Data Processing Agreement

Article 1 — Parties and Definitions

• Controller ("Customer"): Customer processing personal data via Smart-Verkoop.
• Processor ("Smart-Verkoop"): Smart-Verkoop, CoC 95488294.
• Personal Data: as defined in GDPR art. 4(1).
• Data Subjects: end customers/buyers whose data is processed.
• Sub-processor: third party engaged by Smart-Verkoop.

Article 2 — Subject and Duration

2.1 Takes effect on Platform use; ends on Subscription termination.

2.2 Smart-Verkoop processes only on written instruction from Customer.

Article 3 — Categories of Data Subjects and Data

Subjects: end customers/buyers on bol.com/Amazon, reviewers, B2B contacts.

Data: name, email, address, phone, transaction data, orders, reviews, limited payment info (no CC numbers), IP addresses if available.

No special categories (GDPR art. 9).

Article 4 — Purposes and Instructions

4.1 Purposes: display orders/inventory/customer info, calculate revenue/profit, reports, show reviews, historical data for trends, support.

4.2 Only written instructions. General instruction via Platform use.

4.3 Smart-Verkoop informs if instructions conflict with GDPR.

Article 5 — Processor Obligations

5.1 Confidentiality by all staff.

5.2 Appropriate technical and organizational measures (GDPR art. 32).

5.3 Cooperation on requests, DPIAs, audits.

5.4 All information available for GDPR compliance.

Article 6 — Security

Technical: SSL/TLS, bcrypt passwords, encrypted tokens, multi-tenant isolation, firewalls, rate limiting, SQL/XSS/CSRF protection, logging, backups.

Organizational: restricted access, password policy, incident response, periodic reviews, confidentiality, awareness training.

Article 7 — Sub-processors

7.1 Current sub-processors:

7.2 Changes: 30 days prior notice, right to object.

7.3 Same obligations imposed on sub-processors, Smart-Verkoop remains liable.

Article 8 — Data Subject Rights

8.1 Customer primarily responsible for handling GDPR requests.

8.2 Smart-Verkoop provides reasonable cooperation within 14 days.

8.3 Direct contact from Data Subjects: we refer them to Customer.

Article 9 — Data Breaches

9.1 Notification to Customer without undue delay, within 48 hours.

9.2 Includes: nature, cause, numbers, consequences, measures, contact, advice.

9.3 Support with DPA notification and Data Subject communication.

Article 10 — International Transfer

Only within EU/EEA. Transfer only with adequacy decision, SCCs, BCRs or GDPR art. 46-49.

Article 11 — Audit

11.1 Max 1 audit per year, at Customer's cost, 30 days notice.

11.2 Auditor signs NDA, no access to other customers' data.

11.3 Alternative: recent audit report or certification.

Article 12 — End of Agreement

12.1 Deleted or returned within 30 days (Customer's choice).

12.2 Backups overwritten within 90 days.

12.3 Exception: legal retention obligation.

12.4 Export in structured, machine-readable format (JSON/CSV).

Article 13 — Liability

As per Terms & Conditions. Each party own share per GDPR art. 82.

Article 14 — Final Provisions

14.1 In case of conflict this Agreement prevails for personal data.

14.2 Changes 30 days in advance.

14.3 Dutch law, competent court at Smart-Verkoop's location.

Annex A — Security Measures

• Access: RBAC, strong passwords, session timeout, lockout, audit logs
• Transit: TLS 1.2+, HSTS, API encryption
• At rest: bcrypt passwords, encrypted tokens, .htaccess protection, encrypted backups
• Infrastructure: firewalls, DDoS protection, updates, monitoring
• Operational: incident response, backup testing, change management, security reviews, awareness training

Contact

Email: info@smart-verkoop.com (subject: "Data Processing Agreement") | CoC: 95488294