Contents

1 Definitions
2 Applicability of the terms and conditions
3 Scope
4 Confidentiality
5 Security measures
6 Monitoring compliance
7 Personal data breach
8 Rights of data subjects
9 Cooperating with data protection impact assessments and prior consultation
10 Sub-processors
11 Liability
12 Duration and termination
13 Governing law and jurisdiction
Annex I Data, data subjects, purposes, description of data processing

 


Article 1 - Definitions

The terms used in these Standard Terms and Conditions have the following meaning, unless other written agreements have been made. Terms in the singular also include the plural and vice versa to the extent required by the text. If certain terms in these Standard Terms and Conditions are not further defined, the Parties will align with the definitions of these terms as included in art. 4 of the GDPR.
1.1

GDPR: the General Data Protection Regulation 2016/679.

1.2

Terms and Conditions: these standard terms and conditions which apply to the delivery by RAI of the Exhibitor Invitation Portal Services.

1.3

Exhibitor Invitation Portal services: the services to use the Exhibitor Portal to send personalized e-mailings for inviting (potential) relations of Partner to the Event.

1.4

Data: the personal data described in Annex 1.

1.5

Data Processing Agreement: these Terms and Conditions.

1.6

Parties: RAI and Partner.

1.7

Partner: any natural or legal person that agrees to use the Exhibitor Invitation Portal Services.

1.8

Principal Agreement: the request of Partner and acceptance of RAI to use the Exhibitor Invitation Portal Services.

1.9

RAI: RAI Amsterdam B.V., which has its registered office at Europaplein 24, 1078 GZ, Amsterdam, The Netherlands, registered in the trade register of the Chambre of Commerce under number 34192575.

1.10

Data Processor: RAI.

1.11

Data Controller: Partner.

 

Article 2 - Applicability of the terms and conditions

2.1

These Terms and Conditions apply to all offers, requests for the delivery by RAI of the Exhibitor Invitation Portal Services to Partner.

2.2

If and to the extent that any provision of these Terms and Conditions is null and void or is avoided, the other provisions of these Terms and Conditions will remain in full force and effect. In such case, RAI will replace the provision with one that is of the tenor of the former provision.

2.3

Where relevant, these Terms and Conditions will supersede all previous data processing agreements and/or similar agreements between the Parties concerning the Exhibitor Invitation Portal Services.

 

Article 3 - Scope

3.1

The Data Controller hereby engages the Data Processor to process the Data described in Annex 1 on the Data Controller's behalf in accordance with the provisions of this Data Processing Agreement, which engagement the Data Processor accepts.

3.2

The Parties acknowledge that the processing of the Data is subject to the GDPR, as well as any and all other European and national regulations governing the protection of personal data applicable at any point in time.

3.3

The Data Processor will only process the Data in accordance with the documented instructions from the Data Controller in accordance with the instructions set out in this Data Processing Agreement and will not process the Data for other purposes or its own purposes, unless Union or Member State law – including but not limited to orders given by competent supervisory authorities, government bodies or an investigating, prosecuting or national security body – to which the Data Processor is subject, imposes a processing obligation on the Data Processor. In such cases, the Data Processor will inform the Data Controller of that legal requirement before processing that Data, unless said law prohibits such information on important grounds of public interest. If the Data Processor believes that an instruction constitutes a violation of the GDPR or any provision of Union or Member State law, the Data Processor will inform the Data Controller of this within a reasonable term.

3.4

The Data Processor has no control over the purposes of and the means used to process the Data. Under no circumstances will the Data Processor have control over the Data.

3.5

The Data Processor will only process the Data in the European Economic Area. If the Data Processor wishes to process Data outside the European Economic Area, either itself or through third parties (Sub-processors), the Data Processor must first obtain the Data Controller's prior written consent. Said consent may be made subject to additional conditions, such as taking additional contractual measures to ensure an adequate level of protection of the Data.

3.6

Insofar as any provision of this Data Processing Agreement is incompatible with the Principal Agreement, the provisions of this Data Processing Agreement will prevail.

3.7

Where relevant, this Data Processing Agreement will supersede all previous data processing agreements and/or similar agreements between the Parties concerning the Principal Agreement.

 

Article 4 - Confidentiality

4.1

The Data Processor shall keep the Data confidential and will impose the obligation on the persons in its employment or service to observe confidentiality in respect of all Data.

 

Article 5 - Security measures

5.1

The Data Processor will fulfil all obligations as a processor arising from article 32 of the GDPR. Consequently, the Data Processor will implement – taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons – appropriate technical and organisational measures (“security measures”) to ensure a level of security appropriate to the risk. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data transmitted, stored or otherwise processed.

5.2

Taking into account the nature of the processing and the information provided, the Data Processor will assist the Data Controller in fulfilling the obligations arising from article 32 of the GDPR.

 

Article 6 - Monitoring compliance

6.1

The Data Processor will enable the Data Controller to check the Data Processor's compliance ('Audit') with this Data Processing Agreement maximum once (1) a year at the cost of Data Controller, subject to a reasonable notice period of at least 1 month, by an independent and certified auditor.

6.2

The Data Processor shall provide the auditor with all relevant information.

6.3

If it is established during an Audit that the Data Controller is non-compliant with the provisions of this Data Processing Agreement, the Data Processor shall, in consultation with the Data Controller, take the measures necessary to ensure that it is as yet compliant.

6.4

The Data Controller will bear the costs of the Audit, unless the Audit findings show that the Data Processor is non-compliant with the provisions of this Data Processing Agreement, in which case the Data Processor will bear the costs.

 

Article 7 - Personal data breach

7.1

In case of a personal data breach, the Data Processor will notify the data breach to the Data Controller, as soon as possible after having become aware of it.

7.2

Notifications made pursuant to article 7.1 must be addressed to the Data Controller or, where relevant, to one or more of the Data Controller's employees stated in writing while this Data Processing Agreement is in place.

7.3

Taking into account the nature of the processing and the information available to it, the Data Processor will help the Data Controller to comply with the obligations arising from articles 33 and 34 of the GDPR.

 

Article 8 - Rights of data subjects

8.1

If the Data Controller instructs the Data Processor to do so, the Data Processor will lend its full cooperation – bearing in mind the nature of the processing and the available information – to enable the Data Controller to satisfy requests from data subjects within the meaning of Chapter 3 of the GDPR. The costs will be borne by the Data Controller.

8.2

If such a request is submitted directly to the Data Processor, the Data Processor will send the request to Data Controller.

 

Article 9 - Cooperating with data protection impact assessments and prior consultation

9.1

Taking into account the nature of the processing and the information available to the Data Processor, the Data Processor will reasonably assist the Data Controller in fulfilling its obligations arising from Article 35 (data protection impact assessment) and Article 36 (prior consultation) of the GDPR.

 

Article 10 - Sub-processors

10.1

The Data Controller gives the Data Processor permission to engage third parties to process the Data. The Data Processor shall inform the Data Controller of any intended change regarding the addition or replacement of sub-processors. The Data Controller has the right to object to this addition or replacement within one month. If the Data Controller objects, parties will consult each other. If they do not reach a solution within a month, parties have the right to terminate the Principal Agreement.

10.2

At Data Controller's first request, the Data Processor will provide the Data Controller with an overview of all sub-processors.

 

Article 11 - Liability

11.1

The liability of the Data Processor is limited to the compensation of the direct damage suffered by the Data Controller with a maximum amount of € 5,000.00 (five thousand euro). Direct damage only include:

  1. the reasonable costs incurred by the Data Controller to rectify the Data Processor's shortcoming;
  2. the reasonable costs that the Data Controller must incur to prevent and limit the damage caused by a breach of security attributable to the Data Processor, insofar as the Data Controller can demonstrate that these costs have led to a limitation of the damage;
  3. the reasonable costs that the Data Controller must incur to determine the cause and extent of the damage, insofar as the determination relates to direct damage within the meaning of this paragraph.
11.2

The compensation for consequential damage, including but not limited to loss of revenue or loss of profit, business stagnation, reputation damage and lost savings, are excluded from compensation.

11.3

The Data Controller indemnifies the Data Processor against all claims from third parties, as well as fines and / or other sanctions imposed by a competent authority, which may be imposed against the Data Processor for a breach of the laws and regulations concerning the processing of Data and / or non-compliance with the obligations under this Data Processing Agreement by the Data Controller.

 

Article 12 - Duration and termination

12.1

These Terms and Conditions are valid for as long as the Data Controller instructs the Data Processor to process Data under the Principal Agreement.

12.2

Upon termination of this Data Processing Agreement, the Data Processor must destroy all documents and data carriers containing Data, as well as copies thereof, unless the Data Processor is required pursuant to a provision of Union or Member State law to retain the Data.

12.3

The Data Processor will reasonably cooperate with regard to the transfer of the work concerning the processing of the Data to the Data Controller or a subsequent Data Processor at the cost of Data Controller.

12.4

This Data Processing Agreement will remain in force for as long as the Data Processor has Data in its possession. Obligations which by their nature are intended to continue even after termination of this Data Processing Agreement will remain in effect after termination of this Data Processing Agreement.

 

Article 13 - Governing law and jurisdiction

13.1

These Terms and Conditions are governed by Dutch law.

13.2

All disputes relating to these Terms and Conditions or its performance will be adjudicated by the competent court in Amsterdam.

 

Annex I: Data, data subjects, purposes, description of data processing

Data

The Data Controller will give the Data Processor access to the following Data which the Data Processor may process:

  • company name;
  • name;
  • email address.
Data subjects

The Data concerns the following categories of data subjects:

  • relations of Controller (customers, leads, prospects etc.).
Purposes

Where necessary, the Data may be processed for the following purposes:

  • sending mailings.
Description of
data processing

performance of the Exhibitor Invitation Portal Services.

 

RL/260919