XOIP Data Processing Agreement (as required by Article 28 GDPR)

XOIP values privacy and security very highly. In order to comply with the legal obligation under the General Data Protection Regulation (GDPR) to enter into a data processing agreement we have carefully considered best market practice and industry standards in this area.

XOIP commits to the general provisions on data processing by Dutch trade association NLdigital to ensure GDPR compliance, taking into account that these provisions have been approved by the Dutch Data Protection Authority. You can scroll through these provisions (Articles 23-29) that have been incorporated in Section 2 of the NLdigital Terms here. For your convenience these provisions are set out below:


Section 2. Standard clauses on data processing

The provisions in this section ‘Standard clauses on data processing’ apply, apart from the General provisions of these general terms, if supplierprocesses personal data, in the context of the performance of an agreement, for the controller(s) as (sub)processor as meant in the laws and regulations on personal data protection. These ‘Standard clauses on data processing’together with the practical arrangements made on personal data processing in the agreement or in a separate appendix (for example a Data ProStatement) form a processing agreement as meant in article 28, paragraph 3 of the General Data Protection Regulation (GDPR).

Article 23 General

23.1 Supplier processes the personal data on client’s behalf and in accordance with the written instructions agreed on by supplier and client.

23.2 Client, or client’s client, is the controller in the sense of the GDPR, has control over the processing of personal data and has established the purpose of and the means for the personal data processing.

23.4 Supplier implements the GDPR as laid down in this section ‘Standard clauses on data processing’ and in the agreement. Client is responsible for assessing, on the basis of this information, whether supplier offers adequate guarantees with respect to applying appropriate technical and organisational measures for the processing to meet the requirements posed by the GDPR and to adequately safeguard the protection of the data subjects’ rights.

23.5 Client guarantees vis-à-vis supplier that it acts in compliance with the GDPR, that its systems and infrastructure are at anytime appropriately secured and that the content, the use and/or the processing of the personal data are not unlawful and do not breach any third party rights.

23.6 Client is not entitled to seek recovery from supplier of an administrative fine imposed on client by the supervisory authority, on whatever legal ground. In the present section (Section 2) ‘supervisory authority’ is understood to mean the supervisory authority referred to in the GDPR.

Article 24 Security

24.1 Supplier takes all the technical and organisational security measures described in the agreement. When implementing these technical and organisational measures, supplier has taken into account the state of the art, the costs involved in implementing the security measures, the nature, scope and context of the processing, the nature of its products and services, the processing risks and the varying risks, in terms of likelihood and severity, posed to the rights and freedoms of the data subjects that supplier could expect in view of the use intended to be made of its products and services.

24.2 Unless explicitly stated otherwise in the agreement, supplier’s product or service is not intended for processing special categories of personal data or data relating to convictions under criminal law or criminal offences.

24.3 Supplier endeavours to ensure that the security measures to be taken by supplier are appropriate for the use of the product or service intended by supplier.

24.4 The security measures described offer a security level, in client’s opinion and taking the factors referred to in article 24.1 into account, appropriate to the risk involved in processing personal data used or provided by client.

24.5 Supplier may adjust the security measures implemented if this should be required, in supplier’s opinion, to continue to offer an appropriate security level. Supplier keeps a record of important adjustments and informs client of these adjustments where relevant.

24.6 Client may request supplier to implement further security measures. Supplier is not obliged to implement any adjustments in its security measures following such request. Supplier may charge client for the costs involved in implementing the adjustments requested by client. Supplier is not obliged to actually implement these adjusted security measures before the security measures requested by client have been agreed on in writing.

Article 25 Personal data breaches

25.1 Supplier does not guarantee that the security measures are effective in all circumstances. If supplier discovers a personal data breach, supplier informs client of this without undue delay. The agreement stipulates in which way supplier informs client of personal data breaches. If no specific arrangements have been agreed on, supplier contacts the client’s contact person in the usual way.

25.2 It is up to the controller – i.e. client or client’s client – to assess whether the personal data breach reported by supplier must be reported to the supervisory authority or the data subject. Reporting personal data breaches is, at any time, controller’s – i.e. client’s or client’s client’s – responsibility. Supplier is not obliged to report personal data breaches to the supervisory authority and/or the data subject.

25.3 Where required, supplier provides further information on the personal data breach and renders assistance in providing the information to client that client needs to report a breach to the supervisory authority or the data subject.

25.4 Supplier may charge client for the costs involved in this context, within reason and at supplier’s current rates.

Article 26 Confidentiality

26.1 Supplier ensures that the obligation to observe confidentiality is imposed on any person processing personal data under supplier’s responsibility.

26.2 Supplier is entitled to provide personal data to third parties if and insofar as this should be required pursuant to a judicial decision or a statutory requirement, on the basis of an authorised order by a public authority or in the context of the proper performance of the agreement.

Article 27 Obligations following termination

27.2 Supplier may charge client for any costs possibly incurred in the context of the stipulation in the previous paragraph. Further arrangements on this may be laid down in the agreement.

24.4 The security measures described offer a security level, in client’s opinion and taking the factors referred to in article 24.1 into account, appropriate to the risk involved in processing personal data used or provided by client.

27.3 The provisions of article 27.1 do not apply if statutory provisions should prohibit supplier to delete the personal data or return these, in part or in full. In such event supplier only continues to process the personal data insofar as required under its statutory obligations. The provisions of article 27.1 do not apply either if supplier is a controller in the sense of the GDPR with respect to the personal data.

24.5 Supplier may adjust the security measures implemented if this should be required, in supplier’s opinion, to continue to offer an appropriate security level. Supplier keeps a record of important adjustments and informs client of these adjustments where relevant.

Article 28 Data subjects’ rights, Data Protection Impact Assessment (DPIA) and audit rights

28.1 Where possible, supplier renders assistance in reasonable requests by client that are related to data subjects exercising their rights against client. If supplier is directly contacted by a data subject, supplier refers this data subject, whenever possible, to client.

28.2 If client should be obliged under the GDPR to carry out a Data Protection Impact Assessment (DPIA) or a prior consultation following this, supplier renders assistance, at client’s reasonable request, in this DPIA or prior consultation.

28.3 At client’s request, supplier provides all information that would be reasonably required to demonstrate compliance with the arrangements laid down in the agreement with respect to personal data processing, for example by means of a valid Data Pro Certificate or another certificate at least equal to it, an audit report (Third Party Memorandum) drafted by an independent expert commissioned by supplier or by means of other information to be provided by supplier. If client should nevertheless have reasons to assume that the personal data are not processed in accordance with the agreement, client may commission an audit, no more than once per year and at client’s expense, by an independent, certified external expert who has demonstrable experience in the type of data processing that is carried out under the agreement. Supplier is entitled to refuse an expert if this expert affects, in supplier’s opinion, supplier’s competitive position. The audit is limited to verifying compliance with the arrangements on personal data processing as laid down in the agreement. The expert is obliged to observe confidentiality with respect to his findings and only reports issues to client which result in a failure by supplier to meet its obligations under the agreement. The expert provides supplier with a copy of his report. Supplier may refuse an expert, an audit or an instruction by the expert if this should be, in supplier’s opinion, in violation of the GDPR or other laws and regulations or if this should be an unacceptable breach of the security measures implemented by supplier.

28.4 Parties hold consultations on the findings of the report as soon as possible. Parties comply with the improvement measures proposed and laid down in the report insofar as this can be reasonably expected from them. Supplier implements the proposed measures insofar as these are appropriate in supplier’s opinion, taking into account the processing risks associated with supplier’s product or service, the state of the art, the implementation costs, the market in which supplier operates and the intended use of the product or service.

28.5 Supplier is entitled to charge client for the costs it has incurred in the context of the provisions laid down in this article.

Article 29 Subprocessors

29.1 Supplier has stated in the agreement if and, if so, which third parties (subprocessors) supplier contracts for the processing of personal data.

29.2 Client grants supplier permission to contract other subprocessors in the performance of supplier’s obligations under the agreement.

29.3 Supplier informs client about possible changes with respect to the third parties it contracts. Client is entitled to object to said change by supplier.


The above provisions on data processing apply where XOIP processes personal data in the context of your XOIP Services Agreement together with the practical arrangements in the agreement and the XOIP Privacy Statement.