Ga naar hoofdinhoud
IT-producten en -diensten op één plek
Levering binnen 1–2 werkdagen
Klantenservice tijdens kantooruren
  • Log in
  • Registreer
  • Log in
  • Registreer
  • U hebt geen vergelijklijsten
  • U hebt geen favorietenlijsten
  • Kennisbank
  • Klantenservice en support
    • Vind de juiste accessoires en reserveonderdelen
...loading menu tree
  1. Startpagina
  2. Data processing agreement

Data Processing Agreement

  1. Background
  2. Definitions
  3. Processing of personal data
  4. Reporting of data breaches
  5. Sub-processors and transfers to third countries
  6. Assistance with requests from data subjects
  7. Confidentiality and disclosure of personal data
  8. Compensation
  9. Liability
  10. Audits
  11. Term and termination
  12. Appendix A

1. Background

The Supplier and the Customer have entered into an agreement that includes the service(s) listed in the main agreement (the “Agreement”) purchased by the Customer (the “Services”). Under the Agreement and in accordance with this DPA (as defined below), Supplier will from time to time and on behalf of the Customer process personal data for which the Customer is controller.

2. Definitions

“Applicable Data Protection Legislation” means, unless otherwise agreed in writing between the Parties; (i) the General Data Protection Regulation, (ii) the national data protection legislation in the Netherlands, as applicable for the Services; and (iii) the Data Protection Authority regulations and decisions applicable to the processing of personal data under this DPA in Sweden, Denmark, Norway and/or Finland, as applicable.

"Customer Equipment"means computers and other equipment owned, rented or leased by the Customer or the Customer’s operations provider.

"Supplier" means relevant Dustin company within Dustin group, as listed in Appendix A, and where relevant each person/entity authorized to perform work on behalf of a company listed in Appendix A.

"Supplier Equipment" means computers and other equipment owned, rented or leased by the Supplier or the Supplier’s operations provider.

"DPA" means this data processing agreement and attached appendices, as well as all changes to the aforementioned resulting from provisions of the Agreement.

"Security Measures" means the appropriate technical and organizational measures necessary to comply with Applicable Data Protection Legislation, listed in Appendix A or otherwise necessary to protect the personal data being processed from data breaches.

"Third Country" means a country outside EU/EES.

3. Processing of Personal Data

3.1 Instructions
The Customer is responsible for the processing of personal data being carried out in compliance with the Applicable Data Protection Legislation in its capacity as controller. The Customer must ensure that the Supplier does not process other categories of personal data on behalf of the Customer than the categories of personal data listed in Appendix A for the relevant Services and in the scope stated therein. Unless otherwise specifically stated in Appendix A, the Supplier shall when providing IT consultancy services:

(a) only process personal data with regard to the categories of data subjects within the scope of the Services by nature considered as harmless, such as contact information for customers and employees; and
(b) not process personal data constituting special categories of personal data, such as health data or other sensitive data.

The Supplier shall only process personal data in accordance with documented instructions of the Customer, unless the Supplier is otherwise obligated to process personal data under applicable law. In such cases, the Supplier will, to the extent allowed under applicable law, inform the Customer of such legal obligations before the processing is commenced.

Either Party must ensure that the other Party has the right to process contact information and other types of personal data of the other Party’s employees if and to the extent such processing is necessary to provide the Services.

The Supplier may not process personal data for its own purposes or other purposes except as set out in the DPA and the Agreement. The Supplier is entitled to process personal data for the purposes of providing, maintaining and providing support for the Services.

This DPA and the Customer’s use of the Service are the Customer’s complete and final instructions to the Supplier with regard to processing of personal data, with the exception of any written instructions the Customer is obliged to provide Supplier in order to comply with Applicable Data Protection Legislation. Any other changes must be agreed separately in writing between the Parties, including but not limited to changes relating to Appendix A. If the Supplier accepts the adjusted instructions, the Supplier is entitled to reasonable compensation for adapting to such instructions. If the Supplier informs the Customer within reasonable time that it cannot comply with the Customer’s adjusted instructions made in order to comply with Applicable Data Protection Legislation, the Supplier is not bound by the proposed instructions and the Customer is entitled to terminate the Agreement in accordance with section 11.2.

3.2 Security Measures
3.2.1 General
The Supplier has implemented and follows the Security Measures listed in Appendix A or stated in the Agreement when providing the Services. The Supplier’s at all times applicable in-house IT safety regulation applies to the delivery of the Service, and the Supplier may adjust such regulations during the term of the Agreement.

The Customer is responsible for ensuring that the Security Measures fulfils the Customer’s obligations related to adequate safety for the personal data being processed under Applicable Data Protection Legislation. If the Customer request a change of the Security Measures, the same provisions applies as for changed instructions requested by the Customer under section 3.1, paragraph 5. If the Supplier request changes to the agreed Security Measures, what is stated in the paragraph below applies.

If the Supplier becomes aware that the Security Measures completely or partially are in breach of Applicable Data Protection Legislation, the Supplier will within reasonable time inform the Customer and provide adjusted written instructions on adequate Security Measures in accordance with the above for the Customer’s approval. Should the Customer not approve the adjusted instructions within reasonable time after the Supplier has informed the Customer of the need of adjusted instructions, the Supplier is entitled to, at the expense of the Customer, take reasonable and necessary Security Measures to comply with Applicable Data Protection Legislation.

4. Reporting of data breaches

If the Supplier becomes aware of a data breach, the Supplier must inform the Customer without undue delay and in accordance with Applicable Data Protection Legislation.

5. Sub-processors and transfers to third countries

The Supplier is entitled to subcontract processing of personal data to sub-processors within and outside of the EU/EEA. The Customer hereby approves that processing of personal data may be carried out by the sub-processors, if any, listed in Appendix A in the countries stated therein. The Supplier must ensure that sub-processors are bound by written agreements that provide at least the same level of data protection as the obligations under this DPA. If any sub-processor fails to fulfil the obligations in accordance with above, the Supplier is responsible for the non-performance of such sub-processors’ obligations.

The Supplier will inform the Customer of any intentions to replace or hire a new sub-processor. The information will include an indication of the name of the sub-processor and the geographic location of the processing of personal data. The Customer has the right to submit a written objection to the replacement or hiring of such new sub-processor within fourteen days from receipt of notice. Should the Supplier despite the Customer’s objection still wish to replace or hire a new sub-processor, the Customer is entitled to terminate the Agreement in accordance with section 11.2.

The Supplier must ensure that there is a legal basis for transfer of personal data to a Third Country. Such legal basis may be standard data protection clauses adopted by the EU Commission or other equivalent provisions.

6. Assistance with requests from data subjects

In addition to what follows from section 3.2, the Supplier must implement adequate technical and organizational measures in order to, at the written request of the Customer, be able to assist the Customer in fulfilling the rights of the data subjects as set out in the General Data Protection Regulation. The Supplier’s obligation under this provision only applies to the extent such assistance is reasonably possible and to the extent the processing of personal data requires such obligation.

In addition to the above and taking into consideration the nature of the processing and the information available to the Supplier, the Supplier must at the written request of the Customer assist so that the Customer can fulfil the obligations imposed on it related to safety for personal data, data breaches, data protection impact assessment and prior consultation in accordance with Applicable Data Protection Legislation.

The Supplier is entitled to reasonable compensation for the assistance provided under this section 6.

7. Confidentiality and disclosure of personal data

Personal data for which the Customer is controller and which the Supplier is processing in accordance with this DPA is subject to the terms of confidentiality in the Agreement.

The Supplier must not disclose the Customer’s personal data under this DPA to a data subject or a third party, unless otherwise stated in the Agreement or provided by law, a judicial decision or an official decision. If the Supplier discloses such information due to legal requirements, a judicial decision or an official decision the Supplier will inform the Customer of the disclosure unless prohibited by the law, judicial decision or official decision in question.

The Supplier must without undue delay inform the Customer if the data subject requests information related to the processing of personal data under this DPA and refer the data subject to the Customer. The Supplier will assist the Customer in responding to such requests in accordance with section 6 above.

The Supplier and its representatives are obligated under Applicable Data Protection Legislation to co-operate with competent supervisory authorities. The Supplier will inform the Customer of such request without unreasonable delay if the request specifically concerns the processing of personal data under this DPA. The Supplier will not represent the Customer or act on behalf of the Customer in such requests from a supervisory authority. The Supplier is entitled to reasonable compensation for its work with inquiries related to the Customer subject to the enquiry not resulting from Supplier’s breach of its obligations under this DPA.

8. Compensation

In addition to what is stated in this DPA, the Supplier is entitled to reasonable compensation for complying with the Customer's written instructions unless the requested action is specifically stated in the Agreement. If the Supplier is entitled to compensation for work performed, the Supplier’s current price list will apply unless otherwise stated in the Agreement.

9. Liability

9.1 General
If the Supplier is liable to pay damages to data subjects in accordance with Applicable Data Protection Legislation, and the Customer has participated in the processing of personal data that forms the basis of the data subjects’ claims, the Customer must reimburse the Supplier for the part of the damages that the Supplier is obligated to pay to data subjects that is attributable to the Customer’s non-performance of its obligations or the Customer’s instructions to the Supplier. In addition, the Customer must reimburse Supplier for its reasonable costs relating to the Supplier’s defense against claims from data subjects (including what Supplier has been ordered to pay to data subjects).

If the Customer is liable to pay damages to data subjects in accordance with Applicable Data Protection Legislation, and the Supplier has participated in the processing of personal data that forms the basis of the data subjects’ claims, the Supplier must reimburse the Customer for the part of the damages that the Customer is obligated to pay and which is attributable to the Supplier’s non-performance of its obligations under Applicable Data Protection Legislation or this DPA. In addition, the Supplier must reimburse the Customer for its reasonable costs relating to the Customer’s defense against claims from data subjects (including what the Customer has been ordered to pay to data subjects). The Supplier’s total liability under this DPA is limited to 150 percent of the service fee for the first twelve months of the Services, unless the Supplier has caused the damage by intent or gross negligence.

A Party’s liability for damages other than expressly stated herein is governed by the Agreement.

9.2 Notification, right of information etc.
A Party that is subject to claims from data subjects must within reasonable time (i) inform the other Party in writing of any claims made that may result in claims against the other Party pursuant to this section 9; and (ii) allow the other Party insight to the documents in such proceedings, both from the Party and from the data subject, and allow the other Party to submit comments to such documents.

Claims for reimbursement of the other Party under this section 9 is subject to following the rules above and may be raised no later than six months after the Party has been obliged to pay damages to data subjects.

10. Audits

The Supplier will provide the Customer access to any information which may reasonably be needed to prove that the obligations imposed upon processors under Applicable Data Protection Legislation has been fulfilled. This includes providing reasonable assistance in audits and inspections, carried out by the Customer or an auditor appointed by the Customer. Inspections may only be done if an audit cannot be completed by the Supplier’s disclosure of information. Supplier must be informed about an inspection in good time prior to the intended date of inspection with specification of the scope and purpose of the inspection. The Supplier is entitled to reasonable compensation for the costs associated with the implementation of such audit or inspection.

Prior to an audit or inspection, the Customer or the auditor appointed by the Customer must meet the necessary confidentiality obligations and comply with the Supplier’s security regulations at the place of inspection. The inspection must not hinder the Supplier’s business or risk the protection of other customers' information. Information gathered as part of the audit must be deleted after completed audit or when it is no longer necessary for the purpose of the audit.

11. Term and termination

11.1 General
This DPA is valid as long as the Supplier processes personal data on behalf of the Customer and terminates automatically in connection with the Agreement when the Supplier no longer provides any Services to the Customer; however a Party’s liability under this DPA applies also after the termination of this Agreement.

Upon termination of this DPA, the Supplier must delete or return the Customer’s personal data to the Customer or to a third Party at the instruction of the Customer, including data being processed on Supplier Equipment but excluding data being processed on Customer Equipment. The personal data stored electronically may be provided electronically after the Customer's instructions, if reasonable. The Customer’s request of deletion or return must be submitted within sixty days of the termination of this DPA. After expiration of the period above, and unless otherwise required under Swedish, Danish, Norwegian, Finnish and/or EU law, as applicable, the Supplier may delete existing copies of the personal data. After the return of the personal data, or if the return of personal data has not been requested by the Customer after the expiration of the above period, the Supplier will delete the Customer’s personal data within reasonable time, but no later than six months after the termination of this DPA.

After the termination of this DPA, the Supplier may not process personal data for any other purpose than to delete the personal data or to protect the personal data from data breaches, unless otherwise proved under Swedish, Danish, Norwegian, Finnish and/or EU law, as applicable. The Supplier has the right to reasonable compensation for the work performed under this section 11.1.

11.2 Consequences of early termination
The Customer is entitled to terminate the Agreement in accordance with section 3.1 and 5 relating to the Services affected, with a 90 days’ notice period. If partial termination is not possible for technical reasons, then termination of any Service may apply to the entire Agreement and/or all Services affected. If the Agreement is terminated in accordance with above, the Supplier will refund any fees already paid for Services that will not be used after the termination of the Agreement. If the Customer has valid reasons for objecting, the Supplier may not hire the new sub-processor in question for the termination period. If the Customer cannot show that it has valid reasons for objecting, the termination is considered as an early termination without valid reason, in which case the Supplier is entitled to compensation corresponding to twenty-five percent of the remaining contract value. In addition, if the Services includes products necessary for the delivery of the Services and which has been purchased by the Supplier specifically for the Customer, the Customer undertakes to purchase such products from the Supplier if Customer requests early termination in accordance with this section. As an example, such products may include network products owned or leased by the Supplier and installed at Customer sites but does not include products related to private or public cloud services which is installed at the Supplier’s or its partners premises.

“Valid reason” for the purpose of this section means circumstances on the part of the sub-processor that significantly affects or is likely to affect the protection of data subjects’ personal data, such as the new subcontractor failing to comply with obligations imposed on processors under Applicable Data Protection Legislation.

APPENDIX A. TO DATA PROCESSING AGREEMENT

Specification over processing of personal data in connection with Takeback Services

INSTRUCTIONS

1.1 Short description of the Service and the purpose of the processing activity

State all purposes for which personal data will be processed by the Supplier:

Supplier will process personal data as necessary to perform the Services pursuant to the Agreement and as further specified in the Service Description, and as further instructed by Customer in its use of the Service.

1.2 Categories of personal data

List the types of personal data that will be processed by the Supplier:

The Supplier will process (delete) personal data stored on the Customer’s IT equipment, in accordance with the Service Description. The information on any storage media provided by the Customer is dependable on the use of the equipment by the users, and hence not known by Supplier and may be any kind of personal data.

List the types of special categories of personal data that will be processed by the Supplier (if any):

Personal data stored on Customer’s devices, provided to Supplier within the Service, is dependent on the users’ usage of such devices. Due to this, special categories of personal data may be processed (deleted).

1.3 1.3 Categories of data subjects

List the categories of data subjects that the Supplier will process personal data on and the scope of processing:

The content of any storage media provided by the Customer is dependable on the use of the equipment by the users, and hence it is not known by Supplier which data subjects the personal data may relate to.

1.4 1.4 Processing activities (storage, administration etc.)

List the processing activities that will be performed by the Supplier:

Deleting of storage media on equipment provided by the Customer either by securely overwriting the media or secure destruction of the media/equipment.

1.5 1.5 Place for processing

List all countries in which personal data may be stored and/or processed by the Supplier:

Personal data will be processed by the Supplier in Sweden.

SECURITY MEASURES

State all organizational and technical security measures that will be implemented by the Supplier

2.1 Physical access control

Measures to prevent physical access of unauthorized persons to IT systems that handle personal Data:

Access to buildings is restricted using personal access cards with personal pin code and access is only granted to authorized personnel during certain hours of the day. This applies to both office and production environments. Access to production area is restricted even further to only include authorized personnel operating to provide the Service. The buildings are protected by security level 2 alarm, connected to a third-party security company. The security company does daily inspection of the premises. Activation of alarm is automated and set to a specific time point in the evening.

2.2 System access control

Measures that prevent unauthorized persons from using IT systems and processes:

Access rights are implemented on a need-to-know basis, ensuring that personnel only have access to information they need to be able to fulfill their tasks within the responsibility of their roles. Access controls are reviewed regularly within a predefined time frequency to ensure that access rights remain up-to-date and relevant.

2.3 Data access control

Measures to ensure that persons authorized to use the IT system have access only to the personal data pursuant to their access rights:

Due to the nature of the Service, Supplier will not access the data, no processing will be performed by Supplier except deletion.

2.4 Transmission access control

Measures to ensure that personal data cannot be read, copied, altered or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of personal data is to be done via data transmission systems:

Due to the nature of the Service, Supplier will not transmit personal data electronically.

Devices are transported in locked safe boxes with different pin codes for each safe box. The production team scans the applicable box numbers and link the applicable safe boxes to the specific order. The safe boxes are locked when shipped out empty and Customer is responsible for locking safe boxes prior to shipment back to Supplier. Safe boxes are opened when arriving to Supplier and photos are taken to document the content of the boxes. Lock codes are changed with a preset time frequency to prevent unauthorized access to safe boxes.

2.5 Data Entry access control

Measures to ensure that it can be subsequently reviewed and determined if and from whom personal data was entered, altered or deleted in the IT system:

Access to systems is logged and monitored, to create a trail for audits and revisions in security and processes for accountability.

2.6 Availability control

Measures to ensure that personal data are protected against accidental destruction or loss:

Due to the nature of the Service, the intention will always be to delete data stored on devices provided by Customer to Supplier.

2.7 Separation control

Measures to ensure that personal data collected for different purposes can be processed separately:

Not applicable, Supplier will not process personal data on behalf of Customer for any other purposes than deletion.

2.8 Secure Erasure Process controls

The process for return, erasure and onward supply has been built to ensure secure handling of the items returned at all times. The key security measures are as follows:

  • 1. Customers returning equipment are required to prepare the devices for return e.g. disconnecting cloud backup storage areas for the device.
  • 2. Items are shipped to the Supplier using a secure, tracked courier facility.
  • 3. Items are logged in an inventory system on receipt and tracked all the way through the refurbishment process.
  • 4. Erasure certificates are issued where devices have been securely erased. Destruction certificates are issued where erasure was not possible and the storage device was destroyed.
  • 5. Secure erasure uses deletion software (e.g. Blancco) or degaussing to provide secure erasure. Where a drive cannot be securely erased, it is shredded and destroyed.
  • 6. Devices are checked before being reissued.

2.9 Retention rules

Measures to ensure that personal data is adequately erased or destroyed when use of the personal data is no longer reasonable or necessary:

During term of agreement: Due to the nature of the Service, Supplier will always delete or destroy the personal data as part of delivering the Service, within two 2 months from the date the products were handed over to Dustin

After expiry of the term of the agreement: Supplier will not process the personal data for any other purpose than deletion. Deletion or return of personal data after expiry of the term of the agreement will therefore not apply for the Service.
Ga naar hoofdinhoud

Registreer je als zakelijke klant

Voordelen van een account

  • Volg je bestellingen en bekijk je bestelgeschiedenis
  • Sla favorieten op en vergelijk producten met elkaar
  • Beheer eenvoudig je retourzendingen, klachten en garantieclaims
Maak zakelijk account aan

Bel ons op 088 011 82 82

Betalingsmogelijkheden

Mastercard
Visa
iDeal
Factuur

Bezorgopties

PostNL

Veilig winkelen

mcid
verifiedbyvisa

Kies land

Winkelen bij Dustin

  • Klantenservice
  • Betalingsinformatie
  • Verzendinformatie
  • Vrachtinformatie
  • Verkoopvoorwaarden
  • Accountvoorwaarden
  • Privacybeleid
  • Cookiebeleid
  • Campagnehandleiding
  • Beleid voor productbeoordelingen
  • Toegankelijkheid
  • Dustin Home informatie

IT-diensten & oplossingen

  • Managed Services
  • Dustin IT as a Service
  • Modern Workplace
  • Network as a Service
  • Cloud
  • Data Protection
  • Security
  • IT-diensten
  • Takeback
  • Dustin Software Marketplace
  • IT-servicedesk

Dit is Dustin

  • Persberichten
  • Over Dustin
  • Werken bij Dustin
  • Duurzaamheid
  • Onze eigen merken
  • Contact
  • Beveiliging en Privacy

Inspiratie

  • Kennisbank
  • Nieuwsbrief
  • Eventkalender
  • Expert Advies
  • Alle categorieën
  • Alle fabrikanten
  • Nieuwe producten
  • Black Friday
  • Copilot+ PC AI laptops

Dustin NL B.V., Wijchenseweg 20, 6537 TL, Nijmegen
KvK-nummer 09078252, BTW-identificatienummer: NL807448461B01

© 2026 Dustin Group AB. All rights reserved.

facebook iconlinkedIn iconyouTube icon
  • Deals
  • Aanbiedingen
  • Nieuwe producten
  • Computer & tablets
  • Monitor & computer accessoires
  • Server & opslag
  • Netwerk & beveiliging
  • Computeronderdelen
  • Opslag Interne & Externe
  • Printers & benodigdheden
  • Mobiele telefoons & accessoires
  • Audio & video
  • POS (verkooppunt)
  • Kantoorapparatuur
  • Software
  • Toon alle categorieën