ARTICLE 0: DEFINITIONS
AVG: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (also referred to as ‘GDPR’), as well as the Belgian Implementing Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;
Authority: the Dutch Data Protection Authority as referred to in Article 51 GDPR; the independent public authority, called the Data Protection Authority (DPA), which has been appointed in Belgium by law of 3 December 2017 as a supervisory authority for the supervision of the processing of personal data;
Data subject: an identified or identifiable natural person to whom a Personal Data relates;
Special categories of personal data: Personal data as referred to in Article 9 of the GDPR; data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a person, or data relating to a person’s sexual behaviour or sexual orientation;
Services: the services provided by Direct to the Client, as further stipulated in the Service Agreement and its description, published on Direct’s website (http://www.Direct.eu/);
Identifiable: where a natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Breach (in connection with Personal Data): a breach of security that accidentally or unlawfully results in the destruction, loss, alteration or unauthorised disclosure of, or access to transmitted, stored or otherwise processed data within the meaning of Article 4.12 GDPR;
Agreement: this ‘Agreement for the processing of Personal Data’, including its Annexes, if any;
Personal data: all information about an identified or identifiable natural person (the Data Subject), within the meaning of Article 4.1 GDPR;
Sub-Processor: any non-subordinate party engaged by the Processor in the processing of Personal Data in the context of the Assignment Agreement, not being the Processor’s own employees or staff;
Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, that law may determine who the controller is or the criteria according to which it is designated, all this within the meaning of Article 4.7 GDPR;
Processor: a natural or legal person, a public authority, a service or another body that processes personal data on behalf of the Controller within the meaning of Article 4.8 GDPR;
Processing: any operation or set of operations performed on Personal Data or a set of Personal Data, whether or not carried out by automated means, including in any case the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data, within the meaning of Article 4.2 GDPR.
ARTICLE 1: SCOPE OF THE PROCESSING
1.1. In the context of the Agreement, the Client transfers personal data to Direct.
For the entire duration of the Agreement, Direct will process this personal data in accordance with the conditions stipulated in this Processor Agreement.
This Processor Agreement is an inseparable part of the Agreement. Insofar as the provisions of this Processor Agreement would conflict with the provisions of the Agreement, the provisions of this Processor Agreement shall prevail.
1.2. The processing takes place under the responsibility of the Client. Direct has no control over the purpose and means of the processing and does not make decisions about matters such as the use of personal data, the retention period of the Personal Data processed for the Client and the provision of personal data to third parties. The Client must ensure that it has clearly established the purpose and means of the processing of the personal data. Control over the personal data never rests with Direct.
ARTICLE 2: THE NATURE AND PURPOSE OF THE PROCESSING
2.1. The processing of the personal data takes place in the context of the execution of the Agreement, whereby the Client is regarded as ‘controller’ and Direct as ‘processor’ within the meaning of the GDPR. Direct does not make any other use of these personal data, nor process these personal data in a way that is not part of the Agreement and the description of the Services, unless expressly stipulated otherwise between the Parties.
2.2. As further stipulated in the Agreement and the description of the Services, the processing activities may include:
- Providing remote support by logging in and watching the screen (as with TeamViewer), plus the purposes that are reasonably related to this or that are determined with further consent.
This ‘viewing’ processing ends when the TeamViewer connection is closed.
- Storing the Client’s data in the ‘cloud’ with the associated online services.
ARTICLE 3: TYPES OF PERSONAL DATA
3.1. Direct will often be unaware of which personal data are stored in the cloud by the Client.
3.2. In general, it can be stated that Direct will mainly process identification data of data subjects on behalf of the Client, such as name, address, telephone number, e-mail address, dates of birth, as well as any financial data.
3.3. However, the Client shall ensure that no personal data are transferred to Direct other than those that are strictly necessary for the provision of the Services. The Client, with the exclusion of Direct, is and remains responsible for the choice and content of the personal data that are passed on by the Client to Direct in execution of the Agreement and by using the Services.
ARTICLE 4: CATEGORIES OF DATA SUBJECTS
4.1. Direct will often be unaware of which categories of personal data are stored in the cloud by the Client.
4.2. In general, it can be stated that Direct will mainly process the personal data of employees, customers and/or suppliers of the Client.
4.3. The Client declares and guarantees that the personal data of the data subjects that are transferred to Direct by the Client, or by a third party on the instructions of the Client, may lawfully be transferred to Direct.
ARTICLE 5: RIGHTS AND OBLIGATIONS OF THE CLIENT
5.1. The Client shall inform Direct without delay, using the systems made available to the Client by Direct, when a third party requests the Client to remove his personal data from Direct’s systems, or to no longer use them in the context of the Agreement.
5.2. The Client may request Direct to provide its reasonable cooperation in an audit of Direct’s operations and systems that is necessary to demonstrate compliance with the obligations of Article 28 GDPR. Such an audit may take place once a year and shall be carried out by an auditor authorised by the Client, preferably a third party appointed by both parties. An audit must be announced to Direct in writing at least ten days before it commences, with a description of the parts to which the audit relates and of the audit process, and must not unduly disrupt Direct’s business activities. Direct will cooperate with the audit and will make all information reasonably relevant to the audit, including supporting personal data such as system logs, as well as employees, available in a timely manner, insofar as the direct or indirect consequences thereof do not breach the contractual rights, obligations or legal requirements applicable to the overall service, or harm the interests of Direct.
Direct’s assistance in an audit will be invoiced at the then current hourly rates, which on the date of entry into force of this Processor Agreement amount to € 110.00 excl. VAT.
ARTICLE 6: OBLIGATIONS OF DIRECT
6.1. Processing in accordance with the instructions of the Client
Direct, and all those who act under its responsibility or authority and have access to the personal data, will only process these personal data according to the written instructions of the Client, and only for the purposes described in Article 2.
Direct will follow all reasonable instructions from the Client in connection with the processing of personal data. Direct will immediately inform the Client if Direct is of the opinion that the instructions are in violation of the GDPR.
Direct may deviate from the above if a legal provision obliges it to process. In that case, Direct will inform the Client of that legal provision prior to processing, unless that legislation prohibits this notification for important reasons of public interest.
6.2. Appropriate technical and organisational measures
Taking into account the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons, Direct shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures will be in line with current industry practice and shall include at least the following:
- physical access security measures;
- logical access control, using passwords;
- organisational measures for access security;
- random monitoring of policy compliance;
- security of network connections via Secure Sockets Layer (SSL) technology;
- a secure internal network;
- purpose-based access restrictions;
- control of powers granted.
Direct does not guarantee that the security is effective under all circumstances. Direct will make every effort to ensure that the security meets a level that, in view of the state of the art, the sensitivity of the personal data and the costs of implementing the security measures, is not unreasonable.
The Client has been duly informed about the technical and organisational measures taken by Direct and is of the opinion that these measures provide a level of security that suits the nature of the personal data and the scope, context, purposes and risks of the processing, and that Direct, more generally, offers adequate guarantees in terms of data protection.
6.3. Personal Data Breaches
Direct will inform the Client without delay as soon as it has become aware of a Personal Data Breach.
The notification of the breach to the Data Protection Authority and (possibly) the person(s) involved is always the responsibility of the Client.
6.4. Processing by others, under the responsibility of Direct
The Client hereby gives its general permission for Direct to communicate the personal data to third parties, including Sub-processors. Direct will inform the Client of the existence of these Sub-processors.
If Direct wishes to appoint or replace a Sub-processor, Direct will inform the Client of this. The Client has the right to object to this appointment within 8 days after being so informed. In the event of an objection, this may in some cases mean that Direct must terminate the Agreement, which the Client accepts. Whether the Agreement should be terminated is at the sole discretion of Direct.
When Direct hires another processor to carry out specific processing activities on behalf of the Client, the same data protection obligations will be imposed on this other processor as those included in the Processor Agreement between the Client and Direct. In particular, it concerns the obligation to provide adequate guarantees with regard to the application of appropriate technical and organizational measures so that the processing complies with the provisions of the Processor Agreement and the GDPR.
If the other processor does not comply with its obligations regarding data protection, Direct remains fully liable to the Client for the fulfilment of the obligations of that other processor.
Direct declares and guarantees that the persons authorised to process personal data have committed themselves to observe, or undertake to observe, the confidentiality of the personal data.
Direct will assist the Client in complying with the Client’s obligations under the GDPR regarding security of processing, notification of a Personal Data Breach to the supervisory authority and to the data subject, the preparation of a data protection impact assessment (if applicable), and prior consultation.
Direct may charge a fee for such assistance.
6.6. Requests from data subjects
In the event that a data subject addresses a request to Direct for the exercise of one of his rights under the GDPR, Direct will forward the request to the Client, and the Client will further handle the request. The Client agrees that Direct may inform the data subject that Direct is not the controller and that Direct has forwarded the request to the Client, who will further contact the data subject.
6.7. End of the Data Processing Agreement
This Processor Agreement ends when the Agreement is terminated.
At that time, Direct will transfer the personal data provided to Direct by the Client back to the Client or, if the Client requests Direct to do so, destroy them. Direct will only keep a copy of the personal data if it is obliged to do so on the basis of the law or professional regulations.
The costs of collecting and transferring personal data at the end of the Agreement are for the account of the Client. This is also the case for the costs of the destruction of the personal data.
ARTICLE 7: LIABILITY AND GUARANTEES
7.1. The Client guarantees that the processing of personal data on the basis of the Processor Agreement is not unlawful and does not infringe the rights of the data subject(s).
Direct will in no way be liable for damage resulting from instructions from the Client.
7.2. The Client guarantees that the content, use and order for the processing of the personal data is not unlawful and does not infringe any right of third parties, and that all additional guarantees that apply to the processing of the Special Categories of Personal Data have been met. The Client indemnifies Direct against all claims and claims related thereto.
7.3. Any liability of Direct for any other form of damage is excluded, including additional compensation in any form whatsoever, as well as compensation for indirect or consequential damage, damage due to loss of turnover or profit, fines imposed on the controller (for example, but not exclusively, by the Data Protection Authority), damage due to delay, damage due to loss of data, damage due to exceeded deadlines as a result of changed circumstances, theft, loss of or damage to data and goods, and damage due to information or advice provided by Direct, the content of which is not explicitly part of Direct’s obligations.
The amount of any compensation owed by Direct in the event of liability is capped at the amount paid out by Direct’s liability insurer in the case in question, or up to a maximum amount of 2,500 euros.
7.4. In principle, Direct processes personal data only within the European Economic Area (EEA).
Nevertheless, the Client hereby gives its general permission for Direct to communicate personal data to third parties located outside the EEA, provided that the rules for such transfers (Articles 44-50 GDPR) are met. Direct may also transfer personal data to a country outside the EEA if such a transfer is necessary to comply with a binding European or Belgian legal rule. In such a case, Direct will notify the Client in advance and in writing of the legal rule that obliges Direct to pass on the personal data, unless the relevant legal rule prohibits such notification.