Annex 3 : Data Processing Agreement
Changers BVBA, represented by mr. Dries Wijnen, manager, with registered office at 2310 Rijkevorsel, Molenstraat 92 with company number 0694.987.875 RPR Antwerpen, hereinafter: “Processor”
__________________, with registered office at____________, ________________, with company number ____________________, represented by ______________________. hereinafter; “Controller”
Jointly referred to as the “Parties” and individually as the “Party”;
A. Controller and Processor have entered into an agreement for a SaaS solution offered by Processor to Controller resulting in Processor processing Personal Data on behalf of Controller as defined in the General Data Protection Regulation (EU Regulation 2016/679)
B. Controller and Processor wish to lay down in this Agreement the reciprocal rights and obligations for the Processing of Personal Data by Processor in accordance with, inter alia, the General Data Protection Regulation (the ‘GDPR’);
1.1 The words or phrases used in this Processing Agreement shall have the following meaning:
a) Data Subject: the natural person to whom Personal Data relates;
b) Underlying Agreement: the Software as a Service Agreement entered into between Parties under which Controller has instructed Processor to carry out the processing of personal data;
c) Agreement: the Data Processing Agreement;
d) Personal data: any data relating to an identified or identifiable natural person that Processor has received from the Controller under the Underlying Agreement or to which it has gained access through the intermediary of the Controller and that Processor is required to Process;
e) Process/Processing: any operation or set of operations which is performed upon Personal Data or a set of Personal Data, whether or not by automatic means, such as collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, indexing, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
2.1 Unless the Parties have agreed otherwise in writing, the provisions of this Agreement shall apply to each Processing of Personal Data by the Processor pursuant to the Underlying Agreement.
3 Processing of Personal Data by the Processor
3.1 Processor Processes the Personal Data in accordance with Annex 1 only on the instructions of the Controller, subject to deviating legal obligations and deviating requests from Data Subjects.
3.2 Processor Processes data including Personal Data on behalf of Controller, in accordance with its instructions and under its responsibility and in the manner laid down in the Underlying Agreement.
3.3 Processor has no control over the purpose and means of processing Personal Data.
3.4 Processor must ensure compliance with the conditions imposed on the processing of Personal Data on the basis of the GDPR and other regulations, without prejudice to the legal obligations on the part of the Controller.
3.5 Processor shall only provide access to the Personal Data to its employees or agents who are subject to a confidentiality obligation and this only to the extent necessary for the performance of the services on the basis of the Underlying Agreement.
3.6 The Processor will inform Controller of requests relating to the exercise of rights concerning the Personal Data received directly from a Data Subject.
3.7 The Controller acknowledges having obtained all information necessary to ensure compliance with the obligations contained in the Agreement, including the possibility of carrying out an audit on the basis of the information made available, without prejudice to the rights to which the Controller is entitled by virtue of the GDPR.
4 Obligation to report data leaks
4.1 Controller will notify Processor as soon as reasonably possible and in any event within 24 hours of a security breach relating to the processing of Personal Data, and will provide Processor with information on the following to the extent possible: (i) the nature of the breach; (ii) the Personal Data affected or likely to be affected, the categories and estimated number of records affected; (iii) the identified and anticipated effects of the breach on the processing of the Personal Data and the individuals affected; and (iv) the measures Controller has taken and will take to mitigate the adverse effects of the breach
4.2 Processor acknowledges that under certain circumstances, Controller is legally obligated to report a security breach that pertains or may pertain to the Personal Data Processed by Processor to the supervisory authority and, where appropriate, to the Data Subjects. Prior to a report, the Controller shall – to the extent reasonably possible – consult and inform Processor of the intended report.
4.3 Processor will take all measures necessary to limit the (potential) damage and support Controller in reporting to the supervisory authority and the Data Subjects concerned.
- International transfer
5.1 The Processor will not store or transmit the Personal Data outside the European Economic Area or those countries that the European Commission has determined provide an equivalent level of protection other than in accordance with Article 5.2 of this Agreement.
6 Security measures
6.1 Processor shall take appropriate technical and organisational measures to protect Personal Data against loss or any unlawful processing as described in Annex 2.
6.2 The Controller acknowledges that the security measures taken by the Processor are appropriate having regard to all relevant aspects of the Processing, including the state of the art and the framework of the Underlying Agreement.
7 Obligations of the Controller
7.1 With regard to the Processing of Personal Data under this Agreement, the ‘Controller’ is the Processing controller, as he alone or together with others determines the purpose and means of Processing Personal Data.
7.2 Controller agrees and warrants that the Processing of the Personal Data in accordance with the Processing Agreement is in compliance with the GDPR and may subject the Processor to an audit (if applicable by an independent third party) subject to timely notice of at least fourteen (14) days prior. Controller and Processor will each bear their own costs incurred in the context of such audit.
8.1 The Agreement commences on the date of signature of this Agreement and is entered into for an indefinite period of time. The Agreement shall end at the time of termination of the Underlying Agreement.
8.2 At the first request of the Controller, Processor shall, in the event of termination of the Agreement, return all Personal Data made available to Controller and destroy all digital copies of Personal Data. If Controller is of the opinion that destruction may not take place, it shall inform Processor thereof in writing. In that case, Processor guarantees the confidentiality of the Personal Data to the Controller and shall not process the Personal Data except in compliance with its legal obligation or after written instructions from the Controller.
9 General Provisions
Sections 16 and 18 of the Underlying Agreement apply to this Processing Agreement.
Drawn up _____________________ in 2 original copies and each Party declares to be authorized to sign this Agreement and to have received an original signed copy of this Agreement..
Name : Dries Wijnen
Title : Manager
Place and date : Antwerp,
Place and date :
Description of the Processing
- Subject matter and nature of processing
- Purposes of the Processing
The processing of Personal Data by Processor takes place in the context of the execution of the Underlying Agreement.
- Description of Personal Data
- Contact details of the client
- Categories of Data Subjects
The Personal Data that are the subject of the Processing under this Agreement relate to the following categories of Data Subjects:
- Clients seeking legal advice or in need of legal assistance.
- Processing of Personal Data
The Controller hereby instructs the processing of the Personal Data in accordance with the instructions which arise directly from the provisions of the Underlying Agreement or this Processing Agreement or which are reasonably required for the proper performance by the Processor of its obligations.
Annex 2 : Technical and Organisational Security Measures
Processor has implemented the necessary security measures. The most important measures are listed below.
Processor undertakes to inform the persons who have access to the data in accordance with an agreement of the provisions of the GDPR. Processor ensures that the persons authorized to process the Personal Data have undertaken to respect confidentiality or are bound by an appropriate legal obligation of confidentiality.
Confidentiality Obligations: Processor employees are subject to confidentiality obligations and these obligations are formally included in employment contracts.
Security training: Processor shall inform its employees of the relevant security procedures for the protection of personal data and their role in this process.
Termination: Access rights shall be withdrawn in a timely manner upon termination of cooperation, in accordance with formal security procedures.
Inventory of assets. Processor maintains an inventory of all IT equipment and media it uses. Access to the inventories is limited to authorized employees only.
Treatment of assets:
– Data on portable devices is encrypted.
– Processor has procedures in place for secure destruction of media and printed materials containing confidential data.
Encryption of confidential data over public networks is done using cryptographic standards. TLS encryption mechanisms are implemented according to the highest standards and only use strong algorithms with at least 128-bit encryption.
Security of technical environment
Protection against data loss
Processor uses different systems that comply with industry standards to protect its data centers from data loss due to power outages and fire. Data is hosted via Google Cloud Engine on a European server. Google has the following ISO certifications: ISO 27001, ISO 270017 ISO 27018, SOC2 and SOC3.
- Processor implements and maintains an authorisation management system that controls access to systems containing client data.
- Each individual who has access to systems containing Customer Data and Personal Data has a separate, unique ID/username.
- Processor limits access to Personal Data to those individuals who need such access to perform their functions. The data processor shall limit the access to the Personal Data processed to those staff members who need the data to perform the tasks assigned by Processor in performance of the contract. Processor guarantees that the stored personal data will only be consulted at the request of the Controller or after notification for maintenance.
- Processor uses industry-standard practices to identify and authenticate users attempting to access SERVICE’s network or information systems, including strong authentication.
- If authentication mechanisms are based on passwords, then Processor requires passwords to be at least eight characters long and sufficiently complex.
- Accounts are locked when repeated attempts are made to access the information system using an invalid password.
- Processor maintains practices to ensure confidentiality and integrity of passwords when they are assigned and provided, and during storage.
Processor implements the necessary control measures (e.g. firewalls, security appliances, network segmentation) that provide reasonable assurance that access to its network is adequately protected..
Security of business operations
- Processor makes backups of client data for recovery purposes on a periodic basis, but in no case less frequently than once a day (unless no data has been updated during that period)..
- Processor keeps copies of client data and data recovery procedures in a location other than where the primary computer equipment processing the client data is located.
Malicious Software. Processor performs anti-malware checks to help prevent malicious software from gaining unauthorized access to client data.
Security updates. Security updates are tracked and installed according to a documented patch management process.
Logging. Processor records access to and use of its information systems containing client data, including the user ID, time and activity concerned.
Powers and responsibilities as an IT partner
- Access to systems of the customer
The customer, as Controller, expressly authorises Processor to carry out orders remotely where possible, for which Processor has installed aids on the systems. As such, Processor shall allow certain employees remote access to the ICT infrastructure, configuration and/or data belonging to the customer, either from within the Processor premises or by means of secure authentication.
Nature of system
Only accessible from the Processor offices or via 2 way authentication. Take over for technical and audit purposes.
Only accessible via 2 way authentication. Takeover for maintenance actions is part of the agreement and therefore continues without prior consent.
Workstations will only be taken over with the approval of the relevant user or the management.
If Processor carries out certain operations in cooperation with subcontractors or partners, the express consent of the Controller shall always be requested.
2. Unauthorised access and traceability
Processor has implemented a well-developed and secure user management, in which all activities and accesses are logged. In the event of unauthorised access or data leak, Processor is able to inform Controller quickly.
3. Data access, confidentiality & password policy
By means of the protocol of conduct, Processors employees have undertaken to observe confidentiality in all cases.
except in the case of an urgent notification subject to legal deadlines, as in the case of data breaches, in which case the notification shall take effect upon receipt of the email. In order to guarantee effective service, Processor may manage passwords with the approval of Controller. In general, there are several levels of passwords which may be maintained by Processor:
- Highest level administrator passwords
- User login in the systems
- Passwords for specific applications
Controller may at any time request the passwords of the Processor.
Controller shall be responsible for the nature and purpose of data, files and/or data which Processor and/or his employees expressly do not take cognizance of and shall never use, distribute or copy such information himself (except for the purpose of back-up, if this is necessary for the execution of the order).
Having regard to the state of the art and the cost of implementation, as well as the nature, scale, context and purposes of the processing, and the varying degrees of probability and seriousness of the risks to the rights and freedoms of individuals, Controller and Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented, including, where appropriate:
The pseudonymisation and encryption of personal data;
the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
a procedure for periodically testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.