Data Processing Agreement
Revised 3 February 2020
Datylon BV, with principal offices at Lange Gasthuisstraat 29, 2000 Antwerp, Belgium and registered under the company number BE0521.941.360 (“Processor”);
Customer, hereafter “Controller”;
each a “Party” and collectively the “Parties”.
- A: An agreement, the Datylon Customer Agreement (hereinafter the “Main Agreement”), has been concluded between the Controller and the Processor whereby the Processor (on a self-employed basis) will perform for the Controller services related to the Agreement; the aforementioned indication of the Parties as Controller and Processor is consistent with the terms and definitions given within the GDPR;
- B: In the performance of the Main Agreement, the Processor will receive and process Personal Data for the benefit of the Controller and according to its instructions; specific legislation applies to such Processing;
- C: The legislation applicable to these services includes, among others, the GDPR with possible implementing laws;
- D: The aforementioned designation of Parties as Controller and Processor corresponds to the terminology used in the applicable legislation referred to;
- E: By means of this agreement (hereafter the “Agreement”) Parties wish to lay down their specific agreements with regard to the Processing of Personal Data within the framework of the Main Agreement.
Parties agreed as follows:
Article 1: Definitions
“Belgian Privacy Law”: means the Law of 30 July 2018 for the protection of privacy with regard to the processing of personal data.
“Consent”: of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her;
“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided by Union or Member State law;
“Data Subject”: a natural person who is identified or identifiable by the Personal Data;
“GDPR”: Regulation (EU) 2016/679 of the European Parliament and of Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
“Personal Data”: means any information relating to an identified or identifiable natural person (the “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“(Personal) Data Breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
“Processing”: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor”: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
“Subprocessor”: refers to any Third Party that is involved in the Processing of Personal Data by the Processor with the permission of the Controller;
“Supervisory Authority”: refers to the independent government body that is responsible for monitoring the application of the GDPR;
“Third Party”: a natural or legal person, a government agency, a service or other body, not being the Data Subject, neither the Controller nor the Processor, nor the persons authorized under direct authority of the Controller or the Processor to process the Personal Data;
All other terms with capital letters, not defined in this article, will have the meanings given to them in the GDPR.
Article 2: Object of this Agreement
2.1. This Agreement determines the conditions of the Processing by the Processor of the Personal Data communicated by or at the initiative of the Controller and in the context of the Main Agreement; this Processing will exclusively take place for the benefit of the Controller.
2.2. The nature and purpose of the Processing, a list and the type of Personal Data as well as the categories of the Data Subjects, taking into account the services to be performed, are detailed in Annex I.
2.3. The Processor will only process the Personal Data according to the documented instructions of the Controller, and will not use these Personal Data for its own purpose; the Processor will never transfer the rights resulting from this Agreement to a Third Party without the prior written consent of the Controller.
2.4. If the Processor is legally obliged to proceed with any Processing of Personal Data, the Processor, unless this would violate applicable mandatory rules, will inform the Controller of such obligation.
Article 3: Compliance with data protection regulation
The Controller and the Processor are obliged to comply with their obligations under applicable legislation (but possibly also codes of conduct, standard contractual clauses, other related regulations).
Article 4: Term
4.1. This Agreement is applicable to every Processing of Personal Data executed in the context of the Main Agreement.
4.2. This Agreement applies as long as the Processor processes Personal Data made available by the Controller in the context of the Main Agreement. This Agreement ends upon termination of the Main Agreement; the provisions of this Agreement that are either expressly or implicitly (given their nature) intended to have effect after termination of the Agreement (including without being limited to Articles 8, 9, 12, and 19 of this Agreement) shall survive the end of this Agreement as regards the Personal Data communicated by or at the initiative of the Controller in the context of the Main Agreement.
Article 5: Technical and organizational protection measures
The Processor offers adequate guarantees with regard to the implementation of appropriate technical and organizational measures so that the Processing complies with GDPR requirements and that the protection of the Data Subject's rights is guaranteed.
Article 6: Records of Processing activities
Each Party and, where applicable, their representatives, shall maintain a register of the processing activities under their responsibility. Each such register shall contain all legally required data.
Article 7: Data Protection Officer
If required by law, the Controller and/or the Processor will appoint a Data Protection Officer. The name and the contact details of the Data Protection Officer can be found in Annex I.
Article 8: Storage of Personal Data
8.1. The Processor will not keep the Personal Data any longer than as required for Processing of such Personal Data in the context of the Main Agreement. The Controller will not instruct the Processor to store any Personal Data longer than necessary. The standard storage period can be found in Annex I.
8.2. Unless storage of the Personal Data is mandatory under Union or Member State law, the Processor shall, within a reasonable period after the end of the Processing services, at the option of the Controller, either erase all Personal Data or return it to the Controller and delete existing copies.
Article 9: Security
9.1. The Controller and the Processor shall take all appropriate technical and organizational measures as referred to in Article 32 GDPR to ensure a level of security appropriate to the risk. The measures taken by the Processor are shown in Annex II.
9.2. The Processor shall, taking into account the nature of the Processing and the information available, assist the Controller in ensuring compliance with the obligations resulting from Articles 32 to 36 GDPR. The Controller will reimburse the Processor for services rendered in the context of providing assistance in fulfilling the aforementioned obligations according to Article 17 “Costs” of this Agreement.
9.3. Only those agents of the Processor who are involved in the Processing of Personal Data may be informed about the Personal Data. The Processor ensures that persons authorized to process the Personal Data are committed to confidentiality by contract or are under an appropriate statutory obligation of confidentiality.
9.4. The Processor may only provide Personal Data to Third Parties with the prior written approval of the Controller.
Article 10: Code of conduct and certification
Adherence by the Processor to an approved code of conduct as referred to in Article 40 GDPR, or an approved certification mechanism as referred to in Article 42 GDPR may be used as an element of proof of sufficient guarantees as referred to in GDPR.
Article 11: Data Subject’s rights
11.1. Taking into account the nature of the Processing, the Processor shall use best efforts, by taking appropriate technical and organizational measures, to assist the Controller in the fulfillment of its obligation to respond to requests from Data Subjects.
11.2. For all services performed by the Processor in the context of the treatment of such requests from Data Subjects, the Controller will pay the Processor in accordance with Article 17 of this Agreement.
Article 12: Duty to notify
12.1. Upon becoming aware of a Personal Data Breach, each Party shall notify the other Party thereof without undue delay. In the event that not all information is simultaneously available, the Processor will complete it without undue delay.
12.2. At the request of the Controller, the Processor will cooperate with the investigation and elaboration of the measures necessary in case of any Personal Data Breaches.
12.3. The Controller will reimburse the Processor for the services rendered for the investigation of Personal Data Breaches and the elaboration of necessary measures according to Article 17 of this Agreement.
12.4. The Parties will keep each other informed of any new developments with regard to any Breach and of the measures they take to limit its consequences and to prevent the repetition of such Breach.
12.5. It is the responsibility of the Controller to report any Personal Data Breach to the Supervisory Authority or the Data Subject, as required.
Article 13: Subprocessing
13.1. By signing this Agreement, the Controller authorizes the Processor to engage Subcontractors for the processing of Personal Data. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any Subcontractor. The Controller can only refuse a Subcontractor proposed by the Processor on the basis of a well-founded justification submitted in writing.
13.2. The Processor will conclude a separate agreement with each Subcontractor.
13.3. In this subcontracting agreement, the same data protection obligations as set out in this Agreement shall be imposed on the Subcontractor.
13.4. In the event the Subcontractor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the obligations of that Subcontractor in accordance with Article 19 of this Agreement.
Article 14: Transfers of Personal Data
14.1. The Processing of Personal Data will exclusively take place within the EEA.
14.2. The Processing or transfer of Personal Data outside the EEA can only occur with the specific prior written consent of the Controller and/or in accordance with appropriate safeguards pursuant to applicable legislation such as:
a) (partial) replacement of this Agreement by standard contractual clauses approved by the European Commission (referred to in Article 28 paragraph 6 GDPR); or
b) signing of or compliance with standard contractual clauses, codes of conduct or any other instruments adopted by the European Commission, the application of which ensures that the transfer of Personal Data to a country outside the EEA complies with appropriate safeguards as required by the GDPR.
14.3. Controller grants Processor permission to transfer Personal Data to a third country or to an international organisation, as set out in Annex I (Information relating to the Processing). Any change or addition to the list as mentioned in Annex I (Information relating to the Processing), proposed or needed by Processor, shall be notified to Controller prior to any such transfer taking place. Controller shall have the right to object to such transfer within five (5) days of notification of the change. Parties shall jointly agree on whether or not the transfer shall move forward and the consequences thereof on the provision of the Services in terms of, among other factors, scope, timing and budget.
14.4. Consent of the Controller is not required when the transfer of Personal Data to countries outside the EEA is mandatory under EU or Member State law provisions.
Article 15: Data Protection Impact Assessment and prior consultation
15.1. When a ‘Data Protection Impact Assessment’ or a ‘prior consultation’ is required according to Articles 35 and 36 GDPR, the Controller will implement such assessment. At the request of the Controller, the Processor will assist in this assessment as well as in the compliance with any required measures.
15.2. The Controller will reimburse the Processor for the services so rendered in relation to this assessment and the compliance with any required measures in accordance with Article 17 of this Agreement.
Article 16: Audit – inspection
16.1. Each Party shall allow the other Party and its authorized auditors to perform audits regarding the compliance by a Party with its obligations under this Agreement and the applicable legislation in respect of data protection.
16.2. Each Party shall use best efforts to cooperate with those audits and to make available to the other Party all information necessary to prove compliance with the obligations of such Party. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the applicable legislation. The auditing Party will compensate the services provided on a time and material basis (at standard rates applicable at that moment in time).
16.3. Upon the performance of any such audit, the confidentiality obligations of the Parties with respect to Third Parties must be taken into account. Both the Parties and their auditors must keep the information collected in connection with an audit secret and use it exclusively to verify the compliance by the other Party with this Agreement and the applicable laws and regulations in respect of data protection.
16.4. The Controller and the Processor and, where applicable, their representatives, shall cooperate, upon request, with the Supervisory Authority in the performance of its tasks.
Article 17: Costs
17.1. The services to be performed under this Agreement for which the Processor may charge the Controller, will be charged on the basis of the hours worked and the applicable standard hourly rates of the Processor. The Processor will invoice these amounts on a monthly basis.
17.2. Payment by the Controller to the Processor for the services under this Agreement will take place in accordance with the provisions in the Main Agreement.
Article 18: Notice of default
When the Processor fails to comply with its obligations under this Agreement, the Controller shall first send a registered notice of default. This notice shall clearly mention the defaults that occurred, and, if redress is possible, a proposal of remedial measures and a reasonable term for their implementation.
Article 19: Liability
19.1. Limitations of liability in the Main Agreement are applicable to this Agreement.
19.2. The Processor is in any case only liable for the direct damage caused by Processing if it (a) did not comply with its specific obligations of the GDPR, or (b) acted outside or in violation of the lawful instructions of the Controller.
Article 20: Other provisions
If any provision in this Agreement or part thereof should be rendered invalid or void, the remainder of such provision and the Agreement shall remain valid. The invalid or void provisions shall be reduced to the maximum extent permitted under applicable law.
The provisions of the Main Agreement concerning changes, completeness of the agreement, applicable law and competent court are applicable to this Agreement.
- Annex I: Purpose and goal of the Processing and Personal Data
- Annex II: Appropriate technical and organizational measures
Annex I: Purpose and goal of the Processing and Personal Data
(a) The object of the Processing;
The personal data concern Authorized Users of the Datylon products, in addition to individuals whose personal data is supplied by Authorized Users of the Datylon products.
(b) Nature and purpose of the Processing;
The personal data is processed for the purposes of providing the Datylon Products in accordance with the Agreement.
(c) Kind of Personal Data;
- Direct identifying information (e.g., name, email address, telephone).
- Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
- Indirect identifying information (e.g., job title, gender, date of birth).
(d) Categories of Data Subjects being processed by Processor;
Datylon does not knowingly collect (and Customer or Authorized Users shall not submit or upload) any special categories of data (as defined under the Data Protection Legislation).
(e) Standard retention period;
1 year after termination of the Customer Agreement
(f) Name and contact details of the Data Protection Officer or the contact person for matters relating to Processing: Rutger Claes; DPO@datylon.com; Datylon, Lange Gasthuisstraat 29, 2000, Antwerpen, Belgium
(g) Transfer of Personal Data:
- Transfer of Personal Data to the countries listed herein is permitted pursuant to an adequacy decision (N/A);
- Following countries are deemed to provide appropriate safeguards for the transfer of Personal Data (N/A);
- Transfer to the following countries is permitted (Belarus, for helpdesk and customer support purposes solely).
Annex II: Appropriate technical and organizational measures
Datylon has developed appropriate technical and organizational measures, safeguards and assurances to Process your Personal Data in accordance with applicable Belgian and European regulations, in particular to protect your Personal Data against loss, misuse, or unauthorized alteration. Datylon maintains a team of technicians, automated systems, and advanced technologies, such as:
- Security and risk plan
- Security policy
- Adequate employee awareness and training
- Disclosure procedure
- Information classification
- Disciplinary measures in case of non-compliance with these measures
- Disaster recovery plan
- Business continuity plan
- Back-up system(s)
- Adequate data encryption
- Physical and logical access control
- Authentication and authorization systems
- Password policy
- Logging & intrusion detection
Datylon makes all reasonable and appropriate efforts to protect the confidentiality of your Personal Data.
Despite the above measures taken by Datylon, you should be aware that there are always risks associated with sending Personal Data over the Internet. The security and protection of your Personal Data can never be fully guaranteed.