Data Processing Agreement ORvox B.V.

Version 1.0 – 28 July 2025

Introduction

This Data Processing Agreement is part of the Main Agreement entered into between ORvox B.V. (hereinafter: “ORvox”) and a natural person or legal entity (hereinafter: “Client”). Together, ORvox and the Client are referred to as the “Parties.”

Under Applicable Law, ORvox is classified as a Processor, and the Client as a Controller.

This Data Processing Agreement sets out the arrangements regarding the processing of Personal Data within the framework of the Main Agreement. If the Client has any questions about this agreement, they may contact us via our website: www.orvox.nl

1. Definitions

The following capitalized terms in this Agreement have the meanings stated below:

  • Data Subject(s): the identifiable natural person whose Personal Data is being processed.
  • Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, transmitted, stored, or otherwise processed Personal Data.
  • Main Agreement: the agreement between the Client and ORvox under which the Client uses the ORvox application, and to which the ORvox general terms and conditions apply.
  • Personal Data: all information about an identified or identifiable natural person processed by ORvox on behalf of the Client (as Controller) within the scope of the Main Agreement.
  • Employee(s): individuals authorized by the Parties to execute this Data Processing Agreement and working under their responsibility.
  • Sub-Processor: any third party engaged by ORvox to process Personal Data on its behalf, not under its direct authority.
  • Applicable Law: laws, regulations, directives, guidelines, instructions, or recommendations from authorities applicable to the processing of Personal Data, including any amendments, replacements, or future versions thereof.
  • Processing: any operation or set of operations performed on Personal Data, whether automated or not (e.g., collection, recording, structuring, storage, adaptation, consultation, use, transmission, erasure).
  • Data Processing Agreement: this agreement, including any amendments and updates.

2. Purpose of this Data Processing Agreement

The purpose of this Data Processing Agreement is to set out the terms under which ORvox may process Personal Data on behalf of the Client.
This Agreement forms an integral part of the Main Agreement between ORvox and the Client. Together, the Main Agreement and this DPA define the subject and duration of the processing.

The Parties guarantee compliance with the Applicable Law on the Processing of Personal Data.

3. Obligations of the Client as Controller

The Client provides the Personal Data to ORvox and determines the purposes and means of the Processing.
The Client guarantees that the Processing, including the collection of Personal Data, complies with the Applicable Law.

If Employees of the Client process Personal Data, the Client remains responsible for ensuring compliance with the Applicable Law.

4. Permitted Processing Activities

ORvox commits to processing Personal Data only on behalf of the Client and solely for the purpose of providing online elections, as described in the Main Agreement. Processing takes place only under the Client’s instruction.

ORvox processes the following types of Personal Data:

  • Name
  • Email address
  • Phone number
  • Job title and department

These data relate to the following categories of Data Subjects:

  • Individuals employed by or working for/on behalf of the Client

The following processing operations may be carried out:
collection, recording, structuring, storage, modification, consultation, use, transmission, combination, restriction, erasure, or destruction.

5. Data Handling

ORvox shall only process the Personal Data that is strictly necessary for fulfilling the Main Agreement.
ORvox does not determine the purpose of the Processing.

Personal Data will only be shared with Employees and/or Sub-Processors who need access for the purposes of the Main Agreement, unless required otherwise by law.
ORvox ensures its employees are informed of their obligations under this DPA.

Where necessary, ORvox may create backups. These backups will be subject to the same safeguards as the original data.

ORvox will not process Personal Data outside the European Economic Area (EEA).

6. Sub-Processors

The Client acknowledges that ORvox may engage Sub-Processors to perform processing activities.
Information about Sub-Processors can be requested by the Controller. Refusal is only permitted with valid justification.

ORvox ensures that Sub-Processors are bound by data protection obligations equivalent to those in this DPA.

ORvox remains fully liable to the Controller for compliance by the Sub-Processor and shall always be the Client's point of contact.

7. Confidentiality

ORvox shall maintain strict confidentiality regarding all Personal Data processed on behalf of the Controller. This obligation extends to ORvox Employees and any Sub-Processors and remains in effect even after termination of this Agreement.

This duty of confidentiality does not apply if ORvox is legally required by a supervisory authority, law, or court order to disclose the Personal Data; or if the information is public, or disclosure is instructed by the Client.

8. Security Measures

ORvox implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Applicable Law and to protect the rights of Data Subjects.

The level of protection considers the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

ORvox is responsible for adjusting the protection level when necessary or legally required.

Upon the Client’s express request, ORvox can take additional security measures. Additional costs are borne by the Client, unless agreed otherwise.

9. Data Breach Notification

If ORvox becomes aware of a Data Breach, it will notify the Client without undue delay and no later than 48 hours after discovery.

The notification will include, at minimum:

  • The nature of the breach, including affected categories of Data Subjects and data types
  • The likely consequences of the breach
  • Measures taken to address and mitigate the breach

ORvox will also provide updates about developments concerning the breach.

The Client is responsible for assessing whether notification to the supervisory authority and/or Data Subjects is required.

Each Party shall bear its own costs related to breach notification.

10. Requests from Data Subjects or Authorities

ORvox will support the Client, where reasonably possible, in handling requests from Data Subjects. If a request is received directly by ORvox, it will forward it to the Client.

The Client is responsible for handling such requests unless agreed otherwise.

ORvox will also assist the Client in responding to requests from government authorities, as far as possible.

The Client shall reimburse ORvox for any costs incurred in the execution of articles 10.1 and 10.2, unless agreed otherwise.

11. Information Obligation and Audit Rights

ORvox will make available all information necessary to demonstrate compliance with this DPA.

The Client may, at its own expense, conduct or commission an audit or Data Protection Impact Assessment (DPIA) once per year.
ORvox shall cooperate fully. Any (indirect) costs incurred by ORvox in relation to the audit shall also be reimbursed by the Client.

12. Duration and Termination

This DPA takes effect upon acceptance by the Client and remains in force for the duration of the Main Agreement.

The DPA cannot be terminated separately.

The DPA ends once ORvox has deleted all Personal Data in accordance with Article 12.4.

Upon termination of the Main Agreement, Personal Data will remain available for 30 days. After this, it will be deleted.
Backups and copies will be permanently deleted after 90 days, unless retention is required by law.

The Client can export Personal Data via the ORvox application up until termination of the Main Agreement.

13. General Provisions

This DPA forms part of the Main Agreement. Therefore, the rights and obligations under the Main Agreement and the ORvox General Terms and Conditions also apply.

In case of conflict between this DPA and the Main Agreement, this DPA shall prevail for matters concerning the processing of Personal Data.

This DPA replaces all previous agreements regarding Personal Data processing. Amendments must be made in writing.

In accordance with the ORvox General Terms and Conditions, Dutch law applies to this DPA and disputes shall be submitted to the court in Amsterdam.