Data Processing Agreement
THIS AGREEMENT is made as of ____/_____/________ (the “Effective Date”).
(1) [COMPANY NAME], a company whose registered office is at [insert registered office address] (the “Controller”); and
(2) TagLayer BVBA, a company whose registered office is at Columbuslei 10, 2900 Schoten, Belgium, and listed in the Central Databank for Enterprises under number BE0649465874 (the “Processor”),
(each a “Party” and together referred to as the “Parties”).
(A) Controller intends to give access to and transfer certain (Personal) Data of its Visitors to Processor in order that it may be Processed in accordance with the terms of the General Terms & Conditions (“Terms & Conditions”); and
(B) The Parties hereto have agreed to enter into this Data Processing Agreement (the “Agreement”) to govern the Parties’ rights and obligations in respect of the Processing of such (Personal) Data.
NOW IT IS AGREED as follows:
For the purposes of this Agreement:
“Data Protection Law” shall mean all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the Processing of Personal Data.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Data Protection Authorities” means the relevant statutory authority in each jurisdiction where Personal Data is Processed by Processor or where the Controller is
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Processing” or “Process” or “Processed” means any operation or set of operations which are performed upon Personal Data, (whether or not by automatic means) including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body, which processes Personal Data on behalf of the Controller.
“Sub-Processor” means any party engaged by Processor to Process the Personal Data.
“Sub-Processing” refers to the act of procuring a Sub-Processor.
“Service Agreement” shall have the meaning given to it in the recitals.
2. Purpose for Processing
2.1 Processor shall safeguard the (Personal) Data disclosed or transferred to it and shall comply with the Data Protection Law to the full extent applicable to such (Personal) Data, as well as with the obligations imposed on it in this Agreement.
2.2 Processor shall only Process the (Personal) Data in accordance with the instructions of the Controller and solely for the purposes set forth in the Terms & Conditions.
2.3 All documents and other materials possibly provided by Controller to Processor containing (Personal) Data and all copies made shall at all times be, and be deemed to be, the property of Controller.
3. Details of the Processing
a. Categories of Data Subjects: Controller’s visitors and employees. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Controller’s end users.
b. Types of Personal Data. Contact Information, the extent of which is determined and controlled by the Customer in its sole discretion, and other Personal Data such as navigational data (including website usage information), system usage data, and other electronic data submitted, stored, sent, or received by end users via the Subscription Service.
c. Subject-Matter and Nature of the Processing. The Subject-Matter of Processing of Personal Data by Processor is the provision of the services to the Controller that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in this Agreement and an Order.
d. Purpose of the Processing. Personal Data will be Processed for purposes of providing the services set out and otherwise agreed to in this Agreement and any applicable Order.
4. Representations, Warranties and Obligations of Controller
4.1 Within the scope of the Agreement and in its use of the services, Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Processor and the Processing of Personal Data. For the avoidance of doubt, Controller’s instructions for the Processing of Personal Data shall comply with the Data Protection Law. This DPA is Customer’s complete and final instruction to Taglayer in relation to Personal Data, and additional instructions outside the scope of this DPA would require prior written agreement between the parties. Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified or replaced by Controller in separate written instructions (as individual instructions).
Controller shall inform Processor without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data.
5. Representations, Warranties and Obligations of Processor
5.1 Processor agrees and warrants:
(a) Compliance with Instructions. The parties acknowledge and agree that Customer is the Controller of Personal Data and Taglayer is the Processor of that data. Processor shall collect, process and use Personal Data only within the scope of Controller’s Instructions. If the Processor believes that an Instruction of the Controller infringes the Data Protection Law, it shall immediately inform the Controller without delay. If Processor cannot process Personal Data in accordance with the Instructions due to a legal requirement under any applicable European Union or Member State law, Processor will (i) promptly notify the Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Controller issues new instructions with which Processor is able to comply. If this provision is invoked, Processor will not be liable to the Controller under the Agreement for any failure to perform the applicable services until such time as the Controller issues new instructions in regard to the Processing.
(b) Security. Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, but are not limited to:
i. the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),
ii. the prevention of Personal Data Processing systems from being used without authorization (logical access control),
iii. ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights, and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),
iv. ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
v. ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),
vi. ensuring that Personal Data is Processed solely in accordance with the Instructions (control of instructions),
vii. ensuring that Personal Data is protected against accidental destruction or loss (availability control).
(c) Confidentiality. Processor shall ensure that any personnel whom Processor authorizes to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities.
(d) Personal Data Breaches. Processor will notify the Controller as soon as practicable after it becomes aware of any Personal Data Breach affecting any Personal Data. At the Controller’s request, Processor will promptly provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Controller is required to do so under the Data Protection Law.
(e) Data Subject Requests. Processor will provide reasonable assistance, including appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Processor, Processor will promptly inform Controller and will advise Data Subjects to submit their request to the Controller. Controller shall be solely responsible for responding to any Data Subjects’ requests. Controller shall reimburse Processor for the costs arising from this assistance.
(f) That in the event of Sub-Processing it shall ensure that Processing by the Sub-Processor will be carried out in accordance with Data Protection Laws and any other applicable local laws; that it shall impose legally binding contract terms on the Sub-Processor which are substantially the same as those contained in this Agreement and provide at least the same standard of protection for the Personal Data. Processor has the right to use Sub-Processors of its choice and can choose to subcontract its processing activities outside the European Economic Area. In such case, it shall however choose a Sub-Processor which ensures that adequate safeguards are put in place to protect the Personal Data. Where the transfer is to a Sub-Processor in the United States of America, such safeguards may in particular result from the EU-US Privacy Shield self-certification scheme. Processor shall remain liable to Controller for any breach of the terms of this Agreement by any Sub-Processor and other subsequent third party processors appointed by it. Processor shall promptly notify Controller in the event that it is unable to comply with any of its obligations under this Agreement. In such cases, Controller may cease to transfer (Personal) Data to Processor;
(g) Deletion or Retrieval of Personal Data. Other than to the extent required to comply with Data Protection Law, following termination or expiry of the Agreement, Processor will delete all Personal Data (including copies thereof) processed pursuant to this DPA. If Processor is unable to delete Personal Data for technical or other reasons, Processor will apply measures to ensure that Personal Data is blocked from any further Processing.
Controller shall, upon termination or expiration of the Agreement and by way of issuing an Instruction, stipulate, within a period of time set by Processor, the reasonable measures to return data or to delete stored data. Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement shall be borne by Controller.
(h) That upon written request, Processor shall provide Controller written evidence verifying (a) the security of Processor’s data facilities, files, documentation, and operations with respect to (Personal) Data and (b) Processor’s compliance with Controller’s instructions; and
6.1 Any notice or other communication required or permitted to be given by either Party hereunder shall be in writing, effective on receipt, and shall be sent by (a) hand delivery, or (b) registered mail, return receipt requested, or (c) reputable overnight delivery service with receipt confirmed, to the Party receiving such communication at the address set forth in the opening paragraph of this Agreement or to such other address as either Party may in the future specify to the other Party.
7. Term and Termination
7.1 This Agreement shall commence upon the Effective Date and shall remain in force and effect until the later of the date on which the Agreement terminates or expires, unless the Parties agree that earlier termination is required to comply with the requirements of the Data Protection Law or a decision of a Data Protection Authority.
8. Liability and Indemnification
8.1 Processor shall be liable for and shall indemnify Controller and its officers, directors, employees, agents or affiliates (collectively, the “Controller Indemnitees”) against any and all liability, loss, damages, costs, legal costs, professional and other expenses incurred by any Controller Indemnitee arising out of any claims or proceedings brought against Controller Indemnitee by any third party by reason of the Processor’s failure to comply with the provisions of this Agreement.
9.1 The invalidity or unenforceability of any parts of this Agreement for any reasons whatsoever shall not affect the validity or enforceability of the remainder. The same applies to any gap in the provisions of this Agreement.
9.2 This Agreement shall not be transferred or assigned by either Party except with the prior written consent of the other. However, the benefits and duties of this Agreement are fully transferrable and assignable by each Party, without the consent of the other Party, to (a) an affiliate, (b) an acquiring company or (c) a successor by merger.
9.3 This Agreement together with the Service Agreement constitutes the entire agreement and understanding between the Parties with respect to its subject matter and replaces all previous agreements between, or understandings by, the Parties with respect to such subject matter. In the event of any conflict or inconsistency between the terms of this Agreement and those of the Service Agreement, the terms of this Agreement shall be controlling. This Agreement cannot be varied except by written instrument signed on behalf of both of the Parties.
9.4 This Agreement shall be governed by the laws of the country governing the Service Agreement. The courts of Antwerp (Belgium) are presumed to be exclusively competent.
AS WITNESS whereof the Parties or persons duly authorized on their behalf have executed this Agreement as of the Effective Date.
[COMPANY NAME] TagLayer BVBA
Willem Drijver, Co-Founder & CEO