GENERAL DATA PROCESSING AGREEMENT PRIPOST B.V.

1. Parties

  1. PriPost B.V. - Registered office at Laan van Waalhaven 139a, 2497GK The Hague, registered with the Chamber of Commerce under number 65007956. Hereinafter referred to as: "Processor".
  2. Customer - The natural or legal person who enters into an agreement with the Processor for (among other things) mail processing and makes use of the scanning service for this purpose. Hereinafter referred to as: "Controller".
  3. The Controller and Processor are hereinafter collectively referred to as the "Parties".

2. Definitions

  1. GDPR: The General Data Protection Regulation (EU) 2016/679.
  2. Personal data: Any data that can be traced, directly or indirectly, to an identified or identifiable natural person and that may be in the Customer's mail when it is scanned.
  3. Processing: Any operation or set of operations which is performed on personal data, such as storage, transmission, making available, etc.
  4. Data Breach / Security Incident: A breach of security that (potentially) leads to the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, forwarded, stored or otherwise processed personal data.
  5. Where this agreement refers to definitions from the GDPR, those terms have the same meaning as in Article 4 of the GDPR.

3. Purpose and scope

  1. This Data Processing Agreement only applies when the Controller makes use of the Processor's scanning service.
  2. The Controller, in its capacity as controller, holds personal data. The Processor processes these personal data only on behalf of the Controller, by scanning (digitizing) and, if necessary, forwarding mail items that may contain personal data.

4. Roles and responsibilities

  1. Controller:
    • determines the purposes and means of the processing of personal data in the postal service;
    • is and remains ultimately responsible for the lawfulness of the processing and compliance with the GDPR;
    • only instructs the Processor to scan personal data and make it available via the agreed systems.
  2. Processor:
    • only carries out processing on behalf of and under the responsibility of the Controller, as stipulated in this Agreement and the underlying Service-Specific Agreement;
    • has no independent control over the purpose and means of the processing.

5. Obligations of the processor

The Processor guarantees the following obligations in accordance with Article 28 GDPR:

5.1 Confidentiality

  1. The Processor and its affiliated employees (and any sub-processors) shall treat the personal data of which they become aware confidentially.
  2. This duty of confidentiality will also continue to apply after termination of this Data Processing Agreement.

5.2 Appropriate security measures

  1. The Processor shall take appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  2. Technical measures include, for example, firewalls, virus scanners, strong passwords and (where relevant) encryption according to the ISO 27001 and ISO 27701 standards. Organizational measures include access restrictions, screening of staff and closure of areas where data is processed.
  3. The security measures are at least in accordance with the requirements of Article 32 of the GDPR and appropriate to the nature of the data processed (this may vary per postal item).

5.3 Processing within the EU/EEA

  1. The Processor will not allow the processing of personal data to take place outside the European Economic Area (EEA), unless otherwise agreed in writing with the Controller or a legal obligation requires this.
  2. For any transfer outside the EEA, the Processor will first request permission from the Controller and arrange any additional safeguards (such as standard contractual clauses (SCCs)).

5.4 No Further Processing

  1. The Processor shall only process the personal data in accordance with the instructions of the Controller. Use for other purposes (e.g. own marketing) is not permitted.

5.5 Assistance in the fulfilment of obligations

  1. To the extent reasonably possible, the Processor will assist the Controller in complying with obligations under the GDPR, such as handling requests from data subjects or conducting data protection impact assessments (DPIA).

5.6 Provision of information and audit

  1. Providing information
    The Processor shall, upon first request and to the extent reasonably necessary, provide the Controller with all information necessary to demonstrate compliance with the obligations under this Data Processing Agreement and the GDPR.
  2. Compliance support
    If the Controller has well-founded reasons to do so (e.g. periodic check or suspicion of irregularities), the Processor will cooperate with audits or inspections, including (where appropriate) the provision of technical documentation or reports.
  3. Audit conditions
    • The Controller shall announce an intended audit or inspection in writing at least 30 working days in advance, with a clear description of the scope and purpose, so that the Processor can prepare and the continuity of the service is not unnecessarily compromised.
    • Audits will not affect the confidentiality of other customers or the security of systems that also contain third-party data. The Controller agrees that the audit may be carried out by an independent third party, under confidentiality, in order to protect the privacy of other customers.
    • The costs of an audit, including man-hours of the Processor, shall be borne by the Controller, unless it is established that the Processor is acting in violation of this Data Processing Agreement or the GDPR, in which case the Processor shall bear the reasonable audit costs.
  4. Outcomes and improvements
    The Processor shall inform the Controller of relevant findings from an audit or inspection and, if applicable, propose or implement improvement measures to continue to ensure compliance with this Data Processing Agreement and the GDPR.

6. Sub-processors

6.1 No Engagement Without Consent

  1. The Processor shall not engage any additional third parties (sub-processors) for the actual processing of personal data without the (specific or general) consent of the Controller.
  2. If the Processor has a general permission from the Controller, the Processor shall inform the Controller at least 14 days before the addition or replacement of a sub-processor, so that the Controller can object to this. If the Controller does not object within this period, the Controller will be deemed to have agreed to the new sub-processor.

6.2 Current Sub-processor for Scanning

  1. The Controller acknowledges and agrees that the Processor already engages a sub-processor for the scanning and digitization of mail items. This sub-processor is bound by the same (privacy) obligations as included in this Data Processing Agreement, so that it also complies with the GDPR.
  2. The Controller may request information from the Processor about the identity and location of this sub-processor, as well as the way in which appropriate safeguards are ensured.

6.3 Agreements with sub-processors

  1. If the Processor engages a sub-processor, the Processor will conclude a written agreement with that sub-processor, which includes at least the same (privacy) obligations as in this Data Processing Agreement, so that the sub-processor complies with the GDPR.
  2. The Processor remains the primary point of contact for the Controller at all times and retains (contractual) responsibility for the processing by the sub-processor.

7. Data Breaches (Security Incidents)

7.1 Obligation to report

  1. In the event of an established or suspected security incident (possible data breach) that relates to the personal data processed by the Processor, the Processor will report this to the Controller without undue delay.
  2. The Processor shall provide as much relevant information as possible, so that the Controller can comply with its own obligation to report to the supervisory authority (and, where applicable, to data subjects).

7.2 Support

  1. The Processor will support the Controller in any investigations or measures that need to be taken as a result of the data breach (such as forensic investigations, remedial measures).

8. Data Subject Requests

8.1 Handling by the Controller

  1. If the Processor receives a request (e.g. access, rectification, erasure) directly from a data subject, the Processor will forward this request to the Controller without unreasonable delay.
  2. The Controller is responsible for the further processing of these requests.

8.2 Cooperation

  1. The Processor shall, to the extent reasonably possible, cooperate to enable the Controller to fulfil its obligations (Articles 12–22 GDPR).

9. Term and Termination

9.1 Duration

  1. This Data Processing Agreement enters into force upon the commencement of the main agreement (Customer ↔ Processor) and remains valid as long as the Processor processes personal data in the context of the scan service.

9.2 Termination

  1. End of main agreement
    As soon as the main agreement ends and the Controller no longer uses the scanning service, the Processor will handle the relevant personal data (such as mail items and scans) in accordance with the Processor's internal procedures.
  2. Retention period upon termination
    • If the Controller does not have an active digital archive with the Processor, all scans will be deleted or destroyed within four (4) weeks after termination of the scanning service at the latest, unless a statutory retention obligation applies or the Controller instructs the transfer in writing.
    • If the Controller does have a digital archive at the Processor, the Processor will keep the scans for a maximum of three (3) months from the date of termination. Thereafter, the personal data will be deleted or destroyed, unless there is a legal basis for further storage or the Controller expressly orders the transfer.
  3. Exceptions and legal retention
    If the Controller and Processor are obliged by law (e.g. tax or administrative) to retain certain data for a longer period of time, the Processor may – after consultation with the Controller – continue to retain the data for that specific (legal) period.
  4. Transfer request
    The Controller may request the transfer of the scans in a digital file or other agreed form within the period referred to in paragraph 2. The Processor will cooperate with this – to the extent reasonably possible. Costs associated with this may be charged to the Controller, unless otherwise agreed.
  5. Guarantee of removal
    After the periods referred to in this article, the Processor will ensure that the personal data (scans) are completely deleted or destroyed, so that they are no longer accessible or recoverable. The Processor can provide a confirmation of destruction upon request.

10. Liability

  1. The liability provisions of the main agreement or of the Processor's general terms and conditions apply, insofar as they do not conflict with this Data Processing Agreement and the GDPR.
  2. The Controller remains ultimately responsible for the personal data and the assessment of whether processing is lawful.

11. Miscellaneous

  1. Any changes to this Agreement must be in writing (including electronic form) and accepted by both Parties (e.g., via electronic acceptance mechanisms).
  2. The Parties make joint efforts to comply with the GDPR and other applicable privacy legislation.
  3. This Data Processing Agreement is governed by Dutch law. Disputes will be submitted to the competent court in The Hague, unless the Parties agree otherwise.
  4. In the event of any contradictions or differences between the Dutch version of this Agreement and its translations into other languages, the Dutch version shall prevail.

End GENERAL DATA PROCESSING AGREEMENT PRIPOST B.V.

Version: 2.0

Date: 18-01-2025