This Data Processing Agreement applies to the use of the online platform 4planning, provided by 4Software B.V., trading under the name 4planning.
This agreement supplements the agreement, general terms and conditions, and/or subscription agreement between 4planning and the customer. In the event of any conflict between this processor agreement and other agreements, the provisions of this processor agreement shall prevail as far as the processing of personal data is concerned.
1. Definitions
In this processor agreement, the following terms are used:
GDPR
The General Data Protection Regulation.
Personal data
All information about an identified or identifiable natural person, such as name, email address, telephone number, address details, date of birth, or other data from which someone can be directly or indirectly identified.
Stakeholder
The data subject, such as a member, employee, volunteer, participant, administrator, contact person, or customer user.
Data controller
The organisation that determines why and how personal data is processed. Within this agreement, the customer is the data controller.
Processor
The party processing personal data on behalf of the data controller. Within this agreement, 4Software B.V., trading under the name 4planning, is the processor.
Sub-processor
A third party engaged by 4planning that processes personal data in the context of 4planning's services.
Processing
All processing of personal data, including collecting, recording, storing, altering, consulting, using, disclosing, blocking, erasing or destroying.
2. Parties
This Data Processing Agreement is entered into between:
Data controller:
The customer using 4planning.
and
Processor:
4Software B.V., trading as 4planning
Hakkesstraat 32, 5916PX Venlo
KvK: 96265531
E-mail: info@4planning.nl
3. Applicability
This processing agreement applies to all processing of personal data carried out by 4planning on behalf of the client when providing the 4planning software, app, modules, support, and related services.
The customer decides independently which personal data is entered into 4planning, for whom this data is recorded, and for what purpose it is used.
4planning processes this personal data exclusively on behalf of the customer and not for its own purposes, unless this is necessary for its own legal obligations, security, administration, billing, support, or improvement of the service provision at an aggregated or anonymised level.
4. Purpose of Processing
4planning processes personal data for the provision of an online platform for, among other things:
- membership management;
- user management;
- group management;
- roles and rights;
- communication within organisations;
- news reports;
- event management;
- registrations and attendance;
- ticketing and access control;
- QR scans;
- document management;
- planning;
- contribution and membership management;
- notifications via email and push notifications;
- support and management of the environment.
4planning does not process personal data for purposes other than those necessary for the provision, maintenance, security, and support of its services, unless the customer explicitly instructs it to do so or the law requires it.
5. Types of personal data
Depending on the customer's usage, the following personal data may be processed within 4planning, amongst others:
- first name and surname;
- email address;
- phone number;
- address details;
- date of birth;
- gender, if used by the customer;
- profile picture;
- username;
- organisational role;
- group allocation;
- team or department information;
- membership number or internal customer number;
- presence and login status;
- participation in events;
- ticket details;
- QR code data;
- communication preferences;
- language preference;
- push notification settings;
- document rights and access levels;
- messages, polls, and replies within the environment;
- log data, such as login times, technical error messages, and security logs;
- payment statuses or transaction references, if applicable.
4planning does not store IBAN numbers unless expressly agreed otherwise and documented in writing in the future. Any payments, direct debits, or transactions may be processed via external payment providers or financial service providers. In such cases, 4planning can exclusively process limited payment statuses, transaction references, or administrative information for displaying the status within the platform.
6. Stakeholder Categories
The personal data may relate to, among other things:
- members;
- former members;
- board members;
- administrators;
- group administrators;
- employees;
- volunteers;
- trainers;
- team members;
- event attendees;
- ticket buyers;
- access control scanners;
- contact persons;
- customers or customer relationships;
- other users who are granted access to 4planning by the customer.
7. Customer instructions
4planning processes personal data exclusively on the basis of the agreement with the customer, this processor agreement, the settings within the platform, and reasonable written instructions from the customer.
Where 4planning is of the opinion that an instruction conflicts with the GDPR or other applicable legislation, 4planning shall inform the customer thereof, to the extent legally permissible.
The customer remains responsible for the accuracy, legitimacy, and necessity of the personal data entered into 4planning.
8. Customer responsibilities
The customer is responsible for:
- having a valid basis for processing personal data;
- informing stakeholders via, for example, a privacy statement;
- determining which personal data are entered;
- keeping data up to date;
- correctly setting up roles, permissions, and access settings;
- managing accounts and passwords carefully;
- handling and processing requests from stakeholders;
- assessing whether a data breach needs to be reported to the Dutch Data Protection Authority and/or data subjects.
The customer may not process personal data in 4planning that is not necessary for the use of the platform. The customer may not store special personal data in 4planning, unless there is a valid legal basis for doing so and appropriate measures have been taken.
9. Security
4planning takes appropriate technical and organisational measures to protect personal data from loss, misuse, unauthorised access, alteration or disclosure. Among other things, Article 32 GDPR refers to appropriate technical and organisational security measures, tailored to the risks of the processing.
These measures may include:
- secure connections via SSL/TLS;
- access security with user accounts;
- role and rights structure;
- two-factor authentication where available;
- logging of relevant system and security activities;
- back-ups;
- server security;
- restriction of access to authorised persons;
- secure hosting environment;
- periodic updates and maintenance;
- measures against abuse, unauthorised access and data loss.
4planning is committed to continuously evaluating and improving security measures where necessary.
10. Confidentiality
4planning undertakes to keep confidential all personal data that it processes within the framework of this agreement.
This duty of confidentiality also applies to employees, hired personnel, freelancers and other individuals who may have access to personal data under the responsibility of 4planning.
The duty of confidentiality does not apply when disclosure is required by law, a court order, or an authorised government body.
11. Sub-processors
4planning may engage sub-processors to provide services. These include hosting providers, email providers, payment providers, support software, backup providers, or technical service providers.
The customer gives general consent for the engagement of sub-processors, provided that 4planning:
- makes an up-to-date list of sub-processors available;
- obliges sub-processors to provide appropriate security and confidentiality;
- makes agreements with sub-processors that align with this data processing agreement;
- informs the customer about material changes to sub-processors;
- gives the customer a reasonable opportunity to object to new sub-processors.
Pursuant to Article 28 GDPR, a processor may not engage another processor without the prior specific or general written authorisation of the controller. In the case of general authorisation, the customer must be informed of additions or replacements of sub-processors, thus enabling objection.
The current sub-processors are listed in the appendix or on a separate sub-processor page of 4planning.
12. Processing location
4planning endeavours to process personal data as much as possible within the European Economic Area.
When personal data are processed outside the EEA, 4planning ensures appropriate safeguards as required under the GDPR, for example by using recognised contractual clauses or other valid transfer mechanisms.
13. Data breaches
When 4planning discovers a security incident involving the loss of customer personal data, or where unlawful access, modification, or disclosure cannot be reasonably excluded, 4planning will inform the customer as soon as possible.
4planning provides, as far as is known and reasonably possible, information about:
- the nature of the incident;
- the personal data concerned;
- the possible consequences;
- the measures taken or proposed;
- the contact person for follow-up.
4planning reports a data breach to the customer within 48 hours of discovery, unless this is not reasonably possible. In that instance, 4planning will report the incident as soon as possible thereafter.
The customer remains responsible for assessing whether the data breach must be reported to the Dutch Data Protection Authority and/or the data subjects.
14. Rights of data subjects
Under the GDPR, data subjects have rights, including the right of access, rectification, erasure, restriction, objection, and portability.
When a data subject submits a request directly to 4planning concerning personal data processed under the customer's responsibility, 4planning shall forward this request to the customer, unless 4planning is legally obliged to respond itself.
4planning will, as far as reasonably and technically possible, cooperate with the customer's requests to view, correct, delete, export or restrict personal data.
15. Export and removal
The customer may export data during the term of the agreement to the extent that the functionality of 4planning supports this.
Upon termination of the agreement, 4planning will delete or return personal data, unless a legal retention obligation or justified technical reason requires temporary storage.
Backups can be retained for a limited period, solely for recovery and security purposes. Personal data in backups is not actively used and will be overwritten or deleted according to the regular backup schedule.
16. Control and audit
The customer has the right to request information regarding compliance with this processing agreement.
4planning can comply with this request by providing:
- a security statement;
- documentation on technical and organisational measures;
- an overview of sub-processors;
- relevant certifications or reports, if available;
- written answers to reasonable questions.
A physical or external audit is only possible when the customer has a demonstrable legitimate interest, the audit is announced in writing in advance, the audit does not cause unreasonable disruption to the service provision, and all persons involved observe confidentiality.
The costs of any audit requested by the customer shall be borne by the customer.
17. Liability
4planning's liability for damages in connection with the processing of personal data is limited as set out in the general terms and conditions or main agreement between the parties, unless mandatory law dictates otherwise.
The customer indemnifies 4planning against claims from third parties arising from unlawful or incorrect instructions from the customer, unlawful input of personal data, or insufficient compliance by the customer with its own GDPR obligations.
18. Duration and termination
This processing agreement comes into effect when the customer uses 4planning, takes out a subscription or accepts this agreement.
This processor agreement automatically terminates when the agreement for the use of 4planning ends, unless obligations from this agreement, by their nature, must continue to apply, such as confidentiality, liability, and agreements on deletion.
19. Changes
4planning may amend this processor agreement when necessary due to changes in legislation, service provision, security, sub-processors, or business operations.
4planning informs customers in good time about essential changes. When the customer continues to use 4planning after the change, the customer is deemed to have agreed to the amended agreement, unless written objection is made within the specified period.
20. Applicable Law
This processor agreement is governed by Dutch law.
Disputes shall be submitted to the competent court in the Netherlands, unless mandatory law dictates otherwise.