JURIDISCH
Data Processing Agreement
The standard Article 28 GDPR terms used when NINAWA processes personal data on behalf of a client.
Laatst bijgewerkt: 13 June 20261. Roles and instructions
The client is the controller and NINAWA is the processor for personal data processed solely to deliver the contracted service. NINAWA processes data only on documented instructions, including agreed transfers, unless EU or Belgian law requires otherwise.
2. Processing details
The proposal or project schedule records the subject matter, duration, nature, purpose, data categories and groups of data subjects. Typical data may include customer contact, request, booking or account information handled through the client's website.
3. Confidentiality and security
People authorised to process client data are bound by confidentiality. NINAWA maintains proportionate technical and organisational measures, including access control, encrypted transport, patching, backups, separation of client environments where appropriate and incident procedures.
4. Sub-processors
The client gives general authorisation for necessary hosting, email, monitoring and infrastructure providers identified for the service. NINAWA remains responsible for imposing equivalent data-protection duties and will inform the client of intended material changes so the client can raise a reasoned objection.
5. Assistance
Taking account of the processing and information available, NINAWA assists the client with data-subject requests, security, breach assessment and notification, data-protection impact assessments and supervisory-authority consultations where applicable. Work beyond normal service scope may be charged at the agreed rate.
6. Personal-data breaches
NINAWA informs the client without undue delay after becoming aware of a personal-data breach affecting client data and provides available information needed for the client's assessment and notifications.
7. Return and deletion
At the end of the service, NINAWA returns or deletes client personal data as instructed, unless retention is legally required. Backup copies are isolated and expire through the normal backup cycle.
8. Audits and compliance
NINAWA makes information reasonably necessary to demonstrate Article 28 compliance available and supports proportionate audits subject to confidentiality, security and reasonable notice.
9. Transfers and precedence
Data outside the EEA requires a lawful transfer mechanism. If this DPA conflicts with the main service agreement on data protection, this DPA prevails. A project-specific signed schedule should be completed before client personal data is processed.