DATA PROCESSING AGREEMENT

MARKETPHASE B.V.

Version: 1.
Date: October 12th, 2020

This data processing agreement is an appendix to the "Reseller agreement" (hereinafter: the Agreement) and
is between Reseller (hereinafter: Controller) and Marketphase (hereinafter: Processor).

WHEREAS:

  • the Controller has access to the personal data of various data subjects;
  • the Controller wants the Processor to execute certain types of processing in accordance with the
    Agreement, for the performance of financial services. This includes, in particular, services for
    the optimization and automation of calculations of taxes of e-commerce sellers;
  • the Controller and the Processor for the aforementioned purposes have concluded the Agreement;
  • the Controller has pointed out the objectives and means with respect to the processing as governed
    by the terms and conditions referred to herein;
  • the Processor has undertaken to comply with and to abide by the security obligations and other
    aspects of the General Data Protection Regulation (hereinafter: “GDPR”) in addition to other relevant
    and applicable (privacy) legislation;
  • the Controller is hereby deemed to be the responsible party within the meaning of article 4 section 7
    of the GDPR;
  • the Processor is hereby deemed to be the processor within the meaning of article 4 section 8 of the
    GDPR;
  • the Parties, having regard also to the provisions of article 28 section 3 of the GDPR, wish to set down
    their rights and duties in writing within this data processing agreement (hereafter: “Data Processing
    Agreement”);

HAVE AGREED AS FOLLOWS:

ARTICLE 1. PROCESSING OBJECTIVES

1.1. The Processor undertakes to process personal data on behalf of the Controller in accordance with the
conditions laid down in this Data Processing Agreement. The processing will be executed exclusively
within the framework of the Agreement in the performance of financial services, and for all such
purposes as may be agreed to subsequently.
1.2. The Processor shall not process the personal data for any other purpose unless with the Controller’s
consent. The Controller shall inform the Processor of any processing purposes to the extent not
already mentioned in this Data Processing Agreement.
1.3. The personal data processed by the Processor, and the categories of data subjects to whom the
personal data relates, are specified in Annex 1.
1.4. The Processor shall take no unilateral decisions regarding the processing of the personal data for other
purposes, including decisions regarding the provision thereof to third parties and the retention periods
of the data. Within the framework of this Data Processing Agreement and/or other agreements
concluded between the Parties, it is the Controller who shall have the say in regard to the personal
data furnished to the Processor and in regard to the data processed by the Processor within that
framework.
1.5. All personal data processed on behalf of the Controller shall remain the property of the Controller
and/or the relevant data subjects.

ARTICLE 2. PROCESSOR’S OBLIGATIONS

2.1. The Processor shall warrant compliance with the applicable laws and regulations, including all laws
and regulations governing the protection of personal data, such as the GDPR.
2.2. The Processor shall furnish the Controller immediately on request with details regarding the measures
it has adopted to comply with its obligations under this Data Processing Agreement and the applicable
laws and regulations.
2.3. The Processor’s obligations arising under the terms of this Data Processing Agreement apply also to
whomsoever processes personal data under the Processor’s instructions, including but not limited to
staff, in the broadest sense of the word.
2.4. Under no circumstances will the processing of data by the Processor lead to a situation in which the
Processor’s own databases will benefit from the data deriving from the Controller’s datasets. The
Processor is not permitted to combine the data obtained from the Controller.
2.5. The Processor shall inform the Controller without delay if in its opinion an instruction of the Controller
would violate the legislation referred to in the first clause of this article.
2.6. The Processor shall provide reasonable assistance to the Controller in the context of any privacy
impact assessments to be made by the Controller.
2.7. The Processor shall, in accordance with article 30 of the GDPR, keep a register of all categories of
processing activities which it carries out on behalf of the Controller under this Data Processing
Agreement. At the Controller’s request, the Processor shall provide the Controller access to this
register.

ARTICLE 3. TRANSMISSION OF PERSONAL DATA

3.1. The Processor may process the personal data in any country within the European Union.
3.2. Transfer to countries outside the European Union is not permitted.
3.3. The Processor shall notify the Controller as to which country or countries the personal data will be
processed in.

ARTICLE 4. ALLOCATION OF RESPONSIBILITY

4.1. The authorised processing will be executed within a (semi-)automated environment under the
Processor’s control.
4.2. Processor is solely responsible for the processing of personal data under this Data Processing
Agreement in accordance with the instructions of Controller and under the explicit supervision of
Controller. For any other processing of personal data, including but not limited to any collection of
personal data by Controller, processing for purposes not reported to Processor, processing by third
parties and/or for other purposes, the Processor does not accept any responsibility.
4.3. The Controller shall be responsible in respect of all personal data which may be processed by itself,
rather than by the Processor.

ARTICLE 5. ENGAGING OF SUBCONTRACTORS (SUBPROCESSORS)

5.1. Processor shall involve third parties in the processing under this Data Processing Agreement on the
condition that such parties are reported in advance to the Controller; Controller may object to a
specific third party if its involvement would reasonably be unacceptable to it.
5.2. In any event, Processor shall ensure that any third parties are bound to at least the same obligations
as agreed between Controller and Processor.
5.3. Processor shall ensure that these third parties shall comply with the obligations under this Data
Processing Agreement and is liable for any damages caused by violations by these third parties as if it
committed the violation itself.

ARTICLE 6. SECURITY

6.1. The Processor shall take adequate technical and organisational measures against loss or any form of
unlawful processing (such as unauthorised access, infringement, changing or passing on of the
personal data) in connection with the performance of processing personal data under this Data
Processing Agreement.
6.2. Processor does not warrant that the security is effective under all circumstances. If any security
measure explicitly agreed in this Data Processing Agreement is missing, then Processor shall use best
efforts to ensure a level of security appropriate to the risk taking into account the state of the art, the
costs of implementation and the nature, scope, context and purposes of processing as well as the risk
of varying likelihood and severity for the rights and freedoms of natural persons.
6.3. Controller shall only provide personal data to Processor for processing if it has ensured that the
required security measures have been taken. Controller is responsible for the parties' compliance with
these security measures.

ARTICLE 7. DATA BREACHES

7.1. In the event of (the presumption of) a security breach (a failing or breach of the security of personal
data) and/or a data breach (a personal data breach as described in article 4 under 12 of the GDPR),
the Processor shall notify the Controller thereof without undue delay and not later than within 24
hours after having become aware of the breach, after which the Controller shall determine whether
or not to inform the relevant supervisory authority(ies) and/or the data subject(s). The Processor shall
warrant that the information it has furnished is complete, correct and accurate. This duty to report
applies irrespective of the impact of the leak.
7.2. The Processor shall have adequate written procedures with respect to timely recognition and the
handling of security and data breaches. The Processor will provide, on first request of the Controller,
insight in these written procedures and will give prompt written notice about any modifications with
respect to these written procedures.
7.3. The Processor shall, on first request of the Controller, cooperate in notifying the relevant authorities
and/or involved parties.
7.4. The duty to report includes in any event the duty to report the fact that a breach has occurred,
including details regarding:

  • the nature of the personal data breach including where possible, the categories and
    approximate number of data subjects concerned and the categories and approximate
    number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where
    more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the Controller to address the personal
    data breach, including, where appropriate, measures to mitigate its possible adverse
    effects;
  • the date at which the breach has occurred (the period in which the breach occurred
    suffices in case the Processor is unable to determine the exact date at which the breach
    occurred);
  • the (suspected) cause of the breach;
  • whether the personal data has been encrypted, hashed or in any manner has been made
    incomprehensible or inaccessible to unauthorized individuals.

7.5. On first request of the Controller, the Processor will provide further information about the breach.
7.6. The Processor shall document all data breaches in accordance with article 33(5) of the GDPR, including
the facts relating to the personal data breaches, the consequences thereof and the measures taken
to correct the respective breach. At the Controller’s first request, the Processor shall provide access
hereto.

ARTICLE 8. HANDLING REQUESTS FROM DATA SUBJECTS

8.1. Where a relevant party submits a request to the Processor to exercise one of its legal rights, the
Processor will forward the request to the Controller and the request will then be dealt with by the
Controller. The Processor may notify the data subject hereof.
8.2. The Processor shall cooperate with the Controller, wherever this is required, in order to make the
exercise of its legal rights by a data subject possible.

ARTICLE 9. NONDISCLOSURE AND CONFIDENTIALITY

9.1. All personal data processed by the Processor from the Controller and/or compiled by the Processor
within the framework of this Data Processing Agreement is subject to a duty of confidentiality vis-à-vis
third parties. The Processor shall refrain from using this information for any purpose other than
that for which it was furnished, even where made available in a manner that is not traceable to the
relevant parties.
9.2. This duty of confidentiality shall not apply to the extent the Controller has granted explicit permission
to provide the information to third parties, the provision to third parties is reasonably necessary
considering the nature of the assignment to the Controller or the provision is legally required.

ARTICLE 10. AUDIT

10.1. Controller has the right to have audits performed on Processor by an independent third party bound
by confidentiality obligations to verify compliance with the security requirements, and all issues
reasonably connected thereto.
10.2. This audit may be performed in case a substantiated allegation of misuse of personal data has arisen.
10.3. Processor shall give its full cooperation to the audit and shall make available employees and all
reasonably relevant information, including supporting data such as system logs.
10.4. The audit findings shall be assessed by the parties in joint consultation and may or may not be
implemented by either party or jointly.
10.5. The costs of the audit shall be borne by Processor in case the audit reveals discrepancies with the
subjects of clause 1 of this article that are attributable to Processor. In all other cases the costs of the
audit shall be borne by Controller.

ARTICLE 11. LIABILITY

11.1. Parties explicitly agree that any liability arising in connection with personal data processing shall be as
provided in the Agreement.

ARTICLE 12. DURATION AND TERMINATION

12.1. This Data Processing Agreement enters into force upon signature by the Parties and on the date of
the last signature and is entered into for the duration set out in the Agreement, and in the absence
thereof, for the duration of the processing.
12.2. The Data Processing Agreement may not be terminated in the interim.
12.3. This Data Processing Agreement may only be amended by the Parties subject to mutual consent in
writing.
12.4. The Processor shall provide its full cooperation in amending and adjusting this Data Processing
Agreement accordingly in the event of new privacy legislation.
12.5. Upon termination of the Data Processing Agreement, regardless of reason or manner, Processor
shall - at the choice of Controller - return in original format or destroy all personal data available to it.

ARTICLE 13. APPLICABLE LAW AND DISPUTE RESOLUTION

13.1. The Data Processing Agreement and the implementation thereof will be governed by Dutch law.
13.2. Any dispute arising between the Parties in connection with the Data Processing Agreement will be
referred to the court of competent jurisdiction for the place of business of the Controller.
13.3. Logs, measurements taken, and audit reports by the Controller will count as binding proof, subject to
proof to the contrary to be provided by the Processor.
13.4. In the case of any inconsistency between documents and the appendices thereto, the following order
of priority will apply:
a. the Agreement;
b. this Data Processing Agreement;
c. any appendices (including the data processing agreement);
d. any general terms and conditions, where applicable.

ANNEX 1: PROCESSED PERSONAL DATA AND THE DATA SUBJECTS

The Processor will process, within the framework of the Agreement, the (sensitive) personal data as
mentioned in this annex. The categories of data subjects to whom the personal data relates, are also
mentioned in this annex.

Personal data:

  • Name and address details
  • E-mail addresses
  • IP addresses
  • Sales data
  • Other financial data related to sales

Categories of data subjects:

  • Companies that sell on Amazon
  • People who order products online from the end user