GDPR

Data processing agreement

This addendum forms part of the General Terms and Conditions between Volta BVBA and the client (hereinafter ‘Data Controller’) in relation to the processing of personal data. By agreeing to the General Terms and Conditions, of which this addendum forms a part, the client also agrees to the provisions below in relation to the processing of personal data by Volta BVBA.

Questions about this addendum can be sent to privacy@volta.be.

Volta BVBA and the Data Controller

Together, the Data Controller and Data Processor are referred to as the ‘Parties’.

Whereas:
 

  1. The Data Controller and the Data Processor have entered into an agreement pursuant to which the Data Processor has undertaken to provide, on behalf of the Data Controller, certain services involving the processing of data, including Personal Data as defined below (hereinafter, the ‘Main Contract’).
  2. The parties have decided to enter into the present, additional agreement in accordance with the applicable Privacy Laws (as defined below), which sets out their respective rights and obligations (the ‘Data Processing Agreement’).

 

Hereby agree:

  1. Definitions 
    The following terms shall have the meanings indicated below:
    - General Data Protection Regulation or GDPR: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which entered into force on 25 May 2018.
    - Data Subject or Person Concerned: the identifiable natural person whose Personal Data are processed.
    - Data Controller: any natural or legal person who determines the purposes and the means of the processing of personal data.
    - Data Processor: any natural or legal person who processes Personal Data on behalf of the Data Controller.
    - Sub-Processor: any third party engaged by the Data Processor to process personal data on behalf of the Data Processor, without being subject to the direct authority of the Data Processor.
    - Personal Data: any information relating to an identified or identifiable natural person; an identifiable person is considered to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characterising the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
    - Privacy Legislation: the entire Belgian and European legislation applicable to data including the Law of 8 December 1992 on the protection of privacy with respect to the processing of personal data and, as of 25 May 2018, the General Data Protection Regulation.
    - Processing: any operation or set of operations involving Personal Data or a set of Personal Data, whether or not carried out by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
    - Data Breach: a breach of security of Personal Data that accidentally or unlawfully results in the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, transmitted, stored or otherwise processed data.
    - Supervisory Authority: in Belgium this is the Commission for the Protection of Privacy, known since 25 May 2018 as the Data Protection Authority.
    - Collaborator(s): the persons authorised by the Parties for the performance of this Processing Agreement and working under their responsibility.
     
  2. Purpose of the Data Processing Agreement
    2.1 The purpose of this Data Processing Agreement is to set out the conditions under which the Data Processor may process Personal Data on behalf of the Data Controller.

    2.2 The parties agree that this Data Processing Agreement forms an integral part of the Main Contract between the Data Controller and the Data Processor.
     

  3. Permitted Processing
    3.1 The Data Processor undertakes to process Personal Data only on the basis of written instructions from the Data Controller, arising from the Main Agreement. The Main Agreement and the Data Processing Agreement jointly determine the subject matter and duration of the Processing.

    3.2 The Data Processor and its Employees shall process the Personal Data on behalf of the Data Controller in the context of the services and purpose described below:
    The Data Processor shall process the Personal Data for the implementation of the website, email campaign or other communication means, as agreed between the Parties.

    3.3 For the entire duration of the agreement, the Data Processor may subject the Personal Data to the following Processing operations: collection, recording, organisation, structuring, storage, updating or modification, retrieval, consultation, use, alignment or combination, blocking, erasure or destruction of data.

    3.4 The Data Processor processes the following types of Personal Data: surname, first name, address details, email addresses, date of birth, age, gender....

    This Personal Data relates to the following categories of Data Subjects: users of the website(s), newsletter subscribers, prospects or customers of the Client.
     

  4. Rights and obligations of the Data Controller
    4.1 The Data Controller has the duty to provide the information in Articles 13 and 14 of the GDPR to the Data Subjects who are the subject of the Processing Operations under the current Data Processing Agreement.

    4.2 The Data Controller shall make the Personal Data, as set out in this Data Processing Agreement, available to the Data Processor. The Data Controller determines the purposes and means of the Processing. It guarantees that the Processing of the Personal Data, including the transfer of the Personal Data, is done in a lawful manner and in accordance with the relevant Privacy Legislation.

    4.3 The Processing by the Data Processor shall only take place on the basis of written instructions provided by the Data Controller. The Data Processor guarantees that the order to Process the Personal Data is done in accordance with the Privacy Legislation. If the Processing order changes, the Data Controller shall immediately inform the Data Processor.

    4.4 If the Data Controller's Employees themselves process Personal Data, the responsibility for compliance with the requirements of the Privacy Legislation on the Processing of Personal Data falls to the Data Controller and not the Data Processor.

    4.5 The Data Controller shall keep a register of the processing activities carried out under its responsibility in accordance with Article 30(1) of the GDPR.

    4.6 All information and material made available by the Data Controller to the Data Processor and containing Personal Data will always be considered as the property of the Data Controller.
     
  5. Rights and obligations of the Data Processor
    5.1 The Data Processor may only process Personal Data strictly necessary for the performance of the Main Contract and undertakes to process the Personal Data only for the purposes described in this Data Processing Agreement. The Data Processor shall not process the Personal Data for any purpose other than as specified by the Data Controller.

    5.2 The Data Processor undertakes to process the Personal Data only on the basis of the written instructions of the Data Controller and according to the provisions of the Data Processing Agreement. If the Data Processor considers an instruction to be in breach of Privacy Legislation, it shall immediately inform the Data Controller. This advisory authority on the part of the Data Processor is purely a best-efforts obligation and cannot be used against the Data Processor as a basis for liability. If the Data Processor is expected to transfer Personal Data to a third country or to an international organisation under the law of the European Union or the law of a Member State applicable to it, the Data Processor must notify the Data Controller prior to the Processing, unless the relevant law prohibits it from giving such notification on important public interest grounds.

    5.3 The Data Processor shall ensure the confidentiality of the Personal Data transmitted to it under the Data Processing Agreement. The Data Processor further guarantees that all its Employees have undertaken to observe confidentiality or are bound by an appropriate legal obligation of confidentiality.

    5.4 The Data Processor may not store, transfer or otherwise process the Personal Data at a location outside the European Economic Area or transfer it to countries outside the European Economic Area without the prior written consent of the Data Processor. In addition, the Data Processor must ensure that the third country or international organisation provides an adequate level of data protection. If this is not the case, appropriate guarantees must be given by contractual means or the explicit consent of Data Subjects must be obtained.

    5.5 The Data Processor shall process Personal Data transmitted by the Data Controller for as long as necessary for the performance of the Main Contract. Once the assignment has been performed, the Data Processor shall, within a reasonable period of time, unless expressly agreed otherwise, cease any use of the Personal Data other than what is necessary to enable the Data Controller to recover the data entrusted to the Data Processor.

    5.6 To the extent possible, the Data Processor shall assist the Data Controller in its duty to comply with Data Subjects' requests concerning the right of inspection, right of rectification, right of data erasure, right of restriction of Processing, right of data portability, or right of objection to automated individual decision-making (including profiling). In the event that a Data Subject makes such a request to the Data Processor, the Data Processor shall forward the request to the Data Controller, and the Data Controller shall further process the request, unless explicitly agreed otherwise.

    5.7 The Data Processor shall assist the Data Controller with any data protection impact assessment and prior consultation of the Supervisory Authority. In addition, the Data Processor shall provide its assistance to the Data Controller to respond to requests from the Supervisory Authority. For the execution of such requests, the Parties may agree on a fee arrangement for this purpose.

    5.8 If necessary for the performance of the assignment, the Data Processor may make copies and proceed with a back-up. The Personal Data on these copies and backups shall enjoy the same protection as the original Personal Data.

    5.9 The Data Processor shall keep a written register of all processing activities carried out on behalf of the Data Controller. This register shall contain all the information required by Article 30(2) of the GDPR.

    5.10 The Data Processor guarantees that its Employees will only have access to the Personal Data to the extent necessary to perform their duties in the context of the Processing Order. The Data Processor's Employees are also bound by confidentiality obligations. The Data Processor shall inform its Employees about the obligations of the Privacy Legislation and of this Data Processing Agreement.

    5.11 The Data Processor shall provide the Data Controller with the name and contact details of its Data Protection Officer (DPO), if it is required to designate one under Article 37 of the GDPR.
     

  6. Sub-Processors 
    6.1 With the prior, specific and written consent of the Data Controller, the Data Processor may outsource all or part of the assignment to a Sub-Processor. The Data Controller may refuse only if it has legitimate reasons. The Data Processor remains at all times the point of contact for the Data Controller.

    6.2 The Data Processor may only use the services of a Sub-Processor located outside the European Economic Area with the prior, specific and written approval of the Data Controller. In this case, the Data Processor must choose a Sub-Processor that provides adequate protection measures to protect the Personal Data. In the absence of such measures, appropriate guarantees must be given by contractual means or the express consent of Data Subjects must be obtained.

    6.3 The Data Processor must ensure that the Sub-Processor provides the same safeguards regarding the implementation of appropriate technical and organisational measures in accordance with Article 32 of the GDPR.

    6.4 All obligations contained in Article 5 of this Data Processing Agreement shall apply in full to the Sub-Processor. These obligations shall be stipulated in writing in an agreement between the Data Processor and the Sub-Processor. The Data Processor remains fully responsible to the Data Controller for the Sub-Processor's compliance with its obligations.

    6.5 The following Sub-Processors are used for the proper performance of the tasks as Data Processor:
    - Combell (web hosting)
    - Amazon (data storage and web hosting)
    - MailChimp (email campaigns and transactional emails)
    - Campaign Monitor (email campaigns and transactional emails)
    - Google (web analytics)
     

  7. Confidentiality
    7.1 The Data Processor is bound by a duty of confidentiality in respect of the Personal Data it receives from the Data Controller for the processing order and any information it receives in the context of this Data Processing Agreement. This duty of confidentiality applies in full to the Data Processor's Employees and to any Sub-Processors and their Employees.

    7.2 This confidentiality obligation arises during the negotiation of the Data Processing Agreement, continues to apply during the entire duration of the Data Processing Agreement and also after the termination of the Data Processing Agreement.

    7.3 This confidentiality obligation does not apply when the Data Processor is required by the Supervisory Authority, a statutory provision or a court order to disclose this Personal Data, when the information is in the public domain and when the data disclosure takes place at the behest of the Data Controller.
     

  8. Security Measures 
    8.1 The Data Controller and the Data Processor shall take the required and appropriate technical and organisational measures (hereinafter the ‘Security Measures’) to protect the Personal Data against destruction, whether accidental or unlawful, against loss, falsification, unauthorised dissemination or access, in particular where the processing involves the transmission of data over a network, or against any other form of unlawful Processing or use.

    8.2 Taking into account the state of the art and the costs of implementation, the Security Measures guarantee an adequate level of security given the risks involved in the processing and the nature of data to be protected. The Security Measures are also aimed at preventing unnecessary collection and further processing of personal data.

    8.3 The Data Processor shall inform the Data Controller about all Security Measures it takes to comply with the protection obligation. In determining the relevant measures, the state of the art and the cost of implementation shall be taken into account. If changes in technology require changes to the technology used, the Data Processor shall inform the Data Controller and estimate the necessary costs. If the Data Controller does not agree to implement these security measures deemed necessary by the Data Processor, the Data Processor cannot be held liable for a Data Breach attributable to the Data Controller's failure to act. In that case, the Data Controller cannot recover any administrative fines and/or costs towards the Data Subjects from the Data Processor.

    8.4 The Data Controller and the Data Processor shall make all reasonable efforts to ensure that the processing systems used meet the requirements of confidentiality, integrity and availability, always taking into account the state of the art and the reasonable costs of implementation. Likewise, both Parties shall verify that their systems are sufficiently resilient.
     

  9. Notification of a Data Breach
    9.1 If the Data Processor discovers a Data Breach, it shall notify the Data Controller without delay and at the latest within 24 hours after the discovery. This notification shall describe or communicate at least the following:

    - the nature of the personal data breach, where possible indicating the categories of Data Subjects and Personal Data concerned and, approximately, the number of Data Subjects and Personal Data concerned;

    - the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;

    - the likely consequences of the Data Breach in relation to Personal Data;

    - the measures proposed or taken by the Data Processor to address the Data Breach, including, where applicable, the measures to mitigate any adverse consequences thereof.

    9.2 At the request of the Data Controller, the Data Processor shall report the Data Breach, in the name and on behalf of the Data Controller, to the Supervisory Authority as soon as reasonably possible and, if possible, within 72 hours after the Data Breach was detected, unless it is unlikely that the Data Breach poses a risk to the rights and freedoms of Data Subjects.

    9.3 At the Data Controller's request, the Data Processor shall report the Data Breach to the Supervisory Authority in the name and on behalf of the Data Controller as soon as reasonably practicable, if the Data Breach is indeed likely to pose a risk to the rights and freedoms of Data Subjects.

    9.4 It is up to the Data Controller to assess whether or not to inform the Supervisory Authority and/or Data Subjects.
     

  10. Intellectual property rights
    10.1 All intellectual property rights to the Personal Data and to the databases containing such Personal Data shall belong to the Data Controller. These intellectual property rights include copyright and sui generis database rights.

    10.2 The Data Processor shall only receive a limited right of use to the extent necessary to perform the agreed Processing under this Data Processing Agreement. The Data Processor is not permitted to modify, copy or communicate the protected elements to the public, except with the express consent of the Data Controller.
     

  11. Duration and end of the agreement
    11.1 This Data Processing Agreement shall run for as long as the Main Agreement is in force and shall be terminated at the same time as the Main Agreement. The Data Processing Agreement cannot be terminated separately from the Main Agreement unless the Parties agree that termination is necessary to comply with Privacy Legislation or Supervisory Authority decisions.

    11.2 At the end of the Data Processing Agreement, the Data Processor shall deliver to the Data Controller all Personal Data that has been processed. In addition, it shall provide all information and documentation necessary for the subsequent Processing of the Personal Data. After all Personal Data have been transmitted to the Data Controller, the Data Processor shall immediately terminate the Processing and destroy any copy or backup in its possession. Any costs associated with the return of the Personal Data and the destruction of the shall be borne by the Data Controller.
     

  12. General provisions, applicable law and dispute resolution
    12.1 This Agreement shall not be assigned by either Party to others without the prior written consent of the other Party. However, this does not apply to transfers to associated or acquired companies or legal successors of one of the Parties, which do not require consent.

    12.2 This Agreement constitutes the entire will of the Parties with respect to its subject matter and supersedes all previous or existing agreements between the Parties with respect to its subject matter. This Agreement may only be amended in writing, after joint signature by the Parties.

    12.3 The nullity or invalidity of any provision or part of a provision of this Agreement shall not affect the operation and validity of the remaining provisions. In such case, the Parties shall endeavour to replace or amend the relevant provision to the extent necessary to make it valid and enforceable. In that case, the Parties will negotiate in good faith and will strive for an adaptation that leaves the original purport of the provision intact as much as possible. If this proves impossible, only that provision will be considered non-existent.

    12.4 Titles or subtitles in this agreement are deemed to be purely illustrative.

    12.5 This Agreement shall be governed by Belgian law. In the event of any dispute regarding the performance of this Agreement, the Parties are expected to make every effort to find an amicable solution. The Parties will give priority to a reasonable interpretation of this Agreement. Failing an amicable solution, the dispute may be submitted to an arbitration and mediation centre (such as CEPANI) or a competent court. The exclusively competent court is the court of the judicial district of Antwerp, being the district in which the registered office of Processor is located.