
Data Processing Agreement

On this page, you can consult the applicable terms and conditions that we use within Plugz for our customers. This document relates to our product packages.


Data Processing Agreement Plugz

By using Plugz on the basis of an agreement we have concluded, various data relating to you are processed in our software. This also includes personal data, such as names, (email) addresses, telephone numbers and visual charging card numbers. From a legal perspective, you qualify as the “controller” for the processing of such personal data. Because our system enables the storage and use of this data, we qualify as the processor and we will process your personal data in a proper and careful manner.

Under the General Data Protection Regulation (GDPR), which has been applicable since 25 May 2018, arrangements must be made between controllers and processors regarding the processing of personal data by the processor.

In this data processing agreement, we set out these arrangements with you.

1. Definitions of Legal Terms

The GDPR uses various legal terms. To ensure this document is readable and understandable, we first explain what these terms mean:

Personal Data: Any data that provides information about a natural person and with which you can directly or indirectly establish that person’s identity. For example, a name, (email) address or telephone number.

Data Subject: The person to whom Personal Data relates, or their representative. This includes, for example, the customer or supplier whose (email) address or telephone number you have stored.

Third Party: A natural or legal person, a public authority, an agency or another body, other than the Data Subject, the Controller or the Processor.

Main Agreement: The agreement(s), including the quotation, the general terms and conditions and the user/access conditions, including any appendices, between you and Plugz regarding the services provided by Plugz, also the Processor, to you, also the Controller, of which this Data Processing Agreement forms an annex.

Sub-processor: A party engaged by the Processor for the performance of this Data Processing Agreement and the associated processing of Personal Data.

Processing of Personal Data: Any operation or set of operations performed on Personal Data, including in any event: collection, recording, organisation, storage, updating, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, correlation, as well as restriction, erasure or destruction of Personal Data.

Controller: The person or organisation that determines:

– whether Personal Data may be processed and, if so, which data;
– for what purpose such Personal Data may be processed;
– what such processing entails; and
– which means may be used.

Processor: The person or organisation that processes personal data for the Controller, for example via a web application, without being subject to the Controller’s direct authority. Under this Data Processing Agreement, we—Plugz—are the Processor.

Data Processing Agreement: This agreement in which the Controller (you) and the Processor (we) set out arrangements regarding the processing of Personal Data, including any annexes.

2. Who is Who?

Where this Data Processing Agreement refers to “you” or “your”, we mean you as a customer of one of Plugz’s Services who has entered into an agreement with us to use Plugz.

Where it refers to “we”, “us” or “our”, we mean Plugz B.V., located at Hertogstraat 131, 6511 RZ, Nijmegen, the Netherlands. Plugz is registered with the Dutch Chamber of Commerce under number 85674966.

3. When Does This Data Processing Agreement Apply? And Can You Terminate It During the Term?

1. By agreeing (online) to the contents of this Data Processing Agreement, this agreement is concluded and applies with immediate effect.

2. This Data Processing Agreement forms part of the Main Agreement we have concluded with you for the use of Plugz. The two agreements cannot be viewed separately. This means that if you or we terminate the Main Agreement for any reason, this Data Processing Agreement will automatically terminate immediately as well. It is not possible to terminate only this Data Processing Agreement without terminating the Main Agreement.

3. When this Data Processing Agreement is terminated, we will return the personal data to you at your request. You must make this request known upon termination of the agreement. We will delete or anonymise the relevant personal data within a reasonable period after termination of the agreement, unless we are legally obliged to retain certain personal data for a longer period (for example under tax legislation or security log retention requirements).

4. Which Personal Data Do We Process for You? And For What Purposes?

1. We process Personal Data only for the purpose to which the Main Agreement relates. This purpose is to adequately support our customers through software for parties in electric mobility and charging infrastructure and the functionalities associated therewith.

2. Personal Data will be Processed in a proper and careful manner, in accordance with the terms of this Data Processing Agreement and in accordance with the GDPR or other applicable laws and regulations regarding the protection of Personal Data.

3. The Processing does not involve special categories of Personal Data, such as Personal Data relating to race and ethnicity, unless we have made separate agreements with you. Annex 1 to this agreement specifies which Personal Data we Process for you.

5. Additional Provision: Processing of Personal Data via Third-Party APIs

In the context of our services, we use various APIs from third parties that provide or expose data. To the extent personal data is processed via these APIs, such processing falls within the scope of this Data Processing Agreement. Below we explain which categories of personal data originating from API integrations may be processed by us and in what manner.

Categories of Personal Data via APIs

We process only personal data that is necessary for providing our services and that is made available via APIs by you or by a third party. The scope and nature of personal data supplied via APIs by third parties is determined by those parties. Plugz processes only the personal data provided within the API integration that is necessary for the agreed services. Such personal data may include, among other things:

1. Identification and account data
– User or customer IDs

– Name, email address, telephone number

– RFID or charging card identifiers

2. Transaction and session data

– Start and end times of charging sessions

– Consumption data (kWh, power, duration)

– Charging point and location data that may indirectly be traceable to an individual

3. Operational data

– Statuses, error codes, reservation information

– Metadata containing user-identifiable information

4. Technical metadata

– IP addresses or network data, where necessary for the functioning of APIs

– Authentication and authorisation data (such as tokens)

This classification is technology-neutral and covers changes, expansions or additional API fields without requiring amendment of this Data Processing Agreement.

Types of Processing via APIs

We process this data exclusively for:

– providing and supporting the Plugz services;
– synchronisation, monitoring and analysis of charging transactions and operational processes;
– logging, error analysis and security;
– facilitating management and reporting;
– optional functionality such as user or loyalty programmes, if agreed.

No Processing in Case of Passive Transfer

Where personal data is routed through our systems solely in a passive manner, without Plugz storing, exposing, analysing or otherwise processing it, this is not considered “processing” within the meaning of the GDPR. No separate listing in this Data Processing Agreement is required for such passive transfer.

6. Which Responsibilities Rest with You as Controller?

1. The Controller warrants that the Personal Data is accurate, relevant and not excessive in view of the purposes for which the Personal Data is (further) processed.

2. The Controller shall immediately inform the Processor if errors or irregularities occur with respect to the Processing.

7. Of Course We Treat Personal Data Confidentially—But What Do We Do to Ensure This?

1. We are obliged to treat all Personal Data we process for you confidentially for the performance of the Main Agreement. We agree the following with you:

– We take all necessary measures to ensure confidentiality of the Personal Data.

– We ensure that all our employees treat Personal Data confidentially.

– If we use services of another party engaged for processing, we ensure that such party treats Personal Data with the same level of confidentiality, in line with the agreements made with you.

2. We are not required to treat Personal Data confidentially and/or keep it secret if:

– you have expressly given written consent to share specific Personal Data with a Third Party; or

– there is a legal obligation to provide certain Personal Data to a Third Party.

8. Where Is the Personal Data Stored and How Do We Secure It?

1. We host and Process the Personal Data only within the European Economic Area (EEA).

2. To secure personal data, we have implemented appropriate technical and organisational security measures, which are set out in Annex 2. Our choice of measures is based on available technology, implementation costs, the type of Personal Data we process for you, and the associated risks. Security requirements and technology are constantly changing. Therefore, we make efforts to continuously evaluate the security measures and, where necessary, tighten, supplement or improve them.

9. What Must We Do If There Is a Personal Data Breach?

1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2. If a personal data breach occurs in relation to the processing of personal data we process for you, we will inform you as soon as possible and without undue delay after we have discovered the breach.

3. As Controller, you also have certain (legal) obligations when there is a personal data breach. We will provide you with all assistance we can in complying with these obligations.

10. How Do We Handle Data Subject Rights?

Data Subjects have several rights under the GDPR. You are obliged to comply with those rights. Where possible, we will assist you, including with requests for access, rectification and restriction of transfer of Personal Data. If we receive a request or objection from a Data Subject, we will immediately forward such request or objection to you.

11. Who Else Gets Access to the Personal Data?

1. In some cases, we use Sub-processors. These are persons or organisations we engage to process Personal Data from our Plugz software on our behalf.

2. We make clear agreements with our Sub-processors about how they must handle all data. In particular, we agree on the technical and organisational security measures they must take to comply with applicable laws and regulations. We are liable to you, as Controller, for our Sub-processor’s compliance with these agreements.

3. By signing this Data Processing Agreement, you give us permission to engage Sub-processors. If we intend to use another Sub-processor, we will always inform you in advance. If you continue using the Plugz software after such announcement, you thereby agree to the engagement of those Sub-processors.

12. Who Is Liable in the Event of Damage?

1. You shall indemnify us against fines and/or penalty payments imposed on us by or on behalf of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and against claims for damages by a Data Subject, where it has been established that such fines and/or penalty payments or claims result from your failure, in the Processing of Personal Data, to comply with obligations specifically applicable to you under this Data Processing Agreement, the GDPR and other applicable privacy legislation.

2. If we are nevertheless liable for such fines and/or penalty payments imposed by or on behalf of the Autoriteit Persoonsgegevens or for claims by Data Subjects, then the provisions of the Main Agreement regarding (any limitation of) Plugz’s liability shall apply in full. Our liability is limited to the amount of subscription revenues arising from the Main Agreement.

13. What Can You Do to Check Compliance with Our Agreements?

1. We always strive to comply with this Data Processing Agreement. For that reason, we may have ourselves reviewed by an independent external auditor and have an audit performed. If we have had such a review performed, you may always make an appointment to inspect the report of this external independent auditor. Only if you can substantiate with sound reasons that we have not complied with this Data Processing Agreement are you entitled to have an audit performed by an external auditor at your own expense. You also have this right if we do not yet have an audit report available for inspection.

2. You will notify us in writing at least 14 days in advance that you wish to have an audit performed. If the date and/or time of the audit is not convenient for us, we will inform you and propose an alternative date and/or time.

3. You will use an external auditor who is a member of NOREA, or an auditor who meets the same quality standards applied by NOREA to its members, such as confidentiality and independence requirements. If the external auditor does not meet these quality requirements, we reserve the right to refuse that auditor.

4. The persons conducting the audits shall comply with our security procedures. This means, for example, that they agree to confidentiality. You will also keep the audit results confidential. It is not permitted to communicate about this with third parties. This is permitted only if we have given consent after mutual consultation.

5. We will cooperate with audits and provide, as timely as possible, all information that is reasonably relevant. The costs of the audits are borne by you.

14. How Do We Handle Disputes?

1. If we have a dispute, we will do our best to reach a solution together with you. If we cannot resolve it together, we will submit the dispute to the competent court in the district of Gelderland, location Arnhem. We reserve the right—if another court is competent under the law—to nevertheless submit the dispute to that competent court.

2. This Data Processing Agreement is governed by Dutch law. This also applies to all agreements and other legal acts arising from or related to this Data Processing Agreement.

Annex 1: Description of Personal Data Processing

Annex 2: Description of the Processor’s Technical and Organisational Security Measures

This annex describes the technical and organisational security measures implemented by the Processor to secure the Personal Data.

The IT security measures implemented by Plugz:

– Security standards (via Google Cloud):

ISO 27001

NEN 7510

NTA 7516

– Plugz enforces strict access control, including the use of two-factor authentication (2FA), to ensure that only authorised employees have access to sensitive data.

– We protect Personal Data with encryption, proactive monitoring and regular security audits to prevent loss, unauthorised access and unauthorised processing.

– We actively monitor security developments, update security patches and perform security assessments to identify potential risks and improve our security.

– Measures relating to the Processor’s duty to inform the Controller, ensuring that the Processor acts correctly and completely in the event of a Personal Data Breach, in line with Article 8.3 of this Data Processing Agreement.
