Add Your Heading Text Here
The present Processor’s Agreement is concluded between the undersigned:
Gemsotec BV, with company headquarters in 3200 Herent, Vilvoordsebaan 73 and here validly represented by the signatory or signatories,
Hereinafter referred to as: the ”Processor”;
The client, ……………………………………………………………………………………………. with company headquarters in …………………………………………………………………………………………………………………………………………………………….
Hereinafter referred to as: the “Client”;
Client and Processor are hereinafter to be referred to severally as “Party” and jointly as “Parties”, should no specific indication be intended towards the one or the other Party.
- Client, the data controller within the meaning of the GDPR (hereafter, “Client” or “data controller”), and Processor have concluded an Agreement;
- the Processor, in the course of execution of aforementioned Agreement, will come into contact with personal data within the meaning of the Act of 30 July 2018 concerning the protection of natural persons regarding the processing of personal data and with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the ‘GDPR’) and the ancillary implementing orders;
- the execution of aforementioned Agreement will also involve and include the processing of personal data by the Processor;
- Client and Processor have made arrangements with regard to the terms, conditions and guarantees that the Processor shall observe in the processing of personal data under the present Agreement;
- Client and Processor wish to lay down in writing the aforementioned arrangements by means of the present Processor’s Agreement;
- the present Processor’s Agreement is designed to serve as a Processor’s Agreement within the meaning of Article 28 GDPR;
- the present Processor’s Agreement shall form an integral part of the aforementioned Agreement;
- the aforementioned Agreement is referred to throughout what follows in the present Processor’s Agreement with the term “Agreement”
THE PARTIES HAVE THEREFORE AGREED THE FOLLOWING:
Article 1: Definitions
- The terms and expressions employed in the present Processor’s Agreement shall have the same meanings as those assigned to them in the Act of 30 July 2018 concerning the protection of natural persons regarding the processing of personal data and in the GDPR and in the ancillary implementing orders.
- Personal data means: all information concerning an identified or identifiable natural person that is either obtained by the Processor or generated during provision of the services for the Client as agreed under the Agreement “Identifiable person” means a natural person who can be identified, directly or indirectly, by means of an identifier such as a name, an identification number, location details, an online identifier or one or more elements characteristic of physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Article 2: Processing assignment
The provision of service agreed in the Agreement includes the processing of personal data by the Processor in the role of processor as described in the GDPR. By signing this Processor’s Agreement the Client gives the Processor the assignment to process personal data. The Processor shall process that personal data for the purposes specified in the Agreement only and may not use the data for any other purpose.
Concerning the processing of personal data by the Processor the Parties wish to clarify the following points:
- The object and duration of the processing: The processing is required to fulfill and has the same effective date as “Overeenkomst Software-as-a-Service “GoRound”Applicatie
- All other rights and obligations of the Client as responsible for processing as described in the GDPR are set out in the Articles that follow.
- In the present Processor’s Agreement the Processor acknowledges receipt of the necessary written instructions from the Client for the purpose of being able to execute the processing of personal data in accordance with the requirements of the GDPR.
Article 3: Sub-Processors and transfer of data
The Client agrees that the Processor may enlist the aid of a third party as sub-processor, provided always that such party is established within the EU and the engagement of the sub-processor does not entail the risk of transfer of personal data outside the EU.
Given that the Client, in the previous paragraph, gives the Processor a general written permission for the use of sub-processors established within the EU with the guarantee that they will not transfer any personal data outside the EU, the Processor assumes the obligation to inform the Client as within the meaning of the GDPR, of all possible intended changes as regards the addition or replacement of other or new Processors.
In such cases the Client has the possibility of objection to such change.
The Client must inform the Processor by e-mail within a period of ten (10) working days regarding its objection to the planned changes.
In case of any objection by the Client the Processor shall not proceed with the planned changes.
The Processor is not permitted to transfer personal data to a third country or to an international organization.
Furthermore, the Processor may not engage any sub-processors established outside the EU or whose engagement is likely to entail the risk of transfer of personal data outside the EU.
If, however, the Processor does transfer personal data outside the EU, the Processor guarantees that each processing of personal data shall be conducted in accordance with the GDPR and indemnifies the Client against damages following directly out of the data transfer.
The Processor may not transfer or authorize the transfer of Data to a third country or to an international organization without the prior written consent of the Client. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
The Processor shall, in turn, impose on any sub-processor all obligations imposed on the Processor under the Agreement and under the present Processor’s Agreement. The Processor shall furnish the Client with proof to that effect.
Article 4: Satisfaction of legal obligations
Both the Client and the Processor shall respect the obligations from the Act of 30 July 2018 concerning the protection of natural persons regarding the processing of personal data and from the GDPR and the ancillary implementing orders, and any other legal obligations governing the processing of personal data.
Processor and Client shall process the personal data in conformity with the relevant guidelines and recommendations published by the competent Data Protection Authority.
Article 5: Processors’ personnel and confidentiality
The Processor shall ensure that all persons working for or on behalf of the Processor and with access to the personal data shall treat the personal data as confidential and shall process the personal data only to the extent that is strictly necessary for execution of the specific tasks that he has to perform for the execution of the Agreement. These persons are informed of the obligations issuing from the present Processor’s Agreement that are legally binding on the Processor.
Furthermore, the Processor, account being taken of the nature of the processing and the information available to him, shall offer the Client his assistance in satisfying the obligations issuing from Articles 32 to 36 of the GDPR.
Article 6: Adequate measures
The Processor shall implement and maintain adequate technical and organizational measures to prevent (i) loss of personal data and (ii) any form of processing of personal data that is in conflict with the law or with the present Processor’s Agreement.
Such measures would also concern the detection of security incidents and/or data breaches.
The Processor recognizes and agrees that the service to be provided within the framework of the Agreement must satisfy the high security requirements that may reasonably be expected of a professionally active provider of the services concerned taking into account (i) the implementation costs related to these measures, (ii) the nature, scope, context and purposes of processing, (iii) the risks involved for the Data Subjects’ rights and freedoms, in particular in case of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or non-authorised access to Personal Data transmitted, stored or otherwise processed, and (iv) the probability that the processing shall have an impact on the rights and freedoms of the Data Subjects. Without receiving sufficient and detailed information from the Controller, the Processor shall not be able to determine the necessary technical and organisational security measures.
Article 7: Processor’s obligation of notification
The Processor recognizes that the Client is obliged to store personal data no longer than is strictly necessary for the provision of the agreed services with or to the concerned associated parties. The Processor shall inform the Client should he have reason to believe that the storage of personal data is no longer necessary.
Furthermore, the Processor shall notify the Client immediately if he considers that one or more of the instructions he receives from the Client represents an infringement of the GDPR or of any other laws of the European Union or its Member States governing the protection of personal data.
Article 8: Requests from concerned person(s)
The Processor shall never react directly to a request from a concerned person in connection with the personal data processed by the Processor, but shall always inform the Client, by return of mail, regarding any such request.
The Processor shall, however – account here being taken of the nature of the processing – as far as possible, offer assistance to the Client in the form of suitable technical and organizational measures towards the satisfaction of the latter’s obligation to react to applications from natural persons for assertion of the rights for which provision is made in the GDPR. The Processor shall be entitled to reasonable compensation for this assistance.
Article 9: Processor’s obligation of information
On the Client’s first request, the Processor shall furnish the Client with:
- Information regarding the security and protection of personal data, including the policy that the Processor applies and evaluations thereof, certificates, risk analyses, test reports and reports on security incidents, in so far as such information is relevant for the processing of personal data and is available.
- Detailed information on all sub-processors engaged by the Processor in connection with the service for the Client under the Agreement, including company information and location where the personal data is processed by the sub-processor.
Article 10: Right to audit of compliance
The Client has the right, at any time and at his own cost, to make arrangement for its compliance officer(s) and/or a certified accountant or any other auditor, insofar as it does not concern competitors of Processor, to inspect the processing of personal data by the Processor and/or to conduct an audit on that processing. The Processor shall provide his full cooperation in any such and allow access to the (parts of the) systems and buildings relevant for the audit on the processing of personal data. In the event of an audit or inspection by a supervisory body, such as the Data Protection Authority, the Processor shall likewise provide his full cooperation in so far as the processing of personal data is concerned. Client shall inform Processor in a timely manner, and at least (ten) 10 days in advance, of such audits so that Processor can organise its presence and cooperation during the audit. If the Controller mandates a third party, such third party shall not be a direct competitor of Processor and such third party shall agree to be bound by confidentiality obligations regarding any information the auditor could have access to during the audit at Gemsotec.
The Parties may, either in the Agreement or in an addendum thereto, subject the conducting of the audits to more detailed conditions.
Article 11: Obligation of information in case of data breaches and security incidents
In case of a data breach and/or security incident that (also) concerns personal data, the Processor shall inform the Client accordingly as soon as possible, but in any case not later than within forty-eight (48) hours of the data breach or incident coming or being brought to the Processor’s attention.
The Processor shall not pass on such information to third parties unless obliged to do so as a result of a legal requirement or as a result of an instruction to do so from an authorized body. In that case the Processor shall inform the Client and undertake all within his power to place the Client in a position either to object or to give consent.
Article 13: Destruction after end of Agreement
On completion of the Processor’s processing services the Processor shall, as far as possible, return all personal data to the Client. All remaining personal data shall be deleted and any existing copies shall be removed promptly and in any event within ten (10) business days of the date of cessation of any Services, unless continued storage of that personal data in question is required by law.
The obligations issuing from the present Processor’s Agreement shall continue to apply with full effect until such time as the personal data is returned or, as the case may be, deleted or removed.
Article 14: Sanctions
The Processor is aware of the fact that, pursuant to the GDPR, he shall be regarded as data controller for a specific processing if he determines the purposes and means of the processing activities which are not instructed by Client.
If the Processor commits a violation of obligations imposed by the GDPR specifically on Processors or acts in any way contrary to the legitimate instructions of the Client, then the Processor shall bear liability for loss or damage.
If the Processor enlists the aid of other (sub-)processors, he remains liable for all loss or damage caused by an unlawful processing or by a processing that constitutes an infringement of the rules in the matter of the GDPR.
The Processor shall indemnify the Client should the latter find itself confronted with a claim for loss or damages filed by a natural person where such loss or damage was caused as stated in either of the two previous paragraphs.
The total liability of Processor shall, in any case, not exceed the total amount of charges paid by the Client as defined in the “Overeenkomst Software-as-a-Service – GoRound Applicatie”.
Article 15: Execution of Processor’s Agreement
Should any one of the clauses of the present Processor’s Agreement be found to be invalid, in whole or in part, this shall not detract from the validity of any of the other clauses. The non-validity or non-enforceability of any one of the clauses of the present Processor’s Agreement therefore does not entail the non-validity or non-enforceability of the Processor’s Agreement in its entirety.
In such cases the Parties shall endeavour, as far as possible, to replace the invalid clause with a clause most nearly approximating the intents and purposes of the present Processor’s Agreement.
All supplements and amendments to the present Processor’s Agreement require written form and must be signed by both Parties.
Article 16: Applicable law and competent courts
The Parties expressly agree that the present Agreement shall be governed solely by Belgian law.
All cases of dispute concerning the content and/or consequences of the present Agreement shall be referred for settlement to the exclusive jurisdiction of the Courts of Law of the district where Processor has its registered office.
Given in good faith in Leuven, this day ___/___/_____ in two originals, each Party acknowledging receipt of one copy.