General terms and conditions

Article 1: general

Controlin B.V. (‘Controlin’) is a private limited company having its registered office in Ridderkerk and is registered in the business register of the Chamber of Commerce under number 24407754.

Article 2 : applicability

All contracts are exclusively governed by Controlin’s General Terms and Conditions. Controlin reserves the right to change the General Terms and Conditions. The altered General Terms and Conditions will then also apply with regard to contracts that already exist.

Article 3: entering into contracts

All Controlin’s offers are fully without commitment and are made subject to errors and changes. The information regarding, among others, the wishes, requirements and in particular the specifications of the other party must be provided and known to Controlin timely, correctly, fully and in a comprehensible manner. The other party guarantees this.

Article 4: price adjustment, payment and breach

Controlin may adjust its prices at any time. Invoices are to be paid within thirty (30) days after the invoice date. In case of late payment the other party will automatically be in breach and will owe an administration fee of EUR 50 in addition to the statutory (commercial) interest. If Controlin takes debt collection measures to obtain the amount owing, the other party will also owe the (collection) costs actually incurred, with a minimum of EUR 350.

Article 5: cancellation

In case of cancellation by the other party, fifteen (15) % of the order price will be charged as cancellation costs, without prejudice to Controlin’s right to full compensation including lost profit. Goods already acquired by Controlin, whether or not any work or processing has been performed on such goods, must be purchased in case of cancellation. In the event of failure to do so the other party is bound to pay Controlin for all costs arising herefrom. Cancellation must be effected in writing and confirmed by Controlin.

Article 6: delivery time and transfer of risk

The agreed delivery time is indicative. A change in the delivery time specified by Controlin will not give any right to termination of the contract and/or compensation. The risk in the goods passes to the other party at the time of delivery.

Article 7: technical support

If technical support has been agreed, the work is explicitly limited to assisting the other party bringing about the functioning of only products delivered by Controlin.

Article 8: retention of title

All goods delivered by Controlin remain Controlin’s property until the other party has performed the obligations under all contract(s) made between the parties.

Article 9: guarantee

Any guarantee on the goods delivered by Controlin is limited to the manufacturer’s guarantee. No claim can be made on the guarantee for loss or damage resulting from incorrect, careless or inexpert use and/or use for purposes other than the normal business purposes.

Article 10: liability

Controlin’s contractual or extra-contractual liability for loss or damage arising from or connected with any shortcomings in the performance of the contract is limited to the amount that is paid out in a given case under Controlin’s liability insurance. If in a given case there is no cover and/or no payout for any reason whatsoever, the compensation obligation is limited to the invoice amount, with a maximum of EUR 25,000. Controlin is not liable for indirect loss, including but not limited to consequential loss, lost turnover and lost profit, lost savings and damage or loss due to business interruption. The other party indemnifies Controlin against any claims of third parties that suffer damage or loss in connection with the contract and which damage or loss is attributable to the other party.

Article 11: force majeure

In case of force majeure Controlin has the right to suspend the obligations under the contract(s), by a maximum of two months. After this time Controlin may terminate the contract in whole or in part without the need for judicial intervention. If at the time the force majeure situation arises Controlin has already performed part of the contract, this part will be invoiced as if it were a separate contract.

Article 12: applicable law and jurisdiction

These General Terms and Conditions have been drawn up in Dutch. The General Terms and Conditions have also been translated into English. The Dutch text is binding in case of any dispute regarding the content or purport. The legal relationship between Controlin and the other party is governed by Dutch law. Disputes will exclusively be adjudicated by the competent court in Rotterdam. The Vienna Sales Convention does not apply.

These General Terms and Conditions, version 010116, have been deposited with the Chamber of Commerce in Rotterdam under number 24407754 and can also be viewed on www.controlin.com.

GENERAL TERMS AND CONDITIONS FOR CLOUD SERVICES OF CONTROLIN B.V.

Article 1 – Definitions

“Initial Term”:                                                  The number of years stated in the Order, effective as of:

1. The date when Controlin gives the Client access to the Cloud Services; or
2. Two weeks after the Starting Date, depending on what occurs first.

“General Terms and Conditions”:             These General Terms and Conditions for Cloud Services.

“GDPR”:                                                              Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Order”:                                                             i) The order form (that is made available digitally or otherwise), ii) the order via the website, apps or applications or iii) an order via an external distribution network on the basis of which Controlin provides the Cloud Services to the Client and the Client receives the Cloud Services from Controlin in accordance with the conditions of the Contract.

“Cloud Services”:                                            The online Cloud Services, as described in further detail in the Order and made available by Controlin on its websites, apps and applications.

“Users”:                                                              All persons who have been authorised by the Client to gain access to the Cloud Services as described in further detail in the Order.

“Starting Date”:                                               i) The date when the Order is signed or ii) the date when the Cloud Services have been ordered by the Client by means of a Controlin online purchase environment, if this is available.

“Client”:                                                              The client stated in the Order.

“Contract”:                                                        The contract between Controlin and the Client, consisting of the Order, these General Terms and Conditions and any associated appendices.

“Controlin”:                                                       The relevant Controlin entity or trade name, such as Controlin B.V., Controlin GmbH, Energiemetershop.nl, Energymetershop.com, Stromzahlershop.de, with which the Contract is entered into and which charges the relevant Cloud Services.

“Controlin Platform”:                                    Controlin’s IT systems (including

software and hardware delivered by third parties) that are used to operate the Cloud Services. This includes but is not limited to the SKD flow.

“Confidential Information”:                        All information that is disclosed by or on behalf of a party

(in whatever manner, including in written, verbal, visual or electronic form, and regardless of whether this occurs before or after the date of the Contract), including all business, financial, commercial, technical, operational, organisational, legal, management and marketing information that is either marked as confidential or that can reasonably be deemed to be confidential in the normal course of business.

Article 2 – Applicability

• These General Terms and Conditions for Cloud Services apply to and are explicitly included in the Contract and all subsequent contracts entered into between Controlin and the Client in connection with the Cloud Services.
  • Applicability of the Client’s general terms and conditions is hereby explicitly excluded.

Article 3 – The Cloud Services

• The Client is given a non-exclusive and non-transferable right to make use of the Cloud Services selected in the Order, which right applies only for the purposes described in the Order.
  • The following matters are the Client’s responsibility:
    • Implementing and following Controlin’s instructions, manuals and documentation relating to the Cloud Services;
    • Ensuring that he possesses suitable and properly functioning hardware (including IT, computers and mobile devices), software and internet access to the Cloud Services with sufficient capacity (collectively called the “IT Infrastructure”);
    • Ensuring that he has implemented adequate technical and organisational measures for the security of his IT Infrastructure;
    • The transfer of data between the Client’s IT Infrastructure and the Controlin Platform; and
    • The correct configuration of the Cloud Services and the Client’s IT Infrastructure, including the interchangeability thereof.
  • The Client is offered a perpetual, non-exclusive, non-transferable right to use the results of the Cloud Services for his own internal purposes, unless explicitly otherwise permitted in writing by Controlin.

• Unless specifically otherwise agreed, the Cloud Services are provided without guarantees, including i) guarantees relating to the availability of the Cloud Services, errors and bug fixes, extra functionalities, service requests, consequences and interoperability, and ii) guarantees relating to the information that is provided via the Cloud Services, and the accuracy, completeness or application of such information. For the avoidance of doubt, it is explicitly stated that Controlin does not accept any liability for the above.
  • In addition, the Client acknowledges and agrees that Controlin cannot guarantee that the Client can successfully use the Cloud Services for the intended use, that these will be available continually or with a consistent quality and connectivity level, because such use is partly dependent on circumstances beyond Controlin’s reasonable control, including circumstances for which the Client is responsible pursuant to this Article 3.
  • Controlin has the right to modify the Cloud Services, including the appearance, functionalities, content and interoperability with the Client’s IT Infrastructure.
  • Controlin has the right to suspend the delivery of Cloud Services to the Client (in whole or in part) if the Client, in Controlin’s reasonable opinion, does not perform an obligation in the Contract.

Article 4 – User names and passwords

• The Client will provide Controlin with the necessary access details such as account names, user names and e-mail addresses of the Main User, being the Client’s administrator. The administrator can create user accounts himself. The Client is responsible for keeping all access details (including user names and passwords) secret and will ensure that the Users also have this responsibility.
  • The Client is responsible and liable for any use of the Cloud Services if a User has gained access to such a service via the Client’s access details, even if the Client has not agreed to such use or was not aware of such use.
  • The Client will not permit third parties to use the Cloud Services, unless it has Controlin’s prior

written consent. Controlin can arrange this for the Client.

• The Client will ensure that, unless explicitly otherwise stated, account details (including user names and passwords) and any individual use of the Cloud Services by means of such an account is limited to a specific person, and are not, for example, shared with other people.

Article 5 – Fees and payment

• The Client will pay Controlin for providing the Cloud Services in accordance with the costs stated in the Order. The costs are excluding VAT and must be paid within 30 days after receipt of the invoice for the Cloud Services, or as otherwise stated on such an invoice.
  • The costs are fixed for the Initial Term and Controlin can adjust them after that as of the first day of every extra period of one year, on condition that

Controlin has informed the Client thereof at least three (3) months in advance.

• The costs are owed annually in advance, or as otherwise stated in the Contract. If the Client defaults on timely payment under the Contract:
  • the Client will be in breach of performance of the Contract without any notice of breach being required and all Controlin’s claims on the Client will be immediately due and payable;
  • the Client is obliged to pay the statutory interest for commercial debts over the outstanding amount as well as all judicial and extrajudicial costs that Controlin makes with regard to the recovery and collection of an outstanding amount;
  • Controlin reserves the right to suspend the Client’s access to and the use of the Cloud Services until all outstanding amounts (including interest and costs) have been paid; and
  • the costs of suspension and reactivation are at the Client’s expense.
  • All payments to be made by the Client are to be effected without set-off or suspension.

Article 6 – Liability and indemnification

• Without prejudice to Article 6.3, Controlin is in no case liable on the basis of contract, tort (including in any event negligence), incorrect representations (other than deliberate misrepresentations), a breach of a statutory duty or otherwise, for lost profit, loss of expected savings, income loss, business loss, loss of or damage to data, loss of use, loss of goodwill, loss in relation to delays, penalties, fines or indirect loss or consequential loss of any nature whatsoever.
  • Without prejudice to Articles 6.1 and 6.3, Controlin’s total liability on the basis of contract, tort (including in any event negligence), incorrect representations (other than deliberate misrepresentations), a breach of a statutory duty or otherwise, is limited to the net price paid or to be paid by the Client in the twelve (12) months preceding the date when the loss or the damage occurred.
  • Nothing in the Contract is deemed to exclude or limit Controlin’s liability with regard to:
    • Loss or damage caused by intent or gross negligence of Controlin or the officers, employees, agents or contractors of Controlin; or
    • Personal injury to or death of a person, caused by Controlin or the officers, employees, agents or contractors of Controlin.

• Controlin must be informed of claims relating to loss or damage within four (4) months of the date when the loss or damage was caused. Failure to do so will be deemed a waiving of the right to present such claim.
  • The Client will defend, indemnify and hold harmless Controlin against claims, demands, lawsuits, losses, damage, expenses and costs (including but not limited to court costs and reasonable legal expenses) arising from or connected with the use of the Cloud Services by a third party that the Client permits to use the Cloud Services.
  • If the Client holds HB Holding B.V. and/or Widhekeer BV, the shareholding holdings of the Controlin Group, liable on the basis of a statement issued by it as referred to in Article 2:403(1)(f) of the Dutch Civil Code for debts of Controlin arising from the Contract, HB Holding B.V. and/or Widhekeer BV can invoke the same limitations of liability with regard to the Client laid down in these General Terms and Conditions that Controlin can invoke with regard to the Client.

Article 7 – Data protection

• The Client guarantees to Controlin that he will act in accordance with the applicable (Privacy) legislation and in accordance with all other (local) laws and regulations, including but not limited to implementation- and sector-specific laws and regulations, that he will adequately secure his systems and infrastructure at all times and that the content, the use and/or the processing of the data are not unlawful and do not infringe any third party rights.
  • Insofar as Controlin processes personal data in the framework of the performance of the Contract:
    • the Client guarantees to Controlin that he has the right to gather or instruct the gathering of this personal data and he has the right to processing of this personal data by or to have such personal data processed by (sub-processors of) Controlin and that he has informed the individuals whose personal data could be processed by Controlin (the “Data Subjects”) hereof in the legally correct manner and that he has the written consent of these Data Subjects insofar as required by law;
    • Controlin guarantees to the Client that as controller it is acting in accordance with

the obligations directly imposed on it by the GDPR; and

• the data processing agreement in Appendix 1 applies to said data processing.
  • Controlin has the right to transfer personal data to a country outside the European Economic Area if the conditions of Chapter 5 of the GDPR have been satisfied or the GDPR does not apply to Controlin in respect of the transfer of data in question.

• The Client indemnifies Controlin against any claim of a third party or Data Subject, including any penalties and administrative fines that have been imposed on Controlin by a supervisory body or other government agent, as a result of or in connection with the performance of this Contract in contravention of (local) laws and regulations and/or a breach by the Client of the provisions in this Article 15. The Client will provide the necessary information and cooperation to Controlin in order to avert the imposing of or reduce a penalty or administrative fine or some other loss heading.

Article 8 – Intellectual property

• With the exception of the qualified rights that are explicitly granted in Articles 3.1 and 3.3, Controlin reserves all rights to, ownership of and interests in the Cloud Services, including all associated intellectual property rights. The Client will be granted no other rights than the rights explicitly stated in these General Terms and Conditions.
  • Controlin is the exclusive owner of all rights to, ownership of and interests in (including intellectual property rights) software code, algorithms and know-how, capacities or data generated and/or gathered by the Controlin Platform in the operation of the Cloud Services. Insofar as necessary the Client hereby transfers all such rights, ownership and interests (including intellectual property rights) to Controlin, who hereby accepts this transfer. For the avoidance of doubt, the above only relates to technical and analytical data relating to the operation and the use of the Controlin Platform and the Cloud Services themselves, not to the data of the Client and User, which at all times belongs to the Client, User or a third party.
  • Except as permitted in the Contract, the Client will not (i) make any derivative works based on the Cloud Services, (ii) copy, frame or mirror any part or content of the Cloud Services, (iii) apply reverse engineering to the Cloud Services, or (iv) use the Cloud Services to (a) develop a competing product or competing service, or (b) copy features, functions or graphic material of the Cloud Services.

Article 9 – Confidentiality

• The party that receives Confidential Information will apply the same degree of care as it applies in protecting the confidentiality of its own confidential information of a similar nature (but in no case less than reasonable care) and agrees
  • not to use Confidential Information of the disclosing party for any

purpose outside the framework of the Contract, and

• except in the case of written consent from the disclosing party to the contrary, to limit access to Confidential Information of the disclosing party to its employees, affiliated undertakings, contractors and agents that need such access for purposes in accordance with the Contract and who have signed non-disclosure agreements with the receiving party that contain protective measures that are no less stringent than the protection laid down in these General Terms and Conditions.
  • If the Contract is terminated, the receiving party will immediately return or destroy all Confidential Information of the disclosing party at the request of the disclosing party.

• The receiving party can disclose Confidential Information of the disclosing party if this is required by law or regulatory requirements, on condition that the receiving party notifies the disclosing party in advance of this disclosure (insofar as legally permitted) and reasonably cooperates, at the expense of the disclosing party, if the disclosing party wishes to dispute the disclosure.
  • The conditions of the Contract are confidential and may not be disclosed by either

Party without the prior consent of the other party.

Article 10 – Duration and termination

1. The Contract starts on the Starting Date and ends after the Initial Term. After the Initial Term, the Contract will automatically be extended for successive additional periods of one (1) year each time (or a period that the parties have agreed in writing), unless one of the parties has notified the other party in writing of its intention not to extend the Contract, and gives such notice at least three (3) months before the date when the Contract would otherwise have been extended.
   1. Without prejudice to its other rights arising herefrom, each Party can, after giving written notice to the other party, terminate the Contract with immediate effect, if:
      1.          the other party is in material breach of the Contract, and this breach has not been rectified within 30 (thirty) days after written notice of the breach;
      1. the other party is granted a (provisional) moratorium on payment or is declared bankrupt or if a decision is made or a petition is filed for the liquidation of the other party, the other party has called a meeting of creditors or has made an arrangement with creditors or has proposed to enter into such an arrangement; or

(iii)         a force majeure situation lasts longer than sixty days.

Article 11 – Miscellaneous

1. The Contract forms the entire agreement between the parties and takes the place of any prior arrangements, agreements or contracts between them with regard to the subject-matter of the Contract.
   1. None of the parties may assign, transfer or alienate its rights under the Contract in whole or in part without the prior written consent of the other party.
   1. The invalidity or unenforceability of a provision of the Contract will not affect the validity or enforceability of the rest of the Contract, and the parties will use all reasonable endeavours to reach agreement within a reasonable period of time on lawful and reasonable deviations from the Contract that as much as possible have the same effect as the invalid or unenforceable provision would have had.

1. An amendment of the Contract is only valid or binding if it is effected in writing. Controlin has the right, however, to change these General Terms and Conditions, and such change applies to the Contract as of the date when the change is published on the Controlin website.
   1. This Contract and all disputes associated herewith regarding the entering into, the interpretation and the performance of the Contract are exclusively governed by Dutch law, without regard to the rules of International Private Law on the conflict of laws and without application of the Vienna Sales Convention (CISG). All disputes arising from or connected with this Contract will definitely be adjudicated in one of the following two ways: (I) if both parties – at the time that such a dispute is brought – are domiciled in the Netherlands or in a country that has a convention on the recognition and enforcement of judgments with the Netherlands, such dispute will exclusively be brought before the competent court in The Hague, the Netherlands; or (ii) if a party – at the time that such a dispute is brought – is domiciled in a country outside of the Netherlands or in a country that does not have a convention on the enforcement of judgments with the Netherlands, such a dispute will exclusively be adjudicated in accordance with the Arbitration Rules of the International Chamber of Commerce (ICC Rules) by one arbitrator with a background in the applicable law that applies to this Contract, whereby said arbitrator will be appointed in accordance with said rules and the arbitration proceedings will be held in The Hague in the Netherlands, in English.

APPENDIX 1 – DATA PROCESSING AGREEMENT

In this data processing agreement (1) the Client is referred to as the “Controller” and (2) Controlin is referred to as the “Processor”. The Controller and the Processor will collectively be referred to as the “Parties”. Unless otherwise stated, the definitions laid down in Controlin’s General Terms and Conditions for Cloud Services apply to this Appendix 1.

BACKGROUND

• In the framework of the performance of the Contract, the Processor can process personal data on behalf of the Controller, and the Parties wish to further arrange this by means of the data processing agreement in this Appendix 1 (the “DPA”).

THE PARTIES HEREBY AGREE AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION
   1. In this DPA the following words and sentences have the following meaning, unless otherwise indicated:

“Data Subject”: a natural person whose personal data is processed in the framework of the Contract and who can be directly or indirectly identified, in particular based on an identification number or on one or more  factors that are characteristic of the physical, physiological, psychological, economic, cultural or social identity of that person;

“Security Incident”: a security breach that accidentally or unlawfully leads to the destruction, loss, alteration of or unauthorised access to transferred, stored or otherwise processed personal data of (a) Data Subject(s); and

“Outsource” and “Outsourcing”: the process whereby one of the two Parties instructs a third party to perform its obligations under this DPA; and

“Sub-Processor”: the party to whom the Processor outsources the obligations.

1. In case of conflict between the provisions of this DPA and the Contract, the provisions of this DPA will prevail when it comes to the processing of personal data. The provisions of the Contract prevail for the rest.

2. PROCESSING OBLIGATIONS

• The Processor will only carry out actions relating to the personal data to be processed on behalf of the Controller as stipulated in the Contract, this DPA or otherwise based on the written instructions of the Controller, unless a provision laid down in EU law or the law of a member state applicable to the Processor obliges him to process the data. In that case the Processor will notify the Controller, prior to the processing, of that legal obligation, unless the law in question prohibits such notification on significant public interest grounds.

• The Controller will ensure that its instructions for the processing of personal data are in accordance with the GDPR and other applicable (local) (Privacy) laws and regulations.

3. SECURITY

• The Processor will take appropriate technical and organisational security measures to guarantee a security level geared to the risk. When determining the measures, the Processor will take account of the state of the art, the implementation costs, and the nature, the scope, the context and the processing goals and the various risks to the rights and freedoms of persons that differ in terms of probability and severity.
  • In addition to the general obligation set out in Article 3.1, such technical and organisational security measures will encompass, as a minimum standard of protection, compliance with the security measures set out below in Article 3.3.
  • As a minimum requirement, the Processor will take proper account of the following kinds of security measures:
    • Information security management systems;
    • Physical security;
    • Access control;
    • Security- and Privacy-promoting technologies;
    • Awareness, training and security checks relating to the personnel; and
    • Incident management/Response management/Continuity of operations.

4. SECURITY INCIDENTS

• The Processor will take technical and organisational security measures to

comply with the obligations in the GDPR relating to Security Incidents.

• If a Security Incident occurs, the Processor will notify the Controller thereof without undue delay and he will provide the first known information relating to the nature and the (categories of) Data Subjects and personal record registers affected by the Security Incident.
  • The Controller acknowledges that the Processor must immediately take all necessary and appropriate corrective measures to rectify possible shortcomings in his technical and organisational security measures, and the Controller will provide the Processor with reasonable support upon his first request.

5. CONFIDENTIALITY

• The Processor agrees that he will treat the personal data of Data Subjects confidentially and will ensure that his personnel undertakes to keep the personal data confidential.
  • Within 30 days after the termination or end of this DPA, the Processor will destroy all existing copies of personal data of Data Subjects, unless i) this is prohibited by law or

ii) additional agreements have been made with the Controller on returning this personal data.

• Article 5.1 is without prejudice to independent confidentiality obligations agreed between the Parties.

6. COOPERATION

• Insofar as possible, the Processor will reasonably cooperate with the Controller to enable Data Subjects to exercise their rights, including the right of access to their personal data and the right to rectification, erasure, restriction or portability of their personal data and the processing thereof.
  • The Processor will cooperate with the Controller in the performance of a data protection impact assessment and prior consultation with the supervisory authority, insofar as such is possible in connection with the information available to him and the nature of the processing.
  • The Processor reserves the right to charge the Controller his regular hourly rate for his cooperation.

7. OUTSOURCING

• The Controller acknowledges and agrees that the Processor can outsource his obligations under this DPA, by means of a written agreement, to Sub-Processors who offer a similar level of protection of the personal data of Data Subjects as is required of the Processor under this DPA, including but not limited to outsourcing to Microsoft
  • The Processor will notify the Controller of intended changes in relation to adding or replacing other Sub-Processors, whereby the Controller will be given the opportunity to object to such changes. If the Controller maintains his objection, he can only and exclusively claim termination of the Contract on condition that he pays all fees and costs for the remaining term of the Contract.

8. AUDIT

• Upon first request the Processor will make available to the Controller the information that is reasonably necessary to demonstrate that the obligations of this DPA have been performed and, if available, he will provide the Controller with certificates issued by independent external auditors (such as ISO certificates) evidencing such.
  • The Controller has the right to audit the Processor’s compliance with this DPA up to one time per contract year at the Controller’s expense, if the Controller is, at its sole discretion, of the opinion that the right pursuant to Article 8.1 is not sufficient in an individual case, or if a competent data protection authority requests such. At the election of the

Controller and with the approval of the Processor, such an audit will be carried out by i) the Processor or ii) a qualified, independent external security auditor (the “Auditor”). During such an audit the Auditor can access the Processor’s facilities during normal office hours and, without this having unreasonable consequences for the Processor’s activities, in particular without consequences for the Processor’s overall IT security, he can inspect the Processor’s work routines, set-ups and technical infrastructure.

• The Processor can demand a fee for his efforts to carry out audits and/or make audits possible. The Processor will provide support in the form of a maximum of one man-day per audit without extra costs for the Controller.
  • If the Auditor’s audit report shows that the measures taken and facilities provided by the Processor do not comply to a sufficient degree with this DPA, the Parties will consult on the manner in which the Processor can take the necessary measures to bring about compliance.

9. DURATION AND TERMINATION

After the Contract has been terminated or come to an end, this DPA will remain in effect as long as the Processor processes personal data of Data Subjects, after which this DPA will automatically end.