Version dated 26/06/2019
SA OSIMIS, with its statutory seat at rue du Bois Saint-Jean 15/1, 4102 Seraing (Belgium) registered with the Crossroads Bank of Enterprises under number 0637.982.658 (the “Processor”)
The entity referred to as “client” in the Purchase Order (as defined below) (the “Controller”)
The Processor and the Controller being referred to each individually as “party” and together as “parties”
Whereas the parties have entered into an agreement whereby the Processor provides certain services to the Controller that involve the processing by the Processor of certain personal data (the “Agreement”)
THE PARTIES HAVE AGREED AS FOLLOWS:
The following terms shall have the following meanings in this Data Processing Addendum:
The Processor shall process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a Third Country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Controller ensures that any disclosure of Personal Data to the Processor is Personal Data that has been collected lawfully e.g. processed under an adequate legal basis and in respect of the required transparency obligations pursuant to Applicable Data Protection Law. The Controller shall indemnify the Processor against all losses, expenses and liabilities incurred by the Processor arising directly or indirectly from the Controller’s breach of this obligation.
The subject, duration, nature and purpose of the processing, as well as the categories of Personal Data and the categories of Data Subjects, are listed in Annex 1. The Controller shall inform the Processor of any change in one of the elements listed in Annex 1, which will result in an amendment to Annex 1, as mutually agreed by the parties.
The parties will, each in their respective capacity, process the Personal Data in accordance with Applicable Data Protection Law.
The Controller grants a general written authorisation for the Processor to engage processors for carrying out specific processing activities on behalf of the Controller (the “sub-processors”). The Processor ensures that it will impose no less onerous data protection obligations on its sub-processors than those set out in this Data Processing Addendum. The sub-processors engaged by the Processor are listed in Annex 2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the reasonable opportunity to object to such changes. If the Controller does not object to such changes within a reasonable period of time and at the latest within fifteen (15) calendar days after having been made aware of the intention of the Processor, the Controller will be deemed to have accepted such addition or replacement of sub-processors.
The Processor ensures that the Personal Data will be disclosed to only those persons that must access such Personal Data (access on a need-to-know basis) and that the persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor shall reasonably assist the Controller in ensuring compliance with its legal obligations under Applicable Data Protection Law.
Upon the Controller’s request, the Processor shall, at the Controller’s costs, contribute to audits and inspections of its processing of the Personal Data. The Controller may itself carry out these audits and inspections or mandate a third party thereto. If the Controller mandates a third party, such third party shall not be a direct competitor of the Processor and such third party shall agree to be bound by confidentiality obligations that are no less onerous than those set out in this Data Processing Addendum.
The Processor shall as soon as practicable transfer to the Controller any Data Subject’s request or question in connection with the (processing of) Personal Data. On the written request of the Controller, the Processor shall assist and support the Controller in responding to such Data Subject’s requests insofar as reasonably possible for the Processor.
If the Controller is of the opinion that a data protection impact assessment must be conducted, the Processor shall assist the Controller, upon its written request and at the Controller’s costs, in the carrying out of the data protection impact assessment.
If a Personal Data Breach occurs or has occurred, the Processor shall, without undue delay after becoming aware of it, notify the Controller in writing of the Personal Data Breach.
The Processor shall provide the Controller with the following information regarding the Personal Data Breach:
The Processor shall assist the Controller as much as reasonably possible when reporting a Personal Data Breach to the supervisory authority/ies and/or the Data Subject(s) affected.
The Processor undertakes to implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risks.
The Processor shall take into account (i) the information provided by the Controller regarding the processing activities conducted on behalf of the Controller when determining the appropriate technical and organisational security measures; (ii) the state of the art; (iii) the implementation costs related to these measures; (iv) the nature, scope, context and purposes of the processing; (v) the risks involved for the Data Subjects’ rights and freedoms, in particular in case of a Personal Data Breach; and (vi) the probability that the processing shall have an impact on the rights and freedoms of the Data Subjects. The Controller shall provide as much information as possible to enable the Processor to determine the necessary technical and organisational security measures to implement.
The Processor shall not transfer Personal Data to a country located outside of the European Economic Area (each a “Third Country”) unless the Controller has given its prior written consent to the transfer and/or (i) the transfer falls within the scope of an EU Commission adequacy decision in respect of that Third Country pursuant to Applicable Data Protection Law; (ii) the transfer falls within the scope of the EU-US Privacy Shield program; (iii) the recipient has entered into a contract with the Controller that contains model clauses that have been approved by the EU Commission or another competent public authority in accordance with Applicable Data Protection Law; or (iv) alternative appropriate safeguards have been provided pursuant to Applicable Data Protection Law.
The Data Processing Addendum shall enter into force on the date of the Agreement and automatically terminate on the date of the end of the Agreement.
Within thirty (30) calendar days after expiration or termination of this Data Processing Addendum, the Processor will, at the written request of the Controller and at the option of the Controller, (i) return to the Controller in a then commonly used electronic format all Personal Data that, as of the termination date or expiration date, are in the possession of the Processor; and/or (ii) destroy (any copies of) the Personal Data that, as of the termination date or expiration date, are in the possession of the Processor.
Subject matter of the processing
Processing of Personal Data in the context of the provision of software and/or services related to such software (as set out in the Purchase Order)
Duration of the processing
Validity of the Agreement
Nature and purposes of the processing
Provide the software and/or the services set out in the Purchase Order, in particular:
Microsoft Corporation, One Microsoft Way, Redmond WA, USA 98052 (Azure cloud infrastructure services)
Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105 (messaging services)
Mailgun Technologies, Inc., 548 Market St. #43099, San Francisco, CA 94104 (messaging services)