Personal Data Processing

 

Article 1- Applicability

1. Apart from the Conditions, the provisions of this Annex – Personal Data Processing are applicable to all situations in which Castor Marine. BVreceives via the Customer personal data within the sense of the General Data Protection Regulation (GDPR) at its disposal. The provisions of these Annex form an integral part of the Framework Agreement. 

 

Article 2 – Definitions and processing

1. The Customer qualifies as the controller within the sense of Article 4 of the GDPR. On the instructions of the Customer, Castor Marine. BVqualifies as the processor of personal data within the sense of Article 4 of the GDPR. 
2. Castor Marine. BVhas access to and processes for and for the benefit of the Customer the personal data of users of the software and/or LAN networks of the Customer. Processing these personal data is necessary to structure the work processes and/or to conduct audits of the Customer. 
3. The Customer determines the purpose and the means of processing. 
4. In connection with processing operations of personal data as meant in this module, Castor Marine. BVundertakes to process these data properly and with due care. Castor Marine. BVis not allowed to process or disclose to any third parties personal data received from the Customer for its own purposes, other than as agreed. Castor Marine. BVdoesn’t sell customer data.

 

Article 3 – Obligations of the Customer 

1. The Customer declares that it will process personal data properly and with due care and in accordance with the GDPR and other regulations applicable regarding processing personal data. The Customer declares to Castor Marine. BVthat the personal data which are obtained and/or processed based on this module are, with a view to the purposes for which they are to be processed, sufficient, relevant and not excessive. The Customer will take the necessary measures so that personal data are true and accurate.

 

Article 4 – Obligations of Castor Networks

1. Castor Marine. BVdeclares that it will process personal data properly and with due care and in accordance with the the GDPR and other regulations applicable regarding processing personal data. If Castor Marine. BVestablishes that acts are being carried out which are in contravention of the provisions of the GDPR – for instance because it apparently gains access to more or other personal data than the data which are necessary for performing the task assigned to it – it will immediately notify the Customer of this and fully cooperate with taking all those measures which are necessary to carry out the contract within the limits of the law and regulations. 
2. In addition, Castor Marine. BVshall enable the Customer to fulfil the obligations within the legal periods under the GDPR, such as the rights of data subjects to inspection, improvement, addition or removal of data. The associated costs will be at the expense of the Customer. 

 

Article 5 – Secrecy and destruction

1. Castor Marine. BVis obliged to keep strictly secret the personal data received from the Customer and to stipulate that its employees and/or the third parties it engages do the same. Moreover, Castor Marine. BVmust ensure that the personal data referred to above will be destroyed immediately after termination of this module, or sooner if possible. On first request of the Customer Castor Marine. BVwill confirm that this has been done. 

 

Article 6 – Storage of data

1. Castor Marine. BVshall store and/or retain the personal data meant in this module only on data carriers which are localized in the EU/EEA, or within a country of which the European Commission has stated that the security is adequate.

 

Article 7 – Commitment of sub-workers

1. Castor Marine. BVis allowed to engage third parties insofar as this is necessary in connection with technical system support as well as organizational and technical security. Castor Marine. BVis responsible for this/these third party/ies and will impose at least the same requirements on this/these third party/ies in the area of suitable technical and organizational measures as stipulated in this module. 

 

Article 8 – Security measures

1. The Customer and Castor Marine. BVguarantee each other that in their own organization they take (and have taken) sufficient organizational and technical measures with regard to the processing operations to be carried out with personal data, including measures which are directed against loss, destruction and/or damage to personal data, against any form of unauthorized and/or wrongful processing and/or access according to the requirements set in or pursuant to the GDPR and/or any other legislation and regulations which are in force at any time during the term of this module with regard to collecting, retaining and/or processing personal data. 
2. The Customer and Castor Marine. BVwill continuously adjust their security measures to the latest technology and up-to-date insights for the protection of personal data. Starting point is that the security policy and its implementation should at least comply with the criterion of the ‘suitable security level’ as meant in the the GDPR.
3. In the event of a security leak and/or a data leak as meant in the GDPR, the party who establishes this leak must directly and immediately report this to the other party. After notification, the Customer has the opportunity to report this within due time to the supervisory authority and any data subjects. The parties will immediately investigate the cause of the data leak in their own organizations and will bear the costs of the investigation themselves. Castor Marine. BVwill provide the Customer with a copy of the outcome of the investigation into its organization. 
4. The reporting duty covers in any event the notification of the fact that there has been a leak, as well as the exact moment of the leak, the system and facts of the event, the (assumed) cause of the leak, the expected consequences of the leak for the data subjects as well as the proposed solution. It should also state the measures being taken to limit the damage and to repair the ‘leak’, the measures taken to avoid a repetition as well as the measures to limit the negative consequences immediately as much as possible, including communication to third parties and data subjects. 

 

Article 9 – Request of a data subject

1. If a data subject submits a request to Castor Marine. BVfor inspection, improvement, addition, change, removal and/or screening of personal data, Castor Marine. BVwill notify the Customer thereof and the Customer shall immediately deal with this request. The Customer will inform Castor Marine. BVof the way in which this has been dealt with and Castor Marine. BVwill cooperate with the agreements made between the Customer and the data subject regarding the request. 

 

Article 10 – Audit 

1. The Customer is permitted to audit (1) the process; (2) the method of storage; and (3) the processing operations carried out by Castor Marine. BV(or have these subjects be audited) of the personal data defined in article 1.1 of this Annex. Castor Marine. BVwill fully cooperate to enable such audit whereby the auditor will be given access to documentation, manuals and systems. The costs of the auditor for such an audit will be at the expense of the Customer. 

 

Article 11 – Term and termination 

1. This Annex becomes effective on the Effective Date. This Annex terminates at the moment that all agreement between the Customer and Castor Marine. BVhave been terminated. 
2. Obligations, which by their nature are intended to continue to be effective even after the termination of this Annex, will continue to be effective after termination of the Annex. These obligations include for instance those which arise from the provisions regarding secrecy and/or liability.
3. Castor Marine. BVshall not retain the personal data longer than is strictly necessary and in no circumstance longer than until the end of this module or, if a retention period has been agreed between the parties, not longer than that period.