All references to ”Personal Data”, “Processing”, “Data Subject”, “Sub-processor”, “Personal Data Breach”, “Supervisory Authority” and any other capitalized terms not defined herein shall have the same meaning in this Agreement as stated in article 4 of the GDPR.

• App: TmpChannel app (with Slack app id A03A01J7PG8).
• GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
• SCC: Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
• Website: tmpchannel.com

Both the Controller and the Processor shall each comply with their respective obligations under all applicable regulations, legal requirements and laws relating to the storage, use, security, collection, transfer, disposal, disclosure and other processing of Personal Data (“Privacy Laws”). The Processor will comply with the obligations under the GDPR and any subordinate legislation and regulation implementing the GDPR and/or SCC which may apply (collectively, with Privacy Laws, the “Data Protection Requirements”).

The Controller hereby instructs the Processor to Process the Personal Data only in accordance with the Data Protection Requirements and the instructions given herein, in order to a) fulfill contractual obligations regarding the provision of the service, b) fulfill all legal obligations and c) as further instructed by the Controller in its use of the App.

Categories of Data Subjects

Individuals who use the App, individuals that are mentioned within a message that is scheduled within the App and recipients of messages that are scheduled within the App.

Categories of personal data processed

first and last name, title, contact information (e-mail address, telephone number, company and other metadata that is shared with the App when the Controller grants the App access to the Controllers Slack Workspace or individual Slack user account. E-mail address is only processed when a Data Subject signs in using Slack on the Website.

Duration of processing

The Personal data may be Processed as long as it is necessary to fulfill the purpose of the Process and the legal obligations.

Storage of personal data

The Processor is located in The Netherlands (EU) and may store and Process Personal Data in EU/EEA or anywhere the Processor or its Sub-processors maintains facilities, provided that the storage takes place in accordance with the GDPR.

The Controller is obliged to comply with its data security, personal data protection and any other obligations stated in the applicable Data Protection Requirements for the Controller with regard to the Processing of Personal Data. The Controller hereby confirms that the Controller:

• Processes Personal Data in accordance with the requirements of the Data Protection Requirements;
• has an established procedure for the exercise of the rights of the Data Subjects whose Personal Data is Processed by the Processor on behalf of the Controller;
• has the legal basis according to the applicable Data Protection Requirements to Process and disclose the Personal Data in question to the Processor, including to any Sub-processor that Processes Personal Data on behalf of the Processor;
• is solely responsible for the accuracy, integrity, content, reliability and legality of the Personal Data provided to the Processor;
• agrees that the Processor’s implementation of technical and organizational security measures is sufficient to protect the privacy and Personal Data of Data Subjects;

The PROCESSOR shall:

• at the Controller’s request correct, delete or transmit incorrect, incomplete or outdated Personal Data without undue delay.
• ensure the confidentiality, integrity and accessibility of the Personal Data, and ensures that its personnel who are authorized to Process Personal Data under this DPA have undertaken an obligation to observe confidentiality of the Personal Data.
• implement systematic, organizational and technical measures to ensure an appropriate level of security, taking into account the latest technology and implementation costs in relation to the risk involved in the Processing and the type of Personal Data to be protected.
• The Processor may not, without the prior written consent of the Controller, respond directly to requests from other Data Subjects, disclose or otherwise make the Personal Data available to third parties, unless otherwise provided by GDPR, applicable law, governmental or judicial decisions. The Processor shall, to the extent practicable and lawful, notify the Controller of requests for disclosure of Personal Data obtained from a Data Subject and requests from authorities for disclosure of Personal Data. The Processor shall notify the Controller if the Controller becomes aware of any notice, investigation or inquiry by a Supervisory Authority with respect to Personal Data, unless otherwise prohibited.

The Processor shall assist the Controller with appropriate technical and organizational measures, as far as possible taking into account the nature of the treatment and the information available to the Processor, in order for the Controller to fulfill its obligations under the GDPR regarding requests from Data Subjects, respond to the request for exercise of the Data Subject’s rights and general data protection pursuant to Articles 32-36 of the GDPR.

The Processor shall enable the Controller to comply with all legal obligations regarding information to be provided to relevant data protection authorities and Data Subjects in Personal Data Breaches.

The Processor has the right to engage Sub-processors to fulfill the obligations under the agreement between the Parties. The Controller agrees to the Sub-processors listed below. If the Processor intends to change, remove or add a Sub-processor, the Controller must be informed of this in advance and given the opportunity to object to the changes. The Controller has the right to terminate the agreement, if the Controller does not approve a certain Sub-processor or a certain type of treatment.

Approved Sub-processors:

• Google Cloud, Application platform, Database storage, United States (DPA)

The transfer of Personal Data to a Sub-processor is made at the Processor’s risk and does not entail any change in the division of responsibilities that applies between Processor and Controller. If the Sub-processor does not fulfill its obligations regarding data protection, the Processor shall be fully responsible to the Controller for the performance of the Sub-processor’s obligations.

The Processor shall enter into a legally binding data processor agreement with the Sub-processors, regarding the Sub-processors Processing of the Personal Data. Such agreement shall ensure that the Sub-processor agree to responsibilities and obligations that at least correspond to the obligations and conditions of the Processor that are set forth in this DPA.

Notwithstanding the above clause, if Personal Data is transferred by the Processor to a Sub-processor outside the EU/EEA, the Processor shall be obligated to enter into a supplementary agreement containing the SCC with the Sub-processor, before any Personal Data is transferred to such Sub-processor.

The Processor undertakes to take the technical and organizational measures required under the GDPR to ensure a level of security appropriate to the risk, in particular in relation to risks of unauthorized access, destruction or alteration of the Personal Data covered by the Processing.

The Processor undertakes not to disclose to third parties such information as the Processor has been informed of as a Processor from the Controller. The Processor shall ensure that all employees, consultants and others involved in the Processing of Personal Data are bound by confidentiality and that they are informed of how the Personal Data may be Processed in accordance with instructions from the Controller.

The Controller has the right to carry out an audit of the Processor ’s compliance with the terms of this DPA, to verify that the Processor fulfills its obligations. The Processor has the right to request that such audit shall be performed by a neutral third party working under confidentiality.

The Processor undertakes to provide all information required to prove compliance with the obligations under the DPA and to participate in any audit and to provide the assistance needed to carry out such audit.

In the case of a Personal Data Breach, which includes Personal Data Processed by the Processor on behalf of the Controller, the Processor shall immediately take appropriate measures to mitigate its potential negative effects and prevent it from being repeated. The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach. The Processor shall also assist the Controller in complying with the terms of Articles 33-34 of the GDPR.

This DPA is valid from the day the Controller approves the Terms and is valid as long as the User have granted the App access to the Controller’s Slack Workspace. When the Controller removes the App from the Controller’s Slack Workspace, the Processor shall cease the Processing of Personal Data and, in accordance with Controller’s instructions, delete or return all data containing Personal Data to the Controller and delete all existing copies within thirty (30) days, unless Processing of Personal Data is required according to applicable legislation.

The Processor may retain Personal Data after the Controller has removed the App from the Controller’s Slack Workspace to the extent required by applicable law, with the same type of technical and organizational security measures as described in this DPA.

This DPA shall be interpreted in accordance with the Dutch law. Any disputes arising out of or in connection with this agreement will be resolved by the Amsterdam District Court following proceedings in English before the Chamber for International Commercial Matters (“Netherlands Commercial Court” or “NCC District Court”), to the exclusion of the jurisdiction of any other courts. An action for interim measures, including protective measures, available under Dutch law may be brought in the NCC’s Court in Summary Proceedings (CSP) in proceedings in English. Any appeals against NCC or CSP judgments will be submitted to the Amsterdam Court of Appeal’s Chamber for International Commercial Matters (“Netherlands Commercial Court of Appeal” or “NCCA”). The NCC Rules of Procedure apply.