Agreement between InBrandevoort (Processor) and Organizations (Controller)
This Data Processing Agreement (DPA) is entered into between:
Processor:
InBrandevoort, De Plaetse 26, 5708ZJ Helmond, the Netherlands
The Controller is the organization that accepts this DPA when using InBrandevoort to publish content (posts, events, news, etc.). This includes both manually created content and automated imports via the news scraping feature. By using these features, the organization enters into this agreement.
Privacy Contact Point
For all privacy-related matters under this DPA, the Controller may contact the designated privacy contact point as specified in our Privacy Policy.
This DPA supplements and forms an integral part of any agreement between the parties. In case of conflict between this DPA and other agreements (including the general Terms and Conditions), this DPA shall prevail with respect to data protection matters.
All processing activities performed by InBrandevoort under this DPA are purely technical in nature and carried out solely in support of the Controller's use of the service. InBrandevoort does not determine the purposes of processing and acts exclusively on the Controller's instructions.
This DPA governs the processing of personal data when the Controller uses InBrandevoort to publish and manage content. The processing includes:
This DPA remains in effect for as long as the Controller uses InBrandevoort to publish or manage content. Upon ceasing use or disabling features, previously published content remains stored unless the Controller requests deletion. The DPA terminates when all personal data has been deleted or returned.
The Controller may at any time request complete or partial removal of content, or request modifications to published content. Such requests will be processed without undue delay.
The following categories of personal data may be processed, but only if the Controller enters this information manually or if it appears on the Controller's public website that is being scraped:
Personal data may relate to the following categories of data subjects:
The Controller warrants and agrees that:
InBrandevoort, as Processor, shall in accordance with Article 28(3) GDPR:
The Processor shall assist the Controller with Data Protection Impact Assessments (Article 35 GDPR) and prior consultations with supervisory authorities (Article 36 GDPR) where required, taking into account the nature of the processing and the information available to the Processor.
The Controller grants general authorization for InBrandevoort to engage sub-processors. The current authorized sub-processors are:
InBrandevoort shall inform the Controller in writing of any intended changes concerning the addition or replacement of sub-processors at least 14 days before the change takes effect, thereby giving the Controller the opportunity to object to such changes.
If the Controller has reasonable grounds to object to the use of a new sub-processor, the Controller shall notify InBrandevoort in writing within 14 days of receiving notice. In case of a reasonable objection, the parties shall discuss in good faith a mutually acceptable solution. If no solution can be found within 30 days, the Controller may terminate the affected service without penalty, and InBrandevoort shall delete or return all related personal data.
InBrandevoort shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
InBrandevoort implements appropriate technical and organizational measures pursuant to Article 32 GDPR, including:
InBrandevoort will assist the Controller in responding to data subject requests under Chapter III GDPR:
In the event of a personal data breach affecting the Controller's data, InBrandevoort shall:
The Controller has the right to audit InBrandevoort's compliance with this DPA:
InBrandevoort may request postponement of on-site audits if there is an immediate risk to infrastructure security or availability (e.g., ongoing security incident, system failure). In such cases, InBrandevoort shall propose an alternative date within 14 days and provide interim documentation or remote access where feasible.
Each party bears its own costs for audits, unless the audit reveals material non-compliance by InBrandevoort, in which case InBrandevoort shall bear reasonable audit costs.
Regarding data retention:
Personal data is primarily stored within the European Economic Area (EEA). InBrandevoort shall not transfer personal data to a third country or international organisation unless:
Where sub-processors may process data outside the EEA (e.g., Google Translate), Standard Contractual Clauses or equivalent safeguards apply. InBrandevoort conducts Transfer Impact Assessments where required, in accordance with the case law of the Court of Justice of the European Union. Details of international transfers are available in our Privacy Policy.
Each party is liable for damages caused by processing that infringes GDPR, to the extent set out in Article 82 GDPR. The Controller is responsible for ensuring they have the right to scrape and display the content. InBrandevoort is not liable for claims arising from content the Controller did not have the right to publish or from instructions that violate applicable law.
Upon termination of this DPA:
This DPA is governed by the laws of the Netherlands. Disputes will be submitted to the competent court in 's-Hertogenbosch, the Netherlands. This DPA is subject to the GDPR and shall be interpreted consistently with GDPR requirements.
Last updated: February 12, 2026