Data Processing Policy

• Under the terms and conditions of this Agreement, the Processor shall Process the Personal Data on behalf of the Controller.
• This Agreement shall apply as an annex to the overall Service Agreement.

• This Agreement shall enter into force and effect on the date of execution by the Parties. As from the date of execution, the terms and conditions of this Agreement shall be deemed applicable to all existing and new Processing of Personal Data.The term of this Agreement equals the term of the Service Agreement.
• The termination of the Service Agreement shall terminate this Agreement, without prior notice and effective immediately, without prejudice to Article 13.
• The Controller is entitled to terminate this Agreement, without prior notice and effective immediately, in the event where the Processor is in default of one or more obligations under this Agreement and fails to remedy such default within ten (10) business days following written notification.

(Art. 28, 3.1 GDPR)

• The Processing applies to the categories of Personal Data and Data Subjects needed for the well-functioning of the product.
• The Controller shall transfer the Personal Data to be Processed under the Service Agreement to the Processor. The Controller is liable for the accurateness and completeness of the Personal Data.

(Art. 28, 3.1 GDPR)

• The subject-matter, the nature and the purpose of the Processing are determined by the product specifications and the related data requirements.
• The Processing has a term equal to the term of the Service Agreement, without prejudice to Article 13.

(Art. 28, 1 GDPR)

• The Processor shall provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing shall meet the requirements of the relevant and applicable legislation, including the GDPR, and safeguard the rights of the Data Subjects. The cost related to a modification of technical and organisational measures on request of the Controller shall be borne by the Controller.

(Art. 28, 2 GDPR)

• The Controller agrees that the Processor is entitled to engage a third party for carrying out specific Processing activities as to the Personal Data on behalf of the Controller, subject to the same data protection obligations as set out in this Agreement or any other legal act shall be imposed on that other processor.
• The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes within a term of ten (10) business days following notification.
• The Processor shall remain fully liable to the Controller for the performance of that other processor's obligations.

(Art. 28, 2 GDPR)

• The Controller agrees that the Processor is entitled to engage a third party for carrying out specific Processing activities as to the Personal Data on behalf of the Controller, subject to the same data protection obligations as set out in this Agreement or any other legal act shall be imposed on that other processor.
• The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes within a term of ten (10) business days following notification.
• The Processor shall remain fully liable to the Controller for the performance of that other processor's obligations.

• The Processor ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Confidentiality under this Article shall mean that the Personal Data shall not be divulged to any third party and shall not be used for any other purpose than the Processing.
• Notwithstanding to article 8.2 the Processor shall be entitled to divulge the Personal Data to a third party with the authorization of the Controller, to the extent necessary for the execution of legal obligations and in the event necessary for the performance of the Service Agreement.

(Art. 28, 3.3 GDPR)

• The Processor shall undertake all appropriate technical and organisational measures to secure the Personal Data from theft, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
• A non-exhaustive overview of technical and organisational measures can be created specifically for the product upon request by the Controller. The cost related to modifications in such technical and organisational measures on request of the Controller shall be borne by the Controller.

(Art. 28, 3.5 GDPR)

• Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights.
• The Processor shall make available to the Controller without undue delay all requests for exercising the Data Subject's rights received directly from Data Subjects.
• The cost related to the obligations of the Processor under this Article, shall be borne by the Controller, and shall be calculated in accordance with customary rates.

(Art. 28, 3.6 GDPR)

• The Processor shall assist the Controller without undue delay in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of Processing and the information available to the Processor. The cost related to the obligations of the Processor under this Article, shall be borne by the Controller, and shall be calculated in accordance with customary rates.

(Art. 28, 3.6 GDPR)

• The Processor shall notify the Controller of any data breach as set forth in article 4 (12) GDPR without undue delay after becoming aware of a personal data breach within 24 hours after the constatation.
• The notification as set forth in Article 12.1 shall at least:

(a) describe the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the Personal Data breach;
(d) describe the measures taken or proposed to be taken by the Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
• Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
• The Controller is exclusively liable to notify the Personal Data breach to the competent supervisory authority and/or the relevant Data Subjects. The Processor cannot be held liable for lack of timely or insufficient notification.
• The cost related to the obligations of the Processor under this Article, shall be borne by the Controller, and shall be calculated in accordance with customary rates.

(Art. 28, 3.7 GDPR)

• The Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller following termination of the Service Agreement and delete existing copies unless relevant and applicable legislation requires storage of the Personal Data.
• The cost related to the obligations of the Processor under this Article, shall be borne by the Controller, and shall be calculated in accordance with customary rates.

(Art. 28, 3.8 GDPR)

• The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller to that effect. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes relevant and applicable legislation, including the GDPR.
• The cost related to the obligations of the Processor under this Article, shall be borne by the Controller, and shall be calculated in accordance with customary rates.

(Art. 29 GDPR)

• The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(Art. 82 GDPR)

• The Processor is only liable for damages following a breach of the obligations of the Processor under this Agreement or the GDPR. In addition, the Processor shall be exempt from liability if the Processor proves that it is not in any way responsible for the event giving rise to the damage.
• In any event the liability of the Processor is limited to the amount for which the Processor is insured under policy 37.739.026 at KBC.

• The terms and conditions of this Agreement shall not affect any legal, professional or other obligation of confidentiality applicable to the Processor.

• The invalidity of one or more provisions of this Agreement shall not affect the validity of the other provisions of this Agreement. Parties shall authorize the assigned court to mitigate the relevant provisions to the extent valid under relevant and applicable legislation.
• The Processor is entitled to modify this Agreement from time to time.
• Belgian law exclusively applies to this Agreement.
• The courts of Leuven are exclusively competent to rule over any conflict with this Agreement.