Data Processing Agreement

Last update: December 2020

Welcome to Lepaya (“Lepaya”, “LTD Group BV”, “LTD NL BV” or “LTD NL”, or any of its wholly owned subsidiaries). Lepaya offers software and services to offer learning journeys to employees of its clients, and to measure the progress within these journeys. As described in our Privacy Policy, Lepaya does this in the role the GDPR defines as Data Processor (“Processor”), where the client is the Data Controller (“Controller”). This Data Processing Agreement (“DPA”) applies to the contracts between Lepaya and its clients, unless a specific DPA, or specific exceptions or additions to the DPA below, have been agreed in writing between Lepaya and a client.

In this Agreement, “processing operations” means any action or set of actions relating to personal data (“Data”), including in any case the collection, recording, organizing, retention, updating, modification, retrieval, consultation, use, provision by transmission, dissemination or any other form of making available, bringing together, linking together, as well as the shielding, erasure or destruction of data in the context of the Controller’s assignment to Lepaya to make its application (“App”) available for the benefit of digitizing the learning journey of the employees of the Controller.

In this Agreement, the “Data” means personal data such as: first name, last name, email address, job title, Device ID, test results, telephone number.

1. Assignment

  • The Controller has contracted Lepaya to strengthen its training/education offering. This leads to the performance of processing operations, as described in the contract between the Controller and LTD, as well as this DPA. In the event of a conflict between the Service Agreement and this DPA, the content of this DPA will prevail.
  • Lepaya is not entitled to perform acts with regard to the Data other than on the basis of written instructions from the Controller. Lepaya will only process the Data for the purposes stated in the contract and Lepaya guarantees that it will never exploit, use or otherwise process the Data for its own (commercial) purposes. If a Union or Member State law applicable to Lepaya requires it to process, Lepaya will notify the Controller of that legal provision prior to the processing, unless that legislation prohibits such notification for important reasons of public interest.
  • Lepaya may outsource the processing operations referred to in Article 1.1 to third parties, including affiliated companies or subcontractors. Examples of sub-processors are Auth0 for user authentication and Amazon Web Services for the hosting of our platform. The full list of sub-processors can be found here. Lepaya will ensure that these third parties are bound by all that is stipulated in this agreement. Lepaya remains responsible for any act and/or omission of the third parties it engages.
  • Lepaya will ensure that only those employees or other contractors of Lepaya who are required to process the Data will have access to the Data. Lepaya will adequately instruct these employees or other subordinates of Lepaya and ensure that they are familiar with the responsibilities and obligations under this agreement and under applicable laws and regulations.
  • Lepaya will, at the request of the Controller, make information available that is necessary to demonstrate compliance with this DPA as well as compliance with the applicable data protection laws and regulations.
  • At the request of the Controller, Lepaya will grant the Controller access to the Data and respond to questions and requests from the Controller in relation to the processing of Data. Lepaya will also, within two (2) weeks after request from the Controller:
    • a) provide a copy to the Controller of all Data or Data concerning a specific person that are in its possession or control, as well as a copy of all documents in which these Data are included and an overview of all systems in which this Data is included and all other processing of this Data that is carried out by Lepaya, in such a format as the Controller reasonably requests;
    • b) delete, block or correct certain Data in accordance with the instructions of the Controller; and/or
    • c) record non-compliance with specific requests for deletion, blocking or correction and the reasons for this.
  • Lepaya will notify the Controller within seventy-two (72) hours if a competent authority has made a legally binding request for the provision of the Data, unless Lepaya is not permitted to notify the Controller of this, such as in the event of a criminal injunction to maintain the confidentiality of any law enforcement investigation.
  • Lepaya will notify the Controller within seventy-two (72) hours if it receives a request from a data subject with regard to the Data, including but not limited to a request for access, rectification, erasure or restriction of processing, data portability, and/or an objection to the processing. Lepaya will assist the Controller in fulfilling its duty to respond to requests to exercise the rights of data subjects by means of appropriate technical and organisational measures.
  • Lepaya will inform the Controller if at any time it is not (any longer) able to fulfill its obligations under this DPA or if it foresees that it is not (any longer) able to do so in the near future. The Controller can then decide (i) to stop providing Data to Lepaya with immediate effect, (ii) to instruct Lepaya to suspend the processing activities until the moment Lepaya is again able to properly fulfill the obligations under this DPA, and/or (iii) to terminate this agreement with immediate effect.
  • Lepaya will observe strict confidentiality with regard to the Data and will guarantee that the persons authorized to process the Data have undertaken to observe confidentiality or are bound by an appropriate legal obligation of confidentiality. Lepaya will also ensure that it has taken measures to ensure that no more persons have access to the Data than necessary, and that every natural person who acts under the authority of Lepaya and has access to the Data only processes it on the order of the Controller, unless the natural person is bound by Union or Member State law to do the processing.
  • Lepaya will notify the Controller if, in the opinion of Lepaya, an instruction from the Controller is in conflict with the applicable laws and/or regulations, including but not limited to the applicable data protection laws and regulations, or if an upcoming change in applicable laws and regulations is likely to have a negative effect on the way in which Lepaya will be able to fulfill obligations under this agreement.
  • Lepaya will notify the Controller in writing within forty-eight (48) hours of becoming aware of a suspected or actual breach in connection with personal data (a “data breach”), including but not limited to an actual or suspected unauthorized access, disclosure, use, loss, damage or destruction of the Data by a current or former employee, contractor or agent of Lepaya or by any other person or third party. Lepaya will provide the Controller with full assistance in fulfilling the obligations of the Controller in this respect, such as assisting, if requested, with reporting to the supervisory authority and/or the data subject(s).
  • Lepaya will timely assist and support the Controller in the event of an investigation by a supervisory authority, if and insofar as that investigation is in any way related to the processing of Data as referred to in this DPA.
  • Lepaya will at all times provide the Controller in a timely manner with assistance in the fulfillment of its obligations under Articles 32 to 36 of the GDPR, including but not limited to the obligations of the Controller with regard to the security of the processing and the performance of data protection impact assessments.

2. Relevant legislation and regulations

  • When performing processing operations, Lepaya will comply with its obligations under this agreement as well as under all applicable laws and regulations, including but not limited to the Personal Data Protection Act (“Wbp”) and the General Data Protection Regulation (“AVG”), and hereby accepts all (future) obligations that will ensue from this.

3. Security

  • Lepaya will take adequate technical and organisational measures to secure the Data and will apply a security level that guarantees the confidentiality of the Data and that the Data is protected against loss, alteration, destruction, disclosure or access, and furthermore against all other forms of unlawful processing of the Data. Taking into account the state of the art and costs of implementation, these measures will guarantee an appropriate level of security, in view of the risks associated with the processing and the nature of the Data to be protected.

4. Processing outside the EEA

  • Without the prior written consent of the Controller, Lepaya will not process any Data outside the European Economic Area or have it processed.

5. Duration and termination

  • This agreement will enter into force on the same date as a contract between Lepaya and the client comes into effect, and will remain valid for one (1) year after termination of this contract.
  • Either party can terminate this agreement prematurely by giving notice of termination of the agreement in writing with due observance of a notice period of three (3) months. The canceling party does not owe the other party any compensation in connection with the cancellation, with the exception of fees as stipulated in the commercial contract between Lepaya and the client.
  • If one of the following cases occurs with regard to a party, this agreement will terminate with immediate effect and by operation of law without notice of default being required and without the parties owing each other any compensation:
    • the (company of that) party has ceased to exist or has been dissolved;
    • the party has been declared bankrupt or has been granted a moratorium on payments, whether or not temporarily;
    • the party has applied for a suspension of payments or that party is granted a suspension of payments; and/or
    • the party is placed under administration.

6. Consequences of termination

  • If this agreement ends, if the Controller requests the cessation of the processing activities, or if the retention period of the Data of two (2) years has expired, or if the retention period of the Data of one (1) year has expired, Lepaya will cease the processing activities with regard to the Data with immediate effect and it will, of its own accord, without delay, but no later than within one (1) week after the retention period has expired, return all documents, computer diskettes and other information carriers, including copies thereof, containing Data, to the Controller, regardless of whether the content of those information carriers was produced by Processor, by Controller or by a third party. Insofar as Data is stored in a computer system of Lepaya or is recorded in another form that cannot reasonably be given to another party, Lepaya will destroy that Data, subject to other instructions from the Controller and unless Lepaya is obliged to store the Data on the basis of an EU or Member State law.

7. Applicable law/competent court

  • This agreement is exclusively subject to Dutch law. Applicability of the Vienna Sales Convention is expressly excluded.
  • All disputes arising in connection with this agreement, including disputes about its existence and validity, will be settled by the competent court in Amsterdam.

8. Miscellaneous

  • This agreement is not transferable by either party except with the prior written consent of the other party.
  • This agreement can only be amended or supplemented in writing.

9. Questions?
If you have any questions about this DPA, you can always contact us via:

LTD NL BV (“Lepaya”)
Stephensonstraat 19
1097 BA, Amsterdam
The Netherlands
Chamber of Commerce number: 69556318
VAT number: NL 857917171B01