{"id":164016,"date":"2025-12-10T08:33:24","date_gmt":"2025-12-10T08:33:24","guid":{"rendered":"https:\/\/bas-ip.com\/data-processing-addendum\/"},"modified":"2026-04-13T11:16:38","modified_gmt":"2026-04-13T11:16:38","slug":"data-processing-addendum","status":"publish","type":"page","link":"https:\/\/bas-ip.com\/nl\/data-processing-addendum\/","title":{"rendered":"DATA PROCESSING ADDENDUM"},"content":{"rendered":"<p style=\"text-align: center;\"><span style=\"font-weight: 400;\">Last updated: [<\/span><span style=\"font-weight: 400;\">10.12.2025<\/span><span style=\"font-weight: 400;\">]<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This Data Processing Addendum (hereinafter \u2018<\/span><b>DPA<\/b><span style=\"font-weight: 400;\">\u2019) is entered into between you (hereinafter the \u2018<\/span><b>Client<\/b><span style=\"font-weight: 400;\">\u2019, \u2018<\/span><b>you<\/b><span style=\"font-weight: 400;\">\u2019, \u2018<\/span><b>your<\/b><span style=\"font-weight: 400;\">\u2019) and BAS-IP DISTRIBUTION LTD (hereinafter the \u2018<\/span><b>Company<\/b><span style=\"font-weight: 400;\">\u2019, \u2018<\/span><b>BAS-IP<\/b><span style=\"font-weight: 400;\">\u2019, \u2018<\/span><b>we<\/b><span style=\"font-weight: 400;\">\u2019, \u2018<\/span><b>us<\/b><span style=\"font-weight: 400;\">\u2019 or \u2018<\/span><b>our<\/b><span style=\"font-weight: 400;\">\u2019), hereinafter referred to individually as a \u2018<\/span><b>Party<\/b><span style=\"font-weight: 400;\">\u2019 or together as the \u2018<\/span><b>Parties<\/b><span style=\"font-weight: 400;\">\u2019. This DPA supplements the <\/span><a href=\"https:\/\/bas-ip.com\/nl\/privacy\/\"><span style=\"font-weight: 400;\">Terms and Conditions<\/span><\/a><span style=\"font-weight: 400;\"> (hereinafter the \u2018<\/span><b>Agreement<\/b><span style=\"font-weight: 400;\">\u2019), concluded between the Parties.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This DPA governs the processing of personal data that the Client provides to BAS-IP in connection with the use of BAS-IP\u2019s products and services (together the \u2018<\/span><b>Services<\/b><span style=\"font-weight: 400;\">\u2019), as well as any personal data that BAS-IP obtains in the course of performing the Services for the Client.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Unless otherwise defined in this DPA, all capitalised terms used in this DPA will have the meanings set forth in the Agreement. This DPA shall remain in force until the termination of the Agreement between you and us governing your use of the Services. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail with respect to the processing of personal data.<\/span><\/p>\n<ol>\n<li><b> Definitions<\/b><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">For the purposes of this DPA, the following definitions shall apply:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>Client Data<\/b><span style=\"font-weight: 400;\">\u201d means any personal data that the Client uploads, transmits, or otherwise provides to BAS-IP in connection with the Services, as well as any personal data that BAS-IP processes in the course of performing the Services.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>Data Protection Laws<\/b><span style=\"font-weight: 400;\">\u201d means all applicable laws and regulations relating to the processing of Client Data, including those of the European Union, the European Economic Area and its member states, the United Kingdom, such as:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the EU General Data Protection Regulation (EU GDPR);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the UK General Data Protection Regulation (UK GDPR);\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the Data Protection Act 2018;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the Data (Use and Access) Act 2025 (DUAA);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">any other applicable data protection laws and regulations, to the extent applicable to the Parties and the processing activities under this DPAany other applicable laws and regulations.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>Data Transfer Mechanism<\/b><span style=\"font-weight: 400;\">\u201d means any legally recognised mechanism, instrument or framework that permits the transfer of Client Data from one jurisdiction to another in compliance with applicable Data Protection Laws, including, without limitation, the EU Standard Contractual Clauses and the UK Addendum.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>EU SCCs<\/b><span style=\"font-weight: 400;\">\u201d means EU Standard Contractual Clauses for the transfer of\u00a0 Client Data to third countries pursuant to Regulation (EU) 2016\/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021\/914 of 4 June 2021, as currently set out at<\/span><a href=\"https:\/\/eurlex.europa.eu\/eli\/dec_impl\/2021\/914\/oj\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">https:\/\/eurlex.europa.eu\/eli\/dec_impl\/2021\/914\/oj<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>General Data Protection Regulation (GDPR)<\/b><span style=\"font-weight: 400;\">\u201d means Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>International Data Transfer<\/b><span style=\"font-weight: 400;\">\u201d means any transfer of Client Data from a country in which the data is collected to a country outside of that jurisdiction, where the applicable Data Protection Laws require appropriate safeguards for such transfer.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>Public Authority<\/b><span style=\"font-weight: 400;\">\u201d means a government agency or law enforcement authority, including judicial authorities.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>Sensitive Client Data<\/b><span style=\"font-weight: 400;\">\u201d means Client Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health, or a person\u2019s sex life or sexual orientation, or data relating to criminal convictions and offences.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>Services<\/b><span style=\"font-weight: 400;\">\u201d means the services provided by the Company to the Client.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>Supervisory Authority<\/b><span style=\"font-weight: 400;\">\u201d means an independent public authority responsible for monitoring the application of the data protection legislation.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&#8220;<\/span><b>Technical and Organisational Security Measures<\/b><span style=\"font-weight: 400;\">&#8221; mean the measures aimed at the protection of personal data against unintentional destruction or unintentional loss, alteration, unauthorised disclosure or access, particularly where the processing involves the transmission of data via a network, and against all other unlawful forms of processing.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>UK GDPR<\/b><span style=\"font-weight: 400;\">\u201d means the retained version of the EU General Data Protection Regulation as it forms part of UK law, together with any amendments made by the Data Protection Act 2018 and any other applicable UK legislation governing the processing of personal data.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>UK Addendum<\/b><span style=\"font-weight: 400;\">\u201d means International Data Transfer Addendum to the EU Standard Contractual Clauses that has been issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at <\/span><a href=\"https:\/\/ico.org.uk\/media\/for-organisations\/documents\/4019539\/international-data-transfer-addendum.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">https:\/\/ico.org.uk\/media\/for-organisations\/documents\/4019539\/international-data-transfer-addendum.pdf<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><b>controller<\/b><span style=\"font-weight: 400;\">\u201d, \u201c<\/span><b>processor<\/b><span style=\"font-weight: 400;\">\u201d, \u201c<\/span><b>sub-processor<\/b><span style=\"font-weight: 400;\">\u201d, \u201c<\/span><b>data subject<\/b><span style=\"font-weight: 400;\">\u201d, \u201c<\/span><b>personal data<\/b><span style=\"font-weight: 400;\">\u201d, and \u201c<\/span><b>processing<\/b><span style=\"font-weight: 400;\">\u201d have the meanings given in the Data Protection Laws.<\/span><\/p>\n<ol start=\"2\">\n<li><b> Roles and Responsibilities<\/b><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Where BAS-IP processes Client Data on your behalf in connection with Services, you acknowledge and agree that with regard to the processing of Client Data, you are a controller or processor, and we are a processor or sub-processor (as defined by the Data Protection Laws) acting on your behalf. A description of such processing is set out in Schedule 1 of this DPA. This DPA shall apply accordingly to established roles and not apply to situations where we act as a controller in accordance with BAS-IP\u2019s Privacy Policy.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If the Client is a processor, the Client warrants to BAS-IP that Client\u2019s instructions and actions in respect to personal data, including appointing BAS-IP as sub-processor and, where applicable, concluding the EU SCCs or any other Addenda under Section 9 of this DPA (including as they may be amended in Section 9 below), have been (and will, for the duration of this DPA, continue to be) authorised by the relevant third-party controller.<\/span><\/p>\n<ol start=\"3\">\n<li><b> Instructions<\/b><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The Parties agree that this DPA and the applicable Agreement constitute the Client\u2019s complete and final documented instructions regarding the processing of Client Data (hereinafter the \u2018<\/span><b>Instructions<\/b><span style=\"font-weight: 400;\">\u2019) where the Client acts as a controller or processor and BAS-IP acts as a processor or sub-processor under Data Protection Laws.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Any additional or alternative instructions must be agreed in writing by the Parties and shall be consistent with this DPA and the Agreement.<\/span><\/p>\n<ol start=\"4\">\n<li><b> Description of processing<\/b><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The processing of Client Data on Client\u2019s behalf in connection with Services is described in Schedule 1 of this DPA. We reserve the right to update the description of processing from time to time to reflect new functionality that is part of the Services.<\/span><\/p>\n<ol start=\"5\">\n<li><b> Client\u2019s obligations<\/b><\/li>\n<\/ol>\n<p><b>5.1. Controller\u2019s obligations<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Within the scope of the DPA, when the Client acts as a controller, the Client shall be responsible for complying with all requirements that apply to the Client as a controller under the Data Protection Laws.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When acting as a controller, you must:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(a) maintain the accuracy, quality, confidentiality, and security of the Client Data;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(b) comply with and perform your obligations under Data Protection Laws, including with regard to data subject rights, data security, and confidentiality, and ensure you have an appropriate legal basis for the processing of personal data;\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(c) provide BAS-IP only with Client Data that has been lawfully obtained and ensure such data is adequate, relevant, and proportionate to the intended purposes;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(d) ensure that your Instructions to BAS-IP regarding the processing of Client Data comply with the Data Protection Laws, including the principles of data minimisation, purpose limitation, and storage limitation.<\/span><\/p>\n<p><b>5.2. Processor\u2019s obligations<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Within the scope of the DPA, when the Client acts as a processor, the Client shall be responsible for complying with all requirements that apply to the Client as a processor under the Data Protection Laws.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When acting as a Processor, you must:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(a) provide BAS-IP only with processing instructions that accurately reflect the documented instructions of the respective controller;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(b) provide BAS-IP only with Client Data that has been lawfully obtained from the respective controller and that is adequate, relevant, and limited to what is necessary for the permitted purposes;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(c) maintain transparency with the respective controller regarding the engagement of BAS-IP and any sub-processors;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(d) comply with all obligations under applicable Data Protection Laws in your capacity as a processor;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(e) ensure that your personnel or any third party accessing Client Data comply with this DPA and the Agreement.<\/span><\/p>\n<ol start=\"6\">\n<li><b> BAS-IP obligations<\/b><\/li>\n<\/ol>\n<p><b>6.1. General Obligations<\/b><\/p>\n<p><span style=\"font-weight: 400;\">When BAS-IP acts as a processor\/sub-processor, we must:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(a) process Client Data according to your Instructions and exclusively for the specified purposes;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(b) inform you if, in BAS-IP\u2019s reasonable opinion:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(i) your Instructions violate or may violate applicable Data Protection Laws; or<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(ii) BAS-IP is unable to comply with your Instructions;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(c) implement and maintain appropriate technical and organizational measures to ensure the confidentiality of Client Data;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(d) comply with all applicable Data Protection Laws, including obligations relating to data subject rights, data security, and confidentiality;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(e) ensure, through written contracts or other legally binding means, that any sub-processor engaged to process Client Data on behalf of BAS-IP is subject to equivalent data protection obligations as set out in this DPA and the Agreement;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(f) maintain accurate records of all processing activities carried out on your behalf under this DPA and provide such records to you upon request;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(g) without undue delay notify you if BAS-IP becomes aware that any Client Data provided by you is inaccurate, incomplete, or outdated;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(g) apply appropriate and necessary safeguards or restrictions when processing Sensitive Client Data, as required by Data Protection Laws or the Instructions;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(h) provide you with all information reasonably necessary to demonstrate BAS-IP\u2019s compliance with its obligations under applicable Data Protection Laws.<\/span><\/p>\n<p><b>6.2. Notices to a Client<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Upon becoming aware, we shall inform you of any legally binding request for disclosure of Client Data by a Public Authority, unless we are otherwise forbidden by law to inform the Client, for instance, to preserve the confidentiality of an investigation by a Public Authority. We will inform you if BAS-IP becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of Client Data under this DPA conducted between you and us.<\/span><\/p>\n<p><b>6.3. Confidentiality\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We will not access, use, or disclose to any third party any Client Data, except, in each case, as necessary to maintain or provide the Services or as necessary to comply with contractual and legal obligations or a binding order of a public body (such as a subpoena or court order).\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We shall ensure that any employee\/contractor whom we authorise to access Client Data on our behalf is subject to appropriate confidentiality contractual or statutory duty obligations with respect to Client Data.\u00a0<\/span><\/p>\n<p><b>6.4. Security measures\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We shall implement and maintain appropriate technical and organisational measures to protect Client Data from any data breaches such as actual or suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Client Data transmitted, stored or otherwise processed (hereinafter the \u2018<\/span><b>Security Incidents<\/b><span style=\"font-weight: 400;\">\u2019) in accordance with our security standards set out in Schedule 2 of this DPA.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You acknowledge that security measures are subject to technical progress, so that we may modify or update Schedule 2 of this DPA at our sole discretion, provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 2 of this DPA.\u00a0<\/span><\/p>\n<p><b>6.5. Security Incident\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Upon becoming aware of a Security Incident, we shall:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">notify you without undue delay after we become aware of the Security Incident;\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">provide timely information relating to the Security Incident (the type of personal data, the categories and potential number of individuals or records affected) as it becomes known or as is reasonably requested by you; and\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">promptly take reasonable steps to contain and investigate any Security Incident so that you can notify competent authorities and\/or affected Data Subjects of the Security Incident.\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Our notification of or response to a Security Incident shall not be construed as an acknowledgment by us of any fault or liability regarding the Security Incident.\u00a0<\/span><\/p>\n<p><b>6.6. Return or deletion of Client Data\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Upon termination or expiration of the Agreement concluded between you and us, we shall delete or return all Client Data in our possession or control. This requirement shall not apply to the extent we are required by applicable law or respective contractual obligations to retain some or all of the Client Data.\u00a0<\/span><\/p>\n<p><b>6.7. Reasonable Assistance<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We agree to provide reasonable assistance to the Client regarding:\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(a) any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking, or deletion of Client Data that we process on behalf of Client. In the event that a data subject sends such a request directly to us, Section 7 of this DPA shall apply;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(b) the investigation of the Security Incident and communication of necessary notifications regarding such Security Incidents, subject to Section 6.5 of this DPA;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(c) preparation of data protection impact assessments (the \u2018<\/span><b>DPIAs<\/b><span style=\"font-weight: 400;\">\u2019) and, where necessary, consultation of the Client with the Supervisory Authority under Articles 35 and 36 of the GDPR.<\/span><\/p>\n<p><b>6.8 Audit and Certification<\/b><\/p>\n<p><b>6.8.1 Supervisory Authority Audit<\/b><\/p>\n<p><span style=\"font-weight: 400;\">If a Supervisory Authority requires an audit of our data processing facilities, we use to process the Client Data to ascertain or monitor the Client&#8217;s compliance with the Data Protection Laws, we will cooperate with the audit. The Client is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for services performed by us.<\/span><\/p>\n<p><b>6.8.2 Audits<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The Client may, prior to the commencement of processing and at regular intervals, thereafter, audit the technical and organisational measures taken by us. If the Client is the controller with respect to the personal data processed by us on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to our business operations, we may provide the Client with all information necessary to demonstrate compliance with its obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client with respect to such processing.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We shall, upon the Client\u2019s written request and within a reasonable period, provide the Client with all information necessary for such audit, to the extent that such information is within our control and we are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.<\/span><\/p>\n<ol start=\"7\">\n<li><b> Data subject requests<\/b><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">In the event that a data subject contacts us with regard to the exercise of their rights under the Data Protection Laws (in particular, requests for access to, rectification, or deletion of Client Data), we will use all reasonable efforts to forward such requests to you. If we are legally required to respond to such a request, we shall immediately notify you and provide you with a copy of the request unless we are legally prohibited from doing so.\u00a0<\/span><\/p>\n<ol start=\"8\">\n<li><b> Sub-processors<\/b><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">BAS-IP has the general written authorisation from the Client for the engagement of sub-processors from an agreed list. BAS-IP agrees to inform the Client of any intended changes to that list concerning the addition or replacement of sub-processors at least 10 days prior to the engagement of the sub-processor in question, thereby giving the Client the opportunity to object to such changes. BAS-IP shall provide the Client with the information necessary to enable the Client to exercise the right to object.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If Section 9 of this DPA applies, the procedure for engaging sub-processors shall be governed by the relevant provisions of Section 9 of this DPA. In such a case, the provisions of Section 9 shall prevail.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The agreed list of Sub-processors is set out in Schedule 3 of this DPA.<\/span><\/p>\n<ol start=\"9\">\n<li><b> Transfers of Client Data<\/b><\/li>\n<\/ol>\n<p><b>9.1. General<\/b><\/p>\n<p><span style=\"font-weight: 400;\">You acknowledge and agree that using BAS-IP Services may involve transferring Client Data to other jurisdictions, in compliance with applicable Data Protection Laws.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Where such transfers require appropriate safeguards, the applicable Data Transfer Mechanisms shall be used, such as the EU SCCs and the UK Addendum. These Data Transfer Mechanisms are incorporated into and form an integral part of this DPA, as further described in Sections 9.2. and 9.3.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In the event of any conflict between the provisions of this DPA and the applicable Data Transfer Mechanisms, the provisions of the relevant Data Transfer Mechanism shall prevail solely to the extent of such conflict.<\/span><\/p>\n<p><b>9.2. Transfers under the GDPR<\/b><\/p>\n<p><span style=\"font-weight: 400;\">When the processing of Client Data on your behalf in connection with Services constitutes a \u201ctransfer\u201d under the GDPR, Standard Contractual Clauses shall apply.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When you are a controller, and we are a processor, Module Two of the EU SCCs shall apply, and when you are a processor, and we are a sub-processor, Module Three of the EU SCCs shall apply.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For the purpose of the EU SCCs, BAS-IP is a \u201cData Importer\u201d, and you are a \u201cData Exporter\u201d.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs are deemed to be completed as follows:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(i) in Clause 7, the optional docking clause shall not apply;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(ii) in Clause 9, Option 2 (General written authorisation) shall apply. For the purpose of Clause 9(a), the time period for informing the Data Exporter shall be 10 days;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(iii) in Clause 11, the optional provision shall not apply;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(iv) in Clause 13, a particular option shall apply depending on the specific case;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(v) in Clause 17, Option 1 shall apply. The EU SCCs shall be governed by the law of <\/span><span style=\"font-weight: 400;\">the Federal Republic of Germany<\/span><span style=\"font-weight: 400;\">;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(vi) in Clause 18(b), disputes shall be resolved by the courts of<\/span><span style=\"font-weight: 400;\"> the Federal Republic of Germany<\/span><span style=\"font-weight: 400;\">;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.<\/span><\/p>\n<p><b>9.3. Transfers under the UK Data Protection Framework\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">When the processing of Client Data on your behalf in connection with Services constitutes a \u201crestricted transfer\u201d under UK Data Protection Laws, the UK Addendum shall apply.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When you are a controller and BAS-IP is a processor, Module Two of the EU SCCs shall apply, and when you are a processor, and we are a sub-processor, Module Three of the EU SCCs shall apply, as completed in subsection 9.2. of this DPA.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For the purpose of the UK Addendum, BAS-IP is an \u201cImporter\u201d, and you are an \u201cExporter\u201d.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum are deemed to be completed as follows:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(i) Table 1 in Part 1 is deemed completed with the information set out in Schedule 1 of this DPA, and the official registration number of the Importer is <\/span><span style=\"font-weight: 400;\">328138502<\/span><span style=\"font-weight: 400;\">, and the official registration number of the Exporter is contained in the Client\u2019s account, if any;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(ii) Table 2 in Part 1 is deemed completed accordingly with the information set out in subsection 9.2. of this DPA;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(iii) Table 3 in Part 1 is deemed completed with the information set out in Schedules 1, 2, and 3 of this DPA;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.<\/span><\/p>\n<p><b>SCHEDULE 1 &#8211; DESCRIPTION OF PROCESSING<\/b><\/p>\n<ol>\n<li><b> LIST OF PARTIES<\/b><\/li>\n<\/ol>\n<p><b>Client (Data Exporter)<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Name: You, \u2018Client\u2019<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Address: the relevant information is contained in the Client\u2019s account.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Contact person\u2019s name, position, and contact details: the relevant information is contained in the Client\u2019s account.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Activities relevant to the data transferred under these Clauses: provision of the Services.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Signature and date: the Parties agree that execution of the Agreement by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Role: controller or processor<\/span><\/p>\n<p><b>BAS-IP DISTRIBUTION LTD (Data Importer)<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Name: BAS-IP DISTRIBUTION LTD<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Address: Crown House 27 Old Gloucester Street, London, England<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Contact person\u2019s name, position, and contact details: [<\/span><span style=\"font-weight: 400;\">please, insert name, position, and contact details, e.g., email<\/span><span style=\"font-weight: 400;\">]<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Activities relevant to the data transferred under these Clauses: provision of the Services.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Signature and date: the Parties agree that execution of the Agreement by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Role: processor or sub-processor<\/span><\/p>\n<ol>\n<li><b> DESCRIPTION OF TRANSFER\u00a0<\/b><\/li>\n<li><span style=\"font-weight: 400;\">Categories of data subjects whose personal data is transferred:<\/span><\/li>\n<\/ol>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Client\u2019s Customers;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">other data subjects whose personal data is transferred during the services provided by the Company to the Client.<\/span><\/li>\n<\/ul>\n<ol start=\"2\">\n<li><span style=\"font-weight: 400;\"> Categories of personal data transferred:<\/span><\/li>\n<\/ol>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">personal data related to Client\u2019s Customers;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">other personal data which may be transferred during the services provided by the Company to the Client.<\/span><\/li>\n<\/ul>\n<ol start=\"3\">\n<li><span style=\"font-weight: 400;\"> Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The Data Importer may obtain access to sensitive data only where such sensitive data is provided by the Client and solely to the extent necessary for the performance of Services. In such cases, the Data Importer implements the technical and organisational measures set out in Schedule 2, together with any other appropriate and necessary safeguards or restrictions, taking into account the nature of the sensitive data and risks associated with its processing, in compliance with applicable laws and regulations.<\/span><\/p>\n<ol start=\"4\">\n<li><span style=\"font-weight: 400;\"> The frequency of the transfer:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The personal data is transferred on a continuous basis.<\/span><\/p>\n<ol start=\"5\">\n<li><span style=\"font-weight: 400;\"> Nature of the processing:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Personal data processing consists of the following: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.<\/span><\/p>\n<ol start=\"6\">\n<li><span style=\"font-weight: 400;\"> Purpose(s) of the data transfer and further processing:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The purpose of the data processing under these Clauses is the performance of the services for the Data Exporter by the Data Importer under the Agreement concluded between the Data Importer and the Data Exporter.<\/span><\/p>\n<ol start=\"7\">\n<li><span style=\"font-weight: 400;\"> The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The personal data shall be stored for the duration of this DPA concluded between the Data Importer and the Data Exporter unless otherwise agreed in writing or the Data Importer is required by applicable law to retain some or all of the transferred personal data.\u00a0<\/span><\/p>\n<ol start=\"8\">\n<li><span style=\"font-weight: 400;\"> For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">subject matter: the performance of services\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">nature: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">duration: the performance of the services for the Data Importer by the (sub-) processor under the service agreement concluded between the Data Importer and (sub-) processor.<\/span><\/p>\n<ol>\n<li><b> COMPETENT SUPERVISORY AUTHORITY<\/b><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">In accordance with Clause 13, the competent supervisory authority under these Clauses is determined depending on which version of Clause 13(a) applies to the Data Exporter.<\/span><\/p>\n<p><b>SCHEDULE 2 &#8211; TECHNICAL AND ORGANISATIONAL MEASURES<\/b><\/p>\n<p><b>TECHNICAL AND ORGANISATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Description of the technical and organisational measures implemented by the Data Importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks for the rights and freedoms of natural persons:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data Importer is committed to preserving the confidentiality, integrity, availability, and resilience of all personal data in question throughout its processing activities and ensuring that personal data is protected against loss and destruction by implementing appropriate internal information security policies, procedures, and other appropriate measures.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data Importer grants access to personal data strictly on a need-to-know basis, and such data is accessible only to authorised personnel.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data Importer has implemented role-based access control and access control lists to enforce strict separation of user access rights.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data Importer&#8217;s information security procedures are subject to regular reviews.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data Importer uses reliable service providers and monitors what technical and organisational measures they have in place to ensure that personal data is protected at all times.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data Importer has implemented measures designed to protect the confidentiality and integrity of personal data during data transfers.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data Importer has implemented technical and organisational measures designed to contain security incidents and prevent further data loss and damage.<\/span><\/li>\n<\/ul>\n<p><b>SCHEDULE 3 &#8211; SUB-PROCESSORS<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The controller has authorised the use of the following sub-processors:\u00a0<\/span><\/p>\n<p><b>Sub-processor 1<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Name: Hetzner Online GmbH \/ Hetzner Finland Oy<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Address: Industriestr. 25, 91710 Gunzenhausen, Germany \/ Huurrekuja 10, 04360 Tuusula (Helsinki \/ Tuusula), Finland<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Contact person\u2019s name, position, and contact details: <\/span><a href=\"mailto:data-protection@hetzner.com\"><span style=\"font-weight: 400;\">data-protection@hetzner.com<\/span><\/a><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Description of processing: hosting of the data on the servers of Hetzner Online GmbH \/ Hetzner Finland Oy<\/span><\/p>\n<p><b>Sub-processor 2<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Name: DigitalOcean, LLC<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Address: 105 Edgeview Drive, Ste. 425, Broomfield, CO 80021, United States<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Contact person\u2019s name, position, and contact details: <\/span><a href=\"mailto:privacy@digitalocean.com\"><span style=\"font-weight: 400;\">privacy@digitalocean.com<\/span><\/a><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Description of processing: hosting of the data on the servers of DigitalOcean, LLC<\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>Last updated: [10.12.2025] This Data Processing Addendum (hereinafter \u2018DPA\u2019) is entered into between you (hereinafter the \u2018Client\u2019, \u2018you\u2019, \u2018your\u2019) and BAS-IP DISTRIBUTION LTD (hereinafter the \u2018Company\u2019, \u2018BAS-IP\u2019, \u2018we\u2019, \u2018us\u2019 or \u2018our\u2019), hereinafter referred to individually as a \u2018Party\u2019 or together as the \u2018Parties\u2019. This DPA supplements the Terms and Conditions (hereinafter the \u2018Agreement\u2019), concluded between [&hellip;]<\/p>","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"inline_featured_image":false,"footnotes":""},"class_list":["post-164016","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/bas-ip.com\/nl\/wp-json\/wp\/v2\/pages\/164016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bas-ip.com\/nl\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/bas-ip.com\/nl\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/bas-ip.com\/nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bas-ip.com\/nl\/wp-json\/wp\/v2\/comments?post=164016"}],"version-history":[{"count":1,"href":"https:\/\/bas-ip.com\/nl\/wp-json\/wp\/v2\/pages\/164016\/revisions"}],"predecessor-version":[{"id":164017,"href":"https:\/\/bas-ip.com\/nl\/wp-json\/wp\/v2\/pages\/164016\/revisions\/164017"}],"wp:attachment":[{"href":"https:\/\/bas-ip.com\/nl\/wp-json\/wp\/v2\/media?parent=164016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}