General Terms & Conditions CM Identity Services - CM Payments B.V.

29 Nov 2019
  • Terms and conditions
  • Privacy policy
  • Service level agreement
  • General Terms & Conditions CM Identity Services
  • Terms of Procurement

CM Payments B.V.

CM Payments B.V.
Konijnenberg 30
4825BD Breda
Netherlands (the)
VAT number:
NL854646826B01
Coc number:
62095757

Terms and Conditions CM Identity Services

A. General

1. Definitions

The terms contained in the Agreement and these Terms and Conditions beginning with a capital letter are defined and have the meaning as set out in this Article:

Agreement: the agreement concluded between CM and Client, including all associated appendices, to which these Terms and Conditions apply.

Applicable Law: (i) all applicable laws and regulations, government requests and codes of conduct laid down by competent authorities or industries that apply to providing or receiving the Service and/or End User Service in the country where the Service and/or the End User Service is delivered; and also (ii) all regulations, guidelines, conditions, policy rules and/or other requirements that are used by Suppliers in the country where the Service and/or the End User Service is delivered.

Client: the Party with whom CM concludes the Agreement.

CM: the private limited liability company CM Payments B.V. trading as CM Identity Services (Chamber of Commerce 62095757).

End User: a natural person who is authorized by Client to make use of the Client’s End User Services.

End User Service: the services offered by the Client to the natural person using the authentication, verification service(s) solution provided by CM to the Client.

Suppliers: a service provider that provides authentication and/or identification services and other related services.

Platform: the computing environment of CM designed to create the connection with the system of the Client and provide the Service to Client.

Service: a service CM provides to the Client under the Agreement.

Working Day: Monday to Friday from 8.30 a.m. to 5.00 p.m. Central European (Summer) Time (CE(S)T), excluding generally recognized public holidays in the Netherlands.

2. Scope

2.1 These Terms and Conditions apply to all requests, offers, relations, quotations and Agreements between CM and the Client, unless the Parties have expressly agreed otherwise in writing.

2.2 The applicability of any general (purchasing) terms and conditions used by Client or third parties is hereby expressly excluded.

3. Prices, payment and taxes

3.1 All prices are exclusive of value added tax (VAT) and/or any other taxes, charges or levies imposed by any government authority.

3.2 The applicable prices and rates are listed on the website of CM and/or described in the Agreement. Unless a fixed price has been expressly agreed, CM is reserves the right to change prices and rates at any time without notice.

3.3 If a fixed price has been expressly agreed in the Agreement, CM is only entitled to change the agreed fixed price(s) after written agreement by the Client.

3.4 Notwithstanding article 3.3, CM is in every instance entitled to change its prices following from changes to Applicable Law, from an increase in the purchase price of messages and/or from rates changes effected by Suppliers. CM shall inform the Client in advance of such price increases as soon as reasonably possible.

3.5 Notwithstanding article 3.3, CM shall have the right to make adjustments to its prices (fixed or general) on an annual basis at the beginning of each subsequent calendar year to reflect the annual changes in the national Consumer Price Index (CPI).

3.6 The Client shall pay all invoices without suspension, set-off or deduction within fourteen (14) days of the invoice date, unless the Agreement explicitly contains different payment terms.

3.7 CM is entitled to demand payment of a deposit. During the term of the Agreement the deposit may be adjusted after mutual consultation. Upon termination of the Agreement the deposit will be refunded to the Client after set-off of the deposit against any outstanding amounts then due by the Client to CM. The deposit shall be transferred back to the client within two (2) whole calendar months following termination of the Agreement. CM shall not be obligated to maintain deposits in segregated accounts or and neither will they accrue interest for the Client.

3.8 In the event that Client fails to pay CM the amounts due within the agreed period, statutory commercial interest shall be applied and will fall due accordingly by the Client on the outstanding amount without any requirement from CM to communicate a notice of default.

3.9 Client is responsible for payment of the applicable value added tax (VAT) and/or any other tax or levy on its End User Service. The Client shall indemnify CM for and against all claims by tax authorities in this regard and shall indemnify CM for all losses, penalties and costs arising thereof.

3.10 Where bank fees occur, Client shall bear the costs imposed by its own bank, any intermediate bank and the bank of CM as indicated on the invoice when making payments under the Agreement. The net amount received by CM shall correspond to the amount invoiced. In this regard, the Client remains liable to pay the any shortfall of outstanding amounts due.

4. Obligations

4.1 Client will ensure a secure, continuously working connection at its own cost to the Platform of CM.

4.2 Client shall ensure that access to the aforementioned connection and the account of Client is limited to authorized employees of Client and that log-in credentials are stored securely. It is not permitted to authorize use to other persons and/or third parties.

4.3 Client shall only use the Services for its intended and normal purpose and/or purposes as agreed and described in the Agreement. Any change to the Service is to be requested in writing.

4.4 Client shall cooperate with CM and provide any information reasonably required for boarding and acceptance procedures of Supplier(s). Client will provide CM the full name of its company, its address, company registration number and VAT number (if applicable) and the name of its director(s) authorized to sign the Agreement. Changes to these details must be passed on to CM in writing.

4.5 Client accepts that CM may be obliged by Applicable Law and/or competent authorities and/or financial institutions to provide the data of Client referred to in the previous paragraph or the data of other parties that are connected via Client. Client shall provide all such data requested by CM within three (3) Working Days.

4.6 Client guarantees that all information relevant to the Agreement as provided by Client is correct and provides a correct impression of its business operations.

4.7 Data of the Client is collected by CM at registration. This (personal) data is required for contract management and customer support, conducting credit checks and preventing fraud and criminal activities on the CM Platform. The data can additionally be used for statistical research and to contact Client for marketing activities of CM and its affiliates. For the purpose of carrying out credit checks and monitoring to prevent fraud and criminal activities, CM may share data with third parties.

5. Know Your Client Procedure

5.1 CM has a Client Due Diligence procedure ("KYC") following which the Client is screened.

5.2 The Client shall provide all information reasonably requested by CM during the KYC procedure.

5.3 If CM considers it necessary for its KYC policy to receive further information and/or other documents about the Client, the Client shall provide the information immediately.

5.4 CM in its sole discretion may at any time refuse to accept the Client without providing any further information.

5.5 The Agreement is only concluded and the Services are delivered after:

a. the Agreement has been signed by CM and the Client; and

b. there is a positive outcome of the KYC procedure as specified in this Article 5.

6. Client Due Diligence

6.1 CM is obliged to continuously perform a so-called Client Due Diligence. To this end, the Client shall inform CM of any changes to the Client Due Diligence:

a. the ownership structure of the group to which the Client belongs (which also includes the natural persons who hold a qualified participation (greater than 10%) in the entity of the Client);

b. the management of the Client's entity (by means of the provision of a recent extract from the Chamber of Commerce and a copy of the passport of the new directors);

c. the acceptance policy of the Client;

d. modification of the business description as included in the Trade Register of the Chamber of Commerce in which the Client is included; or

e. organizational structure and risk management method of the Client.

7. Warranty and indemnification

7.1 Client shall indemnify, defend and hold harmless CM and its affiliates against all liabilities, losses, damages, claims, penalties, fines and costs (including reasonable legal costs) resulting from or arising out of the failure by Client to comply with article 4 and/or Applicable Law. The indemnity includes, but is not limited to claims made by authorities, organizations and institutions that supervise compliance with the Applicable Law, claims by third parties and also all claims made by Suppliers in connection with the failure by Client to comply with the Applicable Law.

7.2 CM will not be responsible for any Service failures or faults which occur, or losses suffered by the Client, as a result of a breach by the Client of the provisions of this Agreement, including but not limited to the Client's obligations in Article 4.

8. Suspension

8.1 If the Client acts contrary to an obligation under the Agreement, these Terms and Conditions, Applicable Law, Supplier guidelines or the obligation to pay the amounts due to CM within the agreed payment term, CM is entitled to suspend provision of the Service without limitation to any other remedy available to CM, including cancellation of this Agreement and/or a claim for specific performance and/or damages.

8.2 The Client remains liable for payment for the period that the provision of the Service is suspended in accordance with the provisions of this Article.

8.3 As soon as the reason for suspension in accordance with the provisions of this Article is removed by Client, CM shall resume delivery of the Service unless CM believes that the nature and/or frequency of Client's non-compliance is such that the provision of the Services should be cancelled permanently. If applicable, the activation costs which CM incurs in this respect will be charged to the Client.

9. Disputes regarding amounts payable

9.1 If the Client disputes the accuracy of an invoice sent by CM, Client will provide a motivated complaint within the payment term applicable to the invoice in question by written notice to CM.

9.2 The Client will only be entitled to suspend payment of the disputed part of the invoice, if the amount disputed by the Client exceeds 5% of the total amount of the invoice in question (excluding VAT). If the dispute is not resolved within twenty (20) Working Days after the due payment date of the invoice in question, the Parties will be able to submit the dispute to an external expert. This external party will be appointed in mutual consultation. The Parties will also make agreements in this regard concerning the costs involved in engaging the external party.

10. Confidentiality

10.1 Parties shall keep confidential all information and data received from each other that is marked confidential or evidently confidential from its nature, unless a legal obligation exists to disclose such information or when disclosure is required by the relevant supervisory authority and/or or financial institutions involved.

10.2 The Client solely receives the user rights and authorities expressly granted under the Agreement, these Terms and Conditions or otherwise, and for the remainder shall not disclose, reproduce or make copies of any materials it receives on the basis of this Agreement from CM, nor shall the Client process or modify these materials, without prejudice to further arrangements between CM and the Client in this matter.

10.3 Client shall use confidential information solely for the purpose of exercising its rights or complying with its obligations under the Agreement and shall exercise the same level of care as it uses for its own confidential information to ensure the confidentiality of that information and to prevent a third party from using or gaining access to the confidential information.

10.4 The non-disclosure obligation shall end two years after the Agreement ends.

11. Intellectual property rights

11.1 The Parties accept and respect each other's intellectual and other property rights. All intellectual property rights to any materials, developed by CM for or made available to the Client on the basis of the Agreement, such as equipment, software, analyses, designs, documentation, reports and/or offers, and any preparatory material belonging thereto, shall solely be held by CM and/or its licensors.

12. Liability

12.1 Client acknowledges that access to the internet and other communication networks is subject to risks relating to authorization, authenticity, data security, availability of services and reliability of transmission. CM shall not be liable if an interruption of the service was due to a fact beyond its control. In the event of a fault or defect, CM shall use its reasonable efforts to restore the Service in accordance with proper practices recognized in the industry.

12.2 Neither Party will be liable under or in relation to this Agreement or arising out of the provision of the Service, to the maximum extent permitted by applicable law, even if advised of the possibility of such damages and whether in relation to tort, including negligence, breach of contract or otherwise, or any other liability for any of the following: (i) loss of profits, revenues or sales; (ii) loss of bargain; (iii) loss of opportunity; (iv) loss of use of any service or any computer equipment; (v) loss of time on the part of management or other staff; (vi) professional fees or expenses; (vii) business interruption, related to this agreement or the Services provided hereunder, (viii) loss of income by the Client because the Client did not set up correct rates for the Traffic, (ix) damage to or loss of data; (x) loss of goodwill or reputation, or (xi) any other indirect, special, incidental or consequential damages of any kind howsoever arising.

12.3 CM’s liability shall be limited in aggregate to an amount equal to the average monthly invoice of Client with a maximum of fifty thousand euro (€ 50.000) for the total duration of the Agreement. In no event shall the total compensation by CM for any and all claims under this Agreement exceed fifty thousand euro (€ 50,000.00).

12.4 The limitations on liability specified in Article 12.2 and 12.3 shall cease to apply if and insofar as the loss is due to the willful intent or gross negligence of the liable party, or in case of damage to life, body and health.

12.5 No right to compensation shall ever arise unless the Party in question reports the loss to the other Party in writing within ten (10) Working Days after it has arisen. The other Party then has ten (10) Working Days to remedy the loss, if possible.

13. Force Majeure

13.1 CM is not bound to meet any obligation under the Agreement if it is prevented from doing so as a consequence of force majeure. The term 'force majeure' is used in this context to include but is not limited to: government interventions, strikes, acts of terrorism or threat thereof, interruption of operations, energy disruptions, interruptions in telecommunications facilities of third parties, failure or late compliance by ancillary suppliers of CM or other third parties engaged by CM, as well as every other circumstance that CM could not reasonably have avoided or prevented, which creates an obstacle to the normal performance of the Agreement.

13.2 If CM is prevented from complying with its obligations due to force majeure, it shall make this known to the Client within ten (10) Working Days following the day on which the situation of force majeure arose.

14. Duration and termination of the Agreement

14.1 The Agreement is entered into for the initial duration agreed between the Parties in the Agreement, failing which a period of one (1) year shall apply.

14.2 After the initial period the Agreement shall be renewed for the duration specified in the Agreement, failing which a period of one (1) year shall apply. After the initial period, the Parties may terminate the Agreement in writing by giving three (3) months' notice.

14.3 CM may unilaterally terminate the Agreement or the provision of a Service prematurely if it considers that further execution of the Service cannot reasonably be expected on economic grounds. This is to be announced and substantiated in writing to Client.

14.4 Either Party may terminate the Agreement for cause, wholly or partially, by registered letter if the other Party imputably fails to comply with its obligations under the Agreement, and – unless compliance is permanently impossible – if, after sending the most detailed possible written notice of default while allowing a term of ten (10) Working Days to remedy the failure, the other party continues to fail to comply. The nature and/or extent of the shortcoming must justify this premature termination.

14.5 Either Party may terminate the Agreement for cause, wholly or partially and with immediate effect, by registered letter without need for notice of default:

a. if the other Party – whether temporarily or not – is granted suspension of payments, or if a petition in the other Party's bankruptcy is filed, or if the other Party is declared bankrupt, or if a significant part of the other Party’s assets are seized, or the other Party’s business is liquidated or terminated other than for the purposes of restructuring or merging undertakings;

b. if the situation of force majeure as referred to in Article 13 lasts longer than twenty (20) Working Days;

c. if such termination is required by the authorities or because of changes to the terms and conditions of Supplier(s).

14.6 If at the time of such termination as is referred to in Article 14.4 and 14.5 the Client has already received any performance in the execution of the Agreement, any amounts invoiced by CM before the termination in connection with that received performance shall remain fully due and shall become immediately payable upon termination.

14.7 Provisions which by their nature are intended to survive termination of the Agreement shall continue to apply after the end of the Agreement.

15. Reporting security breaches, information and audit rights

15.1 The Client shall inform CM immediately, in any case within 24 hours, after the Client has become aware of a security incident (of any nature whatsoever) that (partly) relates or may relate to Services. The Client hereby provides the following information:

  • the nature of the security incident;
  • the (possibly) affected data;
  • the observed and probable consequences of the security incident;
  • the measures that the Client has taken and/or will take to limit the negative consequences of the security incident. The Client shall take all measures necessary to limit the (possible) damage resulting from the security incident.

15.2 CM is at all times entitled to receive from the Client all information about the use that the Client makes of the Service, insofar as this is necessary to check compliance with the Agreement.

15.3 CM is at all times entitled, after reasonable notice, to have its compliance officers, internal auditors and external auditors carry out one or more investigations, audits or risk assessments to check the Client's compliance with its obligations under the Agreement ("the Audit"). CM will not conduct an audit more than once a year, except in exceptional circumstances such as suspected fraud or a security incident.

15.4 The external costs of an Audit shall be borne by CM, unless the Audit reveals a shortcoming on the part of the Client, in which case the Client shall bear the costs of the Audit. The internal costs (i.e. the time that the Client's employees or advisors spend providing the information requested in the context of the Audit) shall be borne by the Client.

15.5 The audit rights of CM include an audit right on site, a right to request information, a right of access to the buildings, systems and personnel of the Client after reasonable notice during the relevant working hours.

15.6 All rights granted to CM under this article (Right to information and audit) are also granted to the Suppliers.

16. Transfer of rights and obligations; subcontracting

16.1 This Agreement may not be assigned by either Party without the written consent of the other Party, such consent not to be unreasonably withheld; provided, however, either Party may assign this Agreement to any affiliate of such entity or to any entity acquiring all or substantially all of assets of such entity. Any prohibited assignment shall be null and void. Subject to the foregoing, this Agreement shall be binding upon and shall inure to the benefit of the successors and permitted assigns.

16.2 CM is entitled to engage affiliates and third parties for the performance of the Agreement.

17. Applicable law

17.1 All offers from and Agreements with CM and their performance, as well as these Terms and Conditions are governed exclusively by Dutch law.

17.2 Any disputes, including those which are only considered as such by one Party, resulting from or connected with the Agreement to which these Terms and Conditions apply or the Terms and Conditions themselves, will – notwithstanding the possibility of appeal – be submitted to the competent court in Amsterdam.

18. Miscellaneous provisions

18.1 Amendments and additions to the Agreement or other notifications only apply if they are agreed in writing and have been signed by the persons authorized for this purpose on behalf of both Parties. Any amendment or addition will only apply to the relevant Agreement.

18.2 Contact persons may only represent and bind Parties insofar as this concerns the operational performance of the Agreement.

18.3 CM is authorized to modify this Terms and Conditions at any time. CM will inform Client of any modifications. If Client doesn’t object in writing within a month from the date of sending of the modification notification, the modifications to the terms and conditions are deemed accepted by Client. If Client objects, the previous terms and conditions will still apply. However, CM then alternatively has the right to cancel the Agreement with Client by giving one (1) month written notice.

18.4 Failure by one of the Parties to demand compliance with any obligation will not affect the right still to demand compliance, unless the Party in question has expressly agreed to the non-compliance in writing.

18.5 In the event that one or more of the conditions in this Agreement or these Terms and Conditions is or becomes null and void, or is set aside by a court, the remaining conditions will continue to apply in full. The Parties will consult each other as regards the invalid provisions in order to agree, if possible, on a similar provision that is permitted by law.

B. Supplementary Terms and Conditions iDIN

19. Definitions

The terms contained in the Agreement and these Terms and Conditions beginning with a capital letter are defined and have the meaning as set out in this Article:

Acquirer: The party that handles the iDIN traffic between the Issuer and the DISP.

DISP: Digital Identity Service Provider. The role fulfilled by CM. The DISP takes care of the iDIN traffic between the bank and the Client.

User: the natural person who has access to the online service of his bank (the Issuer) and for that purpose uses an Access Method provided to him by that bank.

iDIN: the standards and rules managed by iDIN B.V. (established in Amsterdam) on the basis of which CM can provide iDIN to Clients.

Issuer: the bank to which the User is a customer. The Issuer has provided the User with one or more Access Methods with which the User has access to the online services of Issuer.

Access Method: a tool by which the User can make himself identifiable in order to be able to use online services.

20. Obligations DISP

20.1 The DISP shall make the iDIN data received from the Issuer available to the Client. User agrees to the set of data shown by Issuer and identifies himself with an authentication method equal to or higher than the level requested by the Client in his iDIN-message.

20.2 The BIN (Bank Identification Number) for the Client is unique and is always the same if the User uses a method of authentication from the same Issuer (regardless of the method).

21. Liability and suspension of services

21.1 The DISP provides the iDIN service as made available by the Acquirer and Issuer. DISP is not liable for any disruptions or temporary unavailability on the part of the Acquirer and/or Issuer, any inaccuracies in the data provided or fraudulent use of iDIN.

21.2. The iDIN Service is provided by Acquirer to DISP, and by DISP to Client as available, without any guarantee with regard to the correctness, completeness, availability and actuality of the personal data included in the iDIN information. The Acquirer and DISP provide the User's personal data as recorded in the Issuer's administration. Issuer and Acquirer are not liable to the Client in connection with the use of iDIN. The Client shall not hold Issuer and/or Acquirer liable in connection with the use of iDIN, including disruptions, possible inaccuracies in the data provided, fraudulent use or (temporary) unavailability of iDIN and for (damage as a result of) errors in the iDIN information provision. If Client fails in its obligation under this article, Client shall indemnify the DISP against all damage caused by DISP as a result of this failure.

21.3 The DISP may suspend or limit the provision of services or take other (emergency) measures if, in its opinion, there are compelling reasons for doing so, including but not limited to legal requirements, a well-founded suspicion by the DISP of fraud on the part of the Client and/or Users, if the DISP is obliged to do so on the basis of license conditions in respect of iDIN, if the Acquirer ceases provision of services towards the DISP or if the Acquirer takes other (emergency) measures. If the DISP discontinues the provision of services on the basis of this article, it shall under no circumstances be liable for any damage to Client.

21.4 The DISP will immediately resume the service in accordance with the Agreement if, in the opinion of the DISP, there is no longer a situation as described in article 21.3. During the suspension, the DISP also retains all its other rights, including the right to compensation for damage and/or termination of the Agreement.

21.5 The DISP is authorized to limit and/or suspend iDIN in whole or in part in the event of malfunctions, maintenance work or security incidents, among other things. If possible, the DISP shall give the Client the opportunity to become aware in advance of a (proposal for) suspension, unless the DISP considers this undesirable in connection with, for example, fraud prevention or detection or the interests of third parties. If DISP discontinues the provision of services on the basis of this article, it shall under no circumstances be liable for any damage to Client.

21.6 Neither the Acquirer nor the Issuer nor the DISP are party to the (service) relationship between the Client and third parties (including User). Nor is the DISP responsible for the legal capacity or legal capacity of third parties (including User). Client indemnifies DISP against all damage that DISP may suffer as a result of claims by third parties and/or claims by Users relating to (legal) acts performed between User and Client and the use of iDIN in connection with such acts, claims by the Client against Issuer and/or Acquirer, and reimburses DISP for the damage that the DISP suffers as a result of such claims. The Client fully indemnifies the DISP, the Issuer and the Acquirer against damage as a result of claims from third parties, including Users, in connection with the use of iDIN.

22. iDIN documentation

22.1 Client shall comply with the conditions for iDIN, as described in the iDIN implementation guide, the iDIN Corporate Identity Manual and the other instructions as may be issued by the DISP from time to time. The DISP can provide Client with the iDIN implementation guide including API documentation and the iDIN Corporate Identity Manual. Client guarantees compliance with these documents.

22.2 The DISP shall be entitled to supplement, amend and/or replace the iDIN implementation guide and the iDIN Corporate Identity Manual. Where possible, the DISP shall inform Client of any addition, change and/or replacement prior to the commencement date. If Client does not agree to a supplement, amendment and/or replacement of the iDIN implementation guide, Client shall inform the DISP in writing of this immediately after termination of the Agreement as of the effective date of the supplement, amendment and/or replacement.

23. No Reselling

23.1 Client guarantees that it shall only use the iDIN services for itself and that it shall not act as an iDIN service provider towards third parties. Client shall not be permitted to act as a reseller of iDIN.

24. Recognizability of Customer

24.1 Client shall be obliged to use its statutory or trade names as contractually agreed with the DISP with regard to the iDIN request and with regard to communications about iDIN..

25. Handling of complaints relating to iDIN

25.1 Client shall ensure that a proper complaints and escalation procedure is in place, whereby Client can be easily reached at all times via e-mail and also via another direct contact option (e.g. telephone number, chat box or other medium).

25.2 Client shall make the information about the complaints procedure available to the Users in a clear manner and in a convenient place.

25.3 Client shall resolve disputes with Users or others (whose data has been obtained by Client through the provision of iDIN) in a reasonable manner and at its own expense and risk.

26. Use of provided data

26.1 Client acts as controller within the meaning of the General Data Protection Regulation (GDPR). Client processes the iDIN data in accordance with the GDPR.

26.2 iDIN may only be used (on websites) in the Netherlands. The personal data included in the iDIN provision may not be transferred or processed outside the EU countries.

27. Obligations Client

27.1 The Client shall request the User's iDIN data for the purpose that he has previously made clear to the User. The Client shall clearly inform the User in advance of which data the Client requests.

27.2 Without delay, the Client shall cooperate fully with requests for information from the Acquirer and/or DISP and/or the relevant regulator within the framework of iDIN. The Client guarantees the accuracy and completeness of the information provided.

27.3 Client guarantees that all software and electronic files are checked for viruses using the most appropriate version of the available antivirus software and the latest updates of virus definitions.

27.4 Client guarantees that adequate measures have been taken to protect all applications and supporting infrastructure against unauthorized access, security incidents or data leaks.

27.5 Client guarantees that all Applicable law and regulations are complied with in the execution of business activities.

27.6 The Client shall not perform any transactions with the aid of iDIN that are contrary to the law, good morals and/or public order.

27.7 The Client accepts full responsibility for compliance with this Agreement, even if Client engages a third party in the performance of this Agreement. Before Client engages a third party, Client shall notify the DISP of its intention to do so. The Client shall ensure that the third parties engaged by Client are fully aware of, and bound by, the obligations arising for the Client and/or third parties from the Agreement. Client shall ensure that these third parties correctly fulfil such obligations and shall, at the first request of the DISP, enforce the fulfilment of these obligations in court. Client is aware that the involvement of third parties involves risks. In selecting these third parties, the Client shall exercise due care.

28. Termination of the Agreement

28.1 The DISP may terminate the Agreement with immediate effect, without notice of default or other formalities and without being obliged to compensate for damage or restitution, a) in the event of an act or omission by Client or by third parties for whom Client has accepted responsibility, whereby i) the image or reputation of the DISP and/or of iDIN is or may be damaged; and/or ii) all relevant laws and regulations are not complied with; and/or iii) there is a case of non-performance or (alleged) fraud; and/or iv) the integrity of the financial sector is at risk; and/or v) the reliability of iDIN services is at risk; and b) if the iDIN Agreement between DISP and Acquirer is terminated.

28.2 The termination of the Agreement does not release the Parties from their obligations, which by their nature continue after the termination of the Agreement.

29. Warranties

29.1 Client guarantees that Client shall not use iDIN in the following cases:

  • The Client knows or suspects that there has been fraud or other unlawful and/or punishable acts by or to the disadvantage of the User, Issuer, Acquirer or the Client;
  • (legal) acts relating to goods or services the existence, exploitation, trading, possession or use of which is punishable in the Netherlands or abroad;
  • in the case of (legal) acts that are in violation of, or act in violation of, imperative Dutch or foreign laws or regulations;
  • if this could damage the reputation of the DISP and/or Acquirer and/or the image of iDIN;
  • if this causes nuisance to Users or to the financial institutions of those Users;
  • if the Customer thereby acts in violation of the Agreement, the iDIN implementation guide and these terms and conditions.

30. Information and research

30.1 Client grants DISP the right to have Client 's administration and (computer) systems examined by an independent party if DISP has reasonable grounds to doubt the correct fulfilment of the obligations arising from the Agreement by Client or third parties engaged by him. Client shall cooperate fully with this party in the execution of the investigation. The costs of the investigation shall be borne by DISP, unless the investigation shows that Client or a third party engaged by him has failed to comply with the obligations described in this article. In the latter case, Client is obliged to reimburse DISP for the reasonable costs of the investigation.

C. Data Processing

31. Definitions and interpretation

In Part C of these Terms and Conditions, except where set forth otherwise, the following terms shall have the following meanings:

31.1
Data Protection Laws: the Data Protection Laws of the country in which Client is established and any Data Protection Laws applicable to Client and/or CM in connection with the Agreement.

Personal Data: any information relating to an identified or identifiable natural person (‘Data Subject’) that is Processed by CM in its role as Processor as part of providing the Service to Client under the Agreement.

Processing/to Process: any operation or set of operations which is performed on Personal Data, whether or not by automatic means, including collecting, accessing, storing, using, combining, transferring, disclosing or deleting of Personal Data.

Technical and Organizational Measures: measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access and against all other unlawful forms of Processing.

Personal Data Breach: a breach of security leading to the accident or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

The expressions such as, ‘Data Subject’, ‘Processor’, ‘Controller’, ‘data protection impact assessment’, etc. shall have the meaning ascribed to them in the Data Protection Laws.

31.2 References in Part II of these Terms and Conditions to the Data Protection Laws shall be replaced with or incorporate references to any laws replacing or amending those Data Protection Laws, and the equivalent terms defined in such laws, once in force and applicable.

31.3 Notwithstanding anything in Part C of these Terms and Conditions, CM will have the right to collect, extract, compile, synthesize and analyze non-personal identifiable data or information resulting from Client's use or operation of the Services including, by way of example and without limitation, information relating to volumes, frequencies, bounce rates, or any other information regarding communications (“Service Data”) Client, its End Users or recipients generate and send using the Services. To the extent any Service Data is collected or generated by CM such data will be solely owned by CM and may be used by CM for any lawful business purpose without a duty of accounting to Client, provided that such data is used only in an aggregated form, without directly identifying any person. For the avoidance of doubt, Part C of these Terms and Conditions will not apply to Service Data containing Personal Data.

31.4 In case of any conflict, the provisions concerning Processing of Personal Data shall take precedence over the provisions of the Agreement. Where individual provisions are invalid or unenforceable, the validity and enforceability of the other provisions shall not be affected.

32. Obligations of the Client

32.1 Compliance

32.1.1 Client shall, in its use of the Service, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data.

32.1.2 Client shall maintain accurate and complete records of the use of the Service under the Agreement during the term and as required under the Data Protection Laws. Upon reasonable written notice, Client shall provide information as requested and where required by CM, any Supplier, regulator or other competent authority. Without limiting the generality of any other provision of the Agreement, prior to using the Service, Client shall obtain verifiable informed consent of the End Users or be able to provide confirmation of the lawful basis for Processing in accordance with applicable legislation and regulations, and shall maintain a record of each such consent and/or lawful basis.

33. Obligations of the Processor

33.1 Instructions

33.1.1 CM shall Process Personal Data in accordance with this Part C and the Agreement, and for the purposes and in the manner specified by Client from time to time in the Agreement and further instructions within the scope of the Agreement.

33.2 Technical and Organizational Measures

33.2.1 Taking into account the state of the art, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CM shall implement appropriate Technical and Organizational Measures (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data) to ensure a level of security appropriate to the risk. Up to date information regarding Technical and Organizational Measures can be found on CM.com/about-cm/security-compliance/.

33.2.2 CM shall test, assess and evaluate the effectiveness of Technical and Organizational Measures for ensuring the security of the Processing on an ongoing basis. CM shall continuously enhance and improve Technical and Organizational Measures.

33.3 Personnel requirements

CM ensures that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

33.4 Confidentiality

CM agrees that it shall maintain the Personal Data in confidence. In particular, CM agrees that it shall not disclose any Personal Data supplied to CM by, for, or on behalf of Client to any third party without Client's prior consent, except as foreseen and required for the performance of the Service under the Agreement or mandatory law.

33.5 Data Subject Rights

33.5.1 CM shall promptly notify Client if CM receives a Data Subject Request. Taking into account the nature of the Processing, CM shall assist Client, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws. CM shall assist Client in responding to such Data Subject Request, to the extent CM is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Client shall be responsible for any costs arising from CM’s provision of such assistance.

33.6 Assistance with Client’s compliance CM shall provide to Client further assistance reasonably required to ensure compliance with Client's obligations under Data Protection Laws, including with respect to:

(a) data protection impact assessment, by providing such information and cooperation as Client may require for the purpose of assisting Client in carrying out a data protection impact assessment and periodic reviews to assess if the Processing of Personal Data is performed in compliance with the data protection impact assessment;

(b) prior consultation with a data protection supervisory authority regarding high risk Processing.

33.7 Compliance, information and audit

33.7.1 CM has obtained the third-party certifications set forth in the Security & Compliance section on the website of CM, which provides information on Technical and Organizational Measures and data security. Upon Client’s written request, and subject to the confidentiality obligations set forth in the Agreement, Processor shall make available to Client, that is not a competitor of CM (or Client’s independent, third-party auditor that is not a competitor of CM) a copy of CM’s then most recent third-party certifications and information regarding the IT architecture and security, as applicable and reasonably requested.

33.7.2 Client has the right to appoint an accredited external expert at most once per year to audit the procedures regarding the data Processing for Client. CM will cooperate with such audit upon a reasonable prior written notice of no less than ten working days. Client shall reimburse CM for any time expended by CM for any such audit at CM’s then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such audit, the Parties shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible.

33.7.3 CM is entitled to request that the external expert signs a confidentiality declaration in favor of CM. The confidentiality declaration shall contain the terms and conditions that are usual for this type of declaration. Any report or statement provided by the external expert shall be made available to CM. Client shall ensure that the audit hinders CM 's operations as little as possible.

33.8 Records

CM shall maintain complete, accurate and up to date records of Processing activities carried out on behalf of its Clients.

33.9 Affiliates and Sub-processors

33.9.1 Some or all of CM’s obligations under the Agreement may be performed by Affiliates of CM. For the purpose hereof an “Affiliate” means a legal entity directly or indirectly Controlling, Controlled by, or under common Control with CM, for so long as such Control lasts. "Control" shall exist through the direct or indirect ownership of more than 50% of the share capital of the legal entity or of more than 50% of the issued share capital entitling the holders to vote for the election of directors or persons performing similar functions. CM and its Affiliates have entered into intra-company arrangements, under which its Affiliates Processing Personal Data adopt safeguards consistent with those of CM. CM is responsible for compliance of its Affiliates' with this Agreement.

33.9.2 Client acknowledges and agrees that (a) CM’s Affiliates may be retained as Sub-processors; and (b) CM and CM’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Provided always CM or a CM Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Service provided by such Sub-processor.

33.9.3 CM shall be responsible for each of its Sub-processors to the same extent CM would be responsible if performing the services of each Sub-processor directly under the terms of the Agreement.

33.10 Breach Notification

In respect of a Personal Data Breach, CM shall:

(a) notify Client of a Personal Data Breach involving CM or a sub-contractor without undue delay (but in no event later than forty-eight hours after becoming aware of the Personal Data Breach).

(b) provide reasonable cooperation and assistance to Client in relation to any action to be taken in response to a Personal Data Breach under applicable Data Protection Laws, such as Art. 33(3) and 34(3) GDPR, including regarding any communication of the Personal Data Breach to the Data Subject and data protection authorities.

CM will promptly investigate a Personal Data Breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, CM will provide Client with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, and other information Client may reasonably request. The Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or the relevant data protection authorities.

34. Storage, retention and deletion of Personal Data

CM shall Process and retain data, including Personal Data, in accordance with applicable law, regulations. The data, including Personal Data, submitted to the platform of CM shall be Processed and stored in accordance with the CM’s data retention policy. The Personal Data shall be retained for no longer than is necessary for providing the Services under the Agreement, for the purposes as states in Part I and as far as required under applicable law.

35. Description of Processing

35.1 Nature and Purpose of Processing

CM will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Agreement, and as further instructed by Client in its use of the Services.

35.2 Categories of Data Subjects

In using the Service, CM will process information as requested by Client, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: • (Potential) customers (who are natural persons) of Client or its clients; • Employees, contractors, advisors, freelancers or persons hired by (customers of) Client; • Contact persons of Client’s prospects, customers and business partners; • Client’s users authorized by Client to use the Services.

35.3 Type of Personal Data

Client may request Personal Data through the Services, the extent of which is determined and controlled by CM and the Supplier, and which may include, but is not limited to the following categories of Personal Data: First and last name, Contact information ( address, email, phone).

35.4 Purposes of Processing

The Personal Data is Processed for the following purposes: Provision of the Services as detailed in the Agreement, handling complaints and disputes, providing information to emergency services, preventing fraud and criminal activities on CM’s platform.