Data Processing Agreement

Last updated: Jul 3, 2025

The data processing agreement used for transactions and data agreements with What's Next and its partners.

Parties:

This data processing agreement (“Agreement”) is entered into between:

  1. The Controller: the natural person or legal entity that enters into an agreement with What’s Next AI B.V. for the procurement of services and qualifies as a controller within the meaning of the General Data Protection Regulation (GDPR);

  2. What’s Next B.V., with its registered office at Hanzeweg 1C, 7418 AW Deventer, registered with the Dutch Chamber of Commerce under number 97668222, hereinafter referred to as the “Processor”;

Hereinafter jointly referred to as the “Parties”.

Whereas:

  • The Controller makes use of the services of the Processor, including but not limited to AI implementation, automation and system development;

  • The performance of these services may involve the processing of personal data within the meaning of the GDPR;

  • The Parties wish to record their mutual rights and obligations regarding the processing of personal data in writing in accordance with the GDPR;

The Parties agree as follows:

Article 1. Definitions

For the purposes of this Agreement, the following terms shall have the meaning stated below:

  • “Personal Data”: all information relating to an identified or identifiable natural person;

  • “Processing”: any operation or set of operations performed on Personal Data, whether or not by automated means;

  • “Data Subject”: the natural person to whom the Personal Data relates;

  • “Sub-processor”: a third party engaged by the Processor for the processing of Personal Data;

  • “Data Breach”: a breach of security that results in the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Personal Data;

  • “AI Systems”: the technical systems, models and automation solutions that the Processor develops for the Controller.

Article 2. Assignment and Scope

  1. The Controller hereby instructs the Processor to process Personal Data in the context of the performance of the main agreement(s) concluded between the Parties.

  2. The Processor shall process the Personal Data solely on behalf of and according to the written instructions of the Controller and in accordance with the purposes laid down in this Agreement.

  3. The Processor has no independent authority over the purpose and means of the processing and shall not make decisions regarding the use of the Personal Data, disclosure to third parties, retention periods or other aspects outside the scope of this Agreement.

  4. The Processor accepts the assignment to process Personal Data under the conditions set out in this Agreement.


Article 3. Purposes of the Processing

The Processor shall process the Personal Data solely for the performance of the agreement concluded with the Controller, including but not limited to AI services, technical support, automation and optimisation of processes, and compliance with legal obligations.


Article 4. Categories of Personal Data

In performing the agreement, the Processor may process the following categories of Personal Data:

  • Contact details, including name, address, email address and telephone number;

  • Technical data, including IP addresses and browser information;

  • Login details, including usernames and passwords;

  • AI log data, insofar as applicable.


Article 5. Use of Sub-processors and Data Transfers

  1. The Processor is entitled to engage Sub-processors for the processing of Personal Data, provided they are located within the European Economic Area (EEA).

  2. Transfer of Personal Data outside the EEA shall take place only if:

    a) The Controller has given written permission; and

    b) The country concerned offers an adequate level of protection in accordance with the GDPR, for example based on an adequacy decision of the European Commission or by providing appropriate safeguards such as standard data protection clauses.

  3. At the request of the Controller, the Processor shall provide an overview of the Sub-processors involved in the processing.


Article 6. Security Measures

  1. The Processor shall take appropriate technical and organisational security measures to protect Personal Data against loss or any form of unlawful processing.

  2. These measures shall correspond to the state of the art, the sensitivity of the data and the costs of implementation, and may include encryption, access controls and pseudonymisation.

  3. The Processor shall periodically evaluate and update the measures taken, where necessary.


Article 7. Notification of Data Breaches

  1. If a Data Breach occurs at the Processor, the Processor shall inform the Controller without undue delay, but no later than within 24 hours after discovery.

  2. The Processor shall provide all relevant information, including the nature of the Data Breach, the affected data, the affected individuals, the likely consequences and any measures taken or proposed.

  3. The Processor shall maintain a register of all Data Breaches and shall make this register available to the Controller upon request.


Article 8. Rights of Data Subjects

The Processor shall promptly forward requests from Data Subjects relating to their rights under the GDPR, including rights of access, rectification, deletion and data portability, to the Controller. The Processor shall follow the reasonable instructions of the Controller and provide the necessary cooperation.


Article 9. Inspection and Audits

  1. The Controller is entitled to conduct an audit once per calendar year to verify the Processor’s compliance with this Agreement.

  2. The audit shall be announced in advance, may not unreasonably disrupt the Processor’s business operations, and shall be carried out by an independent, competent third party who is bound by confidentiality.

  3. The costs of the audit shall be borne by the Controller.


Article 10. Liability

  1. The Processor’s total liability for direct damage resulting from attributable failures in the performance of this Agreement is limited to the amount paid by the Controller to the Processor in the twelve (12) months preceding the event causing the damage.

  2. The Processor is not liable for indirect damages, consequential damages, lost profits, loss of data, fines issued by supervisory authorities, or reputational damages.

  3. The Processor is not liable for damages arising from AI output or use of the systems outside the agreed purposes.


Article 11. Ownership and Transfer of AI Systems

  1. The AI Systems developed by the Processor under the agreement become the property of the Controller after full payment of all agreed fees and outstanding invoices.

  2. Until full payment, ownership of the AI Systems remains with the Processor and the Controller only receives a temporary, non-transferable right of use.

  3. The Processor retains the right to use generic components, knowledge, methods and non-client-specific building blocks developed during the work in other contexts, provided no confidential information of the Controller is used.

  4. Transfer of source code, technical documentation and configurations shall take place no later than thirty (30) days after completion of the project and full payment.


Article 12. Confidentiality

  1. The Parties shall maintain strict confidentiality regarding all confidential information shared in the context of this Agreement.

  2. This obligation does not apply where disclosure is required by law or with the prior written consent of the other Party.

  3. The confidentiality obligation remains in force for the duration of the Agreement and for three (3) years after its termination.


Article 13. Term and Termination

  1. This Agreement enters into force on the start date of the assignment and remains in effect as long as the Processor provides services to the Controller.

  2. After termination of the agreement, the Processor shall delete or return the Personal Data, unless a legal obligation requires retention.


Article 14. Applicable Law and Disputes

  1. This Agreement is governed exclusively by Dutch law.

  2. Disputes arising from or related to this Agreement shall be submitted exclusively to the competent court in Amsterdam.
