Privacy and personal data

Privacy and personal data

  • a. Parties mutually undertake to act in accordance with the legislation on the protection of personal data. Parties shall act in accordance with the Policy Rules on Notification of Data Breaches of the Authority for the Protection of Personal Data (Autoriteit Persoonsgegevens), the AVG and the AVG Implementation Act.
  • b. A data leak is understood to mean: all security incidents as a result of which the protection of personal data has been breached at any time or as a result of which the personal data has been exposed to loss or unlawful processing. It may concern, for example, the loss of a USB stick or computer, the sending of an e-mail in which the e-mail addresses are visible to all addressees, a calamity such as fire in a data centre or malware infection.
  • c. RG will determine for each processing operation whether it is operating in the role of processor or data controller. RG processes personal data in order to comply with deliveries and rental agreements.
  • d. If a controller becomes aware of a data breach, it must immediately, and where possible within 72 hours, report this to the Personal Data Authority. If this is not possible, an explanation must be given for the delay.
  • e. If it appears that RG has a data leak, which must be reported by Client to the Authority for the Protection of Personal Data and/or the person(s) concerned, RG shall inform Client thereof as soon as possible after RG becomes aware of the data leak. RG shall promptly endeavour to provide the Client with all the information it requires to make a full report to the Personal Data Authority and/or the person(s) concerned.
  • f. Parties shall take appropriate technical and organisational measures to secure the personal data against loss or any form of unlawful processing.
  • g. Client, in consultation with RG, is entitled during the term of the agreement to verify compliance in the area of personal data protection by means of an independent expert. Client shall bear all costs in connection with this inspection.
  • h. RG may engage third parties (sub-processors) to perform certain work, for example if these Third Parties have specialist knowledge or resources that RG does not have. If the engagement of Third Parties results in the processing of Personal Data, then RG will make (written) agreements with those Third Parties about the protection of Personal Data. By entering into an agreement with RG, Client gives permission for the engagement of Third Parties.
  • i. RG shall only process the Personal Data within the European Economic Area, unless RG has made other written arrangements with the Client in this regard.
  • j. RG is not liable for fines or claims if Client does not comply with the obligations under the laws and regulations on the protection of Personal Data.