Addendum: Data Processing Agreement
Parties seek to implement a Data Processing Agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation (GDPR). Therefore, Parties agree to enter into this DPA which governs the Parties’ rights and obligations with regard to the Processing of Personal Data.
- Services: websites, platforms and services provided by Clevercast and Rambla BVBA
- Personal Data, Special Categories of Data, Processing/Process, Data Processor, Data Controller and Data Subject shall have the same meaning as stated in the GDPR
- Applicable Law: European Union or Member State law applicable to the Processing of Personal Data, including, to the extent applicable, any other relevant regulations, guidelines, policies, instructions or recommendations of any governmental authority and any amendments, replacements, updates, or later versions thereof
- Data Breach: a breach of security that poses a risk to the rights and freedoms of Data Subjects with regard to their Personal Data or leads to serious, negative consequences for the protection of Personal Data;
- Data Processing Agreement (“DPA”): this Addendum including its recitals and any accompanying appendices;
- Data Protection Authority: the relevant statutory authority in each jurisdiction where Rambla BVBA processes Personal Data or where the Data Controller is established;
- Employees: the persons engaged by a Party for the implementation of this Data Processing Agreement, who will operate under the responsibility of the Party;
- Sub-processor: any legal person appointed by a Party or a Party’s affiliate which processes Personal Data on behalf of one or both Parties in connection with the Agreement and this Data Processing Agreement.
- Data Register: the data register that is maintained by the Data Controller.
Object of this agreement
- The Data Controller is any natural person, company, organization or any legal entity that wishes to use the Clevercast and Rambla BVBA websites, platforms and services (“Services“)
- The Data Processor is Rambla BVBA. Data Processor will only process the Personal Data, which is transferred by the Data Controller, to offer its Services to Data Controller.
- Data Controller and Data Processor shall perform the services in accordance with the provisions of the DPA and the Applicable Law.
- Data Processor undertakes to exclusively process the personal data of Data Subjects gathered by the Data Controller according to its purpose as set forth by the Data Controller. The rightful acquisition of personal data from data subjects is the exclusive responsibility of the Data Controller.
- The data processed by the Data Processor commissioned by the Data Controller is set forth in the Data Register, which is kept by the Data Processor. Data Controller is required to make sure the Data Register is up to date by sending an email to firstname.lastname@example.org, containing all categories of personal data that are transferred to the Services. For each category, the email must also contain the purposes for which data are processed. The email must also contain the name and contact details of the Data Controller (or their representatives) and (if present) the data protection officer. If the Data Controller fails to provide the Data Processor with the accurate information, he will bear all responsibility for the consequences.
Rights and obligations of Parties
Parties explicitly agree to protect the privacy of the Data Subjects and to comply with the relevant provisions of the Applicable Law and the obligations as laid down in this DPA. Each Party shall promptly notify the other Party in the event that it is unable to comply with any of its obligations under this DPA.
Parties guarantee that the Personal Data shall only be provided to those Employees who need access to the data for the performance of their duties and only on a need to know basis, to the extent necessary to fulfil their job requirements. If the Employees are involved in any Processing of the Personal Data, Parties will correctly inform their Employees. Parties will be responsible for the compliance of their Employees with the Applicable Law and this DPA, specifically regarding the security and confidentiality obligation.
Rights and obligations of the Data Controller
- Data Controller determines the purposes and means for the Processing of the Personal Data and instructs the Data Processor to Process the transferred Personal Data only on the Data Controller’s behalf and in accordance with the Applicable Law.
- Data Controller warrants that the Processing of Personal Data is not illegal, will not be used for any illegal activities and does not violate the rights of Data Subjects. The Data Controller is responsible for the collected data, even if the Data Processor helped with the processing of Personal Data.
- Data Controller warrants that it has implemented technical and organizational security measures before Processing the transferred Personal Data.
- Data Controller shall inform, if the transfer involves special categories of Personal Data, the Data Subjects about the Processing of their Personal Data to the extent that sufficient transparency is offered. Data Controller also ensures that parental notice and consent will be obtained before Processing of the Personal Data.
- Data Controller warrants that if the Data Subject invokes any rights according to the Applicable Law and/or claims compensation for damages under this DPA, the Data Processor cannot be held responsible, except for breaches solely caused by Data Controller in which case penalties are limited to the amount set forth in the main services contract.
- Data Controller is required to make sure the Data Register is always up to date by sending an email to email@example.com, containing all current categories of personal data that are transferred to the Services. For each category, the email must also contain the purposes for which data are processed. The email must also contain the name and contact details of the Data Controller (or their representatives) and (if present) the data protection officer. Data Controller will send a new email immediately when there is a change in data categories or purposes of processing, or when the contact details of Data Processor change. If the Data Controller fails to provide the Data Processor with the accurate information, he will bear all responsibility for the consequences.
Rights and obligations of the Data Processor
- Data Processor processes the Personal Data exclusively on behalf of the Processing Controller, based on its written instructions and this agreement.
- Data Processor will not rent, sell, or share received Personal Data with third parties.
- Data Processor warrants that it has implemented technical and organizational security measures before Processing the transferred Personal Data. The Data Processor undertakes to implement all necessary security measures to guarantee the safe processing of personal data.
- Data Processor undertakes to protect the Personal Data against destruction, loss, alteration, unauthorized disclosure or unauthorized access, either accidentally or unlawfully.
- Data Processor guarantees that the persons in his service who are authorized to process the Personal Data are committed to observe the confidentiality of the Personal Data.
- Data Processor guarantees that, taking into account the nature of the processing, by means of appropriate technical and organizational measures, he will, as far as possible, provide assistance to the Data Controller in fulfilling its duty to request the exercise of the conditions set out in Chapter III of the General Data Protection Regulation to determine the rights of the person concerned. Data Processor warrants to deal promptly with all inquiries from the Data Controller relating to its Processing of the Personal Data and to abide by the advice of the supervisory authorities with regard to the Processing of the Personal Data.
- Data Processor will promptly notify the Data Controller about any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, any accidental or unauthorized access, and any request received directly from the Data Subjects.
- Data Processor will process the Personal Data on behalf of Data Controller as long as necessary for providing the Services and subsequently this DPA. After this period, the Personal Data will be destroyed.
- Data Processor will assist the Data Controller in complying with requests and demands of Data Subject in the execution of their rights under the GDPR.
- Data Processor shall not subcontract any of its Processing operations performed on behalf of the Data Controller without the prior written consent of the Data Controller. When Processing operations are subcontracted to a Sub-processor, the Data Processor shall remain the contact point at all times.
- Data Processor undertakes to not share any personal data outside of the European Economic Area (EEA).
Security measures and obligations in case of data breach
Parties shall take the appropriate and necessary technical and organizational security measures compliant with the Applicable Law to safeguard Personal Data against destruction, whether accidental or unlawful, loss, forgery, disclosure, unauthorized distribution, transfer or access.
Data Controller will take all protection measures deemed necessary in conformity with the required standards as laid down in the Applicable Law. The determination of the relevant measures takes into account the state of the art, the cost of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Parties agree that this is an obligation of means.
Parties shall maintain adequate procedures designed to detect and respond to a Data Breach, including procedures for preventive and corrective actions.
If the Data Processor determines that a Data Breach has occurred, it will report this to the Data Controller without undue delay. The notification shall include all necessary information as follows from the Applicable Law, such as the nature and the scope of the Data Breach, its consequences and the proposed and/or taken measures to remedy and/or limit the consequences.
When a Data Breach has occurred, the Data Controller is responsible for taking action. This includes taking all adequate measures to remedy and limit the consequences without any delay as well as the necessary measures to avoid reoccurrence, all at its own costs. Data Controller is responsible for notifying the supervisory authority of the personal Data Breach without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Parties acknowledge that they may become privy to confidential information which is disclosed by the other Party.
Parties shall not disclose confidential information to any third party and shall not use confidential information for any purposes other than for the purposes of this DPA. Parties shall safeguard the confidential information to the same extent that they safeguard their own confidential information and in any event with no less than a reasonable degree of protection.
This confidentiality obligation also explicitly applies to the Parties’ employees and Sub-processors.
This obligation of confidentiality will continue to apply after termination of this DPA.
Parties agree that if one Party is held liable for a violation of the clauses of this DPA committed by the other Party, the latter will, to the extent to which it is liable, indemnify the first Party for any cost, charge, damages, expenses or loss it has incurred. Indemnification is contingent upon the Data Controller promptly notifying the Data Processor of a claim; and the Data Processor being given the possibility to cooperate with the Data Controller in the defence and settlement of the claim.
Terms and termination
This DPA enters into force on the date that the Data Processor first provides its Services to Data Controller. In order to fully implement and/or develop the necessary security measures, standards and requirements, a two-month implementation period shall be taken into account upon signing this DPA.
This DPA shall remain in force and effect until the agreement between Parties is terminated or expired, unless earlier termination is required to comply with the requirements of the Applicable Law or a decision of a supervisory authority or court order. After termination of the Agreement and this DPA, the Data Processor will immediately cease and desist all Processing of Personal Data with regard to its Services.
In the event that one or more provisions of this DPA turn out not to be legally valid or not enforceable, the specific provision(s) will be modified to the minimum extent necessary to make the provision(s) valid, legal and enforceable. Parties will negotiate in good faith to amend the provision so that it, to the greatest extent possible, achieves the intended commercial result of the original provision. If such modification is not possible, the relevant (part of the) provision shall be deemed deleted. Any modification or (partial) deletion of a provision shall not affect the validity and enforceability of this DPA.
Parties acknowledge that this DPA is governed by Belgian law. Any disputes arising within the scope of this DPA may only be brought before the competent courts of the judicial district of Antwerp.