Data Processing Agreement

About this Data Processing Agreement

This Data Processing Agreement supersedes and replaces all previous agreements made in respect of Processing Personal Data and data protection. Parties agree that Expect Me is a Processor and the Client is a Controller in respect of all Services provided by Expect Me related to the Agreement. The aforementioned indication of the Parties as Controller and Processor is consistent with the terms and definitions given within the GDPR. By means of this Data Processor Agreement (hereafter the “DPA”) Parties wish to lay down their specific agreements in respect to Processing Personal Data within the framework of the Agreement.

1. Definitions

Regarding the interpretation of this DPA, the definitions as concluded in the Agreement and in the GDPR will also apply to this DPA, unless this DPA expressly deviates from those definitions.
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her;
“Controller” or “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (i.e. the Client);
“(Personal) Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
“Data Subject” a natural person who is identified or identifiable by the Personal Data. an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“GDPR” Regulation (EU) 2016/679 of the European Parliament and of Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Personal Data” means any information relating to an identified or identifiable natural person as defined in the GDPR;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection,recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller (i.e. Expect Me);
“Subcontractor”: refers to any third party that is involved in the Processing of Personal Data by the Processor;
“Supervisory Authority”: refers independent government body who is responsible for monitoring the application of GDPR;
“Third Party”: a natural or legal person, a government agency, a service or other body, not being the Data Subject, neither the Controller nor the Processor, nor the persons authorized under direct authority of the Controller or the Processor to process the Personal Data;

2. Object of this DPA

2.1 This DPA determines the conditions of the Processing by the Processor, on a self-employed basis, of the Personal Data communicated by or at the initiative of the Controller and in the context of the Agreement; this Processing will exclusively take place for the benefit of the Controller and for the purpose as defined by the Controller.
2.2 The nature and purpose of the Processing, a list and the type of Personal Data as well as the categories of the Data Subjects, taking into account the Services to be performed, are detailed in the Data Processing Details.
2.3 The Processor will only process the Personal Data according to the documented instructions of the Controller, and will not use these Personal Data for its own purpose.
The Controller warrants that it shall not issue instructions, directions or requests to the Processor which would require the Processor and/or its Sub-processor(s) to violate any obligations imposed by applicable mandatory national law to which the Processor and/or its Sub-processor(s) are subject. In particular, the Controller guarantees that it shall comply with all applicable data protection legislation and herby guarantees expressly that the content, use and instructions for the Processing of Personal Data referred to in this DPA are not unlawful so that the protection of the rights of Data Subjects is ensured and so that the Processing activities do not infringe the rights of third parties. The Controller shall indemnify the Processor against all claims related thereto.
2.4 If the Processor is legally obliged to proceed with any Processing of Personal Data, the Processor, unless this would violate applicable mandatory rules, will inform the Controller of such obligation.

3. Compliance with Data Protection Regulations

The Controller and the Processor are obliged to comply with their obligations under applicable legislation (but possibly also codes of conduct, standard contractual clauses, other related regulations).

4. Term

4.1 This DPA is applicable to every Processing of Personal Data executed in the context of the Agreement.
4.2 This DPA applies as long as the Processor processes Personal Data made available by the Controller in the context of the Agreement. This DPA ends automatically upon termination of the Agreement; the provisions of this DPA that are either expressly or implicitly (given their nature) intended to have effect after termination of the DPA shall survive the end of the Agreement as regards the Personal Data communicated by or at the initiative of the Controller in the context of the Agreement.

5. Technical and organizational protection measures

The Processor and Controller offer adequate guarantees with regard to the implementation of appropriate technical and organizational measures so that the Processing complies with GDPR requirements and that the protection of the Data Subject’s rights is guaranteed.

6. Records of processing activities

Each Party and, where applicable, their representatives, shall maintain a register of the processing activities under their responsibility. Each such register shall contain at least all legally required data.

7. Data Protection Officer

If required by law, the Controller and/or the Processor will appoint a Data Protection Officer. The name and the contact details of the Data Protection Officer (or any other person responsible for privacy related matters) can be found in the Data Processing Details.

8. Storage of Personal Data

8.1 The Processor will not keep the Personal Data any longer than as required for Processing of such Personal Data in the context of the Agreement. The Controller will not instruct the Processor to store any Personal Data longer than necessary. The agreed storage period can be found in the Order (Data Processing Details).
8.2 Unless storage of the Personal Data is mandatory under Union or Member State law, the Processor shall, within a reasonable period after the end of the Processing services, at the option of the Controller, either erase all Personal Data or return it to the Controller and delete existing copies.

9. Security

9.1 The Controller and the Processor shall take all appropriate technical and organizational measures as referred to in Article 32 GDPR to ensure a level of security appropriate to the risk. The measures taken by the Processor are available on request.
9.2 The Processor shall, taking into account the nature of the Processing and the information available, assist the Controller in ensuring compliance with the obligations resulting from Articles 32 to 36 GDPR. The Controller will reimburse the Processor for services rendered in the context of providing assistance in fulfilling the aforementioned obligations according to Article 17 “Costs” of this DPA.
9.3 Only those agents of the Processor who are involved in the Processing of Personal Data may be informed about the Personal Data. The Processor ensures that persons authorized to process the Personal Data are committed to confidentiality by contract or are under an appropriate statutory obligation of confidentiality.
9.4 The Processor may only provide Personal Data to Third Parties with the prior written approval of the Controller.

10. Data Subject’s rights

10.1 Taking into account the nature of the Processing, the Processor shall use best efforts, by taking appropriate technical and organizational, to promptly inform the Controller of any request made by a Data Subject with regard to the Personal Data the Processor and/or its Sub-processor(s) processes on behalf of the Controller, without giving any consequence to such request unless explicitly authorized by the Controller to do so and to assist the Controller in the fulfillment of its obligation to respond to requests from Data Subjects.
10.2 For all services performed by the Processor in the context of the treatment of such requests from Data Subjects, the Controller will pay the Processor in accordance with Article 17 “Costs” of this DPA.

11. Duty to notify

11.1 Upon becoming aware of a Personal Data Breach the Processor shall notify the Controller thereof without undue delay. This notification shall at least include following information, to the extent practicable:
a. The nature of the Personal Data Breach;
b. The categories of Personal Data that are affected;
c. The categories and approximate number of Data Subjects concerned;
d. The categories and approximate number of personal data records concerned;
e. The likely consequences of the Personal Data Breach;
f. Measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
11.2 At the request of the Controller, the Processor will cooperate with the investigation and elaboration of the measures necessary in case of any Breaches.
11.3 The Parties will keep each other informed of any new developments with regard to any Breach and of the measures they take to limit its consequences and to prevent the repetition of such Breach.
11.4 It is the responsibility of the Controller to report any Breach to the Supervisory Authority or the Data Subject, as required.

12. Subcontracting

12.1 The Controller expressly authorizes the Processor to engage Subcontractors for the processing of Personal Data. The Controller grants a proxy to the Processor to decide with which Subcontractor(s) the Processor cooperates. The Processor shall keep a list of all Subcontractors engaged, which can be consulted by the Controller upon simple request. The Controller can only refuse a Subcontractor proposed by the Processor on the basis of a well-founded justification submitted in writing.
12.2 The Processor will conclude a separate subcontracting agreement with each Subcontractor.
12.3 In this subcontracting agreement, the same data protection obligations as set out in this DPA shall be imposed on the Subcontractor.
12.4 In the event the Subcontractor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the obligations of that Subcontractor in accordance with Article 19 of this DPA.

13. Transfers of Personal Data

13.1 Unless specifically requested otherwise by Controller, the Processing of Personal Data will exclusively take place within the EEA.
13.2 The Processing or transfer of Personal Data outside the EEA can only occur with the specific prior written consent of the Controller and/or in compliance with applicable legislation. The Processor can sign standard contractual clauses, codes of conduct or any other instruments adopted by the European Commission, which ensures that the transfer of Personal Data to a country outside the EEA complies with appropriate safeguards as required by the GDPR.
13.3 Such consent of the Controller is not required when the transfer of Personal Data to countries outside the EEA is mandatory under EU or Member State law provisions.

14. Data Protection Impact Assessment

14.1 When a ‘Data Protection Impact Assessment’ or a ‘prior consultation’ is required according to Article 35 and 36 GDPR, the Controller will implement such assessment. At the request of the Controller, the Processor will assist in this assessment as well as in the compliance with any required measures, as reasonably required in carrying out such an assessment;
14.2 The Controller will reimburse the Processor for the services so rendered in relation to this assessment and the compliance with any required measures in accordance with Article 17 “Costs” of this DPA.

15. Audit – inspection

15.1 Each Party shall allow the other Party and its authorized auditors to perform audits regarding the compliance by a Party with its obligations under this DPA and the applicable legislation in respect of data protection.
15.2 Each Party shall use its best efforts to cooperate with those audits and to make available to the other Party all information necessary to prove compliance with the obligations of such Party. A Party shall immediately inform the other Party if, in its opinion, an instruction infringes the applicable legislation. In case the audit requires more than four (4) hours of services of the Party which is being audited, the auditing Party will compensate the services provided on a time and material basis (at standard rates applicable at that moment in time).
15.3 Upon the performance of any such audit, the confidentiality obligations of the Parties with respect to Third Parties must be taken into account. Both the Parties and their auditors must keep the information collected in connection with an audit secret and use it exclusively to verify the compliance by the other Party with this DPA and the applicable laws and regulations in respect of data protection.
15.4 The Controller and the Processor and where applicable their representatives, shall cooperate, upon request, with the Supervisory Authority in the performance of its tasks.

16. Costs

16.1 The services to be performed under this Agreement for which the Processor may charge the Controller, will be charged on the basis of the hours worked and the applicable standard hourly rates of the Processor. The Processor will invoice these amounts on a monthly basis.
16.2 Payment by the Controller to the Processor for the services under this Agreement will take place in accordance with the provisions in the Agreement.

17. Notice of default

When the Processor fails to comply with its obligations under this DPA, the Controller shall first send a registered notice of
default (in compliance with article 17.4 “Notices” of the Terms and Conditions). This notice shall clearly mention the defaults that occurred, and, if redress is possible, a proposal of remedial measures and a reasonable term for their implementation.

18. Liability

18.1 Limitations of liability in the Terms and Conditions are applicable to this DPA and all services provided in respect of this DPA.
18.2 The Processor is in any case only liable for the damage caused by Processing if it (a) did not comply with its specific obligations of the GDPR, or (b) acted outside or in violation of the lawful instructions of the Controller.

19. Other provisions

The provisions of the Terms and Conditions concerning changes, completeness of the agreement, applicable law and competent court are applicable to this DPA.