Policies. Last updated December 15, 2023.

Rubrik, Inc. Supplier Data Processing Agreement

This Supplier Data Processing Agreement (“DPA”) forms part of the Agreement (as defined below) or other mutually accepted written or electronic agreement between Rubrik, Inc., (“Rubrik”) and Supplier and is effective upon the date that the Agreement is signed between the parties (“Effective Date”).  This DPA reflects the Parties’ agreement with respect to the Processing of Rubrik Personal Data in the provision of Products and Services, as applicable, to be provided by Supplier pursuant to the terms and conditions of the Agreement and this DPA.

This DPA also consists of: Exhibit 1 - The Details and Nature of the Processing, the EU Standard Contractual Clauses (Module 2 - Controller to Processor) with Annexes I – III (“SCCs”) and the UK Addendum to the EU SCCs, all of which are incorporated by reference into and shall also form part of this DPA, and shall govern any applicable international transfer of Rubrik Personal Data, as described in Section 9 (Data Transfers) below. 

In the event of any conflict or inconsistency between the terms of the Agreement and this DPA, the terms of this DPA shall prevail. The terms of this DPA shall also supersede any privacy policies or privacy statements made by Supplier. For clarity, the terms of the SCCs shall prevail over any other term in this DPA. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1.     DEFINITIONS.

1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2 “Agreement” means a writing that has been signed between Rubrik and Supplier detailing the rights and duties regarding past or future performance such as a Master Services Agreement, a Professional Services Agreement, or a Professional Staffing Services Agreement. 

1.3 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.4 “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, including any regulatory guidance issued by the applicable Supervisory Authority, and the United States and its states, including without limitation, the U.S. Data Protection Laws, applicable to the Processing of Rubrik Personal Data under this DPA.

1.5 “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.6 “GDPR” means as applicable: (i) Regulation (EU) 2016/679 (General Data Protection Regulation) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data ("EU GDPR"), and (ii) the EU GDPR, as incorporated into the law of the United Kingdom under the European Union (Withdrawal) Act 2018 ("UK GDPR"), in each case as may be amended or superseded from time to time.

1.7 “Personal Data”, “Personal Information”, and/or “Personally Identifiable Information”, which shall be referred to individually or collectively in this DPA as “Personal Data”, means (i) any information relating to an identified or identifiable natural person, and/or (ii) any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household, which Supplier has access to, obtains, uses, maintains or otherwise handles, including digital IDs from devices, cookies or other tracking technologies, in connection with the performance of the Agreement.

1.8 “Personal Data Breach” means any destruction, loss, alteration, and/or unauthorized disclosure or access to Rubrik Personal Data.

1.9 “Processor” means the entity which is Processing Rubrik Personal Data on behalf of the Controller.

1.10 "Process", “Processing”, or “Processed” means any operation or set of operations which is performed upon Rubrik Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.  

1.11 “Rubrik Personal Data” means Personal Data owned, licensed, or otherwise controlled or Processed by Rubrik or by Rubrik Affiliates (including Personal Data Processed by Rubrik or by Rubrik’s Affiliates on behalf of Rubrik’s customers) and further Processed by Supplier in the course of providing the Products and Services under the Agreement.

1.12 “Standard Contractual Clauses” or “SCCs” or “Approved EU SCCs” means: (i) where the EU GDPR applies, the standard data protection clauses, as described in Article 46 of the GDPR and approved by the European Commission decision 2021/914/EC, dated 4 June 2021, found at EUR-Lex - 32021D0914 - EN - EUR-Lex (europa.eu); (ii) where the Swiss DPA applies, the Approved EU SCCs, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC") (the "Swiss SCCs"); and (iii) any set of clauses later approved by the European Commission which amend, replace or supersede such version.

1.13 "Subprocessor" means any party engaged by Supplier to process Rubrik Personal Data under the Agreement, as approved by Rubrik.

1.14 “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

1.15 “UK” means the United Kingdom of Great Britain and Northern Ireland.

1.16 “UK Addendum” means the addendum to the Approved EU SCCs issued and published by the UK Information Commissioner’s Office on March 21, 2022. 

1.17 “U.S. Data Protection Laws” means any applicable U.S. privacy law or U.S. state privacy statutes and regulations relating to the protection of Personal Data, whether in existence as of the Effective Date or promulgated thereafter, as amended or superseded.

2.     SCOPE AND DURATION.

2.1  Rubrik enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates, if and to the extent Supplier Processes Rubrik Personal Data for which such Affiliates qualify as the Controller or a Processor. The Parties acknowledge and agree that in the context of the Agreement and this DPA, unless otherwise set forth in an attachment to this DPA, Supplier will act as the Processor to Rubrik who may act either as the Controller or Processor with respect to Rubrik Personal Data.

2.2  Supplier will Process Rubrik Personal Data for the Term of the Agreement, unless otherwise agreed to by the Parties in writing or pursuant to a requirement under Data Protection Laws.  The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit 1 to this DPA. Supplier shall impose all applicable contractual obligations from this DPA on employees, contractors, Subprocessors, and onward recipients that are at least as protective of Rubrik Personal Data as those set forth herein.

2.3 At Rubrik’s reasonable request, Supplier will also execute an additional agreement if required by applicable Data Protection Laws, such as a Business Associate Agreement.  With respect to any data that is subject to the GDPR or similar laws, Supplier acknowledges and agrees that the Standard Contractual Clauses and UK Addendum, as applicable, will apply to this DPA.
 

3.     INSTRUCTIONS. 

3.1 Supplier as Processor.  In the course of providing the Products and Services to Rubrik pursuant to the Agreement, Supplier (or its Subprocessor(s)) may Process Rubrik Personal Data on behalf of Rubrik for the following purposes: (i) Processing in accordance with the Agreement, this DPA and applicable Order Form(s); (ii) Processing initiated by Rubrik users in their use of the Supplier Products or Services; and (iii) any other purpose or instruction that is set forth in the Agreement.  Supplier shall not access, collect, store, retain, transfer, share, combine, use or otherwise process in any manner any Rubrik Personal Data, except to perform and provide the Products and Services, as applicable, pursuant to the Agreement associated with the purpose and categories detailed on Exhibit 1 to this DPA.  Supplier shall provide a list of all cookies, web beacons, local storage, and other tracking technologies (collectively, the “Tracking Technology”) used, along with the purpose of the Tracking Technology to comply with the transparency and notice requirements, and to the extent required, shall obtain the required consent as may be applicable under Data Protection Laws. 

3.2 Responsibilities.  Supplier shall inform Rubrik if it is unable to comply with a Processing instruction due to a legal requirement before Processing, unless that law prohibits such information from being disclosed to Rubrik. Further, Supplier shall immediately inform Rubrik if, in its opinion, an instruction infringes Data Protection Laws. Rubrik is solely responsible for the accuracy and legality of Rubrik Personal Data provided to Supplier.  However, Supplier shall make all reasonable efforts to ensure that Rubrik Personal Data is accurate and up-to-date at all times, while in its custody or under its control, to the extent Supplier has the ability to do so.  Supplier shall (and shall ensure that its Subprocessors) comply with Data Protection Laws in relation to its Processing of Rubrik Personal Data.

4.     SECURITY AND CONFIDENTIALITY.  Supplier shall ensure that persons authorized by Supplier to Process Rubrik Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Supplier will keep all Rubrik Personal Data secure from unauthorized access or other data processing, and maintain appropriate technical and organizational security measures to protect the security and confidentiality of Rubrik Personal Data against a Personal Data Breach, including without limitation, the security measures detailed in Data Security Schedule found here: https://www.rubrik.com/content/dam/rubrik/en/resources/policy/rubrik-data-security-schedule-2-0.pdf. In the event of a Personal Data Breach, Supplier will notify Rubrik without undue delay (and in any event within twenty-four (24) hours) after becoming aware of or reasonably suspecting a Personal Data Breach. Supplier will take reasonable steps to: (i) identify the cause of such Personal Data Breach; and (ii) take the steps necessary and reasonable to remediate the cause of such Personal Data Breach to the extent such remediation is within Supplier's reasonable control, including cooperating with Rubrik’s investigation and remediation efforts, mitigating damages and developing and executing a plan, subject to Rubrik’s approval, that promptly reduces the likelihood of a recurrence of the Personal Data Breach. To the extent Supplier has the information, Supplier will provide reasonable assistance to Rubrik with respect to Rubrik’s obligations under Article 33(3) of the GDPR and/or other applicable Data Protection Laws.

5.     AUDITS AND ASSISTANCE.

5.1  Supplier agrees to have audits performed by independent external auditors to verify its technical and organizational measures. Such audits will be conducted: (i) by a qualified independent third party; (ii) at least annually; (iii) in accordance with SOC 2 or ISO 27001 standards or substantially equivalent standards; and (iv) will result in an audit report ("Report"). Upon Rubrik's written request, and subject to the confidentiality obligations set forth in the Agreement, Supplier agrees to make available the Report and its applicable certifications in order to demonstrate the technical and organizational measures implemented by Supplier.

5.2  Supplier will provide reasonable assistance to Rubrik so that Rubrik may comply with Rubrik's obligations to perform a data protection impact assessment (or other assessments required under applicable Data Protection Laws) related to Rubrik’s use of the Products and Services, to the extent Rubrik does not otherwise have access to the relevant information and to the extent such information is available to Supplier.  Supplier shall provide reasonable assistance to Rubrik in the cooperation or prior consultation with the Supervisory Authority in relation to this DPA, to the extent required by GDPR. Further, Supplier will take such steps as are reasonably required to assist Rubrik in ensuring compliance with its obligations under Articles 32 to 36 of GDPR and/or any applicable Data Protection Laws taking into account the nature of the Processing.

5.3  Supplier will also provide information on Supplier’s compliance program and submit to a reasonable data security and privacy compliance audit by Rubrik, or at Rubrik’s request, by an independent third party, or customers of Rubrik, to verify compliance with the security and privacy standards set forth in this DPA, or applicable law, and any other applicable contractual obligations.

6.     RETENTION OF RUBRIK PERSONAL DATA. Supplier shall not (and shall ensure that its Subprocessors shall not), retain any Rubrik Personal Data for longer than is necessary for the performance of the Products or Services and/or the fulfillment of its obligations under the Agreement, or as required or permitted by applicable Data Protection Law. Upon expiration or termination of the Agreement, Supplier shall return or delete all Rubrik Personal Data following the termination of the Agreement within 30 days, unless such Rubrik Personal Data is required to be maintained by Data Protection Laws, in which case it shall be held in accordance with the terms of this DPA.

7.     SUBJECT ACCESS REQUESTS. Taking into account the nature of the Processing, Supplier shall (and shall ensure that its Subprocessors) provide full cooperation and assistance to Rubrik in ensuring that the individuals’ rights requests under Data Protection Laws are timely and appropriately addressed for the fulfillment of Rubrik’s obligation to respond without undue delay to requests by such individuals as required by Data Protection Laws. For the avoidance of doubt, Supplier will not respond directly to Data Subjects’ requests, but to the extent legally permissible, Supplier will advise the Data Subject to submit their request to Rubrik and Rubrik will be responsible for responding to any such requests.

8.     SUBPROCESSORS. Supplier will only appoint Subprocessors pursuant to Article 28(2) of the GDPR. Supplier represents and warrants that Supplier has provided to Rubrik, or has made publicly available via Supplier’s website, a list of all applicable Subprocessors Supplier currently uses in the provision of its Products and Services applicable to Rubrik.  Supplier warrants that it has conducted any required assessment under applicable Data Protection Laws including but not limited to a transfer impact assessment on Subprocessors that are subject to an onward transfer under Clause 8.7 of the SCCs. Supplier will notify Rubrik in writing within thirty (30) days prior to adding any new Subprocessors that may Process Rubrik Personal Data, and obtain Rubrik’s prior written consent to such Subprocessors. Should Rubrik reasonably object to a new Subprocessor, upon prior written notice, Rubrik may terminate the Agreement. Supplier shall enter into a written agreement with any applicable Subprocessors in accordance with the requirements under Data Protection Laws and such obligations will in no event be less protective of Rubrik Personal Data than this DPA.  Supplier will restrict the Subprocessor's access to only what is necessary to provide or maintain the Products and Services under the Agreement. Supplier will remain responsible and will be liable to Rubrik for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessors.

9.     DATA TRANSFERS.

9.1  Rubrik and Supplier agree that any transfers of Rubrik Personal Data outside the European Economic Area to a third country that has not been given an adequacy decision by the European Commission, shall be subject to the EU Standard Contractual Clauses found at EUR-Lex - 32021D0914 - EN EU SCCs, or other permitted transfer mechanisms as allowed per the GDPR, which is incorporated by reference and shall form part of this DPA. With respect to the EU Standard Contractual Clauses, they shall be deemed completed as follows:

a. Module Two (Controller to Processor) will apply, where the data exporter is Rubrik and the data importer is Supplier;
b. In Clause 7, the optional docking clause will not apply;
c. In Clause 9, option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set forth in Section 8 above;
d. In Clause 11, the optional language will not apply;
e. In Clause 17, Option 1 applies with the governing law being that of the Netherlands;
f. In Clause 18(b), disputes will be resolved before the courts in the Netherlands;
g. Annex I of the EU SCCs shall be deemed completed with the information set out in Exhibit 1 to this DPA;
h. Annex II of the EU SCCs shall be deemed completed with the information set out in the Data Security Schedule found here: https://www.rubrik.com/content/dam/rubrik/en/resources/policy/rubrik-data-security-schedule-2-0.pdf;
i. Annex III of the EU SCCs shall be deemed completed with the information that Supplier supplies to Rubrik or has made publicly available via Supplier’s website; and
j. The term that Supplier will process Rubrik Personal Data as required for Annex I of the EU SCCs shall be for the Term of the Agreement. 

9.2  In case of any transfer of Rubrik Personal Data from the UK, the parties agree that the UK Addendum to the EU SCCs shall be deemed executed by the parties upon any transfer of Rubrik Personal Data from the UK. The information required by the UK Addendum is as follows:

a. for Table 1 of Part One of the UK Addendum, it shall be deemed completed with the information set forth in Section 9.1(a) above and the Agreement;
b. for Table 2 of Part One of the UK Addendum, it shall be deemed completed with the information set forth in Section 9.1(a) (d) above; 
c. for Table 3 of Part One of the UK Addendum, Annex 1A is completed with Section 9.1(a) above, Annex 1B is completed with Exhibit 1 to this DPA, Annex II is completed with Section 9.1(h) above, and Annex III shall be completed with Section 9( above; and
d. for Table 4 of Part One of the UK Addendum, the box for “neither party” is selected.

9.3 In case of any transfers of Rubrik Personal Data from Switzerland, the following provisions apply: (i) general and specific references in the EU SCCs to GDPR, or EU or Member State Law, shall have the same meaning as the equivalent reference in the Swiss Data Protection Laws; (ii) in respect of data transfers governed by Swiss Data Protection Laws, the EU SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity; (iii) where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws; and (iv) for Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.

10.     PROCESSING RUBRIK PERSONAL DATA. 

10.1  In the course of providing its Products or Services and/or fulfilling its obligations under the Agreement and this DPA, Supplier shall (and shall ensure that any relevant Subprocessor shall):

10.1.1 ensure it does not cause Rubrik, through any intentional act or omission, to be in breach of any Data Protection Laws;

10.1.2 notify Rubrik promptly if Supplier (or a Subprocessor) is required by law, court order, warrant, subpoena, or other legal process to disclose any Rubrik Personal Data to any person other than Rubrik, the relevant Rubrik customer, or another sub-processor of Rubrik expressly approved in writing by Rubrik to receive such information, unless prohibited by applicable law from notifying Rubrik.  Unless prohibited by applicable law, Supplier will: (i) promptly notify Rubrik prior to such disclosure; (ii) cooperate with Rubrik in the event that Rubrik elects to legally contest such disclosure, ensure confidential treatment of such information, or otherwise attempt to avoid or limit such disclosure; and (iii) limit such disclosure to the extent legally permissible; 

10.1.3 notify Rubrik immediately in writing of any investigation, litigation, arbitrated matter or other dispute relating to Supplier’s (or Supplier’s Subprocessors’) information security or privacy practices; and

10.1.4 notify Rubrik in writing if it determines that it can no longer meet or comply with any applicable Data Protection Law.

11.     REMEDIES. 

11.1 Supplier acknowledges and agrees that, in the event of a breach of this DPA, neither Rubrik nor any affected Rubrik customer(s) will have an adequate remedy in damages. Therefore, Rubrik or any affected Rubrik customer(s) shall be entitled to seek injunctive or equitable relief, to immediately cease or prevent the Processing, use or disclosure of Rubrik Personal Data not contemplated by the Agreement, and/or to enforce the terms of the Agreement (including this DPA), and/or to ensure compliance with any Data Protection Laws.

11.2 Supplier shall indemnify Rubrik against any loss, liability, cost, damage and expense incurred as a result of a breach by the Supplier or its agents or Subprocessors of this DPA.

12.     ADDITIONAL PROCESSING OBLIGATIONS.

12.1 With respect to all applicable Data Protection Laws, including without limitation, the U.S. Data Protection Laws, that pertain to the Processing of Rubrik Personal Data, Supplier certifies its compliance with such applicable Data Protection Laws, including without limitation, Supplier’s obligations to: (i) provide the same level of privacy protection required by the applicable Data Protection Laws; and (ii) comply with the restrictions on sale, retention, use, sharing, combination, or disclosure of Rubrik Personal Data.  Supplier’s foregoing certification shall also extend to any additional obligations under this DPA to the extent such obligations fall under the certification requirement of applicable Data Protection Laws.

12.2 Supplier acknowledges and confirms that: (i) Rubrik is disclosing Rubrik Personal Data to Supplier solely for a valid business purpose and for Supplier to provide the Products and perform the Services as set forth in the Agreement; (ii) Supplier does not receive any Rubrik Personal Data as consideration for any Services or other items that Supplier provides to Rubrik; (iii) Supplier shall not have, derive, or exercise any rights or benefits regarding Rubrik Personal Data; (iv) Supplier shall not sell or share any Rubrik Personal Data, as such terms are defined in applicable Data Protection Laws; (v) Supplier shall not collect, combine, retain, or use any Rubrik Personal Data except as necessary to provide the Products and perform the Services for Rubrik and only within the direct business relationship with Rubrik; (vi) Supplier will make available all information necessary to demonstrate Supplier’s compliance with applicable U.S. Data Protection Laws and this DPA; and (vii) Supplier will promptly comply with any Rubrik request or instruction requiring Supplier to provide, amend, transfer or delete Rubrik Personal Data, or to stop, mitigate, or remedy any unauthorized Processing, and communicate such requirement or instruction to any applicable Subprocessor or onward recipient. 

12.3 Supplier represents and warrants that: (i) it has not purposefully created back doors (non-transparent access capabilities) or similar programming that could be used to access any Rubrik Personal Data, or any system implemented at Rubrik or on behalf of Rubrik that contains or accesses any Rubrik Personal Data, (ii) it has not purposefully created or changed its business processes in a manner that facilitates unauthorized access to Rubrik Personal Data or any system implemented at Rubrik or on behalf of Rubrik that contains or accesses any Rubrik Personal Data, and (iii) that any applicable laws do not require Supplier to create or maintain any back doors or facilitate unauthorized access to Rubrik Personal Data or any system implemented at Rubrik or on behalf of Rubrik that contains or accesses any Rubrik Personal Data, or for the Supplier to be in possession or to hand over any encryption key.

13.     LAW ENFORCEMENT ACCESS. Supplier will not disclose or provide access to any Rubrik Personal Data Processed by Supplier under this DPA to a law enforcement agency, unless required by law. If a law enforcement agency contacts Supplier with a demand for Rubrik Personal Data, Supplier will attempt to redirect the law enforcement agency to request that data directly from Rubrik. If Supplier is compelled to disclose or provide access to any Rubrik Personal Data Processed under this DPA to the law enforcement agency, Supplier will promptly notify Rubrik and provide a copy of the demand unless legally prohibited from doing so.

14.     CHANGES IN LAWS. In the event of: (i) any newly enacted Data Protection Law, (ii) any change to an existing Data Protection Law (including generally-accepted interpretations thereof), (iii) any interpretation of a new or existing Data Protection Law by Rubrik, or (iv) any material new or emerging cybersecurity threat, which individually or collectively requires a change in the manner by which Supplier is delivering any Products or Services to Rubrik, the Parties shall agree upon how Supplier’s performance of the Agreement will be impacted and shall make equitable adjustments to the terms of the Agreement.

Exhibit 1 to Data Processing Addendum

Description of Processing and International Transfer of Rubrik Personal Data

Categories of Personal Data:

The personal data transferred concern the following categories of data (please specify):

  1. Prospects, customers, business partners, and vendors of Rubrik; Employees or contact persons of Rubrik’s prospects, customers, business partners, and vendors; Employees, contractors, agents, vendors, and advisors of Rubrik; or Rubrik’s users authorized by data exporter to use the Services;

  2. Other data as defined in the Agreement;

  3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Data Subjects:
The personal data transferred concern the following categories of data subjects (please specify):

  • Prospects, customers, business partners, and vendors of Rubrik;

  • Employees or contact persons of data exporter’s prospects, customers, business partners, and vendors;

  • Employees, contractors, agents, vendors, and advisors of Rubrik

Special Categories of Data (if applicable)
Due to the nature of the Services, the exact types of Rubrik Personal Data cannot be determined by the Parties, and may vary depending on Rubrik’s use of Supplier’s Products and Services. 

Nature and Purpose of Processing

The nature and purpose of the Processing of the Rubrik Personal Data are set out in the Agreement and include:

  1. Provision of the relevant Products and Services;

  2. Delivering any additional services, including providing technical support, deployment, and solution/software development services, troubleshooting, detecting, investigating, mitigating, and repairing problems, including security incidents; and,

  3. Ongoing improvement by Supplier of the relevant Products and Services Activities, including without limitation, any maintenance, including installing the latest updates, and making improvements to the reliability, efficacy, quality, and security of the Products and Services.

The Period for which the Personal Data will be Retained: Rubrik Personal Data will only be retained during the period of performance of the Services, as established under the Agreement, or related order form, purchase order or quote. Within thirty days of termination or expiration of the Agreement, Supplier must return or destroy all Rubrik Personal Data that is in its possession.

Competent Supervisory Authority

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ DEN HAAG
Telephone number: (+31) – (0)70 – 888 85 00 https://autoriteitpersoonsgegevens.nl.en