Data processor statement
All about privacy and data securityFor participants of our customers:
- Privacy Statement for participants
- Data Processor Agreement (DPA)
- Data security (FAQ)
- Service Level Agreement
Please note: at the request of the Client, a different Processor Agreement can be drawn up and signed. In that case, the agreements in that agreement will overwrite this statement.
TrainTool BV (trading under the trade name Faculty of Skills)Vondellaan 34
3521 GH Utrecht
Chamber of Commerce: 53801016
If you have any questions, please contact:
Data Protection Officer
Peter van der Reijden
3521 GH Utrecht
Description of servicesFaculty of Skills is a full-service training agency for the development of soft skills. Faculty delivers blended customised programmes with online training and testing, personal coaching and integrated live sessions. For the online training we use our own software TrainTool.
TrainTool BV has a NEN/ISO 27001 certification.
Subprocessor TRUE BV (for infrastructure, hosting and management of hosting) is ISO27001 certified.
TrainTool BV is Processor in the sense of the AVG.
TrainTool BV - hereinafter referred to as Processor - makes IT services available and processes (special) personal data in that context;
With regard to the storage and processing of personal data, Processor is to be regarded as Processor within the meaning of Article 4 of the GTC;
TrainTool BV lays down a number of conditions in this Statement that apply in connection with the processing of personal data, also in implementation of the provisions of Article 28(3) of the AVG.
Article 1 Definitions
In this Processor Statement, the following capitalized terms have the following meanings:
Authority Personal data
General Data Protection Regulation
a breach of security of Personal Data leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed
the agreement concluded between the Client and Processor, on the basis of which Processor shall Process Personal Data for the Client
all data directly or indirectly traceable to a natural person as referred to in Article 4 of the GDPR
the processing of Personal Data as referred to in Article 4 of the GDPR
the processing of Personal Data by Processor
Article 2 Client for and Processor of the data
Processor processes Personal Data on the instructions of the Client in the performance of the (or: an) Agreement. This Processing is subject to the provisions of this Processing Statement.
The Processing relates to the following categories of Client's data subjects
The processing is carried out for the following purposes and concerns the following categories of Personal Data
(online) training and testing of communication skills
Categories of personal data:
name, e-mail address, phone number (for participants of Skills Coaching), personal password (one-way encrypted) and, during use, names of training courses followed, answers to exercises including audiovisual recordings, progress data, percentage of exercises completed, feedback and assessment scores
Processor will only process the Personal Data for the purpose of the activities referred to in this Processor Statement and/or the Agreement. Processing Company shall not use the Personal Data in any other way, unless the Client has given its express written permission to do so, or a statutory provision obliges Processing Company to do so. In that case, prior to the Processing, the Processor shall inform the Client of the legal requirement in question, unless that legislation opposes this.
Article 3 General duty of care Processor
Processor ensures compliance with this Processor Statement and the legal rules (such as the AVG) that apply to Processor. If requested by the Client, Processor shall inform the Client of the actions and measures that Processor has taken in the context of this general duty of care.
Article 4 Technical and organisational arrangements
Processor will take (or have taken) appropriate technical and organizational measures to protect Personal Data against loss or unlawful processing. Processor will ensure that the security level is adjusted to the risks. The state of the art and the costs of the security measures will be taken into account.
Processor shall in any case take measures to protect Personal Data against destruction, accidental and deliberate loss, forgery, unauthorised distribution or access, or against any other form of unlawful processing.
Processor is certified according to the most recent version of the NEN / ISO 27001 standard. When the current version of this standard is withdrawn and a new version comes into force, Processor will comply with the new standard as soon as possible. If necessary, Processor will be re-certified.
Processor will assist Client in meeting the security obligations that rest with Client. On request, Processor will provide a document stating the technical and organisational measures that Processor has taken.
Upon request, Processor will provide a document stating the technical and organisational measures that Processor has taken.
Article 5 Confidentiality
Processing Company has had all its employees who are involved in the performance of the Agreement sign a confidentiality declaration - whether or not arising from or included in the employment contract with those employees - in which it is stated in any case that these employees must observe confidentiality with respect to the Personal Data. Processor will take all necessary measures, such as screening of employees and security of data carriers and computer networks, to guarantee that this obligation of confidentiality is met.
Article 6 Data processing outside the European Economic Area (EEA)
Processor does not process Personal Data outside the EEA.
Article 7. Sub-processors
Processor may use sub-processors.
Processor will in any event, but not exclusively, use TRUE BV as a sub-processor of personal data and for hosting and managing the infrastructure. TRUE BV stores the data and its backups in a data centre located in the Netherlands. TRUE BV is ISO27001 certified.
Processor contractually obliges its sub-processors to comply with the confidentiality obligations, reporting obligations and security measures with respect to the Processing of Personal Data which obligations and measures must as a minimum comply with the provisions of this Processor Statement.
Processor shall inform the Client of any intended changes concerning the addition or replacement of other subprocessors, thereby giving the Client the opportunity to object to such changes.
Article 8 Infringement in connection with Personal Data (Data breach)If Processor becomes aware of a Data breach, it will
- inform the Client thereof, without unreasonable delay after the Processor becomes aware of the existence of the Data breach, and
- take all reasonable measures to prevent and/or limit (further) violation of the AVG.
Processing Plant will cooperate with the Client and will support the Client in the performance of its statutory obligations in respect of the incident observed.
Processor shall support the Client in fulfilling its obligation to report the breach of Personal Data to the Authority for Personal Data and/or the person concerned, as referred to in articles 33 paragraph 3 and 34 paragraph 1 of the AVG. Processor will refrain from independently reporting a breach in connection with Personal Data to the AP and/or the person concerned.
Article 9 Assistance to the Client
Under the AVG, the person concerned has a number of rights, including the right of inspection (art. 15 AVG), rectification (art. 16 AVG), data erasure (art. 17 AVG), restriction (art. 18 AVG), transferability (art. 20 AVG) and the right of objection (art. 21 and 22 AVG). Client must answer requests for the exercise of these rights and Processor will support Client in this as far as reasonably possible. For example, Processing Plant will forward a complaint or request from a party involved to Client as soon as possible
To the extent reasonably possible, Processor will support the Client in fulfilling its obligation under the AVG to carry out a data protection impact assessment (Sections 35 and 36 AVG).
Processor will provide the Client with all information necessary to demonstrate that Processor complies with its obligations under the AVG. Furthermore, at the request of the Client, Processor will enable and contribute to audits, including inspections, by the Client or a party authorised by the Client. Client shall timely indicate to Processor that, and when, it will make use of this right of audit. The number of audits is limited to a maximum of one per year.
Processor may charge its reasonable costs for the assistance referred to in this article to the Client.
Article 10 Termination & Various topics
With regard to the termination of this Processor Statement, the specific provisions of the Agreement concluded between TrainTool BV and the Client shall apply. Without prejudice to the specific provisions of this Agreement, Processor shall, at the Client's first request, delete all Personal Data or return them to the Client, and remove existing copies, unless Processor is legally obliged to store the Personal Data
The Customer shall adequately inform Processor of (statutory) retention periods that apply to the Processing of Personal Data for Processor. Processor shall not process the Personal Data for longer than in accordance with these retention periods
The obligations contained in this Processor Statement that by their nature are intended to survive termination shall remain in force even after termination of this Processor Statement.