Data Processing Agreement with System One

GDPR requires you to have a Data Processing Agreement with System One to govern how we process your data. 



1. The privately held company Van Engelenburg Impresariaat, located at Ostadestraat 1-3 zwart, 2023 XA Haarlem, Nederland, hereby legally represented by Henrike van Engelenburg, hereinafter referred to as: "The Controller" and

2. The privately held company System One SaaS GmbH, with registered place of business at (10245) Berlin at Helmerdingstrasse 4, hereby legally represented by Bartho Valk, hereinafter referred to as: "The Processor" Jointly hereinafter also referred to as "Parties,"

Consider the following:

A. The processor shall make available IT services, and process personal data for The Controller within that framework; B. Responsible for the processing of personal data as the Controller in the sense of Article 4 salutation and under 7 of the General Data Protection Regulation to be considered; C. The processor is in respect of the storage and processing of the personal data as The Controller in the sense of article 4 preamble and under 8 AVG; D. The Parties also wish – with regard to the provisions of Article 28, third paragraph of the General Data Protection Regulation - to establish in this agreement specific conditions that apply to their relationship in connection with the processing of personal data for the Controller. And have agrees as follows:

Article 1. Definitions

1. In this Agreement, the following terms with capitalized terms have the following meanings:

AVG: the General Data Protection Regulation; Data breach: a breach of the security of Personal Data that inadvertently or unlawfully leads to the destruction, loss, modification or unauthorized disclosure of or unauthorized access to transmitted, stored or otherwise processed data Agreement: the agreement concluded between the Controller and the Processor, under which the Processor will Process Responsible Personal Data; Personal data: all data that can be traced directly or indirectly to a natural person as referred to in Article 4 preamble and under 1 AVG; Processing: the processing of Personal Data as referred to in Article 4 preamble and under 2 AVG; Processor Agreement: the present agreement which forms part of the Agreement;

Processing: the processing of Personal Data by Processor for the Controller based on the Agreement;

2. The provisions of the Agreement apply in full to the Data Processor Agreement. With regard to the processing of Personal Data, the provisions of this Processor Agreement always apply.

Article 2. Data Controller and Data Processor of Personal Data

1. Processor shall process on behalf of the Controller Personal Data in the execution of the Agreement. The provisions of this Processing Agreement shall apply to this Processing. 2. The processing shall take place for the following purposes and concerns the following categories of personal data:

Purposes: To support the Controller in all his artist booking needs; Categories of personal data: a. All personal data entered by the Controller into the Processor’s artist booking agency software tool, including names of artists, venues, bookings, contact information, and any other personal data submitted by the the Controller

3. The Processor shall only process the Personal Data for the activities mentioned in this Processor Agreement or the Agreement. The Processor shall not make use of the Personal Data in any other way unless the Controller has given explicit and written permission otherwise, or a statutory provision obliges the Processor to do so. In that case, the Processor shall inform the Controller, before the Processing takes place, of the statutory provision, unless not permitted by this legislation.

Article 3. General duty of care Processor

1. The processor must ensure compliance with this Processor Agreement and the statutory rules (such as the AVG) that apply to the Processor. If the Controller so requests, the Processor will inform the Controller of the actions and measures taken by the Processor within the framework of this general duty of care of the Processor.

Article 4. Technical and organizational measures

1. The Processor shall take appropriate technical and organizational measures to secure Personal Data against loss or unlawful Processing. The processor must ensure that the security level sufficiently addresses the risks. These measures will take into account the current state of and the costs of the security measures. 2. The processor shall in any case take measures to protect Personal Data against destruction, against accidental and intentional loss, forgery, unauthorized distribution or access, or against any other form of unlawful Processing. 3. The processor will assist the Responsible in fulfilling the security obligations that rest on the Controller himself. 4. The technical and organizational measures that Processor takes to secure the Personal Data are described on our website.

Article 5. Confidentiality

1. The Processor shall have all employees sign a confidentiality agreement who are involved in the execution of the Agreement - whether or not resulting from or included in the employment contract with those employees - which in any case states that these employees must observe confidentiality with regard to the Personal Data. The Processor shall take all necessary measures, such as screening of employees and security of data carriers, to ensure that confidentiality is maintained.

Article 6. Data processing outside the European Economic Area (EEA)

1. The Processor shall not process the Personal Data outside the EEA.

Article 7. Sub-processors

1. The Processor will use sub-processors as permitted within the framework of this Processor Agreement and the Agreement. The Controller grants permission to the Processor to engage the following parties as subprocessor:

Name Type Region

Microsoft Azure Cloud Service Provider West Europe / Germany

2. The processor shall obligate each sub-processor to substantially fulfill the same confidentiality obligations, notification obligations and security measures in relation to the Processing of Personal Data, as the obligations and measures contained in this Processor Agreement.

Article 8. Liability

1. The liability of Processor towards the Controller is regulated in the Agreement.

Article 9. Infringement in connection with Personal Data (Data breach)

1. If the Contractor becomes aware of a Data breach, it will (i) inform the Controller thereof without unreasonable delay after the Contractor has become aware of the existence of the Data breach and (ii) take all reasonable measures to (further) to prevent and / or limit the breach. When taking the aforementioned measures, the Processor will, wherever possible, refrain from taking measures that are irreversible and / or seriously impede an investigation into the causes of the Data breach. 2. The Processor will cooperate with the Controller and support the Controller in the performance of its legal obligations with respect to the identified incident. 3. The Processor will support the Controller with the reporting obligation to report to the competent data protection authority ("DPA") and / or the person concerned, as referred to in Article 33 paragraph 3 and 34 paragraph 1 AVG. Processor will refrain from independently performing a report of an infringement in connection with Personal Data with the DPA and / or the concerned.

Article 10. Assistance to Controller

1. Under the AVG, the person concerned has a number of rights, including the right of access (Article 15 of the AVG), rectification (Article 16 of the AVG), data change (Article 17 of the AVG), restriction (Article 18 of the AVG), transferability (Art. 20 AVG) and the right of objection (Articles 21 and 22 AVG). The controller must answer requests for the exercise of those rights and the Controller will support the Controller in so far as reasonably possible. For example, if the complaint is submitted to the Processor, the Processor will forward a complaint or request from a data subject as quickly as possible to the Controller. 2. The processor shall support the Controller, as far as reasonably possible, in fulfilling its duty under the GDPR to carry out a data protection impact assessment (articles 35 and 36 AVG). The processor shall provide the controller with all information necessary to demonstrate that the processor complies with its obligations under the AVG. In addition, at the request of the Controller, the Processor will make and contribute to audits, including inspections, by the Controller or a party authorized by the Controller. The controller will inform the Processor in time that, and when, he will make use of this audit right. The number of audits is limited to a maximum of one per year. 3. The processor may charge its reasonable costs for the assistance referred to in this article to the Controller.

Article 11. Termination & Miscellaneous

1. With regard to the termination of this Processor Agreement, the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, the Processor will delete all Personal Data at the first request of the Controller or return them to him, and delete existing copies, unless the Processor is legally obliged to store the Personal Data. 2. The Controller will be responsible to adequately inform about (legal) retention periods that apply to the Processing of Personal Data for Processors. Processor will not Process the Personal Data for longer than according to these retention periods. 3. The obligations arising from this Processor Agreement which by their nature are intended to survive termination shall also remain in force after termination of this Processor Agreement.

Validly agreed and digitally signed by Henrike van Engelenburg on di, 22 mei 2018 10:04