Data Processing Policy
During the course of every product development trajectory, our team may need access to the personal data of the end users of the product. The following document outlines the default positioning of Panenco as Processor with regard to data processing. These terms will stand unless other signed agreements are in effect.
(Last updated on 07/09/2021)

Between
Panenco BV, with registered office at 3001 LEUVEN, Kapeldreef 60 and with company number 0650.747.066 will act as Processor and will hereinafter be referred to as 'Processor'.

And

The Client, acting on behalf of a legal entity with registered office, will act as Controller and will hereinafter be referred to as 'Controller'.

Has been set out

  • The Controller has entered into a service agreement with The Processor. Unless specific contractual arrangements are in place, the services will be delivered under the default Terms & Conditions of Panenco BV.
  • During the performance of the Service Agreement, The Processor may process personal data under the General Data Protection Regulation ("GDPR");
  • The Processing shall apply to the type of personal data and categories of data subjects which are required for the delivery of the services (the "Personal Data"; the "Data Subjects");
  • The Parties wish to organise the Processing in correspondence with the relevant and applicable legislation, including the GDPR;
  • In this processor agreement (the "Agreement"), Controller and Processor wish to determine their respective rights and obligations as to the Processing.

Has been agreed upon
1. Subject
  • Under the terms and conditions of this Agreement, the Processor shall Process the Personal Data on behalf of the Controller.
  • This Agreement shall apply as an annex to the overall Service Agreement.
2. Term & termination
  • This Agreement shall enter into force and effect on the date of execution by the Parties. As from the date of execution, the terms and conditions of this Agreement shall be deemed applicable to all existing and new Processing of Personal Data.
  • The term of this Agreement equals the term of the Service Agreement. The termination of the Service Agreement shall terminate this Agreement, without prior notice and effective immediately, without prejudice to Article 13.
  • The Controller is entitled to terminate this Agreement, without prior notice and effective immediately, in the event where the Processor is in default of one or more obligations under this Agreement and fails to remedy such default within ten (10) business days following written notification.
3. Personal Data and categories of Data Subjects
(Art. 28, 3.1 GDPR)

  • The Processing applies to the categories of Personal Data and Data Subjects needed for the well-functioning of the product.
  • The Controller shall transfer the Personal Data to be Processed under the Service Agreement to the Processor. The Controller is liable for the accuracy and completeness of the Personal Data.
4. Subject-matter, nature, purpose and term of the Processing
(Art. 28, 3.1 GDPR)

  • The subject-matter, the nature and the purpose of the Processing are determined by the product specifications and the related data requirements.
  • The Processing has a term equal to the term of the Service Agreement, without prejudice to Article 13.
5. Relevant and applicable legislation
(Art. 28, 1 GDPR)

  • The Processor shall provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing shall meet the requirements of the relevant and applicable legislation, including the GDPR, and safeguard the rights of the Data Subjects. The cost related to a modification of technical and organisational measures on request of the Controller shall be borne by the Controller.
6. Other Processors
(Art. 28, 2 GDPR)

  • The Controller agrees that the Processor is entitled to engage a third party for carrying out specific Processing activities as to the Personal Data on behalf of the Controller, provided that the same data protection obligations as set out in this Agreement or any other legal act are imposed on that other processor.
  • The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes within a term of ten (10) business days following notification.
  • The Processor shall remain fully liable to the Controller for the performance of that other processor's obligations.
7. Written authorisation
(Art. 28, 3.1 GDPR)

  • The Processor shall Process the Personal Data only in compliance with the terms and conditions of this Agreement and the written instructions of the Controller, subject to deviant legislation or deviant requests of Data Subjects, that are compliant with relevant and applicable legislation. In that event, the Processor shall inform the Controller of such a deviant Processing, unless relevant and applicable law prohibits such information on important grounds of public interest.
8. Confidentiality
  • The Processor ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Confidentiality under this Article shall mean that the Personal Data shall not be divulged to any third party and shall not be used for any other purpose than the Processing.
  • Notwithstanding Article 8.2, the Processor shall be entitled to divulge the Personal Data to a third party with the authorization of the Controller, to the extent necessary for the execution of legal obligations and in the event necessary for the performance of the Service Agreement.
9. Security of the Processing
(Art. 28, 3.3 GDPR)

  • The Processor shall undertake all appropriate technical and organisational measures to secure the Personal Data from theft, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  • A non-exhaustive overview of technical and organisational measures can be created specifically for the product upon request by the Controller. The cost related to modifications in such technical and organisational measures on request of the Controller shall be borne by the Controller.
10. Compliance with obligations of the Controller as to rights of Data Subjects' requests
(Art. 28, 3.5 GDPR)

  • Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights.
  • The Processor shall make available to the Controller without undue delay all requests for exercising the Data Subject's rights received directly from Data Subjects.
  • The cost related to the obligations of the Processor under this Article shall be borne by the Controller, and shall be calculated in accordance with customary rates.
11. Compliance with obligations of the Controller as to Personal Data security
(Art. 28, 3.6 GDPR)

  • The Processor shall assist the Controller without undue delay in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of Processing and the information available to the Processor. The cost related to the obligations of the Processor under this Article shall be borne by the Controller, and shall be calculated in accordance with customary rates.
12. Compliance with the obligations of the Controller as to Data breach
(Art. 28, 3.6 GDPR)

  • The Processor shall notify the Controller of any data breach as set forth in article 4 (12) GDPR without undue delay after becoming aware of a personal data breach within 24 hours after the constatation.
  • The notification as set forth in Article 12.1 shall at least:

    (a) describe the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
    (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    (c) describe the likely consequences of the Personal Data breach;
    (d) describe the measures taken or proposed to be taken by the Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  • The Controller is exclusively liable to notify the Personal Data breach to the competent supervisory authority and/or the relevant Data Subjects. The Processor cannot be held liable for lack of timely or insufficient notification.
  • The cost related to the obligations of the Processor under this Article shall be borne by the Controller, and shall be calculated in accordance with customary rates.
13. Deletion and return of Personal Data
(Art. 28, 3.7 GDPR)

  • The Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller following termination of the Service Agreement and delete existing copies unless relevant and applicable legislation requires storage of the Personal Data.
  • The cost related to the obligations of the Processor under this Article shall be borne by the Controller, and shall be calculated in accordance with customary rates.
14. Information
(Art. 28, 3.8 GDPR)

  • The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller to that effect. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes relevant and applicable legislation, including the GDPR.
  • The cost related to the obligations of the Processor under this Article shall be borne by the Controller, and shall be calculated in accordance with customary rates.
15. Processing on behalf of the Processor
(Art. 29 GDPR)

  • The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
16. Liability
(Art. 82 GDPR)

  • The Processor is only liable for damages following a breach of the obligations of the Processor under this Agreement or the GDPR. In addition, the Processor shall be exempt from liability if the Processor proves that it is not in any way responsible for the event giving rise to the damage.
  • In any event the liability of the Processor is limited to the amount for which the Processor is insured under policy 37.739.026 at KBC.
17. Confidentiality
  • The terms and conditions of this Agreement shall not affect any legal, professional or other obligation of confidentiality applicable to the Processor.
18. Miscellaneous
  • The invalidity of one or more provisions of this Agreement shall not affect the validity of the other provisions of this Agreement. Parties shall authorize the assigned court to mitigate the relevant provisions to the extent valid under relevant and applicable legislation.
  • The Processor is entitled to modify this Agreement from time to time.
  • Belgian law exclusively applies to this Agreement.
  • The courts of Leuven are exclusively competent to rule over any conflict with this Agreement.

Amendments

In order to take action on the basis of your feedback or to clarify changes made in our processing activities, this document may be amended from time to time. Therefore, we invite you to consult the latest version of this policy on our website as the single source of truth.

Do you have any further questions?

Please feel free to contact us via e-mail: info@panenco.com.