GRUB Processor Agreement

Version December 18, 2020 - 2nd version

ComplianceWise BV, having its registered office and principal place of business at 1059 CM Amsterdam at Anthony Fokkerweg 3, Chamber of Commerce number 59384999, hereinafter referred to as “Processor”, and the “Controller”, hereinafter jointly referred to as “Parties”, consider the following:

  1. By signing the GRUB order form, Controller and Processor have concluded an agreement, hereinafter referred to as “Agreement”, for the provision of services by Processor to Controller;
  2. On the basis of the Agreement, Processor will process Personal Data on behalf of Controller;
  3. The agreements that apply between the Parties in that regard are laid down in this Processor Agreement;

And agree as follows:

1. Definitions

The terms below are written with a capital letter and have the following meaning:

AP: Dutch Data Protection Authority
Audit: The investigation referred to in Article 11 of this Processor Agreement
GDPR: General Data Protection Regulation (EU) 2016/679
Data Subject: An identified or identifiable natural person whose Personal Data are being processed
Attachment: An attachment to this Processor Agreement that forms an integral part thereof
Data breach: A breach in connection with Personal Data as referred to in article 4 sub 12 of the GDPR
Agreement: The agreement referred to in consideration A.
Parties: Processor and Controller.
Personal data: All information as referred to in article 4 sub 1 of the GDPR that Processor processes on the basis of the Agreement and/or Processor Agreement on behalf of Controller.
PIA (Privacy impact assessment): Data protection impact assessment as referred to in Article 35 of the GDPR
Sub-processor: Another processor engaged by the Processor
Controller: The party with whom the Processor has concluded the Agreement referred to in consideration A.
Implementation Act: The General Data Protection Regulation Implementation Act
Processor Agreement: This agreement between Processor and Controller, including considerations and Appendices.

2. Duration of the Processor Agreement

2.1. This Processor Agreement commences on the effective date of the Agreement and will be in effect as long as the Agreement is in force. By signing the Agreement, the Parties also declare that they agree with this Processor Agreement. Upon termination of the Agreement, this Processor Agreement will end by operation of law without any further (legal) action being required.

3. Relationship between the Parties

3.1. This Processor Agreement contains the agreements between the Parties about the processing of Personal Data in the context of the provision of services by the Processor for the execution of the Agreement.
3.2. Controller independently determines the purpose and means of the processing of the Personal Data.
3.3. Processor processes the Personal Data on behalf of and for the purposes as determined by Controller. Processor is not entitled to use the Personal Data for its own purposes or for its own use.
3.4. The parties will provide each other with all reasonably required information to enable proper compliance with the laws and regulations applicable to them with regard to the protection of personal data.
3.5. If the Processor is of the opinion that the instructions of the Controller are in conflict with the applicable laws and regulations, the Processor will notify the Controller thereof.

4. Processing

4.1. The parties have described in Annex I the nature and purpose of the processing, the type of Personal Data that is processed and the categories of Data Subjects.

5. Security

5.1. Processor must take and maintain the appropriate technical and organizational measures agreed by Parties to protect the Personal Data processed on the basis of the Agreement.
5.2. When determining appropriate technical and organizational measures, the Parties take into account the risks that a security incident or Data Breach could cause with regard to the relevant processing and also look at the current technical security options, the implementation costs and the nature, scope and context of the processing of the Personal Data.
5.3. The Parties have included in Appendix II which technical and organizational security measures the Processor must take. The Controller has accepted the measures included in Annex II as being of an appropriate level as referred to in Article 5.1.

6. Assistance with Data Breaches

6.1. The Processor will inform the Controller immediately and in any case within 24 hours as soon as it becomes aware of a Data Breach with regard to Personal Data that the Processor processes on the basis of the Agreement. In doing so, the Processor will indicate as soon as possible which events and circumstances have led to the Data Breach and which measures have been taken to close the Data Breach.
6.2. If the Controller has to report the Data Breach to the AP and/or the Data Subjects, the Processor will provide the Controller with reasonable assistance to enable the Controller to make such report(s) within the statutory deadlines set.
6.3. In the event of a Data Breach, the parties will observe the procedure set out in Annex III.

7. Assistance in exercising data subjects' rights, PIAs and prior consultation

7.1. Processor will provide Controller with reasonable assistance to enable Controller to comply with requests from Data Subjects to exercise their rights under the GDPR within the legal deadlines.
7.2. If a Data Subject submits a request as referred to in the first paragraph directly to the Processor, the Processor will inform the Controller of this by sending the relevant request to the Controller.
7.3. If the Controller is required to perform a PIA pursuant to the GDPR, or the PIA proves that the AP must be consulted, the Processor will provide the Controller with all reasonable assistance that may be expected from the Processor in this regard.
7.4. Processor can charge costs associated with providing the reasonable assistance as set out in this Article 7 to Controller after prior written notification of these costs to Controller.

8. Confidentiality

8.1. Processor will keep the Personal Data that it processes on the basis of the Agreement and/or the Processor Agreement secret, as well as all other information that is or becomes known to it under this Processor Agreement, unless it is required to disclose the Personal Data or other information by law or a court decision. However, CW is entitled to share confidential information with its Sub-processors and other third parties that it engages for the performance of the Agreement.
8.2. Processor ensures that its employees or other persons or Sub-processors that it deploys in the performance of the Agreement and/or the Processor Agreement observe confidentiality with regard to Personal Data as referred to in Article 8.1.

9. Sub-processor

9.1. The Controller hereby gives the Processor general permission as referred to in Article 28 paragraph 2 of the GDPR to engage Sub-processor(s) in the performance of the Agreement. The Processor will enter into an agreement with the Sub-processor(s), in which the Sub-processor is bound, in particular with regard to security and the reporting of Data Breaches, to requirements similar to those laid down in this Processor Agreement.
9.3. If a Sub-processor is engaged, the Processor remains responsible for the fulfillment of its obligations under this Processor Agreement.

10. International aspects

10.1. Processor processes the Personal Data exclusively within the European Economic Area (EEA), unless the Controller has agreed to transfer to countries outside the EEA and one of the measures ensuring an adequate level of protection for these Personal Data has been taken.

11. Audit

11.1. The Controller is entitled to carry out an investigation (hereinafter: Audit) at the Processor after prior written notification, subject to a period of four weeks, to check whether the applicable laws and regulations and the provisions of this Processor Agreement are complied with. The Controller is entitled to engage an independent third party for this purpose, provided this third party maintains confidentiality. Controller bears the costs of the Audit.
11.2. An Audit will take place no more than once per calendar year, unless the Controller has concrete indications that the Processor is not complying with its legal or contractual obligations and notifies the Processor of this in writing and with documentation.
11.3. Processor will provide the Controller or the engaged independent third party with access to its buildings, offices, systems, information and documentation and provide reasonable cooperation if and insofar as this is necessary for the Audit performed by or on behalf of the Controller. The associated costs are for the account of the Controller.
11.4. The Controller will share the results with the Processor within a reasonable period of time after completion of the Audit. If irregularities are found, the Parties will determine in mutual consultation how and within what period they will be adjusted and rectified.
11.5. If the DPA or another supervisory authority starts an investigation at the Processor, the Processor will immediately inform the Controller of this in writing or by email, unless the Processor is not entitled to do so on the basis of a legal obligation, a court decision or an order from the DPA. The parties will cooperate in joint consultation with the investigation.

12. Liability

12.1. For the liability of each of the Parties arising from or in connection with this Processor Agreement and the Agreement in total, the exclusions and limitations of liability as agreed by the Parties in the Agreement apply.

13. End of Processor Agreement

13.1. At the end of the Processor Agreement, the Controller has the option of obtaining the Personal Data by means of an export functionality during a period described in the Agreement. After that period, the Processor will delete the Personal Data, unless the Processor is obliged to keep the Personal Data on the basis of a legal obligation or court decision.

14. Other

14.1. In the event of any contradiction between the provisions of this Processor Agreement and the Agreement, the provisions of this Processor Agreement will prevail, unless the Parties have expressly agreed otherwise in writing.
14.2. The Controller is not entitled to transfer rights and obligations under this Processor Agreement to a third party, unless the Processor has given prior written consent.
14.3. Parties can only change this Processor Agreement in writing.
14.4. Obligations under this Processor Agreement which by their nature are intended to continue after the end of this Processor Agreement, such as but not limited to the article regarding liability, will continue to exist after the end of this Processor Agreement.

15. Applicable law and competent court

15.1. This Processor Agreement is exclusively governed by Dutch law.
15.2. All disputes that may arise from this Processor Agreement will be submitted exclusively to the body that is also authorized to judge disputes that may arise from the Agreement. In the absence thereof, the competent court in Amsterdam will have exclusive jurisdiction.

By signing the Agreement, the Parties also agree to this Processor Agreement.

Appendix 1: Processing of personal data

This Appendix describes which processing activities take place in the context of the performance of the services by the Processor on behalf of the Controller as agreed in the Agreement.

Contact details of the Processor (including country where the data are processed):

  • ComplianceWise BV
  • Anthony Fokkerweg 3
  • 1059 CM Amsterdam
  • Contact person: Vincent Glazenburg
  • Telephone: 020-2044538
  • E-mail:
  • Country where the personal data are processed: The Netherlands

Nature, duration and purpose of the processing:

  • The GRUB application facilitates the Controller in complying with anti-money laundering regulations, such as know your customer (KYC) and transaction monitoring, for the duration of the Agreement.

Type of Personal Data processed:

  • Personal Data collected and checked to comply with anti-money laundering rules, such as contact details, identification data, Chamber of Commerce data, PEP (politically exposed person) data or data on persons appearing on international sanctions lists, and relevant data generated by online research.

Categories of Data Subjects:

  • Customers and potential customers of the customer and/or persons employed by or involved with the customers and potential customers of the customer.

If applicable: data of the Sub-processor(s):

  • N/A

International: processing of Personal Data outside the EEA? If so, which countries are involved and what safeguards are or have been put in place to ensure an adequate level of protection?

  • N/A

Appendix 2: Security

This Appendix describes which technical and organizational measures have been taken to protect the Personal Data.

ComplianceWise has taken a number of organizational and technical measures to protect the Personal Data.

To have access to the Personal Data, the User must have appropriate authorization. Authorization within the system is arranged at user level based on the wishes of the customer. When administrators or employees of ComplianceWise need access to the environment, they must request permission. The purpose and term of access must be clearly described in the request.

In addition to access security within the ComplianceWise system, the data is also encrypted. An AES256 encryption key is used both in transit and at rest. In this way, the data within the system cannot be intercepted or read by third parties. More information about the security of Personal Data within ComplianceWise can be provided by the Security Officers. Mail to

To ensure the integrity and availability of the Client data, ComplianceWise makes an encrypted backup of the Client data every day.

ComplianceWise continuously monitors whether the Application and the Client data are still accessible. If, due to an Incident or disaster, the Client data is (temporarily) inaccessible, ComplianceWise will notify the owner of the Client data via the designated contact person. ComplianceWise then strives to restore the service as quickly as possible, in accordance with the agreed service levels.

ComplianceWise applies the continuous service improvement principle to periodically evaluate the established processes and make improvements where necessary. More information about the backup and disaster recovery processes of ComplianceWise can be requested via

Appendix 3: Procedure for Data Breaches

Processor informs Controller within 24 hours after becoming aware of a Data Breach.

Processor reports a Data Breach by email and by telephone to the contact person of Controller known to him.

  • Name: Vincent Glazenburg
  • Phone: 020-2044538
  • Email:

At the request of the Controller, the Processor will provide the necessary data indicated by the Controller to enable the Controller to comply with its legal obligations in the event of a Data Breach. It is expressly noted here that the Processor only provides this information to the Controller, but does not itself report it to the DPA and/or to the Data Subjects.

The Controller decides on the basis of the legal criteria and the guidelines of the AP whether the Data Breach must be reported to the AP and possibly also to the Data Subjects.

The Processor keeps a secure registration of the Data Breaches that have occurred with regard to the Controller. This registration is made available to the Controller at its first request.

Article 8 of the Processor Agreement is fully applicable.