Data Processing Agreement
Article 1
Upon the Agreement's implementation, Rulebooks processes the Personal Data of (customers of) Subscriber by order and under the responsibility of the Subscriber.
Article 2
Rulebooks has the role of Processor concerning the data for which the Subscriber can be qualified as Data Controller; or the role of Sub-processor concerning the data for which Subscriber can be qualified as Processor in the sense of the Applicable Law.
Article 3
The Subscriber provides Rulebooks with Personal Data of End-users, employees, officers (also including potential employees, self-employed workers, and volunteers), former collaborators, and receivers of benefits (of customers) of the Subscriber (in the following “Data Subjects”). Rulebooks processes these personal data by order of Subscriber.
Article 4
Upon the conducting of the activities, as indicated in the Agreement, Rulebooks in the context of the provision of services to Subscriber can process the following (non-exhaustive listing of) types of Personal Data of Data Subjects:
- Name, Address, residence information,
- (copy) ID/proof of identity
- Details of profession
- Social security number/BSN
- Details of training
- Contact details (e.g., phone numbers and e-mail addresses)
- Details of leave and absence
- Family composition
Article 5
Rulebooks will process the Personal Data based on instructions (including the order formulated in the Agreement and the Terms and Conditions) of the Subscriber. The Subscriber is responsible for ensuring his instructions are in accordance with the Applicable Legislation. Subscriber will continue to grant orders to Rulebooks during the term of the data processing to process the Personal Data. Rulebooks will process the Personal Data appropriately and diligently. Rulebooks immediately informs Subscriber if, in its opinion, any instruction violates the Applicable Legislation.
Article 6
Rulebooks will process the Personal Data if there is a legal obligation to do so for Rulebooks, including the processing that is necessary on account of a competently issued court order, a charge granted by the competent authorities, a competently issued instruction or lawful request of the relevant competent oversight authority, such as Autoriteit Persoonsgegevens. Rulebooks will inform Subscriber without unnecessary delay of an instruction or other communication issued by an authority competent to such effect (such as Autoriteit Persoonsgegevens) regarding the Personal Data. To the extent this legal obligation exceeds the contractual obligations of the processor as established in the Agreement, and it may have consequences for planning of costs and time that has been established, the obligation to carry out such processing only arises after Parties have reached a consensus concerning.
Article 7
Rulebooks processes Personal Data in accordance with the obligations flowing from the Agreement. By these obligations, Rulebooks intends, among other matters, the provision of (aggregated and anonymized) analyses to Subscriber with the aid of artificial intelligence algorithms; the carrying out of statistical research; the use of data for invoicing; the conducting of statistical research and product improvement of Rulebooks as well as the (possible) provision of services to Subscriber.
Article 8
It is permitted to Rulebooks to use data regarding the use of Rulebooks that were entered and/or generated by Subscriber and/or his End-user(s) for the delivery, development, security, and/or maintenance of Rulebooks and new products and/or services associated therewith. Rulebooks may share these data with parties affiliated with Rulebooks under the proviso that such an affiliated party may exclusively use the data for the delivery, development, security, and/or maintenance of its products and/or services.
Article 9
It is permitted to Rulebooks in its capacity of Processor to carry out the processing required for anonymization so that the data described in Article 6.8 can no longer identify a Data Subject and/or be qualified as Personal Data under the applicable law.
Article 10
Subscriber guarantees that all requirements for the lawful processing of the Personal Data entered by Subscriber have been met, including the one that the Personal Data has been obtained in a manner that corresponds with the effective legal regulations, especially those flowing from the Applicable Law. Subscriber guarantees towards Rulebooks that the content, the use by or on behalf of Subscriber, and the processing ordered are not unlawful and do not violate the rights of Data Subjects.
Article 11
Subscriber safeguards Rulebooks against claims by persons whose Personal Data were registered or are processed in the context of a personal registration conducted by Subscriber or for which Subscriber is otherwise responsible on the grounds of the law unless Subscriber proves that the facts on which the claim is based must be exclusively attributed to Rulebooks.
Article 12
Rulebooks is obliged to observe the secrecy of the Personal Data that is provided to it by Subscriber, barring to the extent this inevitably flows from the order as outlined in the Agreement, it flows from an additional written instruction of Subscriber or from a legal obligation (including if the processing is necessary on account of a competently issued court order, a warrant issued by the competent authorities, competently issued instructions or lawful request of the relevant oversight authority, such as Autoriteit Persoonsgegevens) or the prior written permission of Subscriber was obtained to such effect.
Article 13
Rulebooks ensures that everyone working under its authority is obliged to observe the secrecy of the Personal Data that he/she takes cognizance of, in accordance with what is established in the previous section.
Article 14
Rulebooks has the right to allocate access or identification codes to Subscriber and has the right to alter allocated access or identification codes. When changing access or identification codes, Rulebooks will provide Subscriber, in proper consultation, with new access or identification codes and not deny the Subscriber access to Rulebooks on unreasonable grounds. Subscriber treats the access and identification codes with confidentiality and care and communicates these only personally to authorized staff members.
Article 15
Rulebooks is not liable for damage or costs resulting from the use or abuse made of access or identification codes. In case of damage or costs for Subscriber due to "regular use" by "authorized users", Parties will consult each other in good faith to reach a suitable solution.
Article 16
Rulebooks will render its assistance if this reasonably lies within its sphere of influence and taking into account the nature of the Processing, by way of appropriate technical and organizational measures, to the extent possible, to the Subscriber upon the fulfillment of his legal obligations on the grounds of the Applicable Law, such as in case of requests of Data Subjects and the general compliance with Articles 32 through 36 of the GDPR. Rulebooks has the right to bill the reasonable costs involved therein to Subscriber.
Article 17
Rulebooks will take appropriate technical and organizational security measures which, considering state of the art and the costs involved, correspond with the nature, as known, of the Personal Data and the order upon which the data are processed, for the protection of the Personal Data against loss or unlawful processing, as intended in Article 32 GDPR.
Article 18
Rulebooks makes sure that during the term of the Agreement, it demonstrably complies with the internationally accepted framework(s) of standards (assurance standards) and/or internationally accepted certification(s) that are relevant to Rulebooks and the services offered by Rulebooks. Upon request, Rulebooks will share (free of charge) the order letter and/or the cover sheet of the certification statement (‘assurance report’) with the Subscriber. Rulebooks will, upon request, under the necessary assurances, and against a reasonable compensation, provide the full certification statement (‘assurance report’) to Subscriber. Rulebooks reserves the right at all times to replace the certification and/or assurance standard used with a different, adequate, and general certification and/or assurance standard based on international standards.
Article 19
Subscriber can obtain a summary and descriptions of the current implemented technical and organizational measures by requesting/obtaining the most recent and applicable ‘assurance report’ and/or available whitepapers (or similar sources of information made available by Rulebooks).
Article 20
Subscriber has the right to conduct audits on the conditions set in this Article. If the Subscriber requests an audit in conformity with the conditions of this Article, Rulebooks will make available those locations for an audit where Personal Data are processed for Subscriber. Rulebooks offers all assistance and information that Subscriber reasonably requires for the audit. Such an audit will be carried out by an independent third party, which party is selected by Subscriber, in consultation with Rulebooks. This party will be qualified as an independent auditor certified to control compliance with the Applicable Law. The auditor must be willing before the audit to sign a confidentiality statement concerning.
Article 21
The audit (also including the documentation and other data that the audit covers) and the results thereof will be treated with confidentiality by Subscriber and the external party. Subscriber will provide Rulebooks as soon as possible with a complete and unaltered copy of the audit's findings in a form that is simply readable and durable for Rulebooks to the extent the audit's results regard Rulebooks (and its possible sub-processors). The audit and the results may only be rendered accessible to third parties with the prior permission of Rulebooks, which permission will not be denied on unreasonable grounds.
Article 22
Subscriber bears the (internal and external) costs of the audit unless it is evinced by the audit that Rulebooks falls materially short or has fallen short in complying with its obligations as stipulated in this Article. Before the start of an audit, Parties will agree with each other on the scope, planning, and duration of the audit and also determine what the hourly rate of Rulebooks and its Sub-processors will be for the assistance rendered. It is not permitted for Subscriber to request an audit on location if Rulebooks can present a recent internal or external audit report that regards the same locations for which Subscriber requests an audit unless Subscriber proves that such an internal or external audit report does not meet the requirements as set in the Applicable Law.
Article 23
If a breach occurs concerning Personal Data processed by Rulebooks or by the Sub-processors deployed by it, Rulebooks accordingly informs Subscriber without unreasonable delay, and in any event, within 48 hours after becoming aware of it. Rulebooks thereby provides the Subscriber with all reasonably required information as established in the Applicable Law to enable Subscriber to report this timely, correctly, and completely to the competent oversight authorities (such as Autoriteit Persoonsgegevens) and the relevant Data Subjects. If after the report to Subscriber as intended in this Article, possibly new, relevant developments occur, also including the measures that Rulebooks (including its Sub-processor) takes to mitigate the consequences of the incident on its part and to prevent repetition, Rulebooks accordingly informs Subscriber without delay.
Article 24
Rulebooks will, where necessary, assist the Subscriber with adequately informing the oversight authorities and Data Subjects regarding the relevant Breaches in conformity with what is established concerning the Applicable Law.
Article 25
Without prejudice to what is established in Article 6.12, Parties will mutually observe strict secrecy concerning any possible Breaches. Parties will only report Breaches to the competent oversight authorities and the possible data subject(s) in accordance with what is established in the Applicable Law.
Article 26
Subscriber hereby permits Rulebooks, in a general sense, to make use in the context of the Agreement of the services of sub-processors as specified on the website of Rulebooks https://www.rulebooks.ai/security/subprocessors, where Subscriber also has the option of registering for the receipt of notifications regarding a possible intended alteration or addition of a certain sub-processor.
Article 27
Subscriber hereby permits Rulebooks, in a general sense, to make use in the context of the Agreement of the services of sub-processors within the European Economic Area as well as of sub-processors in countries for which the European Commission has established that they offer an appropriate level of security.
Article 28
If Rulebooks wants to use services of sub-processors established in a country that does not offer an appropriate level of security as referred to above, Rulebooks must first receive prior written permission for this from Subscriber, which permission Subscriber will not deny on unreasonable grounds. Subscriber will not deny its permission if Rulebooks guarantees that for these data exchanges, an appropriate level of security is still provided in a manner that CJEU approves.
Article 29
Before replacing a sub-processor or deploying a new sub-processor, Rulebooks will ensure that the summary on https://www.rulebooks.ai is updated.
Article 30
Subscriber takes care of the periodic consultation of the website of Rulebooks. If Subscriber is unable on reasonable grounds to agree to the intended change or addition of a certain sub-processor, Subscriber is permitted to object within ten business days after the sending of the notification of the change by Rulebooks to the Subscriber. In case of objection, Rulebooks is permitted to offer an alternative within a 4-week term to continue the relevant service. If Rulebooks does not offer an alternative, Subscriber is permitted to cancel the Agreement without Rulebooks being obliged towards Subscriber to provide compensation of damages on account of the termination.
Article 30
Rulebooks will impose the same obligations on the sub-processors deployed by it as those flowing for it from this Article 6.