GDPR
Processor agreement
This addendum forms part of the General Terms and Conditions between Volta BVBA and the customer (hereinafter ‘Controller’) in relation to the processing of personal data. By agreeing to the General Terms and Conditions, of which this addendum forms a part, Customer also agrees to the provisions below in relation to the processing of personal data by Volta BVBA.
Questions about this addendum can be sent to privacy@volta.be.
Between Volta BVBA and Processor
Together, Processing Controller and Processor are referred to as the ‘Parties’.
Whereas:
- Controller and Processor have entered into a contract pursuant to which Processor has undertaken to provide, for the account of Controller, certain services involving the processing of data, including Personal Data as defined below (hereinafter, the ‘Main Contract’)
- The parties have decided to enter into the present, additional agreement in accordance with the applicable Privacy Laws (as defined below), which sets out their respective rights and obligations (the ‘Processor Agreement’).
It was decided as follows:
Definitions
The following terms shall have the meanings indicated below:
- General Data Protection Regulation or AVG: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which enters into force on 25 May 2018.
- Data Subject or Affected Persons: the identifiable natural person whose Personal Data are processed.
- Controller: any natural or legal person who determines the purpose of and the means for Processing Personal Data.
- Processor: any natural or legal person who processes Personal Data on behalf of the Controller.
- Sub-processor: any third party engaged by Processor to process personal data for the benefit of Processor, without being subject to the direct authority of Processor.
- Personal Data: any information relating to an identified or identifiable natural person; an identifiable person is considered to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characterising the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
- Privacy legislation: the entire Belgian and European legislation applicable to data protection, including the Law of 8 December 1992 on the protection of privacy with respect to the processing of personal data and, as of 25 May 2018, the General Data Protection Regulation.
- Processing: any operation or set of operations involving Personal Data or a set of Personal Data, whether or not carried out by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
- Data Breach: a breach of security of Personal Data that accidentally or unlawfully results in the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, transmitted, stored or otherwise processed data.
- Supervisory Authority: in Belgium this is the Commission for the Protection of Privacy; from 25 May 2018 it will be reformed into the Data Protection Authority.
- Collaborator(s): the persons authorised by the Parties for the performance of this Processing Agreement and working under their responsibility.
Object of the Processor Agreement
2.1 The object of this Processor Agreement is to set out the conditions under which the Processor may process Personal Data on behalf of the Controller.
2.2 The parties agree that this Processor Agreement forms an integral part of the Main Contract between the Controller and the Processor.
Permitted Processing
3.1 The Processor undertakes to process Personal Data only on the basis of written instructions from the Controller, arising from the Main Agreement. The Main Agreement and the Processor Agreement jointly determine the subject matter and duration of the Processing.
3.2 The Processor and its Employees shall process the Personal Data on behalf of the Controller in the context of the services and purpose described below:
Processor shall process the Personal Data for the implementation of the website, email campaign or other communication means, as agreed between the Parties.
3.3 For the entire duration of the contract, Processor may subject the Personal Data to the following Processing operations: collection, recording, organisation, structuring, storage, updating or modification, retrieval, consultation, use, alignment or combination, blocking, erasure or destruction of data.
3.4 The Processor processes the following types of Personal Data: name, first name, address details, email addresses, date of birth, age, gender....
This Personal Data relates to the following categories of Data Subjects: users of the website(s), newsletter subscriber, prospect or customer of the Client.
Rights and obligations of Controller
4.1 Controller has the duty to provide the information in Articles 13 and 14 of the AVG to the Data Subjects who are the subject of the Processing Operations under the current Processor Agreement.
4.2 The Controller shall make the Personal Data, as set out in this Processor Agreement, available to the Processor. The Controller determines the purpose and means of the Processing. It guarantees that the Processing of the Personal Data, including the transfer of the Personal Data, is done in a lawful manner and in accordance with the relevant Privacy Laws.
4.3 The Processing by the Processor shall only take place on the basis of written instructions due to the Controller. Processor guarantees that the instruction to Process the Personal Data is done in accordance with the Privacy Law. If the order for Processing changes, the Controller shall immediately inform the Processor.
4.4 If the Processor's Employees themselves process Personal Data, the responsibility for compliance with the requirements of the Privacy Legislation of Processing Personal Data is the responsibility of the Processor and not the responsibility of the Processor.
4.5 The Controller shall keep a register of the processing activities carried out under its responsibility in accordance with Article 30(1) of the AVG.
4.6 All information and material made available by the Processor to the Processor and containing Personal Data will always be considered as the property of the Processor.
Rights and obligations of Processor
5.1 Processor may only process Personal Data strictly necessary for the performance of the Master Contract and undertakes to process the Personal Data only for the purposes described in this Processor Agreement. Processor shall not process the Personal Data for any purpose other than as specified by Processor.
5.2 Processor undertakes to process the Personal Data only on the basis of the written instructions of Processor and according to the provisions of the Processor Agreement. If Processor considers an instruction to be in breach of the Privacy Laws, it will inform the Processing Responsible Party without delay. This power of advice from the Processor is purely a best-efforts obligation and cannot be used against the Processor as a ground for liability. If the Processor is expected to transfer Personal Data to a third country or to an international organisation under the law of the European Union or the law of a Member State applicable to it, the Processor must notify this to the Controller prior to the Processing, unless the relevant law prohibits it from giving such notification on important public interest grounds.
5.3 Processor shall ensure the confidentiality of the Personal Data transmitted to it under the Processor Agreement. Processor further guarantees that all its Employees have undertaken to observe confidentiality or are bound by an appropriate legal obligation of confidentiality.
5.4 Processor may not store, transfer or otherwise process the Personal Data at a location outside the European Economic Area or transfer it to countries outside the European Economic Area without the prior written consent of Processor. In addition, Processor must ensure that the third country or international organisation provides an adequate level of data protection. If this is not the case, appropriate guarantees must be given by contractual means or the explicit consent of Data Subjects must be obtained.
5.5 Processor shall process Personal Data transmitted by Processor for as long as necessary for the performance of the Main Contract. Once the assignment has been performed, Processor shall, within a reasonable period of time, unless expressly agreed otherwise, cease any use of the Personal Data other than what is necessary to enable Processor to recover the data entrusted to Processor.
5.6 To the extent possible, Processor shall assist Processor in its duty to comply with Data Subjects' requests concerning the right of inspection, right of rectification, right of data erasure, right of restriction of Processing, right of data portability, or right of objection to automated individual decision-making (including profiling). In the event that a data subject makes such a request to Processor, Processor shall forward the request to Processor, and Processor shall further process the request, unless explicitly agreed otherwise.
5.7 Processor shall assist Processor for any data protection impact assessment and prior consultation of the Supervisory Authority. In addition, Processor shall assist Processor to respond to requests from the Supervisory Authority. For the execution of such requests, Parties may agree on a fee arrangement for this purpose.
5.8 If necessary for the performance of the assignment, Processor may make copies and proceed with a back-up. The Personal Data on these copies and backups shall enjoy the same protection as the original Personal Data.
5.9 Processor shall keep a written register of all processing activities carried out on behalf of the Controller. This register shall contain all the information required by Article 30(2) of the AVG.
5.10 Processor guarantees that its Employees will only have access to the Personal Data to the extent necessary to perform their duties in the context of the order for Processing. The Processor's Employees are also bound by confidentiality obligations. Processor shall inform its Employees about the obligations of the Privacy Legislation and of this Processor Agreement.
5.11 Processor shall provide Processor with the name and contact details of its Data Protection Officer (DPO), if it is required to designate one under Article 37 of the AVG.
Subprocessors
6.1 With the prior, specific and written consent of Processor, Processor may outsource all or part of the assignment to a Subprocessor. Processor may refuse only if it has legitimate reasons. The Processor remains at all times the point of contact for the Controller.
6.2 The Processor may only use the services of a Subprocessor located outside the European Economic Area with the prior, specific and written approval of the Controller. In this case, the Processor must choose a Subprocessor that provides adequate protection measures to protect the Personal Data. In the absence of such measures, appropriate guarantees must be given by contractual means or the express consent of Data Subjects must be obtained.
6.3 Processor must ensure that the Sub-processor provides the same safeguards regarding the implementation of appropriate technical and organisational measures in accordance with Article 32 of the AVG.
6.4 All obligations contained in Article 5 of the current Processor Agreement shall apply in full to the Subprocessor. These obligations shall be stipulated in writing in an agreement between the Processor and the Subprocessor. The Processor remains fully responsible to the Controller for the Subprocessor's compliance with its obligations.
6.5 The following Sub-processors are used for the proper performance of the tasks as Processor:
- Combell (web hosting)
- Amazon (data storage and web hosting)
- MailChimp (e-mail campaigns and transactional mails)
- Campaign Monitor (e-mail campaigns and transactional emails)
- Google (web analytics)
Confidentiality
7.1 Processor is bound by a duty of confidentiality in respect of the Personal Data it receives from Processor for the processing order and any information it receives in the context of this Processor Agreement. This duty of confidentiality applies in full to Processor's Employees and to any Sub-processors and their Employees.
7.2 This confidentiality obligation arises during the negotiation of the Processor Agreement, continues to apply during the entire duration of the Processor Agreement and also after the termination of the Processor Agreement.
7.3 This confidentiality obligation does not apply when Processor is required by the Supervisory Authority, a statutory provision or a court order to disclose this Personal Data, when the information is in the public domain and when the data disclosure takes place at the behest of Processor.
Security Measures
8.1 Controller and Processor shall take the required and appropriate technical and organisational measures (hereinafter the ‘Security Measures’) to protect the Personal Data against destruction, whether accidental or unlawful, against loss, falsification, unauthorised dissemination or access, in particular where the processing involves the transmission of data over a network, or against any other form of unlawful Processing or use.
8.2 Taking into account the state of the art and the costs of implementation, the Security Measures guarantee an adequate level of security given the risks involved in the processing and the nature of data to be protected. The Security Measures are also aimed at preventing unnecessary collection and further processing of personal data.
8.3 Processor shall inform Processor about all Security measures it takes to comply with the protection obligation. In determining the relevant measures, the state of the art and the cost of implementation shall be taken into account. If changes in technology require changes to the technology used, the Processor shall inform the Controller and estimate the necessary costs. If the Processor does not agree to implement these security measures deemed necessary by the Processor, the Processor cannot be held liable for a Data Breach attributable to a failure to act by the Processor. In that case, the Processor cannot recover possible administrative fines and/or costs towards the Data Subjects from the Processor.
8.4 Controller and Processor shall make all reasonable efforts to ensure that the processing systems used meet the requirements of confidentiality, integrity and availability, always taking into account the state of the art and the reasonable costs of implementation. Likewise, both Parties shall verify that their systems are sufficiently resilient.
Notification of a Data Breach
9.1 If Processor discovers a Data Breach, it shall notify Processor without delay and at the latest within 24 hours after the discovery. This notification shall describe or communicate at least the following:
- the nature of the personal data breach, where possible indicating the categories of Data Subjects and Personal Data concerned and, approximately, the number of Data Subjects and Personal Data concerned;
- the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
- the likely consequences of the Data Breach in relation to Personal Data;
- the measures proposed or taken by Processor to address the Data Breach, including, where applicable, the measures to mitigate any adverse consequences thereof.
9.2 At the request of Processor, Processor shall report the Data Breach, in the name and on behalf of Processor, to the Supervisory Authority as soon as reasonably possible and, if possible, within 72 hours after the Data Breach was detected, unless it is unlikely that the Data Breach poses a risk to the rights and freedoms of Data Subjects.
9.3 At Processor's request, Processor shall report the Data Breach to the Supervisory Authority in the name and on behalf of Processor as soon as reasonably practicable, if the Data Breach is indeed likely to pose a risk to the rights and freedoms of Data Subjects.
9.4 It is for the Controller to assess whether or not to inform the Supervisory Authority and/or Data Subjects.
Intellectual property rights
10.1 All intellectual property rights to the Personal Data and to the databases containing such Personal Data shall belong to Controller. These intellectual property rights include copyright and sui generis database rights.
10.2 Processor shall only receive a limited right of use to the extent necessary to perform the agreed Processing under this Processor Agreement. Processor is not allowed to modify, copy, or communicate the protected elements to the public, except with the express consent of the Controller.
Duration and end of the agreement
11.1 This Processor Agreement shall run for as long as the Master Agreement is in force and shall be terminated at the same time as the Master Agreement. The Processor Agreement cannot be terminated separately from the Main Agreement unless the Parties agree that termination is necessary to comply with Privacy Legislation or Supervisory Authority decisions.
11.2 At the end of the Processor Agreement, Processor shall deliver to Controller all Personal Data that has been processed. In addition, it shall provide all information and documentation necessary for the subsequent Processing of the Personal Data. After all Personal Data have been transmitted to Processor, Processor shall immediately terminate the Processing and destroy any copy or backup in its possession. Any costs associated with the return of the Personal Data and the destruction of the shall be borne by the Controller.
General provisions, applicable law and dispute resolution
12.1 This Agreement shall not be assigned by either Party to others without the prior written consent of the other Party. However, this does not apply to transfers to associated or acquired companies or legal successors of one of the Parties, which do not require consent.
12.2 This Agreement constitutes the entire will of the Parties with respect to its subject matter and supersedes all previous or existing agreements between the Parties with respect to its subject matter. This Agreement may only be amended in writing, after joint signature by the Parties.
12.3 The nullity or invalidity of any provision or part of a provision of this Agreement shall not affect the operation and validity of the remaining provisions. In such case, the Parties shall endeavour to replace or amend the relevant provision to the extent necessary to make it valid and enforceable. In that case, the Parties will negotiate in good faith and will strive for an adaptation that leaves the original purport of the provision intact as much as possible. If this proves impossible, only that provision will be considered non-existent.
12.4 Titles or subtitles in this agreement are deemed to be purely illustrative.
12.5 This Agreement shall be governed by Belgian law. In the event of any dispute regarding the performance of this Agreement, the Parties are expected to make every effort to find an amicable solution. The Parties will give priority to a reasonable interpretation of this Agreement. Failing an amicable solution, the dispute may be submitted to an arbitration and mediation centre (such as CEPANI) or a competent court. The exclusively competent court is the court of the judicial district of Antwerp, being the district in which the registered office of Processor is located.