The AVG distinguishes two roles in the processing of personal data:
- The controller
- The processor
Matrix Software is both controller and processor. We are responsible for the personal data that customers and suppliers share with Matrix, so that we can execute our agreement, stay in touch with you, handle your payments, etc. We also process the personal data in our software products that you share with us, for example when a Matrix employee has a remote connection to your computer or has a backup of your (customer) database. In addition, Matrix is a processor of personal data of customers of customers in online applications such as WebKozijn. According to the AVG, every user of the Matrix software must conclude a Processing Agreement with Matrix. To simplify this, Matrix takes the initiative for all its customers. The Processor Agreement has become part of the General Terms and Conditions (AV).
Processing Agreement Matrix Software
Matrix Software (Matrix) processes, among other things, personal data for and on behalf of the customer because the customer has a software user agreement with Matrix. Matrix and the customer are therefore obliged to conclude a Processor Agreement in accordance with the General Data Protection Regulation (AVG). Because Matrix provides standard applications with the associated standard services, Matrix has included the processing agreement in the General Terms and Conditions. In this respect, Matrix is the 'processor' and the customer is the 'controller'. Matrix and the customer mutually commit to comply with the General Data Protection Regulation (AVG). For the definitions of terms, this agreement follows the AVG. Matrix will only process the personal data for and on behalf of the customer and to implement the agreement.
The processing consists of making the Matrix applications available with the data entered, generated and/or supplied by the customer. Matrix will not add, modify or delete data without the customer having given specific instructions for this. This instruction can be given via a request or via the application. Within the applications that Matrix makes available, different types of personal data can be recorded. Matrix is aware that the customer can enter all these personal data and/or create categories of personal data, and that Matrix will then process them. The customer is responsible for assessing whether the purpose and nature of the processing fits the services provided by Matrix and complies with the rules of the AVG. Matrix collects anonymous data about the use of its products and services. These data help Matrix gain insight into whether, how and how often certain parts of the product are used. The anonymised data will only be used to improve products and services. Matrix will never use the collected user statistics for commercial purposes or offer them to third parties.
Matrix is aware that the information that the customer stores within the Matrix Software applications and/or shares with Matrix is confidential and business-sensitive. All Matrix employees will handle the client's information in a responsible manner during and after termination of their employment. This is laid down in their employment contract by means of a confidentiality clause.
Employees with access to data
Consultants, support staff and other Matrix employees only have access to the customer and personal data if they have received permission from the customer, and only for as long as they have the customer's permission.
Matrix continues to take appropriate technical and organizational measures to protect the customer's personal data against loss or any form of unlawful processing. These measures are regarded as an appropriate security level in the sense of the AVG. If the Personal Data Protection Authority issues a binding instruction to the controller, the customer must immediately inform Matrix of this binding instruction. Matrix will do what can reasonably be expected of it to make compliance possible.
Some applications of Matrix Software, including WebKozijn, the online web store for window frames, are processed in the data centers of LeaseWeb Netherlands B.V. As a result, according to the AVG, LeaseWeb is a subprocessor. The data centers Matrix uses are located exclusively in the Netherlands (Schiphol Rijk and Haarlem), are subject to Dutch laws and regulations, and comply with strict Dutch and European legislation regarding logical and physical access security and continuity. The data centers are at least ISO 27001 certified. The (personal) data are processed exclusively by Matrix and the subprocessor within the European Economic Area. Matrix will not have data processed by any new subprocessor without informing the customer in good time. The customer can lodge an objection to the subprocessor with Matrix. Matrix will deal with these objections at board level. If Matrix wishes to have data processed by a new subprocessor, the customer has the option to terminate the agreement.
Matrix has no control over the personal data processed by the customer and made available to Matrix for processing. Without explicit permission from the customer or a legal obligation, Matrix will not provide the data to third parties or process them for purposes other than the agreed purposes. The customer guarantees that the personal data may be processed by Matrix on one of the legal bases mentioned in the AVG.
The customer is responsible for the data entered by the data subjects, and thereby for informing the data subjects and assisting them in exercising their rights. Matrix will never respond to requests from data subjects and will always refer them to the controller. Matrix will, insofar as this is possible within the application, provide its cooperation to the customer so that he can fulfill his legal obligations in the event that a data subject exercises its rights under the AVG or other applicable regulations concerning the processing of personal data.
Reporting duty data leaks
The AVG requires that any data breaches be reported to the Data Protection Authority by the controller of the data. Matrix will therefore not make any reports to the Dutch Data Protection Authority itself. Of course, Matrix will inform the customer correctly, in a timely manner and completely about relevant incidents, so that the customer can fulfill his legal obligations as controller. The Policy Rules on reporting duty data leaks by the Dutch Data Protection Authority provide more information on this. If the customer makes a (provisional) report to the Dutch Data Protection Authority and/or the person(s) concerned about a data breach at Matrix, without the customer having discussed this in advance with Matrix, then the customer is liable for the damage and costs incurred by Matrix. The customer is also obliged to withdraw such a report immediately.
Determination of data breach
To determine whether or not there is a data breach, Matrix uses the AVG and the Policy Rules for reporting data leaks as a guideline.
Notification to the customer
If Matrix establishes that a security incident or data breach has occurred, Matrix will inform the customer about this as soon as possible after Matrix has become aware of the data breach. In order to achieve this, Matrix ensures that all its employees are able and remain able to detect a data breach, and Matrix expects its customers to enable Matrix to meet these requirements. If there is a data breach at a Matrix supplier or sub-processor, Matrix reports it to the customer. Matrix is and remains the point of contact for the customer. The customer does not have to contact suppliers or sub-processors of Matrix.
Inform primary contact person
Initially, Matrix will inform the customer's primary contact person about a data breach. If this contact person is not (or no longer) the right one, contact will be made with the management of the customer. To the best of its ability, Matrix will provide all relevant information that the customer needs to make a possible report to the Dutch Data Protection Authority and/or the person(s) involved.
Term of information
The AVG indicates that a report must be made 'without delay'. According to the Dutch Data Protection Authority, this means without undue delay and, if possible, no later than 72 hours after discovery by the controller. If a security incident occurs, Matrix will inform the customer as soon as possible, but at the latest within 48 hours after the discovery by Matrix. The customer will have to make his own assessment of whether the security incident falls under the term 'data breach' and whether a report to the Dutch Data Protection Authority will have to be made. After the customer has been notified by Matrix, the customer has up to 72 hours.
Progress and measures
Matrix will keep the customer informed about the progress and the measures that will be taken. Matrix makes agreements about this with the primary contact person at the initial report. In any case, Matrix keeps the customer informed in the event of a change in the situation, the publication of further information and the measures that are taken.
Processing agreement Matrix Software, version 18.1