This data processing agreement (“Data Processing Agreement”) describes specific terms in respect of the processing of Personal Data by CNTRC BV, a limited liability company established, organized and existing under the laws of Belgium, with registered office at Nieuwewandeling 62, 9000 Gent, Belgium, and registered with the Crossroads Bank for Enterprises under the company number 1010.076.440 (“CNTRC”) in connection with the provision of Services under the main agreement (“Agreement”) as may be provided to [NAME], incorporated, organized and existing under Belgian law with registered office at [ADDRESS] and registered with the Crossroads Bank of Enterprises under company number [XXX] (“Customer”) by CNTRC in connection with the Agreement, the terms of which are incorporated herein by reference. In the event of a conflict between the Agreement and any provision of this Data Processing Agreement, the latter shall govern. Capitalized terms not otherwise defined herein, shall have the meaning specified in the Agreement.
1. DEFINITIONS AND INTERPRETATION
1.1. For the purpose of this Data Processing Agreement, the following terms shall have the following meaning. In case of any doubt or differences with the terms defined in the Data Protection Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail.
“Contact Person”
means the individual(s) assigned by a Party and communicated to the other Party as point of contact and representing the Party for (a part of) the Services.
“Data Controller”
means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
“Data Processor”
means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Data Controller.
“Data Protection Legislation”
means the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), together with the codes of practice, codes of conduct, regulatory guidance and standard clauses and other related legislation resulting from such Directive or Regulation, as updated from time to time.
“Data Subject”
means an identified or identifiable natural person to whom the Personal Data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The relevant categories of Data Subjects are identified in Annex 1.
“Personal Data”
means any information relating to a Data Subject. The relevant categories of Personal Data that are provided to CNTRC by, or on behalf of the Customer are identified in Annex 1;
“Personal Data Breach”
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services.
“Processing”,
“Process(es)” or
“Processed”
means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services”
means all services, functions, responsibilities and outputs of CNTRC as described in the Agreement.
“Standard Contractual Clauses”
means where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Module II: Controller to Processor), (“EU SCCs”) or any successor clauses adopted in accordance with GDPR, as supplemented by this Data Processing Agreement.
“Sub-processor”
means any subcontractor engaged by CNTRC to perform a part of the Services and who agrees to receive Personal Data intended for Processing on behalf of the Customer in accordance with the Customer’s instructions and the provisions of the Agreement.
1.2. This Data Processing Agreement forms an integral part of the Agreement. The provisions of the Agreement therefore apply to this Data Processing Agreement. All capitalized terms not defined in this Data Processing Agreement will have the meaning set forth in the Agreement.
1.3. In case of conflict between any provision in this Data Processing Agreement and any provision of another part of the Agreement, this Data Processing Agreement shall prevail.
2. Scope and purpose
2.1. In connection with and for the purpose of the performance of the Services under the Agreement, the Customer commissions CNTRC to process Personal Data in accordance with the provisions of this Data Processing Agreement.
3. Specification of the Data Processing
3.1. Any Processing of Personal Data under the Agreement shall be performed in accordance with the applicable Data Protection Legislation.
3.2. For the performance of the Services, CNTRC is a Data Processor acting on behalf of the Customer. As a Data Processor, CNTRC will only act upon the Customer’s instructions. The Agreement, including this Data Processing Agreement, is the Customer’s complete instruction to CNTRC with regard to the Processing of Personal Data. Any additional or alternate instructions must be jointly agreed by the Parties in writing. The following is deemed an instruction by CNTRC to Process Personal Data: (1) Processing in accordance with the Agreement and (2) Processing initiated by the Customer users in their use of the Services.
3.3. A more detailed description of the subject matter of the Processing of Personal Data in terms of the concerned categories of Personal Data and of Data Subjects (envisaged Processing of Personal Data) is contained in Exhibit 1 hereto.
4. Data Subjects’ Rights
4.1. With regard to the protection of Data Subjects’ rights pursuant to the applicable Data Protection Legislation, the Customer shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
4.2. Should a Data Subject directly contact CNTRC wanting to exercise his individual rights such as requesting a copy, correction or deletion of his data or wanting to restrict or object to the Processing activities, CNTRC shall inform the Customer of such request within five (5) business days and provide the Customer with full details thereof, together with a copy of the Personal Data held by it in relation to the Data Subject where relevant. CNTRC shall promptly direct such Data Subject to the Customer. In support of the above, CNTRC may provide the Customer’s basic contact information to the requestor. The Customer agrees to answer to and comply with any such request of a Data Subject in line with the provisions of the applicable Data Protection Legislation.
4.3. In so far as this is possible, CNTRC shall cooperate with and assist the Customer by appropriate technical and organizational measures for the fulfilment of the Customer’s obligation to respond to requests from Data Subjects exercising their rights.
5. Consultation and Correction of Personal Data
5.1. CNTRC will provide the Customer, in its role of Data Controller with access to Personal Data Processed under the Agreement, in order to allow the Customer to consult and correct such Personal Data.
6. Disclosure
6.1. CNTRC will not disclose Personal Data to any third party, except (1) as the Customer directs, (2) as stipulated in the Agreement, (3) as required for Processing by approved Sub-processors in accordance with Article 9 or (4) as required by law, in which case CNTRC shall inform the Customer of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest.
6.2. CNTRC represents and warrants that persons acting on behalf of CNTRC and who are authorized to Process Personal Data or to support and manage the systems that Process Personal Data (i) have committed themselves to maintain the security and confidentiality of Personal Data in accordance with the provisions of this Data Processing Agreement, (ii) are subject to user authentication and log on processes when accessing the Personal Data and (iii) have undertaken appropriate training in relation to Data Protection Legislation. CNTRC shall inform the persons acting on its behalf about the applicable requirements and ensure their compliance with such requirements through contractual or statutory confidentiality obligations.
7. Deletion and Return of Personal Data
7.1. At the latest within thirty (30) calendar days upon termination of the Agreement, CNTRC shall sanitize or destroy any Personal Data that it stores in a secure way that ensures that all Personal Data is deleted and unrecoverable. Data used to verify proper data processing in compliance with the assignment and data that needs to be kept to comply with relevant legal and regulatory retention requirements may be kept by CNTRC beyond termination or expiry of the Agreement only as long as required by such laws or regulations.
7.2. Upon written request submitted by the Customer no later than five (5) calendar days prior to termination of the Agreement, CNTRC will provide the Customer with a readable and usable copy of the Personal Data and/or the systems containing Personal Data prior to sanitization or destruction.
8. Location of Processing
8.1. CNTRC will store Personal Data at rest within the territory of the European Economic Area for EEA customers.
9. USE OF SUB-PROCESSORS
9.1. The Customer acknowledges and expressly agrees that CNTRC may use third party Sub-processors for the provision of the Services as described in the Agreement.
9.2. Any such Sub-processors that provide services for CNTRC and thereto Process Personal Data will be permitted to Process Personal Data only to deliver the services CNTRC has entrusted them with and will be prohibited from Processing such Personal Data for any other purpose. CNTRC remains fully responsible for any such Sub-processor’s compliance with CNTRC’s obligations under the Agreement, including this Data Processing Agreement.
9.3. CNTRC will enter into written agreements with any such Sub-processor which contain obligations no less protective than those contained in this Data Processing Agreement, including the obligations imposed by the Standard Contractual Clauses, as applicable.
9.4. CNTRC shall make available to the Customer the current list of Sub-processors for the Services identified in Exhibit 2 to this Data Processing Agreement. Such Sub-processors list shall include the identities of those Sub-processors and their country of location. CNTRC shall provide the Customer with a notification of a new Sub-processor before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Services under this Data Processing Agreement.
9.5. If the Customer objects to the use of a new Sub-processor that will be processing the Customer’s Personal Data, then the Customer shall notify CNTRC in writing within ten (10) calendar days after receipt of CNTRC’s written request to that effect. In such a case, CNTRC will use reasonable efforts to change the affected Services or to recommend a commercially reasonable change to the Customer’s use of the affected Services to avoid the Processing of Personal Data by the Sub-processor concerned. If CNTRC is unable to make available or propose such change within sixty (60) calendar days, the Customer may terminate the relevant part of the Agreement regarding those Services which cannot be provided by the CNTRC without the use of the Sub-processor concerned. To that end, the Customer shall provide written notice of termination that includes the reasonable motivation for non-approval. The Customer will bear the costs incurred in relation to this article 9.5.
10. Technical and Organizational Measures
10.1. CNTRC has implemented and will maintain appropriate technical and organizational measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of Processing and risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data.
11. Liability
11.1. The Data Processor is only liable towards each Data Controller for direct damages caused by the Data Processor or any subprocessor engaged by it, due to the Data Processor’s breach of this Data Processing Agreement and obligations specifically imposed on the Data Processor by Data Protection Legislation.
11.2. To the maximum permitted under applicable law, Data Processor’s maximum liability to the Data Controller arising under the Data Processing Agreement in respect of each event and each calendar year (of series of connected events) shall in no event exceed the paid or payable from the Data Controller to the Data Processor during the preceding twelve (12) month period. The foregoing limitations shall not apply to the Data Processor’s liability due to (i) fraud or deceit, and/or (ii) wilful misconduct.
11.3. For the avoidance of doubt, it is specified that in no event shall either party be liable for any indirect, consequential or other similar damages (including, without limitation, damages for loss of profits, revenues, business, contracts or customers, loss or corruption of data, loss of goodwill, damage to equipment and reputation, loss of opportunity or loss of anticipated savings), even if such party has been advised or notified of the possibility of such costs or damages.
12. Personal Data Breaches
12.1. In the event of a (likely or known) Personal Data Breach and irrespective of its cause, the CNTRC shall notify the Customer without undue delay and at the latest within forty-eight (48) hours after having become aware of (the likelihood or occurrence of) the existence of such Personal Data Breach, providing the Customer with sufficient information and in a timescale, which allows the Customer to meet any obligations to report a Personal Data Breach under the Data Protection Legislation. Such notification shall as a minimum specify:
- the nature of the Personal Data Breach;
- the nature or type of Personal Data implicated in the Personal Data Breach, as well as the categories and numbers of Data Subjects concerned;
- the likely consequences of the Personal Data Breach;
- as the case may be, the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach;
- the identity and contact details of the Data Protection Officer or another Contact Person from whom more information can be obtained.
12.2. CNTRC shall without undue delay further investigate the Personal Data Breach and shall keep the Customer informed of the progress of the investigation and take reasonable steps to further minimize the impact. Both Parties agree to fully cooperate with such investigation and to assist each other in complying with any notification requirements and procedures.
12.3. A Party’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by that Party of any fault or liability with respect to the Personal Data Breach.
13. Customer responsibilities
13.1. The Customer shall comply with all applicable laws and regulations, including the Data Protection Legislation.
13.2. The Customer remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of his or her Personal Data.
13.3. The Customer shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.
13.4. With regard to components that Customer provides or controls, including but not limited to workstations connecting to Services, data transfer mechanisms used, and credentials issued to the Customer’s personnel, the Customer shall implement and maintain the required technical and organizational measures for protection of Personal Data.
13.5. CNTRC makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this article and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Nevertheless, the Customer shall limit its initiatives to conduct an audit or inspection to no more than once a year, except in the event that (i) it is legally required to do so, (ii) CNTRC has experienced a material Personal Data Breach in the preceding twelve (12) months that has affected the Customer's Personal Data or (iii) in the event of a mutual agreement, and shall notify CNTRC of such request at least thirty (30) business days prior to the audit. The Customer shall bear all costs for conducting an audit or inspection.
14. Notifications
14.1. Unless legally prohibited from doing so, CNTRC shall notify the Customer as soon as reasonably possible, and at the latest within five (5) business days of becoming aware of the relevant circumstances, if it or any of its Sub-processors: (i) receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing; (ii) intends to disclose Personal Data to any competent public authority outside the scope of the Services of the Agreement; (iii) receives an instruction that infringes the Data Protection Legislation or the obligations of this Data Processing Agreement.
14.2. Any notification under this Data Processing Agreement, including a Personal Data Breach notification, will be delivered to one or more of the Customer’s Contact Persons via email possibly supplemented by any other means CNTRC selects. Upon request of the Customer, CNTRC shall provide the Customer with an overview of the contact information of the registered Customer’s Contact Persons. It is Customer’s sole responsibility to timely report any changes in contact information and to ensure the Customer’s Contact Persons maintain accurate contact information.
15. Term and terminations
15.1. This Agreement enters into force on the date of its signing by all Parties and remains in force until Processing of Personal Data by CNTRC is no longer required in the framework of or pursuant to the Agreement.