Data Processing Contract
CHECKHUB S.R.L.
Appendix Processing of personal data
(hereinafter referred to as “DPA” or “Data Processing Contract”)
This Appendix (hereinafter referred to as the “DPA”) forms part of the contract (the “Contract”) between CHECKHUB S.R.L. whose registered office is at Cantersteen 10, 1000 Brussels (Belgium), registered at CBE under number 0643.862.739 (the “Processor”) and the Client, and which sets out the terms and conditions of the Services provided by the Processor (the “Services”). The DPA and the Contract are complementary and mutually explanatory. However, in the event of any inconsistency, the DPA shall prevail.
The purpose of this DPA, entered into between the Processor and the Client pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”), is to define the conditions under which the Processor, in its capacity as Processor and within the framework of the Services defined in the Contract, processes personal data as defined in the GDPR on the instructions of the Client (“Personal Data”). The Processing of Personal Data by the Processor as a Controller is outside the scope of this DPA.
For the purposes of this DPA, the Processor shall act as “Processor” and the Client shall be presumed to act as “Controller”. The terms “Processor” and “Controller” shall have the meaning given to them within the GDPR.
If the Client acts as a processor on behalf of a third-party Controller, the Parties expressly agree that the following conditions shall apply:
- The Client shall ensure that (i) all necessary authorisations to enter into this DPA, including the appointment by the Client of the Processor as a sub-processor, have been obtained from the Controller, (ii) a contract, which is in full compliance with the terms and conditions of the Contract (including this DPA), has been entered into with the Controller in accordance with Article 28 of the GDPR, (iii) all instructions received by the Processor from the Client in performance of the Contract and this DPA are fully consistent with the instructions of the Controller, and (iv) all information communicated or made available by the Processor under this DPA is, where required, appropriately communicated to the Controller;
- the Processor (i) processes Personal Data only on the instructions of the Client and (ii) does not receive any instructions directly from the Controller, except in cases where the Client has materially disappeared or ceased to have a legal existence without the Client’s rights and obligations having been transferred to a third entity;
- The Client, who is fully responsible to the Processor for the proper performance of the Controller’s obligations under this DPA, indemnifies and holds harmless the Processor from (i) any failure of the Controller to comply with applicable law, and (ii) any action, claim or complaint by the Controller regarding the provisions of the Contract (including this DPA) or regarding instructions received by the Processor from the Client.
Whereas:
- The Processor provides SaaS document management software to its clients.
- Pursuant to the Contract, certain Services are considered to be Processing of personal data under applicable data protection law.
- In this case, the Client appoints the Processor as a Processor to carry out such Processing of personal data on behalf of the Client and in accordance with the Contract and this DPA.
- For the purposes of compliance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and any other applicable national data protection laws (hereinafter referred to as the “Data Protection Act”), the Processor will process personal data, in accordance with the Contract and this DPA, as a processor;
- In order to comply with Article 28 of the GDPR and, in general, with the Data Protection Act, it is necessary that a written Contract is concluded between the Controller and the Processor confirming certain conditions under which the Processing will be carried out.
- The parties have therefore agreed to enter into this Contract to comply with this requirement.
It is now agreed as follows:
1. Scope of application
This DPA applies to the Processing of personal data carried out by the Processor in its capacity as “processor” in the performance of the Contract and the provision of the Services.
Independently of the Contract, the Processor is also a Controller for certain personal data processing activities of its own, some of which are intrinsic to the Processor’s operations and security standards. Such processing activities are outside the scope of this DPA.
2. Definitions
In the performance of the Contract and for the purposes of this DPA, the terms “Controller”, “Processor”, “Representative”, “Data Subject”, “Personal Data”, “Processing”, “Third Party”, “Personal Data Breach”, “Supervisory Authority” and “Data Protection Officer” shall have the meanings given to them by the GDPR (and, in general, any other terms defined by that regulation).
3. Details of the Processing activity
All the information regarding the processing of personal data by the Processor, on the instructions of the Controller in the context of the use of the aforementioned Services, for which the Parties have entered into a Contract, is available in the annex hereto.
4. Obligations of all parties
All parties undertake to comply with their respective obligations under the provisions of the GDPR.
All parties and, where appropriate, their representatives, shall cooperate, upon request, with the supervisory authority in the performance of its tasks.
5. Specific obligations of the Processor
5.1. Instructions from the Controller
For the purposes of Processing under this DPA and in compliance with the Contract, the Processor shall process Personal Data only in accordance with the Client’s instructions.
The Client hereby instructs the Processor to carry out (i) any Processing necessary for the provision of the Services by the Processor to the Client; and (ii) any additional or ancillary Processing that the Client deems necessary to ensure the provision of the Services, including any support, enhancement and/or development of solutions or any other action that the Processor deems necessary, at any time, by taking appropriate technical and organisational measures and in accordance with the provisions of this DPA. Given the nature of the Services, the Contract constitutes the Client’s full and final instructions to the Processor regarding the Processing of Personal Data.
The Processor and any person acting under its authority shall only process Personal Data on the instructions of the Client (including in relation to transfers of Personal Data to a third country or international organisation), unless the Processor is required to do so by the law of the Union or of a Member State to which the Processor is subject (in which case the Processor shall inform the Client prior to Processing, unless such information is prohibited by law for important reasons of public interest).
The Processor shall inform the Client immediately if, in its opinion, an instruction from the Client violates a provision of the GDPR.
5.2. Confidentiality
The Processor ensures that the persons authorised to process the Personal Data Processed have undertaken to respect the confidentiality of the data or are subject to an appropriate legal obligation of confidentiality.
5.3. Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as necessary, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, the Processor shall take into account the risks presented by the Processing, in particular the risk of a Personal Data Breach.
5.4. Use of sub-processors’ services
The Client grants the Processor general permission to appoint and use the services of its own sub-processors (hereinafter referred to as “Sub-processors”).
The Processor shall inform the Client if it intends to engage any Sub-processors (other than current Sub-processors which the Processor may continue to use without further approval of the Client) to assist the Processor in fulfilling its obligations under this DPA or the Contract or to delegate all or part of the Processing activities to such Sub-processors.
In such event, the Processor shall notify the Client of its intention to engage a Sub-processor and the Client shall have the right to object to such engagement if it has legitimate grounds to object. The Client shall notify the Processor in writing of any objection within fifteen (15) days of receipt of notice of the proposed engagement of a new Sub-processor. The Client shall notify the Processor by e-mail in accordance with Section 11 of this DPA. The Processor shall ensure that its own Sub-processors undertake to comply with the same data protection obligations, in particular with regard to the guarantees of implementation of appropriate technical and organisational measures concerning the Processing activities. In any case, the Processor remains liable to the Client for the acts and omissions of its own Sub-processors in the field of data protection when the latter are acting on the instructions of the Processor.
5.5. Assistance for the execution of the obligations of the Controller
5.5.1. Rights of the Data Subjects
The Client is fully responsible for informing the Data Subjects of their rights and for respecting these rights, including the rights of access, rectification, erasure, restriction of processing and data portability.
The Processor shall provide such cooperation and assistance as is reasonably necessary to respond to data subjects’ requests. Such reasonable cooperation and assistance may include (a) communicating to the Client any requests received directly from the data subject and (b) enabling the Client to design and deploy the technical and organizational measures necessary to respond to the data subject’s requests. The Client is solely responsible for responding to such requests.
This assistance is not included in the services and will be invoiced by the Processor to the Client as additional remuneration on the basis of the Processor’s standard hourly rate.
5.5.2. Security
Taking into account the nature of the Processing and the information available to the Processor (and remaining within the limits of its limited control over the Processing), and at the express request of the Client, the Processor may assist the Client in ensuring that the Client complies with the obligations set out in Articles 32 to 36 of the GDPR (security obligations, obligations in the event of a Personal Data Breach, and obligations to carry out, in certain circumstances, data protection impact assessments). This assistance is not included in the Services and will be invoiced by the Processor to the Client, as an additional fee, on the basis of the Processor’s standard hourly rate.
If the results of any data protection impact assessment relating to the Processing of Personal Data Processed and the Services involve a substantial change to the Services provided by the Processor, the Client and the Processor agree to renegotiate the terms of the Contract accordingly (taking into account such results as well as any advice the parties may have received from the Supervisory Authority).
5.5.3. Personal Data Breaches
If the Processor becomes aware of an incident affecting the Client’s Personal Data (unauthorised access, loss, disclosure or alteration of data), the Processor shall inform the Client as soon as possible, and no later than 72 hours after becoming aware of it.
The notification shall (i) describe the nature of the incident, (ii) describe the likely consequences of the incident, (iii) describe the actions taken or proposed to be taken by the Processor in response to the incident, and (iv) specify who is the contact person at the Processor.
This assistance is not included in the Services and will be invoiced by the Processor to the Client as additional remuneration on the basis of the Processor’s standard hourly rate.
5.5.4. Data protection impact assessment and prior consultation
The Processor will provide reasonable assistance to the Client in connection with any data protection impact assessment and prior consultation with the Supervisory Authorities or other relevant data privacy authorities, which the Client reasonably considers to be required by Articles 35 or 36 of the GDPR or any equivalent provision of the Data Protection Act.
This assistance is not included in the services and will be invoiced by the Processor to the Client as additional remuneration on the basis of the Processor’s standard hourly rate.
5.6. Accountability and Audit
5.6.1. Audit
Upon written request from the Client, the Processor shall make available to the Client all information necessary to demonstrate compliance with the obligations set forth in this DPA.
Any information provided to the Client under this clause which is not available on the Processor’s Website shall be deemed to be confidential information of the Processor under the Contract. Where the information is not confidential or sensitive, it will be made available by the Processor through a simple process. Where the information is confidential, the Processor may make it available to the Client on request, but may require the Client to first sign a non-disclosure agreement. The Processor may, in its sole discretion, choose to withhold certain highly sensitive security information.
The Processor may require the Client to pay a fee for the information (such additional fee will be reasonable and will not be used to prevent the Client from accessing the information on the security controls of the service).
If, in the reasonable opinion of the Client, sufficient information to confirm and demonstrate compliance with the terms of this DPA is not provided, the Client shall have the right to appoint an independent third-party auditor with the requisite professional qualifications and bound by an obligation of confidentiality, which auditor shall be reasonably acceptable to the Processor, to verify the Processor’s compliance with this DPA and applicable data protection laws and to determine whether the representations made by the Processor under this DPA are true and complete.
The Client and the Processor shall agree on the scope, timing and duration of the audit. The Client shall promptly notify the Processor of any non-conformity found during an audit. The Client may not audit the Processor more than once per year. The Client shall be responsible for all costs and fees associated with such an audit, including, but not limited to, the professional fees of any auditor and all reasonable costs and fees for the Processor’s time spent on such an audit, which shall be charged by the Processor as additional hourly compensation. All information processed or created in the course of an audit shall be considered confidential information of the Processor. Before sharing such information with the Client, the Processor may require that the Client first execute a non-disclosure agreement.
If a Supervisory Authority requires an audit of the Services in order to verify or monitor the Client’s compliance with data protection laws, the Processor shall cooperate with such audit. The costs of such an audit shall likewise be borne by the Client.
5.6.2. Liability
The Processor shall only be liable for damages caused by Processing for which (i) it has failed to comply with the obligations under the GDPR that are specifically incumbent on Processors or for which (ii) it has acted outside of or contrary to the lawful instructions of the Client. In such cases, the Contract’s provision on Liability shall apply.
Where the Processor and the Client are involved in a Processing under this Contract which has caused damage to a data subject, the Client shall firstly pay the full amount of the actual compensation (or any other compensation) due to the data subject and secondly claim from the Processor that part of the compensation which corresponds to the Processor’s share of responsibility for the damage, it being understood that the limitation of liability clauses provided for in the Contract shall remain applicable.
5.7. Transfer of data outside the European Union
The Processor shall inform the Client of any transfer of data to a country outside the European Union.
Such a transfer may only take place if a framework mechanism has been validly put in place by the Processor in order to legally cover such a transfer, namely:
- the transfer is made to a country for which the European Commission has adopted an adequacy decision;
- the transfer is made under standard data protection clauses adopted by the Commission or by a supervisory authority and approved by the Commission;
- the transfer takes place within a group of undertakings bound by binding corporate rules; or
- the transfer is otherwise permitted under Chapter V of the GDPR.
5.8. Termination of the provision of services related to the Processing
The Processor shall delete or return all Personal Data Processed to the Client after the end of the provision of the Services relating to the Processing or in the event of termination of the DPA, and shall delete existing copies, unless the Union or Member State legislation applicable to the Processor requires the storage of Personal Data Processed. Thereafter, the Processor shall no longer process such Personal Data.
6. Duration of this DPA
This DPA shall come into force on the Effective Date and shall remain in force thereafter for as long as the Contract remains in force, unless terminated earlier by either party in accordance with Section 7.
7. Termination
This DPA shall terminate in any case where the Contract terminates.
Notwithstanding any other provision hereof, either party may terminate this DPA with immediate effect by written notice to the other party, without prejudice to any other remedy available to it at law, in either of the following cases:
- Any breach of any of the obligations set forth in this DPA that has not been remedied within thirty (30) days after written notice to the breaching party specifying the breach and requesting that it be remedied; or
- The extinction of the legal personality of one of the parties, the suspension of payments, the judicial opening of insolvency proceedings or the declaration of bankruptcy or any other insolvency or similar situation.
8. Disclosures
The Processor shall not disclose the Personal Data Processed in accordance with the Contract and this DPA to any third party, or class of third parties, without the consent of the Client, unless the Union or Member State legislation applicable to the Processor requires otherwise.
9. Miscellaneous
Unless expressly modified in this DPA, the Contract shall remain in full force and effect. In the event of any conflict or inconsistency between the provisions of this DPA and the Contract, the provisions of this DPA shall prevail.
The purpose of this DPA is to ensure an adequate level of protection for the personal data of data subjects. The parties intend to interpret this DPA in light of the GDPR.
10. Applicable law
The Parties agree that the laws of Belgium, with the exception of its conflict of laws rules, shall apply to any dispute relating to the Processing of the Personal Data and that the competent courts of Brussels shall have exclusive jurisdiction in this matter.
Whenever there are changes to the legal provisions referred to in this DPA or to the requirements of the GDPR relating to the rights or obligations created by this DPA, or if the relevant Supervisory Authority makes changes to the best practice guidance, the Parties shall agree, as necessary, on the amendments to be made to this DPA.
11. Notifications
Any notification or other communication under this DPA will be made by e-mail.
12. List of Sub-processors
The full list of Sub-processors is available here: https://checkhub.io/subprocessors
Last updated: 08/04/24