FSSC and Client are considered to be separate controllers for the processing of personal data. They will both treat all personal data in accordance with the General Data Protection Regulation (hereafter the “GDPR”).

In the event that FSSC is to be regarded as a processor of personal data on behalf of the Client, the conditions as laid down in this Data Processing Addendum will apply.

By accepting this Data Processing Addendum (hereafter the “DPA”), Client enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, if and to the extent FSSC processes personal data for which Client qualifies as the Controller. This DPA is an Addendum to and forms part of the General terms and conditions Digital Services (hereafter the “Agreement”). For the purposes of this DPA only, and except where indicated otherwise, all capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Services to Client pursuant to the Agreement, FSSC may process personal data on behalf of Client, and the Parties agree to comply with the following provisions with respect to any personal data, each acting reasonably and in good faith.


Client (hereinafter: ‘the Controller’) and the Foundation FSSC (hereinafter: ‘the Processor’);

hereinafter collectively referred to as ‘Parties’ and individually ‘Party,’

This DPA regarding the processing of personal data was drafted and entered into in order for the Parties to comply with the obligations set forth in the GDPR. This DPA contains the rights and obligations of the Controller and the Processor with regard to the processing of Personal Data.


  • the Controller processes personal data from various persons through the Platform of the Processor with respect to the Agreement;
  • The Processor may process the personal data within the Platform on behalf of the Controller, who holds control over the personal data.
  • The Controller determines the purpose and the means for processing the personal data and has chosen to use the Processors Portal for this purpose.
  • With this, DPA Parties wish to define how personal data is handled within the Platform and their rights and obligations in this regard.


have agreed as follows,


  • The Processor processes personal data on behalf of the Controller in accordance with the conditions laid down in this DPA. The processing will be executed exclusively within the framework of the Agreement and for all such purposes as may be agreed to subsequently.
  • The Processor shall take no unilateral decisions regarding the processing of personal data for purposes other than defined by the Controller.
  • Categories of Personal Data: The Personal Data processed are:
    • Name
    • Surname
    • E-mail
    • Phone number
    • Address
    • Login IP address and actions performed within the portal (log files)
    • Qualifications (concerning auditors)


  • The Processor shall comply with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the GDPR.
  • The Processor has adopted measures set out under article 7.4 of this Agreement to comply with its obligations under this DPA and the GDPR.
  • The Processor shall impose the obligations included in the DPA on the (legal) persons engaged by the Processor, including but not limited to Employees and/or Sub-processors.


  • The Processor may process the personal data in countries outside the European Union provided that such a country or organization guarantees an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this DPA and the GDPR.


  • The Processor shall only process the personal data under this DPA, in accordance with the Controller’s instructions resulting from this DPA and the Agreement under the responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor and processing by third parties and/or for other purposes.
  • Controller represents and warrants that it has a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of claims and actions of third parties related to the processing of personal data without legal basis under this DPA.


  • The Processor is authorized within the framework of the Agreement to engage third parties without the prior approval of the Controller being required. Upon request of the Controller, the Processor shall inform the Controller about the third party/parties engaged, thereby allowing the Controller to object to such engagements.
  • The Processor shall, in any event, ensure that such third parties will be obliged to agree in writing to the same duties and standards that are agreed upon between the Controller and the Processor.


  • In the case of a Personal Data Breach relating to the subject of the processing of this Agreement, the Processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority. The Processor will endeavor that the furnished information is complete, correct, and accurate.
  • The Parties shall work together in good faith to limit possible adverse effects of a Personal Data Breach.
  • If required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
  • The duty to report includes, in any event, the duty to report the fact that a leak has occurred, including details regarding:
  • the (suspected) cause of the leak;
  • the categories and approximate number of Data Subjects concerned;
  • the (currently known and/or anticipated) consequences thereof;
  • the (proposed) solution;
  • the measures that have already been taken.


  • The Processor will endeavor to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration, or disclosure of personal data) in connection with the performance of processing personal data under this DPA.
  • The Processor will endeavor to ensure that the security measures are of a sufficient level, having regard to state of the art, the sensitivity of the personal data, and the costs related to the security measures.
  • The Controller will only make the personal data available to the Processor if it is assured that the necessary security measures have been taken.
  • The Processor has implemented, amongst others, but not limited to, the following general technical and organizational security measures;
    • the prevention of unauthorized persons from gaining access to systems Processing Personal Data (physical access control),
    • the prevention of systems Processing Personal Data from being used without authorization (logical access control),
    • ensuring that persons entitled to use a system Processing Personal Data gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),
    • ensuring the establishment of an audit trail to document whether and by whom Personal Data has been entered into, modified in, or removed from systems Processing Personal Data (entry control),
    • ensuring that Personal Data Processed is Processed solely in accordance with the instructions (control of instructions),
    • ensuring that Personal Data is protected against accidental destruction or loss (availability control).


  • Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.


  • All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this DPA is subject to a duty of confidentiality vis-à-vis third parties.
  • This duty of confidentiality will not apply in the event that the Controller has expressly authorized the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this DPA, or if there is a legal obligation to make the information available to a third party.


  • To confirm compliance with this DPA, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements and will not interfere unreasonably with the Processor’s business activities.
  • The audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data and no earlier than two weeks after the Controller has provided written notice to the Processor.
  • The findings regarding the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
  • The Controller will bear the costs of the audit.


  • This DPA is entered into for the duration set out in the Agreement, and in the absence thereof, for the duration of the cooperation between the Parties.
  • The DPA may not be terminated in the interim.
  • This DPA may only be amended by the Parties subject to mutual consent.
  • The Processor shall provide its full cooperation in amending and adjusting this DPA in the event of new privacy legislation.


  • The DPA and the implementation thereof will be governed by Dutch law.
  • Any dispute arising between the Parties in connection with and/or arising from this DPA will be referred to the competent Dutch court in the district where the Processor has its registered office.
  • In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
    • the Agreement;
    • this DPA;
    • additional conditions, where applicable.


Version 1, October 2021