EX-10.4 5 fs12019ex10-4_naturinter.htm DISTRIBUTION AGREEMENT WITH LEEN MENKEN FOOD SERVICE LOGISTICS
(1) NFF Trading BV, having its registered office and registered office at Jachthavenweg 124, Amsterdam, hereby legally represented by I. Siemes in the position of Director, hereinafter referred to as “NL juice online B.V.” or “Responsible”;
(2) Leen Menken Foodservice Logistics B.V., having its registered office and registered office in Zoetermeer, legally represented by Leen Menken in the position of Director, hereinafter referred to as: “LEEN MENKEN” or “Processor”;
and hereinafter referred to collectively as: “Parties”
taking into account that:
a. NFF Trading BV has concluded a processor agreement dated 21-04-16 (“Agreement”) with LEEN MENKEN for the processing of personal data;
b. The Parties provide that in the context of the implementation of the Agreement by LEEN MENKEN personal data within the meaning of Article 1 under a Personal Data Protection Act as further described in Appendix 1 (“Personal Data”) will be processed;
c. NFF Trading B.V. determine the purpose and means of the processing of personal data and therefore must be qualified as Responsible within the meaning of Article 1 under d of the Personal Data Protection Act (“Wbp”);
d. LEEN MENKEN does not have any control over the Personal Data and will process them pursuant to the Agreement on the basis of which LEEN MENKEN must be qualified as a Processor within the meaning of Article 1 under the Wbp;
e. NFF Trading B.V. if the Responsible Party is obliged under Article 14 Wbp to enter into a processor agreement with the Processor;
f. The Parties wish to record the conditions and the mutual rights and obligations regarding the processing of the Personal Data by the Processor in accordance with the Wbp in writing;
declare the following to be agreed:
Article 1. Data processing
1.1. The Processor processes the Personal Data for the benefit of the Controller and under his instructions in the context of performing services and / or making deliveries as agreed in the Agreement.
1.2. The Controller guarantees that, with regard to the Personal Data that he provides to the Processor, he has complied with all applicable laws and regulations regarding the protection of personal data and that this legislation and regulations allow the Personal Data to be provided to the Processor and that the Personal data are processed by the Processor.
1.3. The Controller has and maintains full control over the Personal Data.
1.4. Processor processes the Personal Data in a proper and careful manner. The Personal Data provided to the Processor are described in Appendix 1.
1.5. The Processor will only process the Personal Data in the context of the Agreement and not for its own or other purposes and / or provide it to third parties. The Processor will keep the Personal Data separate from data that it processes for itself or for third parties.
1.6. When processing the Personal Data, Processor will comply with all applicable laws and regulations (such as the Wbp and the Telecommunications Act) and the applicable codes of conduct on the protection of personal data.
1.7. The transfer of Personal Data by the Processor outside the Netherlands is only permitted with due observance of the applicable legal obligations and with the prior written consent of the Controller.
Article 2. Security and duty to report data leaks
2.1. The Processor shall take, maintain and, if necessary, adapt appropriate technical and organizational measures to protect the personal data against loss, forgery, unauthorized distribution or access, or any other form of unlawful processing. These measures guarantee, taking into account the state of the art and the costs of implementation, an appropriate level of security in view of the risks involved in the processing and the nature of the Personal Data to be protected.
2.2. If the technical and organizational measures taken by the Processor need to be adapted and / or supplemented, the Processor will determine which technical and organizational measures will be taken in consultation with the Controller.
2.3. The Processor ensures that its (own or hired) employees who are involved in the processing of the Personal Data, understand the obligations of the Processor included in this Processor Agreement and are obliged to comply with them.
2.4. The Processor will inform the Controller immediately, but in any case within 24 hours after discovery, of:
a. a violation of one of the obligations included in this Processor Agreement;
b. any incident that pertains or may have to the Processing of Personal Data, including but not limited to detected or suspected unauthorized or unlawful processing, deletion and loss of personal data, data leaks within the meaning of Article 34a Wbp, breaches of the security, confidentiality or integrity of systems, infrastructure and / or Personal Data (hereafter: “Incident”).
1.1. The Processor guarantees that it has implemented such internal protocols and regulations that it meets its obligations under Article 2.4. under b of this Processor Agreement can comply within the stipulated deadlines.
1.2. The Processor guarantees that he will immediately provide all relevant information about an Incident to the Controller and that he will provide all cooperation requested by the responsible party. Processor will also keep the Controller informed of any new developments concerning an Incident.
1.3. The Processor will take all reasonable measures after detection of an Incident in order to remedy the Incident and to limit the (possible) consequences thereof as much as possible. Processor will also take the necessary measures to prevent a repetition of the Incident.
1.4. The Processor will not, unless otherwise agreed in writing between the Parties, report Incidents to the relevant supervisor and the parties involved.
1.5. The Processor will fully cooperate with the Controller in order to be able to implement a request from a Data Subject to announce whether personal data are collected about him as referred to in Section 35 (1) of the Dutch Data Protection Act.
Article 2. Confidentiality
2.1. The Processor is obliged to keep the Personal Data confidential and not to make them available directly or indirectly to third parties, unless otherwise required by law and / or a court order.
2.2. The Processor will ensure that its employees and any third party (s) who must necessarily learn of the Personal Data must comply with the confidentiality obligation included in this article.
2.3. The Processor will immediately inform the Controller of any request for access, provision or other form of retrieval and communication of the Personal Data that conflict with the duty of confidentiality mentioned in this article.
Article 3. Engaging third parties
3.1. The Processor will not outsource the execution of the Processing on the instructions of the Controller in full and / or in part to third parties without the prior written consent of the Controller.
3.2. The Processor ensures that the third party in question takes on at least the same obligations as those for the Processor in this Processor Agreement.
3.3. The Processor will always remain the contact point in the relationship between the parties and responsible and liable for compliance with the provisions of this Processor Agreement.
Article 4. Inspection
4.1. The controller has the right to (periodically) check compliance with the provisions of this Processor Agreement.
4.2. The Processor will cooperate with this and make all information relevant to the inspection available in a timely manner.
4.3. Processor can, after consultation with and approval of the Controller, choose to replace the inspection with a Third Party Declaration.
4.4. The persons carrying out an inspection at the Processor must comply with the security procedures as they apply to the Processor, insofar as these security procedures have been made known to the Controller. An inspection may not unnecessarily disrupt the operations of the Processor.
4.5. The controller bears the costs of the inspection, with the exception of the costs of the employees of the Processor who supervise the inspection. If the inspection shows that the Processor has seriously and materially failed to comply with this Processor Agreement, the costs of the inspection shall be borne by the Processor.
4.6. The Processor is familiar with the independent audit powers of the Dutch Data Protection Authority and any other supervisors under whose supervision the Controller is responsible and will, where appropriate, grant access to and cooperate with an investigation with regard to the Personal Data processed pursuant to the Agreement.
Article 5. Rights of data subjects
5.1. Processor gives the Controller full cooperation to comply with the obligations under the Wbp within the statutory periods, in particular the rights of data subjects, such as a request for inspection, correction, supplementation, removal or protection of personal data and the execution of a honored registered resistance.
5.2. The Processor will immediately inform the Controller of the written requests made to the Processor by the parties concerned.
Article 6. Liability
6.1. If the Processor imputably fails in the performance of the obligations arising from this Processor Agreement and / or the Agreement, or acts in violation of the law and relevant regulations, in particular the Wbp, is the Processor liable for all damage in accordance with what has been agreed between the parties in the Agreement.
6.2. Processor indemnifies Responsible against claims from third parties, including fines from regulators, which derive in any way from the violation by the Processor of this Processor Agreement and / or the Agreement, or which result from a violation by the Processor of the law and relevant regulations, in particular the Wbp.
Article 7. Transfer and destruction of data
7.1. Without prejudice to the provisions elsewhere in this Processor Agreement, at the request of the Controller, the Processor will hand over to the Controller all information originating from the Controller and / or in the framework of the Processor Agreement relating to Responsible Party.
7.2. Processor is at all times obliged at the request of the Responsible Party to destroy all copies and copies of the Responsible originating from the Responsible within the reasonable time specified by the Responsible Party and / or within the framework of the Agreement with regard to the Controller.
7.3. As soon as the Processor Agreement has been terminated, the Processor is in principle obliged to return all personal data and / or other relevant information provided to it to the Controller within a reasonable period specified by the Controller and to destroy all digital copies of personal data. Parties will make further agreements about this in due course. In this respect, the Processor will issue a written statement to the Controller that he has executed the agreements.
7.4. Processor may deviate from the provisions in the previous paragraphs, insofar as a legal (storage) term applies to the Personal Data or insofar as this is necessary in order to be able to prove compliance with his obligations towards the Responsible Party.
Article 8. Duration, termination and change
8.1. This Processor Agreement is an addition to the Agreement and has the same term as the Agreement and ends as soon as the Agreement ends.
8.2. Amendments to this Processor Agreement are only valid if agreed between the Parties in writing.
Article 9. Final provisions
9.1. Unless stipulated otherwise in the Agreement, Dutch law applies to this Processor Agreement.
9.2. All disputes arising from or related to this Processor Agreement will only be submitted to the competent court in Haarlem.
Thus agreed and signed in duplicate
after man Responsible: after man Processor:
Name: Ingrid Siems Name: ____________________
Function: CEO NL Position: ____________________
Date: ____________________ __ Date: ____________________ __
City: Amsterdam Place: ____________________
Appendix 1 Overview of personal data to be processed