Baldwin IoT Services
Data Processing Agreement
Article 1 – Definitions
Data Processing Agreement
Means the present data processing agreement, including its annexes.
Agreement
Means the agreement between the Controller and the Processor concerning the IoT Data Processing Service as described herein and incorporated in:
DESCRIPTION OF THE COMMERCIAL AGREEMENT:
___________________________________________________________________________________________
Data Subject(s)
Means the identifiable or identified natural person(s) whose Personal Data is or are processed;
Data Protection Act
Means the Act of 30 July 2018 concerning the protection of natural persons with regard to the processing of Personal Data;
ECA
Means the Act of 13 June 2005 concerning Electronic Communications;
General Data Protection Regulation or GDPR
Means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Personal Data
Means any information which the Processor processes on behalf of the Controller within the framework of the Agreement and which can directly or indirectly identify the Data Subject;
Personal Data Breach
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Special Categories of Personal Data
Means one or more of the following categories of Personal Data: Data Concerning Health, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning a natural person's sex life or sexual orientation, Genetic Data, Biometric Data or Judicial Data.
Article 2 – Data processing
2.1. Baldwin, acting as a Processor (hereafter “Processor”), shall process the Personal Data in the name and on behalf of the Buyer, acting as a Controller (hereafter “Controller”). The Processor is not allowed to process the Personal Data in any form or manner for its own account or for the account of a third party. The Processor has no control over the purpose of the processing of Personal Data, nor may it independently take decisions concerning the use, storage or disclosure of the Personal Data, unless and to the extent this has been expressly agreed upon in this Data Processing Agreement, or instructed by the Controller, or when the Processor believes in good faith that disclosure is reasonably necessary to comply with a law, regulation or compulsory legal request. The Processor shall inform the Controller without undue delay if it cannot comply with the instructions of the Controller or with the obligations under this Data Processing Agreement, and grants the Controller the right to suspend the disclosure and transfer of Personal Data and/or to terminate this Data Processing Agreement in accordance with its terms.
2.2. The Controller shall ensure that any Personal Data disclosed to the Processor has been collected lawfully, i.e. is processed on a legal basis as described in Articles 6 to 10 of the GDPR. The Controller shall indemnify the Processor against all losses, expenses and liabilities incurred by the Processor arising directly or indirectly from the Controller’s breach of this obligation.
2.3. The subject, duration, nature and purpose of the processing, as well as the type of Personal Data being processed and the categories of Data Subjects, are listed in Annex 1. The Processor commits to process the Personal Data in accordance with the content of Annex 1, in particular regarding the location of the processing. Any change in one of the elements listed in Annex 1 will result in an amendment of Annex 1, as mutually agreed by the Parties. If the Processor becomes aware that one of the elements listed in Annex 1 will change, it must promptly inform the Controller thereof in writing.
2.4. The Processor only processes the Personal Data for the performance of its obligations under the Agreement, in accordance with the Data Processing Agreement and the written instructions of the Controller and shall perform the processing at all times with state of the art security measures and at all times in accordance with the minimum organizational and technical security measures as set out in Annex 2 to this Data Processing Agreement.
2.5. If the Processor processes one or more Special Categories of Personal Data in the name and on behalf of the Controller, it undertakes to comply with the additional specific obligations of Annex 3. In the event of any conflict or inconsistencies between the provisions of this Data Processing Agreement and Annex 3, the provisions of Annex 3 shall prevail. If the Processor does not process Special Categories of Personal Data in the name of and on behalf of the Controller, then this Article and Annex 3 are not applicable.
2.6. The Parties will, each in their respective capacity, process the Personal Data in accordance with the Data Protection Act, the ECA, the GDPR as of 25 May 2018, and any other applicable regulation to which the Controller and/or the Processor are subject.
2.7. The Processor acknowledges being granted or subject to the Processor-oriented rights and obligations under the Data Protection Act and the GDPR. The Processor acknowledges that the Controller is granted or subject to the Controller-oriented rights and obligations under the Data Protection Act and the GDPR.
Article 3 – Confidentiality
3.1. Regardless of the type of Personal Data entrusted by the Controller to the Processor, the Processor shall treat the existence of the processing in the name of and on behalf of the Controller, and the Personal Data itself, as strictly confidential. This duty of confidentiality is more stringent for the processing of Special Categories of Personal Data.
3.2. The Processor shall not disclose, in any form (including in the form of anonymous or anonymized Personal Data) or manner whatsoever, the Personal Data to third parties or grant third parties access to Personal Data, including to sub-processors, except in the cases and under the conditions provided for in Article 3.3. The Processor shall exclusively and always process the Personal Data in the name and on behalf of the Client in order to perform this Data Processing Agreement, and not for its own account or for the account of a third party.
3.3. The Processor may grant third parties access to the Personal Data in the event: (i) the Controller gave its prior and explicit written approval – the Controller hereby agrees that access to the Personal Data is being granted to the third parties listed in Annex 1. In the event the Controller agrees to grant such access to new third parties in the course of the Agreement, Annex 1 shall be amended accordingly by mutual consent; (ii) the Processor is required to grant such access under a mandatory provision of law. In this case, unless such notification is prohibited by law or by overriding reasons of general interest, the Processor shall notify the Controller in advance and in writing about the request to access Personal Data, the relevant mandatory provision and the response the Processor intends to give to this request.
3.4. Except in the cases set out in Article 3.3 (ii), in the event the Processor grants third parties access to the Personal Data, it undertakes that each third party will be subject to contractual obligations at least equivalent to the ones to which the Processor is itself subject vis-à-vis the Controller under this Data Processing Agreement. The Processor guarantees that each third party, to whom it grants access to the Personal data, shall comply with these obligations. The Processor provides to Controller, on its request and without undue delay, a copy of the sub-processing agreement(s).
3.5. The Processor may grant its employees access to the Personal Data in accordance with the need-to-know principle, i.e. to the extent the employees need such access to the Personal Data in order to allow a proper performance of the Processor’s obligations under the Agreement and under the Data Processing Agreement. The Processor shall impose a contractual confidentiality obligation upon the employees who may have access to the Personal Data in order to perform the data processing, which confidentiality obligation is identical to that of the present Article.
3.6. The Processor shall be responsible for compliance with the duty of confidentiality by all people (i.e. employees, authorized partners and contractors) who are aware of the Personal Data and/or of its processing. This duty of confidentiality continues to apply for 10 years after termination of the present Data Processing Agreement.
Article 4 – Obligation to assist
4.1. The Processor commits to assist the Controller in ensuring compliance with its legal obligations under the Data Protection Act, the ECA (if applicable) and the GDPR. In this regard the Processor shall respond within a reasonable period to any request for assistance made by the Controller. In the event the Processor is of the opinion that a request or instruction of the Controller infringes the Data Protection Act, the ECA (if applicable) or the GDPR, it shall immediately notify the Controller. The assistance provided by the Processor to the Controller shall be subject to reasonable compensation.
4.2. Upon the Controller’s request, the Processor shall inform the Controller about the modalities of its processing of the Personal Data and shall grant access to the processed Personal Data and to all documents, buildings, systems, software, hardware, databases, installations and infrastructure necessary to enable the Controller to verify compliance with the Data Protection Act, the ECA (if applicable) and the GDPR.
4.3. Upon the Controller’s request, the Processor shall accept and cooperate with audits and inspections of its processing of the Personal Data, so that the Controller is able to verify whether the Processor complies with its obligations under this Data Processing Agreement and the applicable data protection laws (GDPR and national data protection laws). The Controller may itself carry out these audits and inspections or mandate a third party thereto. If the Controller mandates a third party, such third party shall not be a direct competitor of the Processor and shall agree to be bound by confidentiality obligations that are no less protective than those set out in Article 3 of the Data Processing Agreement.
4.4. The Processor shall immediately transfer to the Controller any Data Subject’s request or question in connection with the (processing of) Personal Data. The Controller shall decide on the response to be given in that regard. On request of the Controller, the Processor shall assist and support the Controller in responding to such Data Subject requests insofar as reasonably possible for the Processor. In particular, the Processor shall, if and to the extent that it falls within its technical capabilities and powers under the Data Processing Agreement, comply within 5 working days with any request of the Controller regarding the response to or execution of the Data Subjects’ requests. The Processor shall be entitled to reasonable compensation for this assistance.
4.5. To the extent that the Processor itself has communicated Personal Data to third parties, it shall without delay transfer to these third parties every alteration, erasure or restriction of Personal Data of which it becomes aware.
4.6. The Processor undertakes to assist the Controller in determining whether a data protection impact assessment is necessary for the Controller’s processing of Personal Data. This implies, for example, that if the Processor’s processing requires the use of new technologies, or if the Processor considers it plausible that the technology used may qualify as “new”, and such new technology is likely to result in a high risk to the rights and freedoms of natural persons, the Processor notifies the Controller accordingly before starting the processing of the Personal Data.
4.7. If the Controller is of the opinion that a data protection impact assessment must be conducted, the Processor commits itself to assist the Controller, upon its written request, in executing the data protection impact assessment. In such case the Processor provides the Controller with at least the information set out in Annex 3, and shall only begin the processing after receipt of the (evaluation of the) data protection impact assessment and the Controller’s written instructions in that regard. The Processor shall be entitled to reasonable compensation for this assistance.
4.8. In the event a Data Subject wishes to exercise her/his right to data portability regarding Personal Data processed by the Processor in the name of and on behalf of the Controller, the Processor shall communicate the relevant Personal Data in a structured, standard and machine-readable form to the Controller or, at the request of the Controller, to the Data Subject. The Processor shall be entitled to reasonable compensation for this assistance.
Article 5 – Personal Data Breach
5.1. If a Personal Data Breach occurs or has occurred, the Processor shall, immediately after becoming aware of it, notify the Controller’s legal department by telephone and by e-mail.
5.2. The Processor provides the Controller, upon the notification of the incident or, if this is not feasible, without undue delay after the notification of the Personal Data Breach, with the following information regarding the Personal Data Breach: (i) the nature of the Personal Data Breach, (ii) where possible the categories of Data Subject(s), (iii) the estimated number of Data Subjects, (iv) the categories of Personal Data, (v) the estimated amount of Personal Data, (vi) the name and contact details of the data protection officer if the Processor has appointed such an officer or, in the event that there is no data protection officer, another contact point where more information on the Personal Data Breach can be obtained, (vii) the likely consequences and risks, including the likely consequences and risks for the Data Subjects, (viii) the measures taken to address the Personal Data Breach, including, where appropriate, the measures to mitigate its possible adverse effects.
5.3. The Processor shall assist the Controller as much as possible when reporting a Personal Data Breach to the supervisory authority and/or the Data Subject(s). The Processor shall in any event respond on a priority basis to any question/request from the Controller regarding the Personal Data Breach.
Article 6 – Organizational and technical security measures
6.1. The Processor undertakes to implement and comply with the appropriate technical and organizational security measures necessary for the Personal Data’s protection. The Processor will describe these measures in a security policy.
6.2. When determining the appropriate technical and organizational security measures, the Processor shall take into account the information provided by the Controller regarding the processing activities conducted on behalf of the Controller, as well as (i) the state of the art, (ii) the implementation costs related to these measures, (iii) the nature, scope, context and purposes of processing, (iv) the risks involved for the Data Subjects’ rights and freedoms, in particular in case of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Personal Data transmitted, stored or otherwise processed, and (v) the probability that the processing shall have an impact on the rights and freedoms of the Data Subjects. Without receiving sufficient and detailed information from the Controller, the Processor shall not be able to determine the necessary technical and organizational security measures.
6.3. The Processor shall update these measures on a regular basis according to the criteria referred to in Article 6.2 and by taking any incident into account.
6.4. The Processor shall implement the minimum appropriate technical and organizational security measures as defined by the Belgian Data Protection Authority and the security measures as listed in Annex 2.
Article 7 – Liability
7.1. The Processor is liable and shall indemnify the Controller for all principal sums, costs, interests and other expenses for the payment of damages caused to or claims from third parties, including the Data Subject, fines, administrative sanctions and other legal costs and other requirements by virtue of claims that may be filed against the Controller by individuals, by a data protection authority or by a government due to the Processor’s breach of the Data Processing Agreement, the obligations specifically imposed on the Processor by the Data Protection Act, the ECA (if applicable) and/or the GDPR.
7.2. The Processor shall indemnify the Controller for all damages caused by third parties (i.e. sub-processors) appointed by the Processor.