Processor Agreement

Concerning agreements on the legitimate processing of personal data

Version: 2022

The Parties:

  1. The private limited company Payt B.V., hereinafter called the ‘Processor’;

and

  2. Customer of Payt B.V., hereinafter called the ‘Controller’;

Hereinafter collectively called the ‘Parties’ and individually the ‘Party’. 

Whereas:

  • The Processor has developed an online platform for receivables management and debt collection services;
  • The Controller uses or wishes to make use of the Processor’s services;
  • This use entails that the Processor processes or will process Personal Data on instruction of the Controller;
  • The Controller and the Processor wish to record the mutual rights, obligations and agreements in this Processing Agreement with regard to the Processing of Personal Data in the framework of these services;
  • The following Appendices form an integral part of this Processing Agreement:
    • APPENDIX 1 Personal Data; processing purpose, method and means;
    • APPENDIX 2 Security measures;
  • If any provision of an Appendix cannot be reconciled with or is contrary to a provision from the Processing Agreement, the provision in the Appendix shall prevail.

1. Definitions

  1. In this Processing Agreement the following terms, always written with a capital letter, both in the singular and the plural, have the following meaning:

    1. Data Subject: natural person to whom personal data relate or his/her representative.
    2. Processor: the party that processes Personal Data on behalf of the Controller, without being subject to the Controller’s direct authority. In this Processing Agreement this is Payt B.V.
    3. Appendix: part of the Processing Agreement in which further explanation and information is provided about a specific component or part of the services.
    4. Personal Data: every detail concerning an identified or identifiable natural person.
    5. Controller: the natural person, legal entity or every person who, or the administrative body that, alone or together with others, determines the purposes of and the means for the Processing of Personal Data.
    6. Processing: every action or every whole of actions relating to Personal Data, including in any event the gathering, recording, organising, saving, updating, editing, accessing, viewing, using, providing by means of forwarding, distribution or any other form of availability, bringing together, connecting with each other, as well as restricting, erasing or destroying of Personal Data.

2. Duration and termination

  1. This Processing Agreement remains in effect as long as the Processor processes Personal Data on behalf of the Controller and cannot be prematurely terminated.
  2. The Processor shall place all Personal Data at the disposition of the Controller upon first request, but at latest within ten working days after the end of this Processing Agreement.
  3. As soon as this Processing Agreement has ended, the Processor shall delete and/or destroy all Personal Data in its possession as well as any copies thereof. 
  4. The Processor can deviate from the provisions of the two preceding paragraphs, insofar as with regard to Personal Data there is a statutory retention period or insofar as this is necessary to prove performance of its obligations to the Controller.

3. Subject

  1. The Processor shall process Personal Data on behalf of the Controller. In this context the Controller shall make Personal Data available to the Processor.
  2. The Controller has determined the purposes of the Processing of Personal Data and informed the Processor of these processing purposes. 
  3. The Processor shall not process the Personal Data for any other purposes than the established processing purposes set out in Appendix 1.
  4. The Personal Data, howsoever obtained, to be processed by the Processor on the Controller’s instruction, remain the property of the Controller and/or the relevant Data Subject.
  5. The Controller guarantees to the Processor that the content, the use and/or the processing of the Personal Data is not unlawful and does not infringe any right of a Third Party, that these Personal Data are lawfully gathered and shared and indemnifies the Processor against any legal claim of a Third Party, under whatever heading, in connection with the processing of these Personal Data, unless the Controller proves that the facts forming the basis of the claim are attributable to the Processor.

4. Execution of processing

  1. The Processor is only responsible for the processing of Personal Data which it processes in the framework of the offered services on the conditions laid down in this Processing Agreement. The Processor is explicitly not responsible for other Processing of Personal Data, including the gathering of Personal Data by the Controller and/or third parties. 
  2. Unless the Processor has obtained the Controller’s explicit prior written consent therefore and the statutory requirements are satisfied, the Processor shall not process any Personal Data in countries outside of the European Economic Area (‘EEA’) which do not offer a suitable level of protection. Forwarding of Personal Data to countries outside the EEA which do not have a suitable level of protection is not permitted.
  3. The Processor shall store and process the Personal Data relating to the Controller separately from the Personal Data which it processes for itself or on behalf of third parties.
  4. The Processor shall process the Personal Data in a proper and careful manner and in accordance with the obligations to which it is subject as Processor on the basis of the privacy legislation, such as the General Data Protection Regulation.
  5. The Controller shall furnish the Processor with the data that are necessary for the execution of the tasks. The Controller shall only furnish the (Personal) Data which are necessary for the execution of the Processor’s tasks and may be furnished by the Controller for that purpose.

5. Securing Personal Data

  1. The Parties agree that the Processor shall take suitable technical and organisational security measures which in view of the state of the art and the related costs, correspond with the nature of the Personal Data to be processed, in order to protect the Personal Data against loss, unauthorised access, corruption or unlawful processing, as well as to guarantee the (timely) availability of the Personal Data.
  2. The Parties acknowledge that security requirements change continually and that effective security, frequent evaluation and regular improvement of outdated security measures is required. The Processor shall therefore continually assess the security measures to keep Personal Data protected and if necessary tighten, supplement or improve them in order to continue performing its obligations.
  3. In addition to the provisions in this clause, the Processor shall take the security measures as specified in further detail in Appendix 2.
  4. The Processor does not guarantee that the security shall be effective under all circumstances.

6. Monitoring

  1. The Controller has the right to carry out a (penetration) test once a year to monitor the agreements under this Processing Agreement. The Controller can do this itself or have such done by an independent chartered accountant, chartered IT specialist or other certified auditor.
  2. The Controller shall save the supporting data such as system logs required for the (penetration) tests referred to in this clause. 
  3. The persons who execute the test shall act in accordance with the Processor’s security procedures.
  4. The Processor undertakes to cooperate and to make all information which is reasonably relevant for the test available in due time.
  5. The costs of such test shall be borne by the Controller, unless otherwise agreed in writing. 
  6. The Controller shall announce an intended test in writing, after which the Processor shall ensure that this test can start within a reasonable period of time.

7. Duty of notification of data breaches & monitoring

  1. In the case of an infringement in connection with personal data within the Processor’s control, the Processor shall immediately notify the Controller of such breach after it has been determined.
  2. The notification duty in any event encompasses the notification of the fact that there has been a breach or incident, as well as of the (alleged) cause of the breach or the incident, the consequence that is known and/or expected for the time being and the (proposed) solution.
  3. The Controller shall, if such is necessary in its opinion, notify Data Subjects and other third parties, including the Data Protection Authority (Autoriteit Persoonsgegevens) about a data breach or other incidents. The Processor is not permitted to directly provide information on a data breach or other incidents to Data Subjects or other third parties, except insofar as the Processor is legally obliged to do so or has obtained the consent of the Controller.

8. Confidentiality

  1. All Personal Data that the Processor receives from the Controller and/or gathers itself in the framework of this Processing Agreement are subject to a duty of confidentiality with regard to third parties.
  2. The Processor shall ensure that its personnel is subject to the duty of confidentiality laid down in this clause.
  3. The duty of confidentiality does not apply insofar as the Controller has explicitly given consent to provide the information to third parties, if the provision of the information to third parties is logically necessary in view of the nature of the assignment which has been granted and the performance of this Processing Agreement, or if there is a statutory obligation to provide the information to a third party. In the case of providing information to third parties on the basis of a statutory obligation, the Processor shall notify the Controller thereof as soon as possible and in any event prior to providing such information.

9. Rights of the Data Subjects

  1. The Processor shall fully cooperate with the Controller to, after the approval of and on instruction of the Controller:

    1. Grant Data Subjects access to their Personal Data in a structured, common and machine-readable form;
    2. Temporarily limit the processing of Personal Data to the retention thereof, or to the processing for which the Data Subject gives consent, until the Controller stipulates that the limiting of the processing is to be lifted;
    3. Erase or correct Personal Data of Data Subjects;
    4. Demonstrate that Personal Data have been removed or corrected if they were incorrect (or, in the event the Controller does not agree that Personal Data are incorrect, to record the fact that the Data Subject deems his/her Personal Data to be incorrect).
  2. On the Controller’s first request, the Processor shall furthermore as soon as possible, but at latest within five working days after a request has been made to this effect, proceed to:

    1. Provide all necessary information that the Controller might need, in writing;
    2. Improve, add to, erase or restrict Personal Data.
  3. Insofar as possible the Processor shall fully cooperate with the Controller to comply with the obligations to which it is subject under the applicable legislation in the area of processing of Personal Data.

10. Engaging of and sharing personal data with a sub-processor

  1. The Processor is entitled in the Processing of the Personal Data to engage third parties if:

    1. The Processor has announced this in writing; or
    2. The Processor has received the Controller’s consent therefore; or
    3. If the engaging of third parties is logically necessary in view of the nature of the assignment and/or the performance of this Processing Agreement. 
  2. The Processor shall ensure that the relevant third party or third parties take(s) on at least the same obligations as laid down for the Processor in this Processing Agreement.
  3. For the correct provision of the services the Processor shall engage third parties and the Processor shall share the personal data gathered on instruction of the Controller with in any event (but not exclusively) the partners as specified in APPENDIX 1.
  4. If the third party that the Processor wishes to engage is based outside of the EEA, the Processor must first obtain the consent of the Controller before engaging such third party. In addition, without prejudice to the above, the Processor guarantees that such third party guarantees a suitable level of protection and safety of Personal Data as referred to in the General Data Protection Regulation.
  5. The Processor is responsible with regard to the Controller for the third party or parties engaged by the Processor.
  6. In the event the Controller asks the Processor to share Personal Data with a third party that is not already on the list of names of parties with which the Processor shares data as referred to in APPENDIX 1, the provisions in this clause do not apply and the Controller is fully liable for any loss directly or indirectly ensuing therefrom.
  7. The Processor can also provide Personal Data to third parties if the Processor, on the basis of a request or a competent order of a government agency or judicial authority or in connection with a statutory obligation, must provide the data to a third party.

11. Retention period

  1. Payt’s goal is to store as little data as possible that is no longer relevant. At the same time, historical data offer options for better insight, for financing options and for reference works for annual reports.
  2. In view of the nature of the services, the retention period shall start as soon as an invoice has been paid.
  3. The Processor has a standard retention period of 25 months.
  4. Deviation therefrom is possible via the application or the service desk.

12. Final provisions

  1. Changes to this Processing Agreement are only valid if they have been agreed between the Parties in writing.
  2. This Processing Agreement prevails over all other agreements between the Controller and the Processor with regard to the processing of Personal Data. 
  3. This Processing Agreement is exclusively governed by Dutch law.
  4. Disputes regarding or in connection with this Processing Agreement shall exclusively be presented to the competent court in the district where the Processor has its place of business.

APPENDIX 1 Personal Data; purpose, method and means; retention periods

Processed Personal Data

Data relating to accounts receivable of the Controller:

  1. Name, address, city, telephone number, email address, gender, accounts receivable and invoice data.

Categories of Data Subjects

  1. Accounts Receivable

The purposes, method and means of processing 

The Personal Data are processed by the Processor with the purpose of: 

a) achieving payment of the claims offered by the Controller via the Processor;

b) on the basis of current and historical data relating to debt collection, establishing a credit score, which allows the chance of recovery to be determined;

c) making a contribution to the prevention of excessive lending and other problematic debt situations on the part of data subjects;

d) providing the services agreed between the Controller and the Processor. 

These Personal Data are processed and stored in the relevant software systems of the Processor. 

For the correct provision of the services the Processor shall engage third parties and the Processor shall share the Personal Data gathered on instruction of the Controller with:

  • Parties that take care of hosting and maintenance of the website, parties whose cookies, plug-ins, applications and/or other software we use on the website, post processors, bailiffs, suppliers of email, text messages and telephone transmission services and banks or other financial institutions with which the Processor works together in the framework of offering financing to customers of the Processor.

An up-to-date list with the names of parties with which the Processor shares data, as well as an indication of the data and the purpose of sharing of said data can be obtained via servicedesk@payt.nl.

APPENDIX 2 Security measures

The Processor shall take security measures in, inter alia, the following areas, as laid down in its information security policy. The Processor has an ISO 27001 certification for its information security policy.

  1. Safe personnel;
  2. Management of business materials;
  3. Access security;
  4. Cryptography;
  5. Physical security;
  6. Securing of business activities;
  7. Communication security;
  8. Acquisition, etc. of systems;
  9. Supplier relationships;
  10. Management of Information Security Incidents;
  11. Aspects of business continuity management;
  12. Compliance.

We will be happy to make the statement of applicability available to you confidentially and upon request.

Payt

KvK: 08155915
BTW: NL817576320B01

Headquarters

Ubbo Emmiussingel 21
9711 BB Groningen
The Netherlands