Processor Agreement

Regarding arrangements concerning the legitimate processing of personal data

Version: 2018


  1. The private limited liability company Payt B.V., subsequently called ‘Processor’; and
  2. Client, in the following referred to as ‘Data Controller’;

In the following jointly referred to as ‘Parties’ and individually as ‘Party’.

Considering that:

  • Processor has developed an on-line platform for debtor control and collection services;

  • Data Controller makes use of or wants to make use of the services of Processor;

  • This usage entails that Processor processes or will process Personal Data by order of Data Controller;

  • Data Controller and Processor wish to establish their mutual rights, obligations, and arrangements regarding the Processing of Personal Data in the context of these service in this Processor Agreement.

  • The following Appendices are an integral part of this Processor Agreement:

    • APPENDIX 1: Personal Data; purpose, manner, and means of processing; retention periods.
    • APPENDIX 2: Security measures.
  • If any provision from an Appendix is incompatible with or in breach of a provision from the Processor Agreement, what is stipulated in the Appendix prevails.

Article 1: Definitions

In this Processor Agreement, the following terms, always indicated with a capital letter, both in the singular and in the plural, have the following meaning:

1.1 Data Subject: the natural person whom personal data are in regard to, or his representative.

1.2 Processor: the entity which processes Personal Data for the benefit of the Data Controller, without being subject to the latter’s direct authority. In this Processor Agreement, it is Payt B.V.

1.3 Appendix: a part of the Processor Agreement in which more explanations and information are given regarding a specific part or components of the services.

1.4 Personal Data: any data regarding an identified or identifiable natural person.

1.5 Data Controller: the natural person, legal person or any other entity which, or the governing body which, alone or jointly with others, establishes the purpose of and the means for the Processing of Personal Data. In this Processor Agreement it is the Client.

1.6 Processing: any action or whole set of actions regarding Personal Data, including in any case the collecting, ordering, storing, updating, modification, requesting, perusing, using, provision by way of forwarding, distribution or any other manner of rendering available, aggregating, linking, as well as the shielding, deleting, or destroying of Personal Data.

Article 2: Duration and termination

2.1 This Processor Agreement is concluded after its signing by Parties on the date of its most recent undersigning.

2.2 This Processor Agreement is in effect for as long as Processor processes Personal Data for the benefit of Data Controller and cannot be prematurely cancelled.

2.3 Processor provides all Personal Data upon the first request to Data Controller, though no later than within ten business days after the end of this Processor Agreement.

2.4 As soon as this Processor Agreement has ended, Processor will remove and/or destroy all Personal Data and any possible copy thereof present with them.

Processor can deviate from what is stipulated in both of the preceding sections, to the extent regarding Personal Data a statutory retention period were to apply or to the extent, it is necessary to prove compliance with his undertakings towards Data Controller.

Article 3: Object

3.1 Processor will process Personal Data for the benefit of Data Controller. Data Controller provides Personal Data to Processor in that connection.

3.2 Data Controller has established the purposes for the Processing of Personal Data and informed Processor of these processing purposes.

3.3 Processor will not process the Personal Data for any other purpose than for the processing purposes as described in APPENDIX 1.

3.4 The Personal Data to be processed by Processor by order of Data Controller, regardless of how they were obtained, remain the property of Data Controller and/or the Data Subject in question.

3.5 Data Controller guarantees towards Processor that the content, the use and/or the processing of the Personal Data is not illegitimate and does not violate any rights of a Third Party, that these Personal Data are collected and shared legitimately and safeguards Processor against any legal claim by a Third Party, on any account whatsoever, in connection with the processing of these Personal Data, unless Data Controller proves that the facts on which the claim is based are attributable to Processor.

Article 4: Implementation processing

4.1 Processor is only responsible for the processing of Personal Data which he processes in the context of the proposed services, under the conditions mentioned in this Processor Agreement. For the other Processing of Personal Data, including the collection of Personal Data by Data Controller and/or third parties, Processor is emphatically not responsible.

4.2 Processor will not, unless he has obtained the emphatic prior written permission of Data Controller for this and the legal requirements are met, process Personal Data in countries outside the European Economic Area (‘EEA’) that do not offer an adequate level of protection. The transmission of Personal Data to countries outside the EEA which do not have an appropriate level of security is not permitted.

4.3 Processor will store and process the Personal Data regarding Data Controller separately from the Personal Data he processes for himself or on behalf of third parties.

4.4 Processor will process the Personal Data in a proper and diligent manner and in accordance with the obligations he is subject to as a Processor pursuant to privacy legislation, such as the General Data Protection Regulation.

4.5 Data Controller provides Processor with the data which are required for the implementation of the tasks. Data Controller only provides the (Personal) Data which are necessary for the implementation of the tasks of Processor and which may be provided for that purpose by Data Controller.

Article 5: Security Personal Data

5.1 Parties establish that Processor will take appropriate technical and organizational security measures which, considering the state of the art and the associated costs, are in line with the nature of the Personal Data to be processed, to protect the Personal Data against loss, illegitimate cognisance, corruption, or illegitimate processing, as well as to assure the (timely) availability of the Personal Data.

5.2 Parties acknowledge that security requirements are constantly changing and that an effective, frequent evaluation and regular improvement of obsolete security measures is necessary. For that reason, Processor will constantly evaluate the security measures for the protection of Personal Data and if necessary tighten them, supplement or improve them, to remain compliant with his obligations.

5.3 In addition to what is stipulated in this article, Processor takes the security measures as further specified in Appendix 2.

5.4 Processor does not guarantee that the security is effective under all circumstances.

Article 6: Control

6.1 Data Controller has the right to (let) carry out a (penetration) test once a year to control the arrangements under this Processor Agreement. Data Controller can do this himself or have it done by an independent registered accountant, registered information technician or another auditor certified for this.

6.2 Processor saves the supporting data required for the (penetration) tests of this article, such as system logs.

6.3 The persons carrying out the test will comply with the security procedures as they apply at Processor.

6.4 Processor commits himself to give his assistance as well as to timely provide all information reasonably relevant for the test.

6.5 The costs of a test are borne by Data Controller, unless it is established otherwise in writing.

6.6 Data Controller will announce an intended test in writing, after which Processor makes sure that this test can commence within a reasonable term.

Article 7: Reporting duty data leaks & monitoring

7.1 In case of a breach in connection with personal data within the sphere of influence of Processor, Processor will inform Data Controller accordingly immediately after detection.

7.2 The reporting duty comprises in any case the reporting of the fact that a leak or incident has occurred, as well as the (supposed) cause of the leak or the incident, the presently known and/or expected consequence and the (proposed) solution.

7.3 Data Controller will, if in its opinion necessary, inform Data Subjects and other third parties, including the monitoring authority ‘Autoriteit Persoonsgegevens’ regarding a data leak or other incidents. It is not permitted to Processor to provide information directly regarding a data leak or other incidents to Data Subjects or other third parties, barring to the extent Processor is legally obliged to do so or has obtained permission from the Data Controller.

Article 8: Non-disclosure

8.1 All Personal Data which Processor receives from Data Controller and/or collects himself in the context of this processor agreement, is subject to a non-disclosure obligation towards third parties.

8.2 Processor makes sure that his staff is bound by the non-disclosure obligation stipulated in this article.

8.3 The non-disclosure obligation is not applicable to the extent Data Controller has given express permission to provide the information to third parties, if the provision of the information to third parties is logically necessary considering the nature of the granted assignment and the implementation of this Processor Agreement, or if there is a legal obligation to furnish the information to a third party. In case of the provision of information to third parties pursuant to a legal obligation, Processor will accordingly inform Data Controller as soon as possible and in any case prior to such provision.

Article 9: Rights of Data Subjects

9.1 Processor provides full assistance to Data Controller, so as, following approval and by order of Data Controller, to:

a) Grant Data Subjects access to the Personal Data regarding them in a structured, current, and machine-readable form;

b) limit the processing of Personal Data to their storage or to the processing for which Data Subject has granted permission, until Controller decides that the limitation to the processing must be lifted;

c) remove or correct Personal Data of Data Subjects;

d) demonstrate that Personal Data has been removed or corrected if it is incorrect (or, in case Data Controller does not agree that Personal Data is incorrect, to establish the fact that the Data Subject considers his/her Personal Data as incorrect).

9.2 Processor will furthermore upon first request of Data Controller as soon as possible though no later than within five business days after a request to that effect has been made, proceed with:

a) The provision in writing of all necessary information which Data Controller may require;

b) The improvement, supplementing, removal, or shielding of Personal Data.

9.3 As far as possible, Processor provides full assistance to Data Controller to help them comply with the obligations they are subject to pursuant to the applicable legislation in the field of the processing of Personal Data.

Article 10: Deployment and sharing of personal data with sub-processor

10.1 Processor has the right to deploy third parties upon the Processing of the Personal Data if:

a) Processor has announced such in advance in writing; or

b) Processor has obtained permission for this from Data Controller; or

c) If the deployment of third parties is logically required considering the nature of the assignment and/or the implementation of this Processor Agreement.

10.2 Processor makes sure that the relevant third party(/-ies) take upon themselves at least the same obligations as Processor is subject to pursuant to this Processor Agreement.

10.3 For the correct implementation of the services, Processor deploys third parties and Processor shares the personal data collected by order of Data Controller in any case with (though not exclusively with) the partners as specified in APPENDIX 1.

10.4 In case the third party which Processor wishes to deploy is established outside the EEA, Processor assures, without prejudice to the preceding, that this third party guarantees an appropriate level of protection and security of Personal Data in the sense of General Data Protection Regulation.

10.5 Processor is responsible towards Data Controller for the third party(/-ies) deployed by him.

10.6 In case Data Controller requests Processor to share Personal Data with a third party which does not already appear on the list with names of parties with which Processor shares data as intended in APPENDIX 1, then what is stipulated in this article is not applicable and Data Controller is fully liable for any possible damage which either directly or indirectly results.

10.7 Processor can also provide Personal Data to third parties if Processor on grounds of a request or a competently issued order of a government body or judicial authority, or in connection with a legal obligation, must provide the data to a third party.

Article 11: Final provisions

11.1 Modifications to this Processor Agreement are only effective if they have been established between Parties in writing.

11.2 This Processor Agreement prevails over all other agreements between Data Controller and Processor regarding the processing of Personal Data.

11.3 To this Processor Agreement Netherlands legislation is exclusively applicable.

11.4 Disputes about or in connection with this Processor Agreement are exclusively submitted to the court of law which is competent in the place of establishment of Processor.

Appendix 1: Personal Data; purpose, method and means of processing; retention periods

Processed Personal Data

Data concerning debtors of Data Controller:
a) Name, address, place of residence, phone number, email address, gender, debtor data and invoicing data.

Categories of Data Subjects
a) Debtors

The purposes, method, and means of processing

The Personal Data are processed by Processor with the purpose of:
a) obtaining payment by Data Controller of the claims submitted via Payt;
b) determining, based on current and historical data concerning collection, a score value according to which the probability of recoverability can be established;
c) contributing to the prevention of excessive credit, as well as other problematic debt situations, being incurred by the data subjects;
d) enabling the implementation of the services as agreed between Data Controller and Processor.
These Personal Data are processed and stored in the relevant software systems of Processor.

For the correct implementation of the services, Processor engages third parties and shares the Personal Data collected by order of Data Controller with:

● Parties that provide hosting and maintenance of the website, parties of whom we use cookies, plug-ins, applications and/or other software on the website, post Processors, bailiffs, suppliers of e-mail-,SMS- and telephonic forwarding services, and banks or other financial institutions with which Payt collaborates in the context of the providing financing to its clients.

A current list with the names of parties with which Payt shares data, as well as an interpretation of the data and the purpose of sharing those data can be requested through

Appendix 2: Security measures

Processor adopts, among other things, security measures, in the following fields, as stated in its information security policy. Payt holds an ISO 27001 certification for its information security policy.

a) Safe staff;
b) Control of company resources;
c) Access security;
d) Cryptography;
e) Physical security;
f) Security of operations;
g) Communications security;
h) Acquisition etc. of systems;
i) Supplier relations;
j) Administration of information security incidents;
k) Aspects of operational continuity administration;
l) Compliance.

Please contact us if you wish to receive, confidentially, any information concerning the security policy and the statement of applicability.


KvK: 08155915
BTW: NL817576320B01

HeadquartersUbbo Emmiussingel 21
9711 BB Groningen
The Netherlands