Processor agreement

Parties:
⦁ You as the customer, hereinafter referred to as the “Controller”;
and
⦁ the private company Fairtual Technologies BV, having its registered office in Belgium, 8000 Bruges, Queen Elisabeth Avenue 18 and its principal place of business in Belgium, 8000 Bruges, Queen Elisabeth Avenue 18, represented in this matter by its director, Mr Diego Dupont, hereinafter referred to as “Processor”.

Considerations:
⦁ Controller has entered into one or more agreements with Processor for the provision of various services by Processor to Controller or will enter into such an agreement. This agreement or these agreements together shall hereinafter be referred to as “the Master Agreement”.

⦁ Processor will process data for which Controller is and remains responsible when executing the Master Agreement. This data includes personal data within the meaning of the General Data Protection Regulation (EU 2016/679), hereinafter referred to as the “AVG”.

⦁ In view of the provisions of Article 28(3) of the AVG, the parties wish to lay down the conditions for the processing of this personal data in this agreement.

Agreement:

1 Scope
⦁ This Agreement shall apply to the extent that the provision of services under the Master Agreement involves one or more of the processing operations listed in Annex 1.
⦁ The processing operations of Annex 1 that take place when providing the services are hereinafter referred to as “the Processing Operations”. The personal data processed thereby: “the Personal Data”.
⦁ With regard to the Processing operations, the Controller is the person responsible for processing and the Processor is the Processor. The natural persons who actually use the services of Processor under the Master Contract and, if applicable, their representatives, are also referred to hereinafter as “the End Users”.
⦁ All terms used in this Agreement shall have the meaning given to them in the AVG.
⦁ The Annexes form part of this Agreement. They are:
Annex 1 the Processing, the Personal Data and the retention periods;
Annex 2 the Sub-processors and categories of Sub-processors which the Controller approves;
Annex 3 the technical and organisational measures of the Processor;
Annex 4 Information in the event of a data breach.

2 Subject
⦁ Processor undertakes to Process Personal Data only for the purposes of the activities specified in this Processing Agreement and/or the Master Agreement. Processor guarantees that, without the express and written consent of Controller, it will not in any way use the Personal Data Processed under this Processing Agreement for its own purposes or the purposes of third parties, unless a legal provision applicable to Processor obliges it to process. In that case, the Processor shall notify the Controller of that legal provision without delay, prior to the Processing, unless that legislation prohibits such notification for important reasons of public interest.
⦁ Processor shall keep Controller’s Personal Data separate from (Personal) Data that it processes for itself or for third parties.
⦁ Processor shall carry out the Processing in a proper and careful manner.

3 Security measures
⦁ Processor shall take all technical and organisational security measures required of it under the AVG and in particular under Article 32 AVG.
⦁ Processor shall provide a document stating the appropriate technical and organisational measures. This document will be attached as Annex 3 to this Processing Agreement.

4 Data breaches
⦁ Processor shall inform Controller without unreasonable delay, but in any event within 24 hours, of any “personal data breach” as referred to in Article 4(12) of the AVG. Such a breach is hereinafter referred to as a “data breach”.
⦁ The Processor will provide the Controller, without unreasonable delay, with all information that it possesses and that is necessary to fulfil the obligations under Article 33 of the AVG and will provide all cooperation requested by the Controller. Processor shall provide the relevant information as soon as possible in a common format to be determined by Processor. Furthermore, Processor will keep Controller informed of any new developments concerning the Data Leak and take all reasonable measures to remedy the Data Leak and limit the consequences (or possible consequences) thereof as much as possible. Processor shall also take those measures which are necessary to prevent a repetition of the Data leak.
⦁ Processor shall not inform Controller of a Data Breach if it is absolutely clear that the Data Breach does not pose any risk to the rights and freedoms of natural persons. If there is any doubt about this, the Processor will report the Data Leak to the Processing Responsible Party in order to enable it to form its own opinion about a possible report of the Data Leak. Processor shall document all breaches, including those that do not have to be reported to Controller, and provide such documentation to Controller once a quarter, or sooner if Controller so requests. The documentation shall contain at least the information set out in Annex 4.
⦁ It is the sole responsibility of the Processing Party to determine whether a Data Leak detected at the Processor is reported to the competent authority and/or to the parties concerned.

5 Use of Subprocessors
⦁ The Processor is entitled to engage third parties as Subprocessors for the purposes of Processing without the prior written consent of the Controller.
⦁ The Processor shall ensure that the third party or parties concerned enter into an agreement in which it will comply with at least the same legal obligations as those of the Processor.
⦁ Processor shall inform Controller of the Subprocessors it has engaged. Controller may then object to additions or replacements in relation to the Processor’s Subprocessors.
⦁ In any event, the Processing Party hereby gives its consent to the engagement of the Subprocessors and/or categories of Subprocessors listed in Annex 2.

6 Duty of confidentiality
⦁ Processor shall keep the Personal Data secret. Processor shall ensure that the Personal Data do not directly or indirectly become available to third parties. Third parties also include the staff of the Processor insofar as it is not necessary for them to take cognisance of the Personal Data. This prohibition does not apply if this agreement provides otherwise and/or insofar as a statutory regulation or judgment obliges any disclosure.
⦁ Processor shall ensure that persons, not limited to employees, who participate in the Processing at Processor are bound by a confidentiality obligation in respect of the Personal Data.

⦁ Processor shall inform Controller of any request to inspect, provide or otherwise retrieve the Personal Data, in violation of the confidentiality obligation contained in this Article.

7 Storage periods and deletion
⦁ The Controller is responsible for determining the retention periods in respect of the Personal Data. Insofar as Personal Data are under the control of the Controller, he himself shall delete them in good time.
⦁ Processor will delete the Personal Data within thirty days of the end of the Main Agreement or, at Processor’s option, transfer it to Processor, unless the Personal Data must be retained for a longer period, such as in the context of Processor’s legal or other obligations, or if Processor requests that Personal Data be retained for a longer period and Processor and Processor agree on the costs and other conditions of that longer retention, the latter without prejudice to Processor’s responsibility to observe the statutory retention periods. Any transfer to the Processor will be at the expense of the Processor.
⦁ At the request of the Processing Party, the Processing Party shall declare that the deletion referred to in the previous paragraph has taken place. The Processing Agent may, at its own expense, have an inspection carried out to determine whether this has indeed taken place. Article 10 of this Agreement shall apply to such control. To the extent necessary, Processor shall inform all Subprocessors involved in the processing of Personal Data of a termination of the Master Agreement and instruct them to act as provided herein.
⦁ Unless the parties agree otherwise, the Processing Agent shall itself arrange for a back up of the Personal Data.

8 Rights of data subjects
⦁ If the Processing Agent itself has access to the Personal Data, it shall comply with all requests from the Data Subjects in respect of the Personal Data. Any requests received by the Processor shall be immediately forwarded to the Processing Owner, which shall be responsible for dealing with the request.
⦁ Only to the extent that the provisions of the preceding paragraph are not possible, Processor will provide its full and timely cooperation to Controller in order to:
⦁ after approval by and on the instructions of the Processing Agent, to allow those concerned to inspect the Personal Data relating to them,
⦁ Remove or correct personal data,
⦁ demonstrate that Personal Data has been deleted or corrected if it is incorrect (or, in the event that the Controller does not agree that the Personal Data is incorrect, record the fact that the data subject considers his/her Personal Data to be incorrect)
⦁ provide the Personal Data in question to the Processing Agent or to a third party designated by the Processing Agent in a structured, common and machine-readable form, and
⦁ otherwise enable Processor to comply with its obligations under the AVG or under other applicable laws relating to the processing of the Personal Data.

⦁ The costs of and requirements for the cooperation mentioned in the previous paragraph shall be determined jointly by the parties. Without an agreement to this effect, the costs shall be borne by the Processing Agent.

9 Liability
⦁ Processor shall be liable to Processor for all damages and costs incurred by Processor as a result of an imputable failure by Processor to comply with its obligations under this Agreement, including but not limited to the damages caused by Processor when processing fails to comply with obligations of the AVG specifically addressed to Processor or if Processor’s lawful instructions are violated.
⦁ The Processor shall indemnify the Processing Party against all third-party claims resulting from an attributable failure by the Processor to fulfil its obligations to the Processing Party under this agreement.
⦁ Without prejudice to the provisions of this Article 9, the liability provisions of the Master Agreement shall apply in full.

10 Control
⦁ The Processing Agent will have the right to verify compliance with the provisions of this agreement at its own expense when there is reasonable cause to do so, and in any event once a year, or to have this verified by an independent chartered accountant or chartered computer specialist.
⦁ If such an audit reveals that Processor has not or not properly complied with this Agreement and/or applicable legal provisions governing the Processing of Personal Data, Processor shall bear the costs of the audit. Processor shall also remedy the shortcomings without delay after becoming aware of them. This is without prejudice to the other rights of the Processing Agent.
⦁ Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of the AVG. If the third party engaged by the Controller gives an instruction which, in the opinion of the Controller, violates the AVG, the Controller shall immediately inform the Controller thereof.
⦁ The investigation of the Controller will always be limited to the systems of the Processor used for the Processing. The Processor will keep the information found during the verification confidential and will only use it to verify the Processor’s compliance with the obligations under this Agreement and will delete the information or parts of it as soon as possible. The Controller warrants that any third parties engaged will also assume these obligations.
⦁ Processor shall carry out periodic security audits (or have them carried out) and shall provide an annual summary of the results of this audit, which shall at least include an overview of the risks as well as the measures to be taken to limit and remedy these risks.

11 Processing of Personal Data outside the European Economic Area
⦁ The transfer of Personal Data by Processor outside the European Economic Area is only permitted in compliance with the applicable legal obligations.

12 Other provisions
⦁ Amendments to this agreement are valid only if they have been agreed in writing between the parties.
⦁ The parties will adapt this agreement to changed or supplemented regulations, additional instructions from the relevant authorities and evolving insight in the application of the AVG (for example through, but not limited to, case law or reports), the introduction of standard provisions and/or other events or insights that make such adaptation necessary.
⦁ This agreement lasts for the duration of the Master Agreement. The provisions of this Agreement shall remain in force to the extent necessary for the settlement of this Agreement and to the extent necessary to survive the end of this Agreement. The latter category of provisions includes, but is not limited to, the provisions on confidentiality and disputes.
⦁ This agreement prevails over any other agreement between the Controller and the Processor.
⦁ This agreement is governed exclusively by Belgian law.
⦁ Parties shall submit their disputes in connection with this agreement exclusively to the Court of Bruges.
_________________________ __________________________________

By:

By:

On behalf of: Fairtual Technologies BV On behalf of:
On: On:
At: At:
Annex 1
Processing of personal data and retention periods
Annexes 1 and 2 must be filled in as completely as possible by the controller
This Annex is part of the Processing Agreement and must be initialled by the parties.

⦁ The Personal Data that parties expect to process:
[Description of the personal data processed under this agreement, e.g. the data described below. Please complete].

⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………
⦁ …………………………………………………………………………………

⦁ The nature, use and purpose of the processing of Personal Data:
[Description of what will be done with the Personal Data (e.g. storage in a file, e-mailing, etc.), what is the purpose of the processing (e.g. marketing, customer acquisition, contract performance) and what means will be used (e.g. CRM software)].
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….

⦁ The categories of Data Subjects to which the Personal Data relates
[Description of the categories of Data Subjects, e.g. website visitors, subscribers, suppliers, children, employees].
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….

⦁ The periods of use and retention of the (different types of) Personal Data:
[Description of the periods of use and retention that the processor must observe]
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………….

Annex 2

Subprocessors/categories of Subprocessors
This Annex is part of the Processing Agreement and must be initialled by the parties.
This Annex contains an overview of the Subprocessors as referred to in Article 5.4 of this Agreement.

Name sub-processor | Address | Contact details | Purpose of sub-processor
C Bloom Comm. V. | Blauwvoetstraat 49 – 8310 Assebroek | info@cbloom.be; GSM:+32478211899; BE0518.858.245 | 3D Design
Sliced Comm. V. | Watermolenstraat 23, 9230 Wetteren | info@sliced.be; GSM:+32496660979; BE0739734272 | IT – Development
Combell NV | Skaldenstraat 121, 9042 Gent | administratie@combell.com; VAT: BE 0541.977.701 | Hosting
Whereby AS | Gate 1, N° 107, 6700 Maloly, Norway | pro@whereby.com | Video meetings
tawk.to inc. | 187 East Warm Spring Rd, SB298, Las Vegas, NV, 89119 | support@tawk.to | Written Chat booths
Chatwee Sp. | Piotrkowska 4, 62-610 Sompolno, Poland | VAT ID: PL6652990463; https://chatwee.com/ | Written Chat (Network Café)


Annex 3

Security measures of Processor (see downloads)

Annex 4
Information in the event of a data breach

The Processor will provide all information that the Processor deems necessary to be able to assess the Data Leak or incident. In doing so, Processor will provide Processor with at least the following information:
⦁ what is the (alleged) cause of the Data breach or incident;
⦁ what the (as yet known and/or expected) consequence is;
⦁ what the proposed solution is;
⦁ the contact details for the follow-up of the report;
⦁ (an estimate of) the number of persons whose data are affected by the Data Breach or incident;
⦁ a description of the category of data subjects involved in the Data Breach or incident;
⦁ the type or types of Personal Data involved in the Data Breach or incident;
⦁ the date/period when the Data breach or incident occurred;
⦁ the date and time on which the Data Leak or incident became known to the Processor or to a third party or subprocessor engaged by it;
⦁ whether the data has been encrypted, hashed or otherwise made inaccessible to unauthorised persons;
⦁ what measures have been taken to end the Data Breach or incident and to limit the consequences of the breach.
