Data Processing Agreement

Considering the following:

A. The Processor shall make IT services available to the Data Controller, and process (special categories of) personal data for the Data Controller within this context;

B. The Data Controller carries responsibility for the processing of personal data and is recognized as the Data Controller within the meaning of Article 4 of the General Data Protection Regulation;

C. The Data Processor, in respect of the storage and processing of the personal data for the Data Controller, is recognized as the Data Processor within the meaning of Article 4 GDPR;

D. The Parties wish – with regard to the provisions of Article 28, third paragraph of the General Data Protection Regulation – to establish in this agreement specific conditions that apply to their relationship in connection with the processing of personal data for the Data Controller.

And have agreed as follows:
Article 1. Definitions

1. The following capitalized terms have the following meanings:

AP: the Dutch supervisory authority Autoriteit Persoonsgegevens;

GDPR: The General Data Protection Regulation;

Personal Data Breach: a breach of security that accidentally or unlawfully leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed;

Agreement: the agreement concluded between the Data Controller and the Data Processor, under which the Data Processor shall Process Personal Data for the Data Controller;

Personal Data: any information relating to an identified or identifiable natural person, as referred to in Article 4 GDPR;

to Process: to process Personal Data as referred to in Article 4 GDPR;

Data Processing Agreement: the present agreement which forms part of the Agreement;

Processing: the processing of Personal Data by the Data Processor for the Data Controller based on the Agreement;

2. The provisions of the Agreement apply in full to this Data Processing Agreement. Where the processing of Personal Data is concerned, the provisions of this Data Processing Agreement prevail.

Article 2. Data Controller and Data Processor of Personal Data

1. The Data Processor shall process Personal Data on behalf of the Data Controller in the execution of the Agreement. The provisions of this Data Processing Agreement shall apply to this Processing.

2. The Processing relates to the following categories of data subjects:

– Visitors to the Data Controller's website

– Users of the Data Controller's service

– (Potential) customers of the Data Controller

– Employees of the Data Controller

– Vulnerable persons, such as children, the elderly or persons with a mental disability

3. The processing shall take place for the following purposes and concerns the following categories of Personal Data:

Financial Administration

Purpose: Accountancy

Categories of Personal Data: Name, Company name, Billing address, Bank details, and Payment information

General business activity

Purposes: CRM, Payroll administration, Personnel file

Categories of Personal Data: Name, Address, Email address, Order history, Username, C.V., Application letter, Salary, Social security data, Pension data, Hours worked, Evaluations, Sick leave, Warnings, Employment contract, and Copy of I.D.

Product sales

Purposes: Order management, Handling complaints, Billing

Categories of Personal Data: Name and address, Shipping address, Billing address, Company name, Chamber of Commerce number, Client number, Email address, Telephone number, Payment information, Account number, and Order number

Service

Purposes: Providing the service, Handling complaints, Billing

Categories of Personal Data: Name and address, Email address, File information, Financial information, Information necessary to provide the service, Telephone number, Account number, Order number, Billing address, Company name, Chamber of Commerce number, and Client number

Digital services

Purposes: Providing the service, Account, Submitting reviews or messages, Chat feature

Categories of Personal Data: Account name, Email address, Username, Name, Password, and Chat messages

Marketing

Purposes: Direct marketing, Affiliate marketing, Newsletter, Retargeting, Social media marketing, Behavioural targeting, Loyalty program

Categories of Personal Data: Name, Email address, Name and address, Telephone number, Click behaviour, Surf behaviour, Social media account, Username, Order history, and Address

Website

Purposes: Providing the website, Website analytics, A/B testing, Account, Submitting reviews or messages, Chat feature

Categories of Personal Data: Surf behaviour and Location

Security and fraud prevention

Purposes: Camera surveillance, Identity verification, Data security, Credit check

Categories of Personal Data: Camera images, Identification, Password, Name, and Credit registration

Research and Development

Purpose: Market research

Categories of Personal Data: Personal

Other activities

Purpose: Personal

Categories of Personal Data: Personal

4. The Data Processor shall process Personal Data only for the activities mentioned in this Data Processing Agreement and the Agreement. The Processor shall not use the Personal Data in any other way unless the Controller has given explicit written permission to do so, or a statutory provision obliges the Processor to do so. In the latter case, the Processor shall inform the Controller of the statutory provision before the Processing takes place, unless that legislation prohibits such notification.

Article 3. General duty of care of the Data Processor

1. The Processor must ensure compliance with this Data Processing Agreement and the statutory rules (such as the GDPR) that apply to the Processor. If the Controller so requests, the Processor shall inform the Controller of the actions and measures taken by the Processor within the framework of this general duty of care.

Article 4. Technical and organizational measures
1. The Processor shall take appropriate technical and organizational measures to secure the Personal Data against loss or any form of unlawful Processing. The Processor shall ensure that the level of security is appropriate to the risks involved, taking into account the state of the art and the costs of implementing the measures.

2. The Processor shall in any case take measures to protect the Personal Data against destruction, accidental or intentional loss, forgery, unauthorized distribution or access, and any other form of unlawful Processing.

3. The Processor holds certification against the most recent version of the NEN / ISO 27001 standard. When the current version of this standard is withdrawn and a new version comes into effect, the Processor shall comply with the new version as soon as possible and, if necessary, obtain certification again.

4. The Processor shall assist the Controller in fulfilling the security obligations that rest on the Controller itself.

5. The Processor shall provide a document describing the technical and organizational measures it has taken. This document forms part of the Agreement and is included as an attachment.

Article 5. Confidentiality
1. The Processor shall have all employees involved in the execution of the Agreement sign a confidentiality agreement, whether as part of their employment contract or separately, which obliges those employees to observe confidentiality with regard to the Processing of the Personal Data. The Processor shall take all necessary measures, such as screening of employees and securing of data carriers, to ensure that confidentiality is maintained.

Article 6. Data processing outside the European Economic Area (EEA)
1. The Processor shall not process the Personal Data outside the EEA.

Article 7. Sub-processors
1. The Processor is permitted to engage sub-processors within the framework of this Data Processing Agreement and the Agreement, but only after obtaining the prior written consent of the Controller.

2. The Processor shall oblige each sub-processor to comply with confidentiality obligations, notification obligations and security measures in relation to the Processing of Personal Data that are at least equivalent to those set out in this Data Processing Agreement.

Article 8. Liability
1. The Processor is liable to the Controller for all damage and costs arising from a claim by a data subject that results from the Processor's failure to comply with its obligations under the GDPR or from the Processor acting contrary to the lawful instructions of the Controller.

Article 9. Personal Data Breach

1. If the Processor becomes aware of a Personal Data Breach, the Processor shall (i) inform the Controller as soon as possible and in any case within 24 hours after becoming aware of it, and (ii) take all reasonable measures to limit or prevent (further) infringement of the GDPR. In taking those measures, the Processor shall refrain from measures that are irreversible and/or seriously impede an investigation into the causes of the Personal Data Breach.

2. The Processor shall cooperate with and support the Controller in the performance of the Controller's legal obligations with respect to the identified incident.

3. The Processor shall provide technical support to the Controller in meeting the Controller's obligation to notify a Personal Data Breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, "AP") and/or to the Data Subject, as referred to in Article 33 paragraph 3 and Article 34 paragraph 1 GDPR. The Processor shall not independently notify the AP and/or the Data Subject of a Personal Data Breach.

Article 10. Assistance to Data Controller
1. Under the GDPR, the Data Subject has a number of rights, including the right of access (Article 15 GDPR), the right to rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to data portability (Article 20 GDPR), the right to object (Article 21 GDPR) and rights relating to automated individual decision-making (Article 22 GDPR). The Controller must respond to requests to exercise those rights, and the Processor shall support the Controller in so far as reasonably possible. For example, if such a request is submitted to the Processor, the Processor shall forward the request or complaint from the Data Subject to the Controller as quickly as possible.

2. The Processor shall support the Controller, as far as reasonably possible, in fulfilling its duties under the GDPR to carry out a Data Protection Impact Assessment and, where required, to consult the supervisory authority beforehand (Articles 35 and 36 GDPR).

3. The Processor shall make available to the Controller all information necessary to demonstrate that the Processor complies with its obligations under the GDPR. In addition, at the request of the Controller, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or by a party authorized by the Controller.

Article 11. Termination & Miscellaneous

1. With regard to the termination of this Data Processing Agreement, the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, the Processor will delete or return all Personal Data at the first request of the Controller, and delete existing copies, unless the Processor is otherwise legally obliged to store the Personal Data.

2. The Controller is responsible for adequately informing the Processor of the (statutory) retention periods that apply to the Processing of the Personal Data. The Processor shall not Process the Personal Data for longer than those predefined retention periods.

3. The obligations arising from this Data Processing Agreement which by their nature are intended to survive termination shall also remain in force after termination of this Data Processing Agreement.

Signature

Thus agreed, drawn up in duplicate and signed:

Sajida Mulla

Date:
