Data Processing Agreement ("GDPR")
This Data Processing Agreement (hereinafter the “Agreement”) with regard to the processing of Personal Data (as defined hereinafter) is entered into between:
i) Chatlayer bv (hereinafter “Chatlayer.ai” and/or the “PROCESSOR”); and
ii) You being a customer of Chatlayer (hereinafter the “CUSTOMER” and/or “CONTROLLER”) and the party for which Chatlayer performs certain Services (as defined hereinafter). This Agreement forms an integral part of the General Terms and Conditions, Commercial Offer, Statement of Work and/or other contractual agreements or documentations as agreed upon between the CONTROLLER and the PROCESSOR for the performance of PROCESSOR’s Services (hereinafter: the “Main Agreement”). This Agreement sets forth the terms and conditions pursuant to which Personal Data will be processed in the framework of the Main Agreement.
The CONTROLLER and the PROCESSOR will be referred together as the “Parties” and individually as a “Party” hereafter.
This Agreement regarding the processing of Personal Data was drafted and entered into in order for the Parties to comply with the obligations set forth in the General Data Protection Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 (hereafter the “GDPR”). This Agreement contains the rights and obligations of the CONTROLLER and the PROCESSOR with regard to the processing of Personal Data.
Article 1. DEFINITIONS
For the purpose of this Agreement, the following definitions apply:
1.1. “Agreement” shall mean this data protection agreement;
1.2. “Confidential Information” of a Party means the information of such Party, whether in written, oral, electronic or other form, and which (i) is explicitly marked as confidential or proprietary, or (ii) should reasonably be considered confidential or is traditionally recognized to be of a confidential nature, regardless of whether or not it is expressly marked as confidential, including but not limited to, information and facts concerning business plans, customers, prospects, personnel, suppliers, partners, investors, affiliates or others, training methods and materials, financial information, marketing plans, sales prospects, client lists, inventions, program devices, discoveries, ideas, concepts, know-how, techniques, formulas, blueprints, software (in object and source code form), documentation, designs, prototypes, methods, processes, procedures, codes, and any technical or trade secrets, including all copies of any of the foregoing or any analyses, studies or reports that contain, are based on, or reflect any of the foregoing. The Confidential Information of Chatlayer shall include, without limitation, the Licensed Materials;
1.3. “Commercial Offer” shall mean the commercial offer between the PROCESSOR and the CONTROLLER;
1.4. “Controller” shall mean the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data carried out under his authority, for the purposes of this Agreement understood to be the CONTROLLER;
1.5. “Data Subject” shall mean an identified or identifiable natural person;
1.6. “General Terms and Conditions” shall mean the general terms and conditions of the PROCESSOR;
1.7. “Employee” means an individual who is hired by an employer and has entered into or works under a contract of employment for the provision of labour services in exchange for a wage or a fixed payment. An Employee does not provide professional services as part of an independent business. Agents, distributors, advisors, consultants, freelancers, (independent) (sub)contractors or any other third party are not considered Employees for the purposes of this Agreement;
1.8. “Personal Data” shall mean all information relating to a Data Subject;
1.9. “Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
1.10. “Processor” shall mean a natural or legal person, public authority, agency or any other body which is authorised to process Personal Data on behalf of the controller, such as PROCESSOR;
1.11. “Security Measures” shall mean those measures aimed at protecting Personal Data against accidental or unlawful destruction or loss, as well as against non-authorised access, alteration or transmission;
1.12. “Services” shall mean the right to use the Product, Customizations, Maintenance Services, Professional Services and Hosting Services provided by Chatlayer, in the context of services performed by PROCESSOR for the CONTROLLER, as described in the Main Agreement;
1.13. “Statement of Work” shall mean the statement of work between the CONTROLLER and the PROCESSOR;
1.14. “Subprocessor” shall mean any processor engaged as a subcontractor by the PROCESSOR and who agrees to process Personal Data for and on behalf of the CONTROLLER in accordance with this Agreement;
1.15. “Supervisory Authority” shall mean an independent public authority which is established by a member state pursuant to Article 51 of the Regulation;
1.16. “Third Party” shall mean any party who is not a Data Subject, Controller, Processor or Subprocessor under this Agreement or a person who is authorised to process Personal Data under the direct authority of the CONTROLLER or PROCESSOR.
Article 2. SUBJECT-MATTER OF THE AGREEMENT
2.1 The CONTROLLER wishes to entrust the PROCESSOR with the processing of Personal Data. The PROCESSOR shall process the Personal Data in name of and on behalf of the CONTROLLER. For the performance of Services, the CONTROLLER is responsible for the processing of personal data, and the PROCESSOR is a data processor.
2.2 The PROCESSOR performs the Services in accordance with the provisions of this Agreement.
2.3 Both Parties explicitly commit to comply with the provisions of the relevant applicable data protection laws and shall not do or omit anything that may cause the other Party to infringe the relevant and applicable data protection laws.
2.4 Processing Activities. The processing carried out by the PROCESSOR in name and on behalf of the CONTROLLER relates to the Services performed by the PROCESSOR. The Processing Activities consist of:
- Use, performance, delivery and improvement of the Services and internal business purposes
- Big data analysis, machine learning and statistical and scientific studies
2.5 Categories of Personal Data. The Personal Data that are processed are data relating to individuals about whom data is provided to the PROCESSOR via the Services by or at the direction of the CONTROLLER or by the end users of the CONTROLLER.
2.6 Data Subjects. The Data Subjects include the individuals about whom data is provided to the PROCESSOR via the Services by or at the directions of the CONTROLLER or by the end users of the CONTROLLER.
2.7 Purposes. The PROCESSOR shall only use the Personal Data to ensure a good performance and delivery of the Services in accordance with the provisions of this Agreement. Moreover, the PROCESSOR shall be allowed to process the Personal Data to improve the Services.
2.8 Only those Personal Data which are mentioned in Article 2.5 may and shall be processed by the PROCESSOR. Furthermore, Personal Data shall only be processed in light of the purposes which are determined in this Article by the Parties.
2.9 Both Parties shall undertake to adopt appropriate measures to ensure that the Personal Data are not used improperly or acquired by an unauthorised Third Party.
Article 3. DURATION OF THE PROCESSING
3.1 This Agreement shall apply as long as the PROCESSOR processes Personal Data in name of and on behalf of the CONTROLLER as part of the Services.
3.2 In the event of a breach of this Agreement or the applicable provisions of the Regulation, the CONTROLLER can instruct the PROCESSOR to stop further processing of the Personal Data with immediate effect.
3.3 In the event of the end of the commercial relationship or delivery of Services by the Processor, the PROCESSOR shall anonymise or pseudonymise to a maximum extent the Personal Data it has received or obtained in the performance of the Services solely for the following internal purposes:
To comply with legal obligations and further improve the Services delivered by the PROCESSOR.
Article 4. CONTROLLER’S INSTRUCTIONS
4.1 The PROCESSOR processes the Personal Data only on the instructions of the CONTROLLER and in any case in accordance with the agreed Processing Activities as set out in Article 2.4 of this Agreement in order to perform the Services. The PROCESSOR shall not further process the Personal Data subject to this Agreement in a manner which is incompatible with these instructions and the provisions laid down in this Agreement.
4.2 The CONTROLLER can make limited changes to the instructions unilaterally. The PROCESSOR shall be consulted before any significant changes are made to the instructions. Changes affecting the core of the Agreement must be agreed upon by both Parties.
4.3 The PROCESSOR processes the Personal Data in accordance with Article 4.1 of this Agreement, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which PROCESSOR is subject; in such a case, the PROCESSOR shall inform the CONTROLLER of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Article 5. ASSISTANCE TO THE CONTROLLER
5.1 Compliance with legislation. The PROCESSOR shall assist the CONTROLLER in ensuring compliance with its obligations pursuant to the Regulation, taking into account the nature of processing and the information available to the PROCESSOR.
5.2 Personal Data Breach. In the case of a Personal Data Breach related to the subject of the processing of this Agreement, the PROCESSOR shall notify the CONTROLLER without undue delay after becoming aware of a Personal Data Breach.
This notification shall at least include the following information, to the extent practicable:
a. The nature of the Personal Data Breach;
b. The categories of Personal Data that are affected;
c. The categories and approximate number of Data Subjects concerned;
d. The categories and approximate number of personal data records concerned;
e. The likely consequences of the Personal Data Breach;
f. Measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.3 In case the PROCESSOR makes use of a Subprocessor, the PROCESSOR shall require the Subprocessor to provide it with the same information when a Personal Data Breach takes place at the Subprocessor. The PROCESSOR shall promptly relay the information received from the Subprocessor to the CONTROLLER.
5.4 The PROCESSOR and its Subprocessor(s) shall appoint among their Employees a single point of contact who shall be responsible for all communication between the PROCESSOR, the Subprocessor(s) and the CONTROLLER in the event of an incident which has led or may lead to an accidental or non-authorised destruction or loss or a non-authorised access, alteration or transmission of the Personal Data processed on behalf of CONTROLLER.
5.5 The CONTROLLER shall exclusively decide, at its own discretion and in compliance with the relevant and applicable data protection laws, whether or not Data Subjects whose Personal Data have been impacted by a Personal Data Breach shall be notified of this. It is the responsibility of the CONTROLLER to notify the Supervisory Authority of a Personal Data Breach.
5.6 The Parties, and if applicable the Subprocessor(s) shall ensure to work together in good faith to limit possible adverse effects of a Personal Data Breach.
5.7 Data Processing Impact Assessment. Furthermore, the PROCESSOR shall assist the CONTROLLER as it carries out a Data Protection Impact Assessment in accordance with Article 35 of the Regulation. However, the PROCESSOR, at its own discretion, is free to charge additional costs for the performance of these services. These costs shall at all times be in relation to the delivered performances.
Article 6. INFORMATION OBLIGATIONS
6.1 The PROCESSOR shall provide the CONTROLLER, at any time upon request of CONTROLLER (however such request needs to be made giving the PROCESSOR a reasonable delay to comply with such request), with the following information as determined by the provisions of this clause:
- All relevant details regarding its own corporate structure, as well as accurate and up-to-date identifying information on all of the PROCESSOR’s entities involved in the processing of Personal Data, including the location of their main establishment;
- Geographical details of processing locations, including back-up and redundancy facilities;
- The physical, organisational, technical and logical Security Measures that the PROCESSOR and its Subprocessor(s) have implemented, as set out in Article 11 of this Agreement.
Article 7. PROCESSOR’S OBLIGATIONS
7.1 The PROCESSOR shall handle all reasonable requests of the CONTROLLER concerning the processing of Personal Data related to this Agreement, promptly or within a reasonable time (depending on the legal obligations defined in the Regulation) and in a proper manner.
7.2 The PROCESSOR guarantees that there are no obligations that arise from any applicable legislation that make it impossible to comply with the obligations of this Agreement.
7.3 The PROCESSOR undertakes to not process Personal Data for another purpose than the performance of the Services and the compliance with the responsibilities of this Agreement in accordance with the instructions of the CONTROLLER; if the PROCESSOR, for any reason, cannot comply with this requirement, he shall notify the CONTROLLER without reasonable delay thereabout.
7.4 The PROCESSOR shall notify the CONTROLLER without reasonable delay if he is of the opinion that an instruction from the CONTROLLER violates the applicable legislation related to data protection.
7.5 The PROCESSOR shall ensure that the access to, the inspection, the processing and the disclosure of Personal Data shall only take place in accordance with the principle of proportionality and the ‘need-to-know’ principle (i.e. data are only disclosed to the persons that require Personal Data for the performance of the Services).
Article 8. CONTROLLER’S OBLIGATIONS
8.1 The CONTROLLER shall render all assistance needed and shall cooperate in good faith with the PROCESSOR in order to ensure that all processing of Personal Data complies with the requirements of the Regulation particularly with the principles relating to processing of Personal Data.
8.2 The CONTROLLER shall agree with the PROCESSOR on appropriate communication channels in order to ensure that instructions, directions and other communications regarding Personal Data that are processed by the PROCESSOR on behalf of the CONTROLLER are well received between the Parties. The CONTROLLER shall notify the PROCESSOR of the identity of the single point of contact at the CONTROLLER that the PROCESSOR is required to contact in application of this Article 8.2.
8.3 The CONTROLLER warrants that it shall not issue any instructions, directions or requests to the PROCESSOR, which do not comply with the provisions of the Regulation.
8.4 The CONTROLLER shall render the assistance needed for the PROCESSOR and/or its Subprocessor(s) to comply with a request, order, inquiry or subpoena directed at the PROCESSOR or its Subprocessor(s) by a competent national governmental or judicial authority.
8.5 The CONTROLLER warrants that it shall not issue instructions, directions or requests to the PROCESSOR which would require the PROCESSOR and/or its Subprocessor(s) to violate any obligations imposed by applicable mandatory national law to which the PROCESSOR and/or its Subprocessor(s) are subject.
8.6 The CONTROLLER warrants that it shall cooperate in good faith with the PROCESSOR in order to mitigate the adverse effects of a security incident impacting Personal Data processed by the PROCESSOR and/or its Subprocessor(s) on behalf of the CONTROLLER.
Article 9. THE USE OF SUBPROCESSORS
9.1 Parties agree that the CONTROLLER by means of this Agreement gives the PROCESSOR a general written authorisation to work with the Subprocessors, belonging to categories as indicated in Article 9.5. As such, the PROCESSOR shall at its sole discretion inform the CONTROLLER of any intended changes concerning the addition or replacement of other processors, thereby giving the CONTROLLER the opportunity to object to such changes.
9.2 Without prejudice to the foregoing, the Parties agree that the PROCESSOR shall not be required to disclose the identity of each Subprocessor (categories of Subprocessor shall suffice). Notwithstanding the above, the CONTROLLER can at all times request the PROCESSOR to disclose the identity of a Subprocessor and the PROCESSOR shall do so if such disclosure does not constitute a breach of any confidentiality engagement or trade secret provision the PROCESSOR has entered into with the relevant Subprocessor, or does not harm the intellectual property rights or know how rights of PROCESSOR. If the PROCESSOR cannot disclose the identity of a Subprocessor, the PROCESSOR shall be obliged to provide a formal justification in writing.
9.3 The PROCESSOR shall ensure that its Subprocessors will be bound to substantially the same obligations with respect to Personal Data as to which the PROCESSOR is bound by this Agreement.
9.4 The PROCESSOR shall relay the purposes determined and instructions issued by the CONTROLLER in an accurate and prompt manner to the Subprocessor(s) when and where these purposes and instructions pertain to the part of the processing in which the Subprocessor(s) is(are) involved.
9.5 As part of this Agreement the PROCESSOR makes use of the following categories of Subprocessors in order to ensure the performance of the Services to the Data Subjects, including but not limited to:
email providers, accounting software providers, payroll administrators, software providers, cloud providers.
Article 10. RIGHTS OF THE DATA SUBJECTS
10.1 Taking into account the nature of the processing, the PROCESSOR assists the CONTROLLER by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the CONTROLLER’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the Regulation.
10.2 With respect to any request from Data Subjects regarding their rights concerning the processing of Personal Data pertaining to them by the PROCESSOR and/or its Subprocessor(s), the following conditions apply:
The PROCESSOR shall on a best efforts basis promptly inform the CONTROLLER of any request made by a Data Subject with regard to the Personal Data the PROCESSOR and/ or its Subprocessor(s) processes on behalf of the CONTROLLER, without giving any consequence to such request unless explicitly authorised by the CONTROLLER to do so;
The PROCESSOR shall promptly comply and shall require its Subprocessor(s) to promptly comply with any request made by the CONTROLLER in order for the CONTROLLER to comply with a request made by the Data Subject who wishes to exercise one of its rights;
Strictly in relation to the processing of Personal Data under this Agreement, the PROCESSOR shall, upon request of the CONTROLLER and upon best efforts basis render all assistance required and provide all information necessary for the CONTROLLER to defend its interests in any proceedings – legal, arbitral or others – brought against the CONTROLLER or its Employee for any violation of fundamental rights to privacy and protection of Personal Data of Data Subjects. The PROCESSOR may in its sole discretion charge the CONTROLLER fees for such assistance.
Article 11. SECURITY MEASURES
11.1 Throughout the term of this Agreement the PROCESSOR shall have in place and maintain appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the Data Subject.
The PROCESSOR shall amongst others have in place technical and organisational measures against unauthorised and unlawful processing and shall on a regular basis evaluate and adjust if required, the appropriateness of the Security Measures.
11.2 More in particular, the PROCESSOR shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, according to Article 32 of the Regulation.
11.3 In assessing the appropriate level of security, account was taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
11.4 The PROCESSOR has implemented, amongst others, but not limited to, the following general physical, logical, technical and organisational security measures known as Chatlayer Technical and Organizational Measures, set forth in Annex 1 of this Agreement.
Article 12. AUDIT
12.1 The PROCESSOR acknowledges that the CONTROLLER is under the supervision of a/several Supervisory Authority/ies. The PROCESSOR acknowledges that any involved Supervisory Authority will have the right to perform an audit at any time, and in any case during the normal office hours of the PROCESSOR, during the term of this Agreement to assess whether the PROCESSOR is compliant to the Regulation and the provisions of this Agreement. The PROCESSOR shall provide the necessary cooperation.
12.2 The CONTROLLER shall only have a right to audit the PROCESSOR if the CONTROLLER has justifiable grounds to request such audit and if such grounds are communicated and demonstrated in writing to the PROCESSOR. Justifiable grounds shall mean a (strong presumption of a data breach in the meaning of Article 4 of the GDPR (and in the case of an actual data breach if such data breach has not been notified and no remediation actions have been taken), destruction of confidential Personal Data, material breach of any of the PROCESSOR’s obligations under this Agreement). In such event and upon written request of the CONTROLLER, the PROCESSOR will provide an independent third party, certified auditor, appointed by the CONTROLLER or the involved Supervisory Authority access to the relevant parts of the administration of the PROCESSOR and all locations and information of interest of the PROCESSOR (and those of its agents, subsidiaries and sub-contractors) to determine if the PROCESSOR is compliant with the Regulation and the provisions of this Agreement. On request of the PROCESSOR, the concerned parties shall agree a confidentiality agreement.
12.3 The CONTROLLER shall take all appropriate measures to minimise any obstruction caused by the audit on the daily functioning of the PROCESSOR or the Services performed by the PROCESSOR.
12.4 If there is agreement between the PROCESSOR and the CONTROLLER on a material shortcoming in the compliance with the Regulation and/or the Agreement, as revealed in the audit, the PROCESSOR shall recover this failure as soon as possible. The Parties can agree to have a plan in place, including a timescale to implement this plan, to respond to the shortcomings revealed in the audit.
12.5 The CONTROLLER will bear the costs of any performed audit in the meaning of this Article. However, when the audit has revealed that the PROCESSOR is manifestly not compliant with the Regulation and/or the provisions of this Agreement, the PROCESSOR shall bear the costs of such audit.
Article 13. TRANSFER TO THIRD PARTIES
13.1 The transfer of Personal Data to Third Parties in any manner possible is prohibited, unless it is permitted under this Agreement, legally required, or in case the PROCESSOR has obtained the explicit consent of the CONTROLLER to do so. In the case a legal obligation applies to the transfer of Personal Data, which is subject to this Agreement, to Third Parties, the PROCESSOR shall notify the CONTROLLER prior to the transfer.
Article 14. INTERNATIONAL TRANSFER
14.1 In order to provide the Services, the Parties agree that in some cases, Personal Data can be transferred to and/or kept outside the European Economic Area (EEA) and even to or in a country that does not fall under an adequacy decision issued by the European Commission. Such transfer however shall be governed by:
(i) the Regulation or Binding Corporate Rules for any internal entities of the PROCESSOR; or
(ii) the terms of a data transfer agreement containing standard contractual clauses as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EC), or by other mechanisms foreseen by the applicable data protection law.
Article 15. CONDUCT IN RELATION TO NATIONAL GOVERNMENTAL AND JUDICIAL AUTHORITIES
15.1 The PROCESSOR shall inform the CONTROLLER immediately of any request, order, inquiry or subpoena by a competent national governmental or judicial authority directed at the PROCESSOR or its Subprocessor which entails the communication of Personal Data processed by the PROCESSOR or a Subprocessor for and on behalf of the CONTROLLER or any data and/or information associated with such processing.
15.2 Without prejudice to article 15.1 of this Agreement, the PROCESSOR warrants that there are no obligations of applicable statutory law, which make it impossible for the PROCESSOR to comply with its obligations under this Agreement.
Article 16. CONFIDENTIALITY
16.1 The PROCESSOR commits itself to handle the Personal Data and its processing with utter confidentiality. The PROCESSOR shall guarantee the confidentiality with measures that are not less restrictive than the measures he uses to protect his own confidential material, including Personal Data.
16.2 The PROCESSOR ensures that employees or the Subprocessors authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Article 17. LIABILITY
17.1 The PROCESSOR is liable for the damage caused by processing only where it has not complied with the obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to lawful and fair instructions of the CONTROLLER.
17.2 A Party is liable (contractual or in tort/delict (including default) or by any means associated with this Agreement, including liability for severe misconduct) for verified shortcomings attributable to it. The liability of the Parties for a breach under this Agreement, shall be limited to suffered foreseeable, direct and personal damages, with the exclusion of consequential damage (even if informed about the possibility of such consequential damage or if the likelihood of such consequential damage was reasonably foreseeable), where “consequential damage” means: damage or loss that did not derive directly and immediately from a breach of contract and/or extracontractual non-performance, but instead indirectly and/or after a certain lapse of time, including, but not limited to loss of income, interruption or stagnation of operations, increase of staff costs and/or the costs of staff cuts, damage consisting of or as a result of claims from third parties, lack of expected savings or advantages and loss of data, profit, time or income, loss of orders, loss of customers, increase of overhead costs, consequences of a strike, irrespective of the causes.
17.3 If it appears that both the CONTROLLER and the PROCESSOR are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing.
17.4 In any event the total liability of the PROCESSOR under this Agreement shall be limited to the cause of damage and to the amount that equals the total amount of fees paid by the CONTROLLER to the PROCESSOR for the delivery and performance of the Services for a period not more than twelve months immediately prior to the cause of damages. In no event shall the PROCESSOR be held liable if the PROCESSOR can prove he is not responsible for the event or cause giving rise to the damage.
Article 18. MEDIATION AND JURISDICTION
18.1 The PROCESSOR agrees that if the Data Subject files a claim for damages under this Agreement, the PROCESSOR will accept the decision of the Data Subject:
- To refer the dispute to mediation by an independent person;
- To refer the dispute to the relevant courts in Brussels, Belgium.
18.2 The Parties agree that the choice made by the Data Subject will not prejudice the Data Subject’s substantive or procedural rights to seek remedies in accordance with other provisions of applicable national or international law.
Article 19. TERMINATION OF THE AGREEMENT
19.1 This Agreement shall apply as long as the PROCESSOR processes Personal Data on behalf of the CONTROLLER and at least as long as the Main Agreement is in place.
19.2 In the event of breach of this Agreement or the Regulation, the CONTROLLER can instruct the PROCESSOR to stop further processing of the information with immediate effect.
19.3 Without prejudice to article 3.3, the PROCESSOR shall not store the data any longer than needed to perform the Service(s) for which the data is provided. At the choice of CONTROLLER, the PROCESSOR shall delete or return all the Personal Data to the CONTROLLER after the end of the provision of Services in relation to processing, and deletes existing copies, and will certify that it has done so, unless legal obligation, Union or Member State law requires storage of the Personal Data. The Personal Data shall be provided to the CONTROLLER without charge, unless otherwise agreed upon.
Article 20. ANNEX I: Technical and Organizational Measures
This annex describes all security and organizational measures and efforts taken by PROCESSOR to ensure the security and quality of the data it processes via its Cloud Platform “Chatlayer”, such as the type of device, operating system, type of mobile browser, use of a specific application, real-time location based on information provided by device operating system, messages, data, and (to the extent permission is granted) emails and instant messages (collectively the ‘Data’).
Article 21. Entrance Control
By applying the following measures, PROCESSOR prevents the entrance of non-authorized persons to data-processing installations in which Data are processed or used:
Data is collected and processed by PROCESSOR on two locations:
- For development and testing purposes in the PROCESSOR headquarters in Antwerp, Belgium, as well as secured offshore development hubs contractually controlled by PROCESSOR. All facilities are duly secured by key locks and alarm systems, and have a 24/7/365 camera controlled entrance, registering all entering and exiting individuals.
- For testing, staging and production purposes the physical access to the cloud computing platform is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. All entrances to the data centers, including the main entrance, the loading dock, and any roof doors/hatches, are secured with intrusion detection devices that generate alarms if a door is forced open or held open. In addition to electronic mechanisms, data centers utilize trained security guards 24×7, who are stationed in and around the building. Physical access points to server locations are recorded by closed circuit television camera (CCTV).
Article 22. Utilization Control
By applying the following measures, PROCESSOR prevents the utilization of data-processing systems by non-authorized persons:
PROCESSOR employs two types of data-processing systems:
- Laptops as local workstations: Every software developer has a laptop assigned to him/her which is used to develop data processing systems. Every laptop is fitted with a personal password-protected user account for the software developer.
- Cloud servers operated: Access to the cloud environment is managed by personal password-protected user accounts managed through a centralized user management service. Tokens for programmatic access (access token, secret key) to data processing systems are attached to the personal user accounts and can be retracted at any time.
Article 23. Access Control
By applying the following measures, PROCESSOR ensures that persons authorized to use a data-processing system will only have access to those data that they have been authorized for and that, neither during the processing nor after storage, Data can be read, copied, altered or removed without a respective authorization.
PROCESSOR employees, i.e. software developers, who are authorized to use data processing systems are provided with a personal cloud user account and tokens. Specific accounts are in place to restrict certain access to Data depending on the job content and contribution to the PROCESSOR solution.
Article 24. Transmission Control
By applying the following measures, PROCESSOR ensures that Data cannot be read, copied, altered or removed during electronic data transmission without authorization and that it is possible to check and determine at which points a transmission of personal data by means of data transmission installations is intended:
- PROCESSOR employs an SSL connection for all data transmission in and out of the PROCESSOR platform. The connection uses TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
- Centralized firewall infrastructure with DLP enabled ensures that no uncontrolled data leakage is possible from within the PROCESSOR premises.
- An architectural overview of the project platform is kept up to date.
- The cluster is a private network for which we keep an up-to-date list of all entry points, connections to the cluster through SSL. Exceptions must be added to the firewall in order to make a connection to the web application or through centralized proxies and gateways.
Article 25. Input Control
By applying the following measures, PROCESSOR ensures that it is possible to check and determine subsequently whether and by whom Data have been entered into data-processing systems, altered or removed.
Article 26. Order Control
By applying the following measures, PROCESSOR ensures that Data subject to job processing are processed in strict accordance with the instructions given by the principal:
- Access to Data and servers is granted via an encrypted connection and all access is logged and can be traced by PROCESSOR’s DPO team. Specific accounts are in place to restrict certain access to Data.
Article 27. Availability Control
By applying the following measures, PROCESSOR ensures that Data are protected against accidental destruction or loss:
- Personal data arriving at the PROCESSOR platform is consolidated as-is into a Master Dataset which can be interpreted as an append-only log of events. This Master Dataset is stored on databases on the cloud computing environment. Data is stored on a high-availability setup with replication, for resilience against catastrophic loss of two nodes simultaneously.
Article 28. Data protection controls
PROCESSOR foresees the following additional controls for data that is processed on local or cloud storage:
- Storage encryption of local infrastructure, where the SAN storage uses 128-bit AES key-based encryption to secure the data at rest. Data transfer (in transit) is secured using 256-bit SSL/TLS encryption.
- Anti-virus and anti-malware protection ensures the confidentiality and integrity of the operating systems, applications and other software used by PROCESSOR employees and applications.
- Data Minimization: it follows from the Cached Data Inventory (see point 4) that PROCESSOR only caches the absolute minimum of data sets in performing the project. This technique is applied only if the outcome of the project benefits from the many advantages of caching.
- Purpose Limitation: the same holds true with regard to the data protection principle of purpose limitation. The cached data is only used in the scope of the project and for the duration thereof, after which cached data is cleaned by secure deletion (DoD 5220.22-M ECE wiping).
Article 29. Other Kinds of Control
All employees and consultants working for PROCESSOR are subject to individual confidentiality agreements.