WHEREAS:
The Client (as referred to in the commercial proposal) concluded an agreement (the “Agreement”) with sharingbox (the “Provider”) for the provision of the services described in the above commercial proposal (the “Services”). When providing these Services to Client under or in connection with the Agreement, Provider may process certain Personal Data of Client as a data processor on behalf of Client (the “Client Personal Data”), excluding Personal Data processed by Provider in its capacity as data controller;
When processing Client Personal Data, Provider will be acting as a data processor within the meaning of the applicable Data Protection Legislation; and
Client and Provider wish to lay down in this Data Processing Annex the framework for the processing of the Client Personal Data by Provider under or in connection with the Agreement.
THEREFORE IT IS AGREED AS FOLLOWS:
1. Interpretation
This Data Processing Annex will be governed by the terms and conditions set out in the Agreement. Capitalized terms used but not defined in this Data Processing Annex shall have the meanings given to them in the Agreement unless the context requires otherwise.
In this Data Processing Annex:
“Agreement” has the meaning given to that term in recital 1 of this Data Processing Annex;
“Approved Subcontractors” means the subcontractors that have been approved by Client in accordance with article 6.2;
“Client Personal Data” has the meaning given to that term in recital 1 of this Data Processing Annex. A description of the categories of Client Personal Data is set out in Schedule 1;
“Data Protection Legislation” means any law, enactment, regulation, regulatory policy, by-law, ordinance or subordinate legislation relating to the processing, privacy, and use of Personal Data, as applicable to Client, Provider and/or the Services, including:
in Belgium:
the Data Protection Act of 8 December 1992 and any other national laws or regulations implementing EU Directive 95/46/EC (“Data Protection Directive”); and
the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), and any corresponding or equivalent national laws or regulations; and
in other EU countries: the Data Protection Directive or, once applicable, the GDPR, and all relevant Member State laws or regulations implementing the Data Protection Directive or further specifying the GDPR;
in each case, as in force and applicable, and as may be amended, supplemented or replaced from time to time;
“Data Processing Annex” means the present data processing annex, including any schedules to this Data Processing Annex;
“Personal Data” means any information relating to an identified or identifiable natural person;
“Services” has the meaning given to that term in recital 1 of this Data Processing Annex;
“Third Country” has the meaning given to that term in article 7.1.
The Parties acknowledge and agree that this Data Processing Annex forms an integral part of the Agreement. If there is any conflict or inconsistency between any:
term in the main part of this Data Processing Annex;
term in any of the schedules to this Data Processing Annex; and
term in the Agreement and its schedules and annexes;
the term falling into the category first appearing in the list above shall take precedence.
2. Scope and purpose
The provisions of this Data Processing Annex will only apply if and to the extent that, for the provision of the Services, Provider processes Client Personal Data.
3. Compliance with applicable Data Protection Legislation
When processing Client Personal Data Provider will at all times comply with its obligations under all applicable Data Protection Legislation.
Provider will only process Client Personal Data:
in the manner and for the purposes set out in Schedule 1; and
upon documented instructions of Client.
Client hereby:
instructs Provider to take such steps in the processing of Client Personal Data on behalf of Client as are reasonably necessary for the provision of the Services; and
authorises Provider to provide to the Approved Subcontractors and on behalf of Client instructions that are equivalent to the instructions set out in article 3.3.1.
4. Confidentiality and Security
Provider undertakes to treat all Client Personal Data as confidential. Unless Client requires otherwise in writing, Provider will not disclose Client Personal Data to any third party other than:
to those of its employees, Approved Subcontractors and employees of the Approved Subcontractors to whom such disclosure is reasonably necessary for the provision of the Services; or
to the extent required by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction; and
provided that the persons to whom Client Personal Data may be disclosed pursuant to article 4.1.3 are bound by obligations of confidentiality consistent with those imposed upon Provider under this Data Processing Annex and under the Agreement.
Having regard to the technology available, the cost of its implementation and having regard to the nature, scope, context and purposes of the processing of Client Personal Data, Provider will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to prevent any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Data.
5. Reporting personal data breaches
Provider will provide Client with written notice as soon as reasonably possible upon becoming aware of any actual breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Client Personal Data processed by Provider.
6. Subcontracting and subprocessing
Client authorises Provider to subcontract all or part of the processing of Client Personal Data provided that:
Provider informs Client of any intended changes concerning the addition or replacement of subcontractors, thereby giving Client the opportunity to object to such changes; and
Provider and the subcontractor have entered into a written data processing agreement setting out obligations that are consistent with those set out in this Data Processing Annex.
For the purpose of article 6.1, Client hereby approves the subcontracting of the processing of Client Personal Data to the subcontractors as described in Schedule 2. The subcontractors described in Schedule 2 will be deemed to be Approved Subcontractors for the purpose of this Data Processing Annex.
7. Cross-border transfers of Client Personal Data
Provider may transfer Client Personal Data to a recipient in a country outside of the European Economic Area (such other country being a “Third Country”) if:
there has been an EU Commission finding of adequacy in respect of that Third Country pursuant to applicable Data Protection Legislation;
the transfer falls within the scope of the EU-US Privacy Shield program;
the recipient has entered into a contract with Client that contains model clauses that have been approved by the EU Commission or another competent public authority in accordance with applicable Data Protection Legislation; or
alternative appropriate safeguards have been provided pursuant to applicable Data Protection Legislation.
8. Audit
For the purpose of auditing Provider’s compliance with Provider’s obligations under this Data Processing Annex, Client may request and Provider will permit Client to obtain copies of any non-confidential information that is reasonably necessary to demonstrate Provider’s compliance with Provider’s obligations under this Data Processing Annex. Such requests for information will be made in writing by Client. Provider undertakes to provide, to the best of its knowledge, the requested documents and information within a reasonable period, taking into account the amount and complexity of the requested information.
To the extent Client has not obtained the necessary information pursuant to article 8.1, Client may, for the purpose of auditing Provider’s compliance with Provider’s obligations under this Data Processing Annex, request an inspection on Provider’s premises and Provider will accept such inspection, if and only if all of the following conditions are met:
the inspection request is provided in writing to Provider at least ninety (90) business days prior to the inspection taking place;
the inspection is conducted during normal business hours;
Provider’s daily operations remain unaffected by the inspection;
the inspection does not last longer or involve more resources than necessary to obtain the requested information;
Client and/or the third parties conducting the inspection on its behalf first agree to be bound by ad hoc reasonable confidentiality obligations in respect of the information and documents obtained, prior to any inspection being conducted;
Client and Provider agree on a written action plan containing the exact scope of information, documents, information systems and IT facilities that will be subject to the inspection; and
Client will bear all costs and expenses relating to each audit (including, without limitation, costs and expenses incurred by Provider in connection with any assistance provided by Provider in the conduct of such audit).
9. Assistance when handling requests from data subjects
Provider will, to the extent possible and at Client’s cost and expense, cooperate with Client when:
handling requests from data subjects exercising their rights; and
conducting any data privacy impact assessments in connection with the provision of the Services.
10. Term and termination
This Data Processing Annex enters into force on the date of the Agreement and will remain in force for as long as Provider provides the Services under the Agreement.
11. Return/Destruction of Client Personal Data
Within thirty (30) business days after expiration or termination of this Data Processing Annex, Provider will, at the option of Client:
return to Client, in a then commonly used electronic format, all Client Personal Data that, as of the termination date or expiration date, are in the possession or under the control of Provider; or
destroy or purge from its computer systems and files any Client Personal Data that, as of the termination date or expiration date, are in the possession or under the control of Provider.
Schedule 1: Description of data processing
1. Purposes of the data processing
The purposes of the data processing are:
Photos and data collection through photo booths, hosting online photo galleries, photo quality checks and dispatch of photos to end-users;
IT support (troubleshooting) and customer support (including remote access to photo booths for maintenance purposes).
2. Categories of Personal Data
The Client Personal Data that will be processed by Provider are:
– Identification data (names, titles, etc.);
– Location of photo booths;
– Contact details (emails);
– Professional identification data (job title, etc.);
– Image recordings (photos).
3. Categories of data subjects
The categories of data subjects are:
– End-users of the photo booths.
4. Processing instructions
Provider will process the Client Personal Data as follows:
– Only to the extent necessary to achieve the above mentioned purposes; and
– Where applicable, only to the extent necessary to comply with a legal obligation applicable to the Provider; or
– When consent is required from a data subject, only after having obtained prior consent from the data subject.
Schedule 2: Approved Subcontractors
– Amazon Web Services, Inc., located at P.O. Box 81226, Seattle, WA 98108-1226, United States
– Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States
– Mandrill (The Rocket Science Group LLC), located at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, United States
– Twilio Inc., located at 375 Beale Street, Suite 300, San Francisco, CA 94105, United States
– Sightengine (Kozelo SAS), located at 16 bis rue d’Odessa, 75014 Paris, France