Premium Plus Data Processing Agreement
This processing agreement applies to all forms of processing of personal data executed by Premium Plus BVBA, with registered office at Tweehagen 51, 9170 Sint-Gillis-Waas, with enterprise number 0844.776.562, (hereinafter referred to as the Processor) on behalf of another party to whom it provides its services (hereinafter referred to as the Controller).
Article 1. Definitions
- Personal Data: all information about an identified or identifiable natural person who is a resident of the EU, which is processed by the Processor in the context of the Agreement on behalf of the Controller.
- Data Subject: the person to whom Personal Data relates.
- Personal Data breach: an infringement that inadvertently or unlawfully leads to the destruction, loss, modification or unauthorized provision of or unauthorized access to transmitted, stored or otherwise processed data.
- Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (general data protection regulation).
- General Terms and Conditions: the General Terms and Conditions of the Processor.
- Agreement: the agreement or agreements between the Processor and the Controller, including the applicable General Terms and Conditions of the Processor.
- Processing Agreement: this agreement including considerations and associated annexes.
- Processing: an operation or a whole of operations in the context of the Agreement with regard to Personal Data, or a set of Personal Data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, requesting, consulting, using, providing by means of forwarding, dissemination or otherwise making available, aligning or combining, blocking, erasing or destroying.
Article 2. Subject of this Processing Agreement
- This Processing Agreement governs the Processing of Personal Data by the Processor within the context of the Agreement.
- The Processor guarantees the application of appropriate technical and organizational measures, so that the Processing complies with the requirements of the Regulation and the protection of the Data Subject’s rights is guaranteed.
- The Processor guarantees to comply with the requirements of the applicable laws and regulations regarding the Processing of Personal Data.
- The relevant data processed by the Processor at the request of the Controller are to be drawn from the Agreement or the quotation or the General Terms and Conditions or the manual(s) associated with the purchased service(s).
Article 3. Purposes of processing
- The Processor undertakes to process Personal Data under the terms of this Processing Agreement on behalf of the Controller. Processing will only take place within the context of the automated processing of ordering, financial, management and logistical processes, plus those purposes that are reasonably related or that are determined with further consent.
- The Processor will not process the Personal Data for any other purpose than as established by the Controller. The Controller shall inform the Processor of the processing purposes to the extent that these are not already clear from this Processing Agreement and/or the documents as referred to in Article 2.4.
- The Personal Data processed by the Processor in the context of the activities as referred to in the previous paragraph, and the categories of data subjects from whom they originate, are listed in the appendix.
- The Personal Data processed by order of the Controller remain the property of the Controller and/or the relevant parties involved.
Article 4. Obligations and processing power of the Processor
- The obligations of the Processor arising from this Processing Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
- If, in the opinion of the Processor, an instruction of the Controller conflicts with a statutory data protection regulation, he will inform the Controller thereof prior to the Processing, unless a statutory provision forbids such notification.
- The Processor will, insofar as this is within his power, provide assistance to the Controller for the performance of data protection impact assessments (DPIAs) whereby any costs and hours will be charged to the Controller at the currently applicable hourly rate.
- In case the Processor is obliged to provide Personal Data on the basis of a statutory provision, he will immediately inform the Controller and, if possible, prior to the provision of said data.
- The Processor has no control over the purpose and means for the Processing of Personal Data.
- The Processor processes the Personal Data exclusively by order of and on the basis of the concluded agreement(s) with the Controller, subject to deviating statutory regulations that apply to the Processor.
- The Processor may only process the Personal Data in all member states within the European Union.
- The Controller must himself ensure the privacy rights of the Data Subject concerning the Personal Data used, ensure that he has drawn up a comprehensive privacy statement and communicated it, and further comply with all the statutory obligations.
Article 5. Distribution of responsibility
- The Processor is solely responsible for the processing of the Personal Data under this Processing Agreement, in accordance with the concluded Agreement(s) with the Controller and under the express (final) responsibility of the Controller.
- For the other Processing of Personal Data, including in any case, but not limited to, the collection of the personal data by the Controller, processing for purposes not reported by the Controller to the Processor, processing by third parties and/or for other purposes, the Processor will expressly not be responsible.
- The Controller guarantees that the content, the use and the instructions for the processing of the Personal Data as referred to in this Processing Agreement are not unlawful and do not infringe any third party right.
Article 6. Sub-processor
When the Controller engages another processor to perform processing activities on behalf of the Processor, the same data protection obligations are imposed on this other processor in an agreement as those included in this Processing Agreement. The Controller does not have to request separate permission or to inform the Processor about this. The Processor guarantees correct compliance with the obligations arising from this Processing Agreement by these third parties and, in the event of errors by these third parties, is itself liable for all damages as if they had committed the fault(s) themselves.
Article 7. Security
- The Processor will make every effort to take sufficient technical and organizational measures with regard to the safe processing of the Personal Data, as well as against loss or against any form of unlawful processing (such as unauthorized access, violation, alteration or provision of the Personal Data).
- The Processor does not guarantee that the security is effective under all circumstances. If an explicitly defined security measure is missing in the Processing Agreement, the Processor will endeavour to have the security comply with a level that, in view of the state of the art, the sensitivity of the Personal Data and the costs associated with installing the security measure, is not unreasonable.
- The Controller will only make Personal Data available to the Processor for processing if it has ensured that the required security measures have been taken. The Controller is responsible for compliance with the measures agreed by the Parties.
Article 8. Reporting obligation
- The Controller is at all times responsible for reporting a security breach of Personal Data that might lead to adverse consequences, or has adverse consequences for the protection of Personal Data to the regulatory body and/or parties involved. In order to enable the Controller to comply with this statutory obligation, the Processor will inform the Controller of the security breach within a reasonable period of time after learning about it.
- A report must only be made for events with a major impact, and only if the breach has actually occurred.
- The reporting obligation in any case includes reporting the fact that there has been a breach. In addition, the reporting obligation will include:
  - the nature of the breach in connection with Personal Data, if possible with reference to the categories of Data Subjects and Personal Data in question and, approximately, the number of Data Subjects and Personal Data registers in question;
  - the name and contact details of the data protection officer or another contact from whom more information can be obtained;
  - the likely impact of the personal data breach;
  - the measures proposed or taken by the Processor to address the breach in relation to Personal Data, including, where appropriate, the measures to limit any adverse effects thereof.
- The Parties each bear the costs to be incurred by them in connection with reporting to the competent regulatory body and the Data Subject concerned.
Article 9. Handling requests from Data Subjects
- In the event that a Data Subject submits a request for the execution of his/her legal rights to the Processor, the Processor will handle the request of the Data Subject himself, and inform the Controller of said processing.
- The Processor will invoice the costs for processing of all such requests to the Controller at the current hourly rate.
Article 10. Secrecy and confidentiality
- All Personal Data that the Processor receives from the Controller and/or collects itself in the context of this Processing Agreement is subject to a confidentiality obligation towards third parties. The Processor will not use this information for any purpose other than that for which it has obtained it, even if it has been put in such a form that it cannot be traced back to the Data Subjects involved.
- This confidentiality obligation does not apply insofar as the Controller has given explicit permission to provide the information to third parties, if the provision of the information to third parties is logically necessary in view of the nature of the assignment and the implementation of this Processing Agreement, or if there is a legal obligation to provide the information to a third party.
- At the request of the Processor, the Controller demonstrates that its personnel have committed themselves to observe confidentiality or have a confidentiality obligation.
Article 11. Audit
- In case of a concrete suspicion of misuse of Personal Data, the Controller reserves the right to have audits carried out by an independent third party who is bound to confidentiality in order to check compliance with the general regulations regarding the processing of Personal Data.
- The Processor will cooperate in the audit and make all information reasonably relevant to the audit, including supporting data such as system logs, available within a reasonable period of time.
- Any recommendations resulting from the audit carried out will be assessed by the Parties in mutual consultation and will be implemented, in consultation, by one of the Parties or jointly by both Parties.
- The costs of the audit are borne by the Controller. These costs also include all costs for deploying Processor personnel to cooperate in this audit at the currently applicable hourly rate.
Article 12. Liability
The Processor’s liability is governed by Article 15 in the General Terms and Conditions as applied by the Processor and as accepted by the Controller.
Article 13. Duration and termination
- This Processing Agreement is established through the digital or written agreement with the offer by the Controller or at the start of service provision.
- This Processing Agreement is entered into for the duration as stipulated in the Agreement between the Parties. In the absence of a clear end date, it applies in any case for the duration of the use of the services provided by the Processor.
- As soon as the Processing Agreement, for whatever reason and in any way whatsoever, has been terminated, the Processor will delete all Personal Data and any copies thereof it has, unless the Processor is legally obliged to save this data.
- The Processor is entitled to revise this Processing Agreement from time to time with due observance of the term for changes stated in our General Terms and Conditions.
Article 14. Applicable law and dispute resolution
- Our General Terms and Conditions apply to this Processing Agreement.
- The Processing Agreement and its execution are governed by Belgian law.
- All disputes that may arise between the Parties related to the Processing Agreement will be submitted to the competent court for the district in which the Processor is established.
Appendix 1: Specification of Personal Data and Data Subjects
Personal Data
The Processor will possibly process the following (special) Personal Data on behalf of the Controller:
- Email address as an ID upon syncing
- Telephone numbers
- User ID
- Tickets that might contain Personal Data (for example in a comments field).
Categories of Data Subjects
The Processor will possibly process Personal Data from the following categories of Data Subjects on behalf of the Controller:
- Personnel of the Controller
- Prospects of the Controller
- Suppliers of the Controller
- Customers of the Controller
Categories of Receivers
The Processor will possibly forward Personal Data to the following categories of Receivers on behalf of the Controller:
- Administrative suppliers of the Controller
- Logistic suppliers of the Controller
- CRM suppliers of the Controller
- Support desk suppliers of the Controller
The Controller guarantees that the Personal Data and categories of Data Subjects described in this Appendix 1 are complete and correct, and indemnifies the Processor against any defects and claims that result from an incorrect representation by the Controller.
We only process data:
- while doing Data Migrations for the Controller,
- for integrations developed for the Controller, all data handling is transactional. We never store, retain or archive the data defined in Appendix on our servers or devices.