Data Processing Agreement

Version 1.0 — March 2026

Article 1 — Parties and definitions

This Data Processing Agreement (hereinafter: “Agreement”) supplements the main agreement between the following parties:

Data Controller — the Client (the organization using Hoeray’s services), hereinafter: “Client”.

Data Processor — Hoeray, established in the Netherlands, hereinafter: “Hoeray” or “Processor”.

Data subjects — the Client’s employees whose personal data is processed by Hoeray.

Capitalized terms in this Agreement have the meaning defined in the General Data Protection Regulation (GDPR).

Article 2 — Subject matter and duration

This Agreement pertains to the processing of personal data of the Client’s employees by Hoeray. The duration of the processing equals the term of the main agreement between the parties. Upon termination of the main agreement, this Data Processing Agreement also terminates.

Article 3 — Nature and purpose of processing

Hoeray processes personal data of the Client’s employees for the purpose of automatically sending cards and flowers based on HR data at milestones, including birthdays, work anniversaries, onboarding, and offboarding.

The processing includes storing, consulting, and using the personal data to perform the aforementioned services.

Article 4 — Types of personal data

The following categories of personal data are processed:

  • First name
  • Last name
  • Date of birth
  • Address details (street, postal code, city, country)
  • Employment start date
  • Employment end date

Article 5 — Categories of data subjects

The data subjects are employees of the Data Controller (the Client). This includes current employees and, insofar as relevant to the services, employees who have recently left employment.

Article 6 — Obligations of the Processor

Hoeray commits to the following obligations:

a) Instructions
Hoeray processes personal data solely based on the Client’s written instructions, unless a legal obligation requires otherwise. In that case, Hoeray will inform the Client prior to processing, unless legally prohibited from doing so.

b) Confidentiality
Hoeray ensures that all employees who have access to personal data are bound by a confidentiality obligation.

c) Security measures (Art. 32 GDPR)
Hoeray implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • TLS encryption for data in transit
  • Encrypted storage of personal data (encryption at rest)
  • Access control based on the least-privilege principle
  • Regular data backups

d) Sub-processors
Hoeray shall not engage a sub-processor without the Client’s prior written consent. Hoeray will inform the Client of any intended changes to the list of sub-processors, so the Client may object.

e) Assistance with data subject requests
Hoeray assists the Client in responding to data subject requests regarding their rights under the GDPR (access, rectification, erasure, restriction, portability, and objection).

f) Assistance with DPIA
Hoeray assists the Client in carrying out a Data Protection Impact Assessment (DPIA) where required under the GDPR.

g) Data breach notification
Hoeray shall notify the Client of a data breach without undue delay, and no later than 48 hours after discovery. The notification shall include at a minimum: the nature of the data breach, the categories of data subjects and personal data affected, the likely consequences, and the measures taken to address the breach.

Article 7 — Sub-processors

The Client hereby grants consent for the engagement of the following sub-processors:

Sub-processor | Service | Location
Stripe Inc. | Payment processing | Ireland/US
Print.one B.V. | Card printing and delivery | Netherlands
Fleurop Interflora NL B.V. | Flower delivery | Netherlands
Neon Inc. | Database hosting | EU
Resend Inc. | Email delivery | US (adequacy decision)
Vercel Inc. | Application hosting | EU edge

Hoeray ensures that a data processing agreement has been concluded with each sub-processor containing at least the same obligations as this Agreement.

Article 8 — Transfers outside the EEA

Hoeray only transfers personal data to countries outside the European Economic Area (EEA) where an adequate level of protection is ensured. This is based on:

  • An adequacy decision by the European Commission (such as the EU-US Data Privacy Framework); or
  • Standard Contractual Clauses (SCCs) as adopted by the European Commission.

Article 9 — Audit

The Client has the right to conduct or commission audits to verify compliance with this Agreement, subject to the following conditions:

  • A maximum of one (1) audit per calendar year.
  • The audit shall be announced in writing at least thirty (30) days in advance.
  • The costs of the audit shall be borne by the Client.
  • The audit shall be conducted in a manner that minimally disrupts Hoeray’s business operations.

Article 10 — Return and deletion

Upon termination of the main agreement, Hoeray shall, at the Client’s choice:

  • Return all personal data to the Client in a common, machine-readable format; or
  • Delete all personal data within thirty (30) days of termination.

Hoeray shall confirm the deletion in writing. An exception applies where Hoeray is required by applicable law to retain certain data for a longer period.

Article 11 — Liability

The liability of the parties under this Data Processing Agreement is subject to the limitations and conditions set forth in the main agreement (Hoeray’s General Terms and Conditions). Nothing in this Agreement limits the rights of data subjects under the GDPR.

Article 12 — Governing law and disputes

This Data Processing Agreement is governed by Dutch law. Disputes arising from or in connection with this Agreement shall be submitted to the competent court in Amsterdam.
