedings, and to the costs of any fines imposed on the Processor as a result of the Controller’s acts or omissions.

Conditionality. It shall be a condition of indemnification that the Party to be indemnified (i) promptly notifies the other Party of any claim, and (ii) provides the other Party with reasonable cooperation and assistance in defending such claim.

13. Miscellaneous

Ranking. These Processing Terms take precedence over any similar provisions in other agreements between the Parties, including any terms and conditions applicable to the Order Form.

Severability. If any provision of these Processing Terms is found to be invalid, this shall not affect the validity of the remaining provisions of these Processing Terms. The parties will then consult to jointly draft a new provision to replace the invalidated provision. This replacement provision shall be in the spirit of the invalidated provision to the extent possible.

Applicable law and jurisdiction. These Processing Terms are governed by Dutch law. Any dispute arising out of or relating to these Processing Terms, whether in tort, contract or otherwise, shall be brought exclusively before the competent court in Amsterdam, the Netherlands.

Appendix 1: Details of the Processing

I.1. The purpose(s) of the processing by the Processor on behalf of the Controller is/are:

Controller has an interest in knowing what is going on amongst its employees. This stems from the desire to improve the quality of organizational management and the ‘working climate’ for the employees of the Controller (‘to promote good employment practices’).

I.2. The processing by the Processor on behalf of the Controller is mainly focused on (nature of the processing):

Measuring the quality of organizational management and the ‘work climate’ among all employees in the countries where the Controller has offices.

I.3. The processing includes the following types of personal data of the data subject:

Name (first name, surname), e-mail address, position in the reporting structure (mostly in line with the position in the organizational structure), sex, age category, length of employment category, type of employment category, hierarchical position category, main motivator for work category.

I.4. The processing concerns the following categories of data subjects:

Employees.

I.5. The data processing by the Processor on behalf of the Controller may be carried out when the underlying Order Form is signed, and the Processing Terms have become applicable. The processing has the following duration:

Personal data will be stored for up to one year, after which the personal data will be automatically deleted by the Processor. At the request of the Controller, personal data will be deleted earlier in the interim.

I.6. Competent supervisory authority

The Autoriteit Persoonsgegevens (Dutch DPA) is the competent supervisory authority.

Appendix 2: Security

GPTW has implemented technical and organizational measures to protect its products and services, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons. GPTW has implemented, among others, the following measures.

Information security certifications:

GPTW considers it important to demonstrably comply with international information security requirements. GPTW is certified in accordance with NEN-ISO/IEC 27001:2013. The certificate can be accessed here.

Technical measures:

GPTW has, among others, implemented the following technical measures:

GTPW uses secure messaging. Outgoing messages are sent encrypted to ensure the security and confidentiality of the content of the message.
Within the survey tool and reporting tool, personal data are stored in a separate dataset. This dataset is deleted within 1 year from the time the personal data is processed.
Backups of our database(s) take place continuously.
All data in transit, between components of our applications, are encrypted.
All data is stored encrypted in our databases.
Administrators only have access to the applications and systems through a secure network.
Personal data we receive during the login process is encrypted and sent over secure connections.
Users of our platform use Multi-Factor Authentication.
We have implemented a procedure to delete personal data if requested by users.

Organizational measures:

GPTW has implemented the following organizational measures:

Individuals employed by GPTW participate annually in privacy and security awareness training.
GPTW has appointed a Security Officer who is responsible within the organization for information security.
GPTW has established processes for periodically testing the implemented technical and organizational measures. In addition, an annual audit is conducted by an independent auditor.
Employees of GPTW have been assigned roles. Based on the assigned roles, rights (e.g., access rights) in the GPTW systems are assigned. Roles and assigned rights are documented and reviewed periodically.
Employees are bound by confidentiality. This is included in the employment contract between GPTW and the respective employee.
GPTW has established an information security policy and a document with the most important information security processes (Redbook).
All information security incidents are recorded and handled by the Security Officer of GPTW.

Privacy by design and by default:

GPTW has performed a general risk analysis on the processing of personal data in its survey tool. GPTW reviews this risk analysis periodically and, in any case, in the event of changes with potential impact on the risks of processing.

Appendix 3: Authorized Sub-Processors

Authorized Sub-Processors

Upon commencement of the Processing Terms, the Controller authorizes the Processor to engage the following Sub-Processors listed in the schedule below for data processing.

Full legal name	Number chamber of commerce	Address	Description data processing
Metricality AB	Org No: 559243-1844	Löjtnantsgatan 8 A lgh 1301, 211 50 Malmö, Sweden Email: info@metricality.Io VAT: SE559243184401	Metricality AB owns the Waves platform. As a platform, Waves offers the functionality to conduct surveys and analyze the responses. The survey invitation is conducted via the (business) email addresses of the Customer's employees. In addition, Metricality AB processes personal data, in the form of e-mail addresses, to provide access to the platform. Metricality AB itself has access to the systems for support, troubleshooting and maintenance.
Zivver B.V.	KvK: 64894665	Koningin Wilhelminaplein 30, 1062 KR Amsterdam, Nederland	Zivver provides software to securely share data between the Controller and the Processor
Microsoft Ireland Operations Limited	Reg. No: 256796	70 Sir John Rogerson's Quay, Dublin 2, Dublin, D02R296	Controller uses Microsoft OneDrive for the storage of files.
Great Place To Work Institute Inc. (GPTW Inc.)	TIN: 91-1917672	1999 Harrison Street, Suite 2070 Oakland, CA 94612	GPTW Inc. owns the Emprising platform. As a platform, Emprising offers the functionality to conduct surveys and analyze the responses. The survey invitation can be conducted via the (business) email addresses of the Customer's employees. In addition, GPTW Inc. processes personal data, in the form of e-mail addresses, to provide access to the platform. GPTW Inc. itself has access to the systems for support, troubleshooting and maintenance. GPTW Inc. is SOC2 certified.

Appendix 4: Assistance

Data subject rights. Taking into account the nature of the processing, the Processor shall assist the Controller with appropriate technical and organizational measures, to the extent possible, in fulfilling the Controller’s obligations to respond to requests to exercise the data subject rights set forth in Chapter III of the GDPR. This implies that the Processor shall:

forward requests received from data subjects in connection with its processing of personal data on behalf of the Controller (automatically) without undue delay, insofar as the Controller does not already have access to such a request;
will provide the Controller, upon its request, without undue delay, with information about the processing taking place that is necessary to satisfy a data subject's request, to the extent that the Controller is not technically capable of obtaining such information without the Processor's assistance;
rectify, erase or restrict certain personal data in order to satisfy a request of the data subject, to the extent that the Controller is technically unable to perform this operation without the assistance of the Processor.

The Processor shall, taking into account the nature of the processing and the information available to the Processor, assist the Controller in complying with its following obligations under the GDPR:

Data Security. The obligation of the Controller under Article 32 of the GDPR, as specified in these Processing Terms.
Data Breach Notification. The obligation of the Controller as described in Articles 33 and 34 of the GDPR. The obligations of the Processor in this respect are specified in Article 9 of the Processing Terms.
Data Protection Impact Assessment. The obligation of the Controller to conduct a personal data protection impact assessment in respect of proposed data processing operations: data protection impact assessments (‘DPIAs’). This implies that the Processor will provide answers upon the Controller’s request to questions raised in relation to DPIAs carried out by the Processor for data processing operations carried out by the Processor on behalf of the Controller, to the extent that the Controller is unable to formulate these answers without additional input from the Processor.
Prior consultation. The obligation of the Controller to consult the competent supervisory authority prior to a data processing operation when a DPIA indicates that the processing results in a high risk in the absence of measures taken to adequately mitigate the relevant privacy risks. For the sake of clarity, a prior consultation will only take place if the Controller deems it necessary. In such case, the Processor shall provide information about its processing of personal data on behalf of the Controller as requested by the competent supervisory authority under Applicable Law in the context of the prior consultation, to the extent that the Controller is unable to provide such information without additional input from the Processor.