Processor Statement

Please note: at the request of the Client, a separate Processing Agreement can be drawn up and signed. In that case, the terms of that agreement supersede this statement.


General information

TrainTool BV

Hooghiemstraplein 152

3514 AZ Utrecht

KvK: 53801016

For questions you can contact:


Data Protection Officer

Peter van der Reyden

Hooghiemstraplein 152

3514 AZ Utrecht

030-8906555

info@traintool.com

Description of services

  • TrainTool provides an online training platform ("TrainTool"), content, and classroom, telephone and online training and coaching.
  • TrainTool BV has a NEN/ISO 27001 certification.
  • Subprocessor TRUE BV (for infrastructure, hosting and management of hosting) is ISO 27001 certified.
  • TrainTool BV is a Processor within the meaning of the GDPR.

Considerations

  • TrainTool BV - hereinafter referred to as Processor - makes IT services available and processes (special) personal data in that context;
  • With regard to the storage and processing of personal data, the Processor can be regarded as a Processor within the meaning of Article 4 of the GDPR;
  • TrainTool BV, partly in implementation of the provisions of Article 28(3) of the GDPR, sets out in this Statement a number of conditions that apply in connection with the processing of personal data.

Article 1. Definitions

In this Processor Statement, the following capitalized terms have the following meaning:

AP: Dutch Data Protection Authority

AVG: General Data Protection Regulation

Data breach: a breach of security of Personal Data leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, data transmitted, stored or otherwise processed

Agreement: the agreement concluded between the Client and the Processor, on the basis of which the Processor will Process Personal Data for the Client

Personal data: all data that can be traced directly or indirectly to a natural person as referred to in Article 4 of the GDPR

Process: the processing of Personal Data as referred to in Article 4 of the GDPR

Processing: the processing of Personal Data by the Processor

Article 2. Client for and Processor of the data

The Processor processes Personal Data on behalf of the Client in the execution of the Agreement. The provisions of this Processor Statement apply to this Processing.

The Processing relates to the following categories of data subjects of the client:

  • Employees
  • Students
  • Teachers

The processing takes place for the following purposes and concerns the following categories of Personal Data:

Purposes:

(online) training and testing of communication skills

Categories of personal data:

name, e-mail address, telephone number (for Skills Coaching participants), personal password (one-way encrypted) and, during use, names of training courses followed, answers to exercises including audiovisual recordings, progress data, percentage of completed exercises, feedback and assessment scores


The Processor only processes the Personal Data for the purposes of the activities mentioned in this Processor Statement and/or the Agreement. The Processor will not use the Personal Data in any other way, unless the Client has given explicit written permission for this, or a legal provision obliges the Processor to do so. In that case, the Processor will inform the Client prior to the Processing which legal requirement is involved, unless that legislation prohibits this.

Article 3. General duty of care Processor

The Processor ensures compliance with this Processor Statement and the legal rules (such as the GDPR) that apply to the Processor. If the client so requests, the Processor will inform the client about the actions and measures that the Processor has taken in the context of this general duty of care of the Processor.

Article 4. Technical and organizational facilities

The Processor will take (or have taken) appropriate technical and organizational measures to protect Personal Data against loss or unlawful Processing. The Processor will ensure that the security level is tailored to the risks. The state of the art and the costs of security measures will be taken into account.

The Processor will in any case take measures to protect Personal Data against destruction, against accidental and intentional loss, falsification, unauthorized distribution or access, or against any other form of unlawful Processing.

The Processor is certified according to the most recent version of the NEN/ISO 27001 standard. If the current version of this standard is withdrawn and a new version comes into effect, the Processor will comply with the new standard as soon as possible. If necessary, the Processor will be recertified.

The Processor will assist the Client in complying with the security obligations that rest with the Client.

Upon request, the Processor will provide a document stating the technical and organizational measures that the Processor has taken.

Article 5. Confidentiality

The Processor has had all its employees involved in the implementation of the Agreement sign a confidentiality statement - whether or not arising from or included in the employment contract with those employees - which in any case states that these employees must maintain confidentiality with regard to the Personal Data. The Processor takes all necessary measures, such as screening of employees and security of data carriers and computer networks, to guarantee that this obligation of confidentiality is fulfilled.

Article 6. Data processing outside the European Economic Area (EEA)

The Processor does not process the Personal Data outside the EEA.

Article 7. Subprocessors

The Processor may use sub-processors.

In any case, but not exclusively, the Processor uses TRUE BV and Google Cloud as sub-processors. TRUE BV is a sub-processor of Personal Data and provides the infrastructure, its hosting and the management thereof. Google Cloud stores the data and its backups in a data center located in the Netherlands (Eemshaven). Google and TRUE BV are ISO 27001 certified.

The Processor contractually obliges its sub-processors to comply with confidentiality obligations, reporting obligations and security measures with regard to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor Statement.

Article 8. Personal Data Breach (Data Breach)

If the Processor becomes aware of a Data Breach, it will:

  • inform the Client thereof, without unreasonable delay after the Processor has become aware of the existence of the Data Breach, and
  • take all reasonable measures to prevent and/or limit (further) violations of the GDPR.

When taking the aforementioned measures, the Processor will, where possible, refrain from taking measures that are irreversible and/or seriously hinder an investigation into the causes of the Data Breach.

The Processor will cooperate with the Client and support the Client in carrying out its legal obligations with regard to the observed incident.

The Processor will support the Client in the Client's obligation to report the breach in connection with Personal Data to the Dutch Data Protection Authority and/or the data subject, as referred to in Articles 33(3) and 34(1) of the GDPR. The Processor will refrain from independently reporting a breach in connection with Personal Data to the AP and/or the data subject.

Article 9. Assistance to Client

Under the GDPR, the data subject has a number of rights, including the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction (Art. 18 GDPR), portability (Art. 20 GDPR) and the right to object (Articles 21 and 22 GDPR). The Client must respond to requests to exercise those rights, and the Processor will support the Client in this as far as reasonably possible. For example, the Processor will forward a complaint or request from a data subject to the Client as quickly as possible.

The Processor will support the Client, as far as reasonably possible, in complying with its obligation under the GDPR to carry out a data protection impact assessment (Articles 35 and 36 GDPR).

The Processor will make available to the Client all information required to demonstrate that the Processor complies with its obligations under the GDPR. Furthermore, at the request of the Client, the Processor will enable and contribute to audits, including inspections, by the Client or a party authorized by the Client. The Client will inform the Processor in a timely manner that and when it will make use of this audit right. The number of audits is limited to a maximum of one per year.

The Processor may charge the Client its reasonable costs for the assistance referred to in this article.

Article 10. Termination & Miscellaneous

With regard to termination of this Processor Statement, the specific provisions of the Agreement between TrainTool BV and the Client apply. Without prejudice to the specific provisions of that Agreement, the Processor will delete all Personal Data or return it to the Client at the first request of the Client, and delete existing copies, unless the Processor is legally obliged to store the Personal Data.

The Client will adequately inform the Processor about the (legal) retention periods that apply to the Processor's Processing of Personal Data. The Processor will not Process the Personal Data for longer than these retention periods permit.

The obligations from this Processor Statement that by their nature are intended to survive termination will remain in force even after termination of this Processor Statement.