Data processor agreement

 

PERSONAL DATA PROCESSING AGREEMENT

 

(abbreviated “Data processing agreement”)



BETWEEN



The Client hereinafter referred to as the “Controller”,



AND

 

Gemsotec hereinafter referred to as the “Processor”,



WHEREAS

 

  1. The Controller collects and manages personal data in order to process and use them to automate tasks such as mobile inspections in the field, assigning tasks and giving instructions and to plan and manage tasks. 
  2. The applicable Data Protection legislation (i.e. for example the General Data Protection Regulation and national data protection laws) requires the Controller to enter into a data processing agreement with the Processor.
  3. The Controller wishes to process this personal data under the provisions mentioned below and entrust this to the Processor which has developed the GoRound application. The GoRound application automatically logs the business operations of the Client, making it possible to generate KPIs and visualise data of equipment and parameters in order to allow mobile inspections in the field, mobile work instructions and the planning, task management and data analysis. The Processor will process personal data of employees of the Client for the following purposes:

 

  • for the login on the GoRound application
  • to assign tasks to an employee
  • to log inspections performed by an employee



  4. The Processor will process Personal Data (as further defined below) on behalf of the Controller.
  5. The Processor has declared and established credibly that he has the necessary competence and capacity to be able to properly perform this data processing and that he meets all legal requirements for this processing and can perform the processing while taking into account all statutory provisions.
  6. The Parties have executed or shall execute this Data Processing Agreement (as further defined below).

 

HAVE AGREED AS FOLLOWS

Article 1 – Definitions

Data Processing Agreement

means the present data processing agreement including its annexes;

Agreement

means the “Terms and Conditions” executed between the Controller and the Processor as described in Annex 1 of the Data Processing Agreement;

  

Data Subject(s)

means the identifiable or identified natural person(s) whose Personal Data is or are processed;

Data Protection Act

means the Act of 30 July 2018 concerning the protection of natural persons regarding the processing of personal data.


ECA


means the Act of 13 June 2005 concerning Electronic Communications;

General Data Protection Regulation or GDPR






means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Judicial Data

Contains the categories of personal data as described in article 10 GDPR;

  

Personal Data

means any information which the Processor processes on behalf of the Controller within the framework of the Agreement and which can directly or indirectly identify the Data Subject;

Personal Data Breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed; 

Special Categories of Personal Data

Contains the categories of personal data as described in article 9 GDPR. 

Article 2 – Object

  • The Processor shall exclusively and always process the Personal Data on behalf of the Controller. The Processor is not allowed to process the Personal Data in any form (not even in the form of anonymous or anonymized Personal Data) and in no way for his own account nor for the account of a third party. The Processor has no control over the purpose of the processing of Personal Data, nor may he independently take decisions concerning the use, storage or disclosure of the Personal Data, unless and to the extent it has been expressly agreed upon in the Data Processing Agreement, or instructed by the Controller, or when the Processor believes in good faith that disclosure is reasonably necessary to comply with a law, regulation or compulsory legal request.

 

The Processor informs the Controller if he cannot comply with the instructions of the Controller or the obligations following this Data Processing Agreement, without undue delay and grants the right to the Controller to suspend the disclosure and transfer of Personal Data and/or to terminate this Data Processing Agreement in accordance with Article 10.3 of present Data Processing Agreement. 

 

  • The Controller shall ensure that any disclosure of Personal Data to Processor is Personal Data that has been collected lawfully, i.e. processed on a legal basis as described in the articles 6-10 of the GDPR. The Controller shall indemnify Processor against all losses, expenses and liabilities incurred by Processor arising directly or indirectly from the Controller’s breach of this obligation.

 

  • The subject, duration, nature and purpose of the processing, as well as the type of Personal Data being processed, the categories of Data Subjects, and location of the processing are listed in Annex 1.  Any change in one of the elements listed in Annex 1, will result in an amendment of Annex 1, as mutually agreed by the Parties. If the Processor is aware of the fact that one of the elements listed in Annex 1 will be changed, he must promptly inform the Controller hereof in writing.

 

  • The Processor only processes the Personal Data for the performance of its obligations under the Agreement, in accordance with the Data Processing Agreement and the written instructions of the Controller and shall perform the processing at all times with state of the art security measures and at all times in accordance with the minimum organisational and technical security measures as set out in Annex 2 to this Data Processing Agreement. Any other use of the Personal Data by the Processor, in any form (even in the form of anonymous or anonymized Personal Data) or in any way, is not allowed. The Processor may not edit (nor have anyone edit) the Personal Data (such as but not limited to copying, printing, forwarding, enriching, modifying, etc.) unless and to the extent necessary for the performance of the Agreement and the Data Processing Agreement.

 

  • The Parties will, each in their respective capacity, process the Personal Data in accordance with the Data Protection Act, the ECA, the GDPR, and any other applicable regulation to which the Controller and/or the Processor are subject.

 

The Processor acknowledges being granted or subject to the Processor-oriented rights and obligations under the Data Protection Act and the GDPR. The Processor acknowledges that the Controller is granted or subject to the Controller-oriented rights and obligations under the Data Protection Act and the GDPR.

 

  • The purpose of the GoRound application is to process data regarding business operations as described under “Whereas” and its considerations (A) and (C). The Controller shall not process Special Categories of Personal Data or Judicial Data through the GoRound application. If the Controller processes Special Categories of Personal Data or Judicial Data through the application, the Controller shall be solely and fully responsible and liable for any damage claims or sanctions it may incur following the processing of Personal Data outside the scope and purpose of the GoRound application and shall hold the Processor harmless against any claims in this respect.

 

Article 3 – Confidentiality

  • Regardless of the type of Personal Data entrusted by the Controller to the Processor, the Processor shall treat the existence of the processing on behalf of the Controller, and the Personal Data, as strictly confidential. This duty of confidentiality is more stringent for the processing of Special Categories of Personal Data.

 

  • The Processor shall not disclose, in any form or manner whatsoever, the Personal Data to third parties or grant third parties access to Personal Data, including to sub-processors, except in the cases and under the conditions provided for in Article 3.3.

 

The Processor shall exclusively and always process the personal data on behalf of the Client in order to perform this Data Processing Agreement and in no way for his own account nor for the account of a third party.

 

  • The Processor may grant third parties access to the Personal Data in the event:

    (i) the Controller gave its prior and explicit written approval – the Controller hereby agrees that access to the Personal Data is being granted to third parties listed in Annex 1. In the event the Controller agrees to grant such access to new third parties in the course of the Agreement, Annex 1 shall be amended accordingly by mutual consent.

    (ii) the Processor is required to grant such access under a mandatory Belgian or European provision of law. In this case, unless such notification is prohibited by law or by overriding reasons of general interest, the Processor shall notify the Controller in advance and in writing about the request to access Personal Data, the relevant mandatory provision and the response the Processor intends to give to this request.

 

  • Except in the cases set out in Article 3.3 (ii), in the event the Processor grants third parties access to the Personal Data, it undertakes that each third party will be subject to contractual obligations at least equivalent to the ones to which the Processor is itself subject vis-à-vis the Controller under this Data Processing Agreement. The Processor guarantees that each third party, to whom it grants access to the Personal data, shall comply with these obligations. The Processor provides to Controller, on its request and without undue delay, a copy of the sub-processing agreement(s).

 

  • The Processor can grant its employees access to the Personal Data in accordance with the need-to-know principle, i.e. to the extent the employees need such access to the Personal Data in order to allow a proper performance of the Processor’s obligations under the Agreement and under the Data Processing Agreement. The Processor will inform the concerned employees in writing about the Personal Data’s confidential character along with the Personal Data’s legal and contractual framework, and shall impose a contractual confidentiality obligation upon the concerned employees. Processor shall impose a contractual confidentiality obligation upon the employees, that may have access to the Personal Data in order to perform the data processing, whose confidentiality obligation is identical to the present Article.

 

  • The Processor shall be responsible for complying with the duty of confidentiality by all people (i.e. employees and contractors) who are aware of the personal data and/or of its processing. This duty of confidentiality also continues to apply for 10 years after termination of the present Data Processing Agreement.

 

  • The Processor shall guarantee the confidentiality of the personal data to be processed and will take the necessary organisational and technical security measures. 

Article 4 – Obligation to assist 

  • The Processor commits to assist the Controller in ensuring compliance with its legal obligations under the Data Protection Act, the ECA (if applicable) and the GDPR. In this regard the Processor shall respond within a reasonable delay to any request for assistance made by the Controller. In the event the Processor is of the opinion that a Controller’s request or instruction infringes the Data Protection Act, the ECA (if applicable) or the GDPR, he will immediately notify the Controller. This assistance provided by the Processor to the Controller shall be subject to reasonable compensation.

 

  • Upon the Controller’s request, the Processor shall inform the Controller about the modalities of its Personal Data’s processing and shall grant access to the processed Personal Data and to all documents, buildings, systems, software, hardware, databases, installations and infrastructure necessary to enable the Controller to verify compliance with the Data Protection Act, the ECA (if applicable) and the GDPR.

 

  • Upon the Controller’s request, the Processor shall accept and cooperate with audits and inspections of its Personal Data’s processing so that the Controller is able to verify whether the Processor complies with its obligations following this Data Processing Agreement and the applicable data protection laws (GDPR and national data protection laws). Controller shall inform Processor in a timely manner, and at least 15 workdays in advance, of such audits so that Processor can organise its presence and cooperation during the audit. The Controller may itself carry out these audits and inspections or mandate a third party thereto. If the Controller mandates a third party, such third party shall not be a direct competitor of Processor and such third party shall agree to be bound by confidentiality obligations that are no less protective than those set out in Article 3 of the Data Processing Agreement.

 

  • The Processor shall immediately transfer to the Controller any Data Subject’s request or question in connection with the (processing of) Personal Data. The Controller shall decide on the response to be given in that regard. On request of the Controller, the Processor shall assist and support the Controller in responding to such Data Subject’s requests insofar as reasonably possible for the Processor. In particular, the Processor shall, if and to the extent that it falls within its technical capabilities and powers under the Data Processing Agreement, comply within 5 working days with any Controller’s request regarding the response or execution of the Data Subjects’ requests. The Processor shall be entitled to reasonable compensation for this assistance.

 

  • To the extent that the Processor itself has communicated Personal Data to third parties, it shall without delay transfer to these third parties every Personal Data’s alteration, erasure or restriction of which it becomes aware.

 

  • The Processor undertakes to assist the Controller in determining whether a data protection impact assessment is necessary for the Controller’s processing of Personal Data. This implies for example that if the Processor’s processing requires the use of new technologies, or if the Processor considers it plausible that the used technology may qualify as “new” and such new technology is likely to result in a high risk to the rights and freedoms of natural persons, the Processor notifies the Controller accordingly before starting the Personal Data’s processing.

 

  • If the Controller is of the opinion that a data protection impact assessment must be conducted, the Processor commits itself to assist the Controller, upon its written request, in executing the data protection impact assessment. In such case the Processor provides the Controller the required information as set out by Controller, and shall only begin the processing after receipt of the (evaluation of the) data protection impact assessment and the Controller’s written instructions in that regard. The Processor shall be entitled to reasonable compensation for this assistance.

 

  • In the event a Data Subject wishes to exercise her/his right to data portability regarding Personal Data processed by the Processor on behalf of the Controller, the Processor shall communicate the relevant Personal Data in a structured, standard and machine-readable form to the Controller or, at the request of the Controller, to the Data Subject. The Processor shall be entitled to reasonable compensation for this assistance.

Article 5 – Personal Data Breach

  • If a Personal Data Breach occurs or has occurred, the Processor shall, immediately after becoming aware of it, notify the Controller’s legal department by telephone and by e-mail.

 

  • The Processor provides the Controller upon the notification of the incident, or if this is not feasible without undue delay after the notification of the Personal Data Breach, with the following information regarding the Personal Data Breach: 



  1. the nature of the Personal Data Breach, 
  2. where possible the categories of Data Subject(s), 
  3. the estimated number of Data Subject(s),
  4. the categories of Personal Data,
  5. the estimated amount of Personal Data, 
  6. the name and contact details of the data protection officer if the Processor has appointed such an officer, or in the event that there is no data protection officer, another contact point where more information on the Personal Data Breach can be obtained,  
  7. the likely consequences and risks, including the likely consequences and risks for the Data Subjects, 
  8. the measures taken to address the Personal Data Breach, including, where appropriate, the measures to mitigate its possible adverse effects.

 

  • The Processor shall assist the Controller as much as possible when reporting a Personal Data Breach to the supervisory authority and/or the Data Subject(s). The Processor shall in any event respond on a priority basis to any question/request from the Controller regarding the Personal Data Breach.

Article 6 – Organisational and technical security measures

  • The Processor undertakes to implement and comply with the appropriate technical and organisational security measures necessary for the Personal Data’s protection. 

 

  • The Processor shall take into account the information provided by the Controller regarding the processing activities conducted on behalf of the Controller, when determining the appropriate technical and organisational security measures, (i) the state of the art, (ii) the implementation costs related to these measures, (iii) the nature, scope, context and purposes of processing, (iv) the risks involved for the Data Subjects’ rights and freedoms, in particular in case of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or non-authorised access to Personal Data transmitted, stored or otherwise processed, and (v) the probability that the processing shall have an impact on the rights and freedoms of the Data Subjects. 

 

  • The Processor shall update these measures on a regular basis according to the criteria referred to in Article 6.2 and by taking any incident into account. These organisational and technical measures shall correspond to article 32 of the GDPR and Annex 2 of this Data Processing Agreement.

Article 7 – Liability

  • The Processor is liable and shall indemnify the Controller for all principal sums, costs, interests and other expenses for the payment of damages caused to or claims from third parties, including the Data Subject, fines, administrative sanctions and other legal costs and other requirements by virtue of claims that may be filed against the Controller by individuals, by a data protection authority or by a government due to the Processor’s breach of the Data Processing Agreement, the obligations specifically imposed on the Processor by the Data Protection Act, the ECA (if applicable) and/or the GDPR.

 

  • The Processor shall indemnify the Controller for all damages caused by third parties (i.e. sub-processors) appointed by the Processor. 

 

  • The Processor shall take out insurance covering all damages, such as defined in Article 7.1, following non-compliance with the applicable data protection laws (i.e. national data protection laws and GDPR) and non-compliance with the provisions of present data processing agreement, including damages following the occurrence of (a) personal data breach(es).

 

  • To the extent permitted by applicable law, the Processor’s liability will in any event be limited to the lesser of the total monetary value paid by a Client during the twelve months preceding the cause of liability or 20.000,- Euro.

Article 8 – Force Majeure

  • The following circumstances qualify as force majeure if they occur after the execution of this Data Processing Agreement and prevent its performance: labour disputes and all other circumstances, such as fire, mobilisation, seizure, embargo, ban on currency transfer, revolt, a shortage of modes of transport, general scarcity of raw materials, limitations in energy use, if these other circumstances occur outside the will of the parties.

 

  • The party that appeals to the abovementioned circumstances must immediately inform the other party of the commencement as well as of the termination of the force majeure circumstances in writing.

 

The occurrence of one of these circumstances removes all liability of both the Controller and the Processor.

Article 9 – Transfer of Personal Data

  • The Processor cannot transfer Personal Data to a country outside the European Economic Area (i.e. at the moment the European Union, Liechtenstein, Iceland and Norway) unless that country or the undertaking(s) concerned (including companies linked to the Processor) to which the Personal Data are transferred guarantee(s) an adequate level of protection of Personal Data, and the Controller has given its prior written consent to the transfer. The Controller agrees to transfer the data to the countries listed in Annex 1.

 

  • A transfer to a country outside the European Economic Area is authorised without the Controller’s written consent if this transfer is necessary on the basis of a rule of law which is mandatory under EU law or Belgian law. In such case, the Processor shall notify the Controller in advance and in writing about the legal provision on the basis of which the Processor is obliged to transfer the Personal Data, unless the relevant legislation prohibits such notification for reasons of public interest.

 

  • The Processor guarantees that the country or the undertaking, to which the Personal Data are transferred, ensures an adequate level of protection of Personal Data.

 

  • In the event of a transfer of Personal Data by the Processor to a country outside the European Economic Area, the adequate level of protection is guaranteed by the signature of the European Commission Standard Contractual Clauses. The Parties acknowledge the lack of European Commission Standard Contractual Clauses for transfers “processor to sub-processor”. This particular transfer can be regularized to the extent the Processor guarantees that the sub-processor will sign, at the Controller’s discretion, the European Commission Standard Contractual Clauses “controller-processor” directly with the Controller or the European Commission Standard Clauses “controller-processor” with the Processor on behalf of the Controller. 



Article 10 – Duration and termination

  • The Data Processing Agreement shall enter into force on the date of its signature.

 

  • The Data Processing Agreement shall remain in force for the duration of the Agreement. This Data Processing Agreement shall terminate automatically if the Agreement terminates.

 

  • In case of a breach of one of the provisions of this Data Processing Agreement by a Party, it can be terminated immediately by the other Party at the expense of the Party that remains in default. Furthermore, this Data Processing Agreement can be terminated at any time with a two-month notice period, provided that the termination is communicated by registered letter.

 

  • Upon termination of the Data Processing Agreement, all Personal Data and any physical or electronic copies thereof must be immediately provided to the Controller in a structured, commonly used and (machine) readable format. The Processor shall, at the choice of the Controller, delete all Personal Data at the end of the provision of services relating to data processing and delete existing copies, unless the storage of the Personal Data is required on the basis of EU law and/or Belgian law.

Article 11 – Applicable law & competent court

This Data Processing Agreement shall be exclusively governed by Belgian law.

 

All disputes arising from this Data Processing Agreement shall be settled exclusively by the Courts of Leuven.

Article 12 – Miscellaneous

  • The Data Processing Agreement is severable. If one or more provisions that do not affect the essence of the Data Processing Agreement are declared fully or partially invalid, void or unenforceable, this shall not affect the validity and enforceability of the remaining provisions of this Data Processing Agreement nor of the entire Agreement. The Data Processing Agreement will remain in force between the Parties, as if the invalid, void or unenforceable provision never existed.

 

  • In the aforementioned case, the Parties undertake to renegotiate in good faith the Data Processing Agreement in order to modify or replace the (fully or partially) void, invalid or unenforceable provision by a provision that most closely matches the purpose of the invalid, void or unenforceable provision.

 

  • The modifications of and supplements to the Data Processing Agreement are valid only if they are expressly agreed in writing between the Parties.

 

  • If a provision of the Agreement is incompatible or contradictory to the provisions of this Data Processing Agreement, the Data Processing Agreement will prevail.

 

  • If the Personal Data or the relationship between the Parties is subject to new (European) legislation or case law, the Parties agree to renegotiate in good faith the Data Processing Agreement, and to bring the Data Processing Agreement in line with the new (European) legislation or case law.

 

  • If the Processor is subject to a code of conduct or was certified with regard to the processing of Personal Data, it undertakes to comply with and to maintain this code of conduct or certification for the duration of the Data Processing Agreement.



Annex 1 – Overview of the Agreement and the processing operations 

 

Name of the Agreement

Overeenkomst Terms and Conditions “GoRound” Applicatie

Subject matter of the Agreement

The GoRound application logs automatically the business operations of the Controller making it possible to generate KPIs and visualise data of equipment and parameters in order to allow mobile inspections of the field, mobile work instructions and the planning, task management and data analysis.

Duration of the processing 

The duration of the processing is equal to the duration of the Agreement 

Nature and purposes of the processing 

The Processor will process personal data of employees of the Client for the following purposes:


  • for the login on the GoRound application
  • to assign tasks to an employee
  • to log inspections performed by an employee

Type of Personal Data that are processed 

  • Name
  • Login and passwords
  • Assigned tasks
  • Performance of inspections
  • MAC address
  • IP

Types of Special Categories of Personal Data

No Special Categories of Personal Data or Judicial Data are being processed through the GoRound application

Categories of Data Subjects 

  • Employees of Controller

Location(s) of the processing of Personal Data

  • Belgium (registered office of Gemsotec)
  • Google Cloud platform located in Belgium (Mons)

Third parties

No third party has access to the Personal Data, except for: 


  • Google
  • Sendgrid
  • Cumulio
  • Auth0
  • Bugsnag 

Third countries to which Personal Data are transferred

Personal Data will not be transferred to third countries, except for: 


n/a 

Annex 2 – Technical and organisational security measures

 

The Processor shall install and provide the following security measures in order to protect the personal data:

 


Organisational measures

  • Security policy
  • Raising staff’s awareness through information and training
  • Notification procedure in case of physical/technical incidents  

Technical measures

  • Back-up system
  • Measures in case of fire, burglary or water damage, or physical/technical incidents
  • Control of access (physical and logical)
  • Authentication system 
  • Password policy
  • User-ID policy
  • Logging system, detection and analysis of the entrance 
  • Patching
  • Anti-virus
  • Firewall
  • Network security
  • Surveillance, examination and maintenance of the systems




Personal Data Processing Agreement version 30 March 2021.