RGPD agreement between:
QUALIPSO whose registered office is established Rue André Dumont n°9 Box 1 1435 Mont Saint-Guibert represented by Mister De Dorlodot Benoît
Here in after referred to as " the partner " and " the customer "
The partner acts as a service provider for the customer. As part of this assignment, the partner has access to the customer's personal data, which always bears the final responsibility as controller. By the present contract of subcontracting, the parties aim at regulating the terms and conventions relating to this treatment.
Article 1 st - Definitions and Concepts
In the context of this contract, the following concepts have the following meaning:
· GDPR: General Data Protection Regulation (EU Regulation 2016/679);
· Data breach: breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or access unauthorized to such data;
· Personal data: any information relating to an identified or identifiable natural person (hereinafter referred to as the " data subject ") that the partner deals within the context of this contract. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more specific elements, specific to its physical, physiological, genetic, psychic, economic, cultural or social identity ;
· Processing : any transaction or set of transactions performed or not using automated processes and applied to personal data, such as collection, registration, organization, retention, adaptation or modification , extraction, consultation, use, communication
· by transmission, dissemination or any other form of provision, reconciliation or interconnection, and the locking, erasure or destruction ;
· Person responsible for the processing: natural or legal person, public authority, service or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. As part of this contract, the customer is considered to be responsible for the processing;
· Partner: natural or legal person, public authority, service or any other body that processes personal data on behalf of the controller;
· Person concerned: identified or identifiable natural person to whom the personal data relate;
· RGPD Agreement: this subcontract, including the annexes.
Article 2 - Conclusion, Duration and Termination of the Subcontract
After the end of this agreement, the obligations of notification of data leaks and confidentiality will be maintained, insofar as they concern personal data processed by the partner on behalf of the customer.
Article 3 - Processing of personal data
3.1. As part of the engagement between the parties and in the context of the GDPR, the customer acts as the controller and themis-security acts as a partner.
3.2. As controllerwithin the meaning of Paragraph 4 (7) of the RGPD, the customer retains full control over his personal data and determines the purpose, nature, purpose, means and duration of the processing. personal data by the partner under this contract. 3.3. The partner, within the meaning of Paragraph 4 (8) of the RGPD, processes the personal data entrusted to him by and on the instructions of the client as part of the services the client receives in accordance with the collaboration agreement concluded between them.
3.4. When processing personal data, the partner and the customer act in accordance with the legal and regulatory provisions regarding the protection of personal data, including those of the RGPD. The fact that the customer also acts as a partner for a third party responsible for the processing, does not detract from the control and responsibility of the customer about personal data under this contract.
3.5. The nature of the data processed, and the purposes of the processing are described in ANNEX 1of this contract. The customer shall also ensure that only personal data strictly necessary for the purposes described in Annex 1 are provided and that they are processed in a secure manner.
Article 4 - Partner Efforts
4 .1. The Partner will reasonably endeavor to treat with the utmost care and loyalty the personal data entrusted to it by the Customer and will do so in accordance with the Client's instructions as described in this Agreement.
4 .2. The partner also agrees to treat the personal data confidentially.
4 .3. Unless otherwise provided for in this contract and unless otherwise required by law in the performance of its duties, the partner will not process personal data for its own purposes or those of third parties, will not provide them for third parties and will not send them to a country outside the EEA without having received written instructions from the client to that effect. If a legal or regulatory provision applying to the partner or a compulsory decision by the public authorities or a judicial authority forces the partner to such treatment, the customer will be notified in advance, unless this provision prohibits such a notification for reasons of general interest.
Article 5 - Customer guarantees
5 .1. The customer guarantees that his instructions to the partner comply with the data protection laws and regulations, which he applies fully and correctly, as well as with the instructions that have been provided by the controller to the customer if the latter does not act himself as controller.
5 .2. The customer further guarantees that all personal data entrusted to the partner have been lawfully obtained and may be treated lawfully throughout the duration of the contract. The customer fully preserves the partner against any claim, action or claim from the data subjects, third parties, authorities and controller if the customer acts as a partner, as well as against any damage that may result to the customer. partner, including (administrative) fines, both in principal, interest and costs.
5 .3. If the partner finds that the client's instructions violate the data protection legislation and regulations, he or she would be obliged to inform the client without delay, the partner then being entitled to decide not to not perform and / or suspend treatment.
Article 6 - Use of third parties
6 .1. The partner is not authorized to use third parties for the processing of the personal data of the customer without the prior written consent of the latter. If the customer gives his consent, the partner will ensure that the third parties concerned provide a level of data protection equivalent to that imposed on the partner by this contract.
6 .2. The partner will also not use third parties outside the EEA for the processing of personal data, except with the prior written consent of the customer. Without prejudice to the preceding paragraph, the partner guarantees that the third parties concerned will ensure an appropriate level of protection and security of personal data within the meaning of the GDPR and will provide the necessary information to the client upon written request by the latter.
6 .3. Consent as referred to in the preceding paragraphs will not be refused by the client without reasonable cause. In case of refusal, the partner reserves the right, if necessary, to suspend the present contract, to terminate it and / or to propose modifications to its terms without being liable to any compensation to the customer.
6 .4. The partner shall inform the client, in accordance with Article 8 and as far as this information is available, of any leakage of data found in a third party to which the partner has appealed, without undue delay and as soon as the partner has knowledge.
Article 7 - Security and the obligation of confidentiality
7 .1. The partner is bound to the confidentiality of the personal data received from the client, unless and to the extent that a legal requirement obliges him to publish them or if this publication takes place on the order of the customer.
7 .2. The partner takes, with due care, the appropriate technical and organizational measures to protect the personal data provided by the customer against any loss or other form of illicit access or processing. These measures will ensure a suitable level of protection taking into account the state of the art and the costs related to their implementation, as well as the risks inherent in the processing of personal data and their nature.
7 .3. The partner will also ensure that its staff involved in the processing of personal data is aware of the obligations it has assumed under this contract and is required to comply with them. This provision will be concretized by a declaration of confidentiality annexed to the employment contract and / or work rules, internal policies and regular information of the staff.
7 .4. If the customer can conclusively demonstrate a partner's failure to take such appropriate technical and organizational measures, then the failure to take such measures within a reasonable period of time set by the customer, the latter is authorized to terminate contract of collaboration and / or to terminate the subcontracting assignment, without prejudice to its other rights under the law and / or this contract.
7 .5. The partner agrees, as far as possible and for reasonable compensation, to assist the client in fulfilling his obligations related to data protection impact assessments and data leakage treatment.
Article 8 - Treatment of data leaks
8 .1. The partner will notify the client in a detailed manner of any data leak that has occurred at home and is attributable to it, and this, at the latest within 72 hours of becoming aware.
The Partner will provide the Customer, on their own initiative, with all available information about the data leak, including the nature and scope of the personal data, an estimate of the number of data subjects and the security measures planned.
8 .2. The customer or controller in whose name the customer acts may, under certain circumstances, be required to notify the data leak to the Belgian supervisory authority or the data subjects. The partner will proceed in no case itself to the notification of a data breach to the supervisory authority or persons concerned.
8 .3. The partner will provide the client with all reasonable and required collaboration that may enable them to have an idea of the severity and (potential) consequences of the observed data leak. In particular, the partner will provide the client with all information (provided it is available) submitted by the client as necessary for the assessment of the situation or to be communicated to the supervisory authority or to the persons concerned, unless the law does not allow it.
Article 9 - Retention period and deletion of personal data
9 .1. After the expiry of the legal retention periods or, failing that, the time required to perform the assignment, the partner will scrupulously destroy the personal data that he has processed in the framework of the collaboration agreement, provided that no obligation legal obligation on the partner to keep certain personal data for a specified period.
9 .2. Upon explicit and written request from the customer, the personal data can be returned to the customer at the expiration of the retention period. The partner may derogate from the deletion of the data provided that it is essential to prove compliance with its obligations towards the customer, or in case of a legal obligation or a compulsory decision of the public authorities or a judicial authority. The return and / or destruction of personal data, as defined in this article, may give rise to reasonable compensation for the client's dependent partner, the terms to be agreed.
Article 1 0 - Rights of data subjects
To the extent required by the client's obligation to respond to requests from the persons concerned for the purpose of exercising their rights, as stipulated in Chapter III of the GDPR, and where the client does not dispose of it himself of this possibility, the partner will proceed, at the customer's written request and with all the care required, to the following operations :
1. Providing in writing all the information required, as far as it is available; and 2. Correction, updating, deletion, transfer or limitation of personal data, in accordance with the instructions of the customer, and as far as reasonably possible and within a reasonable time.
Article 1 1 - Liability
1 1 .1. In case of proof of a breach attributable to the partner regarding the respect of the present contract, the partner will be exclusively responsible for the direct, proven and certain damages, suffered by the customer, provided that the customer has put, in advance and in writing, the partner to meet its obligations and has given it a reasonable period of time to do so.
1 1 .2. The liability of the partner under this contract includes only compensation for direct damages, the damages that are the direct and immediate consequence of any fault attributable to the partner in the performance of this contract.
Article 1 2 - Miscellaneous provisions
1 2 .1. The customer always has the right, subject to the respect of the obligation of confidentiality envisaged in the contract of collaboration, to control itself the respect by the partner of this contract by asking the partner for information proving that this one respects the obligations provided by this contract.
1 2 .2. This control cannot in any way compromise the continuity of the services of the partner.
1 2 .3. Changes to this contract are only valid if agreed in writing between the parties. This provision does not apply to (i) any changes and / or updates made by the Partner regarding the measures and procedures described in Annex 2 in order to continue to fulfill its obligations under this contract and (ii) any necessary changes to meet the legal obligations of the partner or the binding decisions of the public authorities or a judicial authority.
1 2 .4. This contract is governed exclusively by Belgian law. The following courts are the only ones competent in case of litigation:
NIVELLES Court
Annex 1: Nature of the personal data processed and the purpose of the processing
Description of the personal data processed by the partner under the contract and related purposes TYPE OF PERSONAL DATA PURPOSE OF THE TREATMENT
Personal identification data
Surname, first name, address, telephone
Electronic identification data :
Hosting of data customers related to our applications Hosting of data customers related to our applications
|
Picture: Photo |
Hosting of data customers related to our applications |
Appendix 2: Overview of Security Measures
This annex provides an overview of the security measures that the partner must at least take.
The partner tries to take all appropriate and reasonable technical and organizational measures to ensure that the personal data entrusted to it not being the subject of a loss or unlawful processing and are especially not accessible to unauthorized persons.
Checklist of technical security measures:
o Use of an updated antivirus;
o Installing a firewall;
o Use of a strict password policy (ie unique login codes and personal passwords);
o Systematic secure backups to protect against data loss;
o Protection of physical access to personal data for those who should not have access to it because of their tasks; o Logging of activities relating to the processing of personal data;
o No use of unsecured hard drives;
Checklist of organizational measures:
o General information policy for staff on the protection of privacy;
o Establishment of an internal policy and guidelines concerning the confidential management of personal data; o Establishment of internal procedures in case of incidents (data leakage ...);
o Application of personal registration and identification systems for access to buildings to ensure that unauthorized persons do not have access to the premises of the enterprise;
o Application of a general code of conduct concerning the conscientious use of computer equipment (laptops, smartphones, USB keys, etc.) and other means of production;
o Use of a clean desk policy to protect confidential data from the eyes of unauthorized persons;
