Data processing agreement
Limited company Bakeronline, with its registered office at Adolf Baeyensstraat 53, 9040 Ghent, Belgium, VAT BE 0543469620, hereby duly represented by its managing director Maxim Sergeant (p.p. Ennovator BVBA). Hereinafter referred to as ‘Bakeronline’;
The Customer, as identified in the Main Agreement.
Hereinafter collectively referred to as the ‘Parties’, and individually as a ‘Party’.
Within the context of the performance of certain activities and services for the Customer, Bakeronline shall have access to Personal Data and/or will have to Process this Personal Data, for which the Customer is responsible as ‘Controller’ in accordance with (i) the General Data Protection Regulation of 27 April 2016 (‘the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC’) and (ii) all (future) Belgian laws regarding the implementation of this Regulation (hereinafter referred to as the ‘Privacy Legislation’).
Through this Agreement Parties wish to determine in writing their mutual agreements with regard to (i) managing, securing and/or Processing of such Personal Data and (ii) Parties’ obligation to comply with the Privacy Legislation in the situations where Bakeronline serves as a Processor on behalf of the Customer. This Agreement is without prejudice to the Processing of Personal Data in situations where Bakeronline serves as a Controller as stated in the Main Agreement.
THEREFORE PARTIES HAVE AGREED AS FOLLOWS
ARTICLE 1: DEFINITIONS
1.1 In this Agreement, the following concepts have the meaning described in this article:
Agreement: this document, the ‘Data Processing Agreement’, including any annexes, which is part of the Main Agreement;
Assignment: All activities, performed by Bakeronline for the Customer, and any other form of cooperation whereby Bakeronline Processes Personal Data for the Customer, regardless of the legal nature of the agreement under which this Processing takes place;
Controller: The entity, which determines the purposes and means of the Processing of Personal Data;
Data Subject: A natural person to whom the Personal Data relates;
Data Breach: Unauthorized disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data, which are Processed by Bakeronline on behalf of the Customer;
GDPR: Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Personal Data: Any information relating to an identified or identifiable natural person;
Processor: The entity which Processes Personal Data on behalf of the Controller;
Process/Processing: Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, including, but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
Sub-processor: Any Processor engaged by Bakeronline;
ARTICLE 2: ROLES OF THE PARTIES
2.1 Parties acknowledge and agree that in situations where the Customer acts as Controller with regard to use of the Services, Bakeronline acts as Processor on behalf of the Customer. Further, Bakeronline is allowed to engage Sub-processor(s) pursuant to the requirements set forth in Article 6.
ARTICLE 3: USE OF THE SERVICES
3.1 The Customer acknowledges explicitly that:
- The Customer shall be solely responsible for how it makes use of the Services to Process Personal Data as Controller;
- The Customer shall be solely responsible to comply with all laws and regulations (such as but not limited to the retention period) imposed on it by making use of the Services.
3.2 In case of misuse by the Customer of the Services, the Customer agrees that Bakeronline can never be held liable in this respect nor for any damage that would occur from such misuse.
3.3 The Customer therefore undertakes to safeguard Bakeronline when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.
ARTICLE 4: OBJECT
4.1 Customer acknowledges that as a consequence of making use of the Services of Bakeronline, the latter shall Process Personal Data as collected by the Customer.
4.2 Bakeronline shall Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.
4.3 Bakeronline shall, in situations where Bakeronline serves as a Processor of Personal Data on behalf of the Customer, the Controller, only Process the Personal Data upon request of the Customer and in accordance with its instructions, as described in Annex I, unless any legislation states otherwise without prejudice to the Processing of Personal Data in situations where Bakeronline serves as a Controller as stated in the Main Agreement.
4.4 Notwithstanding 4.3, Bakeronline shall honour the Customer’s instructions, to the extent that:
- The Customer has informed Bakeronline of these instructions in advance and they have been accepted by Bakeronline in writing; and
- Bakeronline's systems allow this, thereby taking into account the functionalities of these systems that are provided by Bakeronline when Localtomorow receives the instructions from the Customer. If the Customer uses Bakeronline's systems and Bakeronline has not approved the Customer's instructions in writing, this will be at the Customer's own risk. If, in the Customer's opinion, Bakeronline's systems do not or insufficiently provide the possibility to support the Customer's instructions, the Customer will contact Bakeronline to further discuss these instructions. Bakeronline does not guarantee that the Customer's instructions are fully compatible or can be implemented by Bakeronline's systems.
4.5 The Customer, as Controller, owns and retains full control concerning (i) the Processing of Personal Data, (ii), the types of Personal Data Processed, (iii), the purpose of Processing Personal Data and (iv) the fact whether such Processing is proportionate (non-limitative). Moreover, the Customer shall be solely responsible to comply with all (legal) obligations in its capacity as Controller and shall have the sole responsibility for the accuracy, quality, and legality of the Personal Data, entered into the Services of Bakeronline, and the means by which it acquired such Personal Data. The responsibility and control concerning the Personal Data, subject to this Agreement, shall thus never be vested in Bakeronline.
4.6 Bakeronline shall assist the Customer in its GDPR responsibilities as Controller in the matter of processing security, Data Breach reporting to the data protection authority, data protection impact assessments (if applicable) and prior consultation.
ARTICLE 5: SECURITY MEASURES
5.1 Bakeronline has taken the following security measures, which are in accordance with the common practices in this industry:
- Physical measures for access security;
- Logical access control via passwords;
- Organizational measures for access security;
- Random monitoring of compliance with the policy;
- Protection of the network connections via Secure Socket Layer (SSL) technology;
- A secure internal network;
- Special purpose access restrictions;
- Inspection of granted access.
Additionally, Bakeronline will make the necessary effort to ensure that the security measures in place are sufficient, thereby taking into account the state of the art, the sensitivity of the Personal Data and the costs concerning the security. The Customer will only provide Personal Data to Bakeronline for Processing if it has made sure that the required security measures have been taken. The Customer is responsible for ensuring that the measures agreed between Parties are complied with.
ARTICLE 6: SUB-PROCESSORS
6.1 The Customer acknowledges and agrees that Bakeronline may engage third-party Sub-processors in connection with the Assignment. In such case, Bakeronline shall ensure that the Sub-processors are at least bound by the same obligations by which Bakeronline is bound under this Agreement. At the Customer’s request, Bakeronline will provide a list of involved Sub-processors.
ARTICLE 7: TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
7.1 The Customer explicitly agrees that Bakeronline can transfer Personal Data outside the European Economic Area (EEA) (this is the European Union, Liechtenstein, Iceland and Norway) as long as the rules with regard to transfer (44-50 GDPR) are respected. Any transfer of Personal Data outside the EEA to a recipient which residence or registered office does not fall under an adequacy decision issued by the European Commission, shall be governed by the terms of a data transfer agreement, which shall contain (i) standard contractual clauses as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EC) or (ii) other mechanisms foreseen by the Privacy Legislation and/or and other applicable rules concerning the Processing of Personal Data.
7.2 Bakeronline can transfer Personal Data outside the EEA if this transfer is necessary based on a binding European or Belgian rule of law. In such case, the Processor will notify the Controller about the rule of law in writing prior to the transfer, unless the binding rule of law prohibits this notification based on serious grounds of public interest.
ARTICLE 8: CONFIDENTIALITY AND SECRECY
8.1 Bakeronline shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without the prior written agreement of the Customer, unless when:
- Explicit written deviation from this Agreement;
- Such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case Bakeronline shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with the Customer.
8.2 Bakeronline shall ensure that its personnel, engaged in the performance of the Assignment, are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Bakeronline shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
8.3 Bakeronline shall ensure that its access to Personal Data is limited to such personnel performing the Assignment in accordance with the Agreement.
ARTICLE 9: NOTIFICATION
9.1 Bakeronline shall use its best efforts to inform the Customer within a reasonable term when it:
- Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data;
- Has the intention to disclose Personal Data to a competent public authority.
9.2 Parties will report to each other and, in the given case, to the data protection authority concerned, all security and/or Data Breaches that have an impact on the performance of the Assignment, and in particular the protection of the Personal Data that they Process within the framework of the Main Agreement. The obligation to report, in any case, encompasses reporting the fact that a breach occurred. Additionally, the obligation to report encompasses:
- Reporting the (alleged) cause of the breach;
- What the (known and/or expected) consequence is;
- What the (proposed) solution is; and
- The contact details to follow up on the report .
ARTICLE 10: RIGHTS OF DATA SUBJECTS
10.1 To the extent the Customer – in its use of the Services – does not have the ability to correct, amend, block or delete Personal Data, as required by Privacy Legislation, Bakeronline shall – to the extent it is legally permitted to do so – comply with any commercially reasonable request by the Customer to facilitate such actions. To the extent legally permitted, the Customer shall be responsible for any costs arising from Bakeronline’s provision of such assistance.
10.2 Bakeronline shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. Bakeronline shall, however, not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to the Customer to which the Customer hereby agrees. Bakeronline shall provide the Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent the Customer does not have access to such Personal Data through its use of the Services. To the extent legally permitted, the Customer shall be responsible for any costs arising from Bakeronline’s provision of such assistance.
10.3 If Bakeronline has to erase the Personal Data of a Data Subject in case of the aforementioned assistance, the Customer acknowledges that Bakeronline cannot be held accountable when the Customer needs to Process the erased Personal Data again in the future as a part of an agreement between the Customer and one of its clients.
ARTICLE 11: RETURN AND DELETION OF PERSONAL DATA
11.1 Upon termination of the Main Agreement Bakeronline shall inform the Customer that he has the right to demand an export of the gathered Personal Data at that point in time taking into account the storage and anonymization measures as stated in the Main Agreement.
ARTICLE 12: CONTROL
12.1 The Customer may request Bakeronline to provide reasonable co-operation regarding an audit of the Bakeronline's ways of working and systems. If the Customer requests this, the audit will exclusively be performed by an independent third party appointed by both Parties, at the Customer's request. Audit requests must be submitted to Bakeronline no later than 10 days prior to the audit. They must include a description of which components will be audited and the audit process itself, and may not disrupt Bakeronline's business activities. Bakeronline shall lend its co-operation to the audit, and make all relevant information that is reasonably needed, including supporting data like system logs, available, and will make employees available, in as far as the direct and/or indirect consequences do not violate the (contractual) rights, duties or statutory requirements of the general services and do not harm Bakeronline's interests. Bakeronline's assistance will not extend further than a maximum of three man-days per calendar year. If Bakeronline's provided assistance exceeds this time limit, it will invoice the Customer for the additional time, at the normal hourly rates amounting to 150,00 euros (excl. VAT) upon the commencement of this Agreement. If the audit report, whose findings are accepted by both Parties, points to a serious error or gross negligence on the part of Bakeronline with a view to the GDPR, the Customer will not have to reimburse Bakeronline for its assistance to the audit.
ARTICLE 13: LIABILITY
13.1 Bakeronline's liability for loss suffered due to an attributable failure to perform with regard to providing the Processing of Personal Data, either due to a wrongful act or otherwise, will be limited per event (whereby a series of consecutive events is deemed a single event) to payment of the direct damages up to a maximum of the payments that Bakeronline receives for work performed pursuant to this Agreement in the month prior to the event giving rise to the damage. Bakeronline's liability for consequential damage, lost profit, missed savings, a loss of goodwill, loss due to business interruption, loss due to a failure to achieve the marketing targets, loss concerning the use of the Customer's data or databases, or loss, corruption or destruction of data or databases is also expressly excluded. The Customer expressly agrees to this exclusion. The preceding is without prejudice to each Party's obligation to indemnify the other Party for liability towards third parties that arises from a violation of their obligations in accordance with the GDPR. All compensation is subject to Article 82 (Right to compensation and liability) of the GDPR.
ARTICLE 14: MISCELLANEOUS
14.1 This Agreement enters into force on 25/05/2018 or on the date of the Main Agreement if this would be later in time and lasts as longs as the Assignment lasts. The provisions stated in this Agreement remain applicable as long as needed to settle this Agreement and for as far as they are meant to survive the end of the Agreement.
14.2 This Agreement and its annexes determine the rights and obligations of the Parties with regard to the object of the Agreement. It nullifies and replaces all previous written and/or oral proposals and agreements. All annexes form an integral part of this Agreement.
14.3 Deviations, alterations and/or additions to this Agreement shall only be valid and binding to the extent that they have been accepted in writing by both Parties.
14.4 This Agreement and the corresponding rights and obligations that exist in respect of the Parties, cannot be transferred, directly or indirectly, without the prior written consent of the other Party.
14.5 (Repeatedly) non-enforcement by a Party or by both Parties of any right or provision of this Agreement, can only be regarded as a toleration of a certain state, and does not lead to forfeiture.
14.6 This Agreement does not constitute a tacit waiver of rights. Except where explicitly provided for in this Agreement, a waiver of rights by either Party, or the circumstance that a Party does not submit a claim for an attributable failure to perform any provisions in this Agreement, does not constitute a waiver of rights concerning a subsequent attributable failure or would not otherwise affect the legal force of that provision. A Party cannot be deemed to have waived a right or claim pursuant to this Agreement, or concerning a breach of contract by the other Party, unless they expressly waive this right and notify the other Party in writing.
14.7 If one or more provisions of this Agreement are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this Agreement shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such event, Parties shall negotiate to replace the invalid provision by an equivalent provision in accordance with the spirit of this Agreement. If Parties do not reach an agreement, then the competent court may mitigate the invalid provision to what is (legally) permitted.
14.8 This Agreement is governed by and must be interpreted according to Belgian law. Only courts of the judicial district of Ghent have the jurisdiction to hear disputes. Parties will initially aim to reach an amicable solution concerning disputes between Parties.
ANNEX I: PROCESSING OF PERSONAL DATA
i) The Customer Processes Personal Data from its clients via software and integrations developed by Bakeronline as Controller for the following purposes:
- Processing orders from the clients to the Customer;
- Answering to requests from the clients to the Customer;
- Marketing from the Customer to its clients.
ii) Within this context the Parties Process the following Personal Data:
- First and last name;
- Address (invoice and/or delivery address) if applicable;
- Email address;
- Phone number;
- Consumption habits (order time, content, type, origin, client, payment method, amount);
- Electronical identification data (IP address, cookies, …);
- Electronical localisation data (GPS if applicable);
- Financial identification data (bank account holder, cart number, bank account, payment method);
- Other Personal Data depending on the free fields added by the Data Subject and/or Customer.
iii) The categories of Data Subjects whose Personal Data shall be Processed within this context are the Customer’s clients. The Customer declares and warrants that the Data Subjects, whose Personal Data are supplied to Bakeronline by the Customer or by a third party, at the Customer's request, have given their unambiguous and express permission with regard to the Processing, which is part of the Services, or that the Customer may invoke any of the conditions in the GDPR based on which such permission is not required. The Customer declares that Bakeronline's planned Processing of Personal Data is not unlawful and does not violate the rights of third parties.
iv) Bakeronline shall retain the Personal Data as long as the Assignment and/or the Main Agreement is ongoing without prejudice to the measures related to Personal Data storage and anonymization as stated in the Main Agreement.
Finally, upon termination of the Assignment and/or the Main Agreement, Bakeronline shall also be entitled to retain the anonymized Personal Data (or part thereof) for statistical and analytical reasons.