Foldio

Data Processing Agreement

Contractual addendum relating to data processing, called "Data Processing Agreement" or "DPA".

The following document is part of our general terms of service, the service contract, and/or any other contract concluded in writing or electronically between Woobie (hereinafter referred to as the "Subprocessor") and the client (hereinafter referred to as the "Data Controller").

By accepting the General Terms, the Service Contract, and/or any other contract concluded in writing or electronically with iGLOO, the client expressly agrees to the application of this addendum. The clauses set out below concern the processing of personal data by iGLOO on behalf of the client and form a data processing agreement between iGLOO and the client (hereinafter, the "Data Processing Agreement").

The Data Controller and the Subprocessor are hereinafter collectively referred to as the "Parties".

 

Whereas:

(A) The Data Controller and the Subprocessor have concluded a service contract under which the Subprocessor has agreed to carry out data processing, including Personal Data as defined below, on behalf of the Data Controller (hereinafter, the "Main Contract");

 

(B) The Parties have entered into this Data Processing Agreement, which aims to define the respective rights and obligations of the Parties in accordance with the Privacy Legislation as defined below.

 

It has been agreed as follows:

Definitions

The following terms are defined as follows:

 

General Data Protection Regulation or GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, applicable from 25 May 2018.

 

Data Subject

The identified or identifiable natural person whose Personal Data are the subject of the Processing Operations defined below.

 

Data Controller

The natural or legal person who determines the purposes and means of the processing of Personal Data.

 

Subprocessor

iGLOO, which, as a legal entity, processes Personal Data on behalf of the Data Controller.

 

Sub-subprocessor

The natural or legal person who, at the request of the Subprocessor but without being under its direct authority, processes Personal Data on behalf of the Data Controller.

 

Personal Data

Any information relating to an identified or identifiable natural person; an "identifiable natural person" is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

 

Privacy Legislation

All rules relating to the processing of personal data applicable in Belgium, including the Act of 8 December 1992 on the protection of privacy with regard to the processing of personal data and, from 25 May 2018, the GDPR.

 

Processing Operation

Any operation or set of operations, whether or not performed using automated processes, applied to data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure, or destruction.

 

Data Breach

Any security breach leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

 

Supervisory Authority

Currently, the Commission for the Protection of Privacy and, from 25 May 2018, the Data Protection Authority.

 

Personnel

Persons designated by the Parties to perform the contract and who are under their direct authority.

 

Purpose of the Agreement

1. This Data Processing Agreement defines the conditions under which the Subprocessor undertakes to carry out on behalf of the Data Controller the Processing Operations defined below.

 

2. The Parties agree that this Data Processing Agreement forms an integral part of the Main Contract between the Data Controller and the Subprocessor.

Description of the Processing Operations covered by the Data Processing Agreement

1. The Subprocessor undertakes to process Personal Data only based on written instructions from the Data Controller, arising from the Main Contract. The Main Contract and the Data Processing Agreement together determine the subject matter and duration of the Processing Operations.

2. The Subprocessor is a web agency providing clients with services such as custom website and mobile app development, hosting and maintenance, IT consulting and auditing, e-marketing and email services, SEO services, and reporting, among others. The Subprocessor and its Personnel are authorized to process on behalf of the Data Controller the Personal Data necessary to provide these services.

3. During the term of the Data Processing Agreement, Personal Data are subject to the following Processing Operations: collection, recording, organization, structuring, storage, modification, retrieval, use, communication, making available, alignment, restriction, and erasure of Personal Data.

4. Categories of Personal Data involved in the Processing Operations include first and last name, gender, date and place of birth, email address, postal address, IP address, signature, bank details, phone number, log information, hyperlinks to social media accounts.

5. Categories of Data Subjects involved in the Processing Operations include visitors and users of the Data Controller's website and/or mobile app, as well as clients of the Data Controller. Among these may be children.

Rights and Obligations of the Data Controller

1. The Data Controller is responsible for providing the information referred to in Articles 13 and 14 of the GDPR to the Data Subjects affected by the Processing Operations under this Data Processing Agreement.

2. The Data Controller makes the Personal Data subject to this Data Processing Agreement available to the Subprocessor. The Data Controller determines the means and purposes of the processing and ensures the lawfulness of the processing, including the transfer of Personal Data to the Subprocessor.

3. The Data Controller provides the Subprocessor with written instructions regarding the processing. The Data Controller ensures that these instructions comply with Privacy Legislation and immediately notifies the Subprocessor of any changes to the originally planned Processing Operations.

4. The Data Controller is fully responsible for processing Personal Data carried out by its Personnel.

5. The Data Controller keeps a record of processing activities carried out under its responsibility, in accordance with Article 30(1) of the GDPR.

6. The Data Controller retains ownership of the Personal Data, information, and materials made available to the Subprocessor for the execution of the Data Processing Agreement.

Rights and Obligations of the Subprocessor

1. The Subprocessor shall process only the Personal Data strictly necessary to perform the Main Contract. Furthermore, the Subprocessor undertakes to process Personal Data solely for the purpose(s) defined in the Data Processing Agreement and for no other purposes than those determined by the Data Controller.

2. The Subprocessor shall process Personal Data in accordance with the written instructions of the Data Controller and the provisions of this Data Processing Agreement. If the Subprocessor considers an instruction to constitute a breach of privacy legislation, it shall immediately inform the Data Controller. This obligation to inform constitutes only an obligation of means and does not engage the Subprocessor's liability. Moreover, if the Subprocessor must transfer data to a third country or international organization under EU or member state law, it must inform the Data Controller unless prohibited by law for important public interest reasons.

3. The Subprocessor guarantees the confidentiality of Personal Data made available in the context of this Agreement. This confidentiality obligation also applies to all members of its Personnel involved in performing the Main Contract.

4. The Subprocessor shall not carry out any processing outside the European Economic Area without prior written consent from the Data Controller. This includes storage and transmission of data to a third country. The Subprocessor shall ensure that the third country provides adequate protection, or otherwise implement appropriate safeguards by contract or obtain explicit consent from the Data Subjects.

5. The Subprocessor processes Personal Data only as long as necessary to perform the Main Contract. Once the Main Contract service has been fully executed, the Subprocessor shall, within a reasonable time, cease all processing of Personal Data except as necessary for deletion or return of data to the Data Controller, unless otherwise agreed in writing.

6. Whenever possible, the Subprocessor shall assist the Data Controller in fulfilling its obligations regarding Data Subject rights, including access, rectification, erasure, objection, restriction, portability, and rights not to be subject to automated decisions (including profiling). Requests received directly by the Subprocessor shall be forwarded immediately to the Data Controller.

7. The Subprocessor assists the Data Controller in conducting data protection impact assessments and prior consultations with supervisory authorities. Parties may agree on remuneration or reimbursement mechanisms for the Subprocessor.

8. The Subprocessor is authorized to make one or more copies and/or backups of Personal Data if necessary for executing the Main Contract. Such data enjoy the same protection as the original data.

9. The Subprocessor maintains a written record of processing activities performed for the Data Controller, including all information required under Article 30(2) of the GDPR.

10. The Subprocessor limits access to Personal Data to personnel who require it to execute the Processing Operations defined in the Agreement. Personnel are bound by confidentiality obligations and informed of Privacy Legislation.

11. The Subprocessor communicates the name and contact details of its Data Protection Officer (DPO) if required under Article 37 of the GDPR.

Sub-subprocessing

1. The Subprocessor may delegate processing obligations to another Subprocessor only with prior written consent from the Data Controller. The Data Controller may refuse only for legitimate reasons. The initial Subprocessor remains the point of contact.

2. Use of Sub-subprocessors outside the EEA requires prior specific written consent. They must ensure an adequate level of data protection, otherwise appropriate contractual safeguards or explicit consent from Data Subjects must be obtained.

3. The initial Subprocessor must ensure Sub-subprocessors provide the same guarantees regarding technical and organizational measures as required under the GDPR, particularly Article 32.

4. Obligations in Article 5 of this Agreement fully apply to Sub-subprocessors. These are formalized in a contract between the initial Subprocessor and the Sub-subprocessor. The initial Subprocessor remains fully responsible to the Data Controller.

5. The following Sub-subprocessors may be used: Amazon Web Services, Google, OVH, Heroku, Cloudflare, Mailgun, SendGrid, Mailchimp, SendInBlue, Pingdom, Updown, Digital Ocean, Combell, Internet Vista, InVision, PO Editor, ShareThis. Changes require prior consent from the Data Controller per Article 6.1.

Confidentiality

1. The Subprocessor must maintain confidentiality of Personal Data processed under this Agreement. This applies to all information provided by the Data Controller and to personnel and Sub-subprocessors.

2. Confidentiality starts from negotiation of the Main Contract, continues during its term, and survives its termination.

3. Confidentiality does not apply where disclosure is required by law or by judicial decision, where the information is already public, or where disclosure is authorized by the Data Controller.

Security Measures

1. The Data Controller and Subprocessor shall implement technical and organizational measures ("Security Measures") to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, especially during transmission, or other unlawful processing.

2. Security Measures ensure a level of protection appropriate to the risk. Factors considered include technology, implementation costs, nature, scope, context, purposes of processing, and risks to Data Subjects' rights.

3. The Subprocessor informs the Data Controller of Security Measures implemented. If technological changes require updates, the Subprocessor informs the Data Controller and estimates costs. Refusal by the Data Controller absolves the Subprocessor of liability for breaches arising from inaction by the Data Controller.

4. Both Parties shall make reasonable efforts to ensure their systems and services meet confidentiality, integrity, availability, and resilience requirements, considering technology and cost.

Notification of a Personal Data Breach

1. The Subprocessor shall notify the Data Controller of any Personal Data Breach as soon as possible, and no later than 24 hours after becoming aware. The notification includes all necessary documentation to enable the Data Controller to notify authorities and/or Data Subjects if required. Information includes nature, categories, and approximate number of Data Subjects affected, categories and number of Personal Data records, likely consequences, and measures taken to mitigate.

2. Upon request, the Subprocessor shall notify the supervisory authority on behalf of the Data Controller within 72 hours unless the breach poses no risk to Data Subjects' rights.

3. Upon request, the Subprocessor shall notify Data Subjects on behalf of the Data Controller if the breach is likely to pose a high risk to their rights and freedoms.

4. The decision to notify authorities and/or Data Subjects rests with the Data Controller.

Intellectual Property

1. Intellectual property rights to information and materials provided to the Subprocessor remain with the Data Controller. This includes copyright and sui generis database rights.

2. The Data Controller grants the Subprocessor a limited license to use the information strictly necessary for the performance of the Processing Operations within the framework of the Data Processing Agreement. The Subprocessor is not authorized to modify, reproduce, or communicate to the public the protected elements, except with prior written agreement from the Data Controller.

Duration and Termination of the Data Processing Agreement

1. This Data Processing Agreement enters into force on the day the Main Contract enters into force and ends at the same time as the Main Contract. This Data Processing Agreement cannot be terminated independently of the Main Contract, unless termination is necessary to comply with Privacy Legislation or a decision of the Supervisory Authority.

2. Upon termination of this Data Processing Agreement, the Subprocessor must return to the Data Controller all Personal Data. It also provides all information and documentation necessary for the further processing of such data. After returning the Personal Data to the Data Controller, the Subprocessor immediately ceases all processing of Personal Data and destroys all existing copies in its information systems. The costs related to returning the Personal Data and destroying the copies are borne by the Data Controller.

Final Provisions, Applicable Law and Competent Court

1. This Data Processing Agreement cannot be assigned by either Party to a third party without the prior written authorization of the other Party. This prohibition does not, however, apply to the assignment of the Data Processing Agreement to associated or acquired companies or to the successors of the Parties, for which no authorization is required.

2. This Data Processing Agreement expresses the full and complete will of the Parties for everything concerning the subject matter of the Data Processing Agreement and is intended to replace any prior or pre-existing agreement between the Parties on this subject. This Data Processing Agreement can only be modified by mutual written agreement of the Parties.

3. The nullity or illegality of a provision, in whole or in part, of this Data Processing Agreement will not affect the validity and application of the other provisions of the Data Processing Agreement. The Parties undertake to replace the null or illegal provision with another provision valid in law and enforceable. The Parties will act in good faith and prefer the adoption of a provision of similar scope. If this proves impossible, only the null or illegal provision will be considered non-existent.

4. The titles and subtitles used in this Data Processing Agreement are for purely illustrative purposes.

5. This Data Processing Agreement is subject to Belgian law. In case of disputes arising from the execution or interpretation of the Data Processing Agreement, the Parties undertake to do everything possible to find an amicable solution. To this end, they undertake to favor a reasonable interpretation of the Data Processing Agreement. In the absence of an amicable resolution, the dispute may be submitted to an arbitration and mediation center (such as CEPANI) or to the competent courts. The only competent court is the court of the judicial district where the registered office of the Subprocessor is located.