- About this Data Processor Agreement
This Data Processor Agreement supersedes and replaces all previous agreements made in respect of Processing Personal Data and data protection. Parties agree that Rombit Technics NV is a Processor and the Customer is a Controller in respect of all Products provided by Rombit Technics NV related to the Agreement. The aforementioned indication of the Parties as Controller and Processor is consistent with the terms and definitions given within the Data Protection Laws. In the performance of the Services and provision of Products related to the Agreement, Rombit Technics NV will receive and Process Personal Data for the benefit of the Customer and according to its instructions and purpose. Specific legislation applies to such Processing, including among others the Data Protection Laws. By means of this Data Processor Agreement (hereafter the “DPA”) Parties wish to lay down their specific agreements in respect to Processing Personal Data within the framework of the Agreement.
Regarding the interpretation of this DPA, the definitions in the Agreement will also apply to this DPA, unless this DPA expressly deviates from those definitions. The notions Controller, Processor, Process, (Data) Breach, Supervisory Authority, Personal Data, Data Protection Officer will be defined as the terms used in the applicable Data Protection Laws.
“Subcontractor” refers to any third party that is involved in the Processing of Personal Data by Rombit Technics NV;
“Third Party” means a natural or legal person, a government agency, a service or other body, not being the Data Subject, neither the Customer nor Rombit Technics NV, nor the persons authorized under direct authority of the Customer or Rombit Technics NV to process the Personal Data.
- Object of this DPA
This DPA determines the conditions of the Processing by Rombit Technics NV, on a self-employed basis, of the Personal Data communicated by or at the initiative of the Customer and in the context of the Agreement; this Processing will exclusively take place for the benefit of the Customer and for the purpose as defined by the Customer.
The nature and purpose of the Processing, a list and the type of Personal Data as well as the categories of the Data Subjects, taking into account the Services to be performed, are detailed in Schedule 4 to the Purchase Order (Data Processing Details).
Rombit Technics NV will only process the Personal Data according to the documented instructions of the Customer and will not use these Personal Data for its own purpose.
If Rombit Technics NV is legally obliged to proceed with any Processing of Personal Data, Rombit Technics NV, unless this would violate applicable mandatory rules, will inform the Customer of such obligation.
- Compliance with Data Protection Regulations
The Customer and Rombit Technics NV shall comply with their obligations under applicable legislation.
This DPA is applicable to every Processing of Personal Data executed in the context of the Agreement.
This DPA applies as long as Rombit Technics NV processes Personal Data made available by the Customer in the context of the Agreement. This DPA ends automatically upon termination of the Agreement; the provisions of this DPA that are either expressly or implicitly (given their nature) intended to have effect after termination of the DPA shall survive the end of the Agreement as regards the Personal Data communicated by or at the initiative of the Customer in the context of the Agreement.
- Technical and organizational protection measures
Rombit Technics NV and Customer offer adequate guarantees with regard to the implementation of appropriate technical and organizational measures so that the Processing complies with GDPR requirements and that the protection of the Data Subject’s rights is guaranteed.
- Records of processing activities
Each Party and, where applicable, their representatives, shall maintain a register of the processing activities under their responsibility. Each such register shall contain at least all legally required data.
- Data Protection Officer
If required by law, the Customer and/or Rombit Technics NV will appoint a Data Protection Officer. The name and the contact details of the Data Protection Officer (or any other person responsible for privacy related matters) can be found in Schedule 4 to the Purchase Order (Data Processing Details).
- Storage of Personal Data
Rombit Technics NV will not keep the Personal Data any longer than as required for Processing of such Personal Data in the context of the Agreement. The Customer will not instruct Rombit Technics NV to store any Personal Data longer than necessary. The agreed storage period can be found in Schedule 4 to the Purchase Order (Data Processing Details).
Unless storage of the Personal Data is mandatory under Union or Member State law, Rombit Technics NV shall, within a reasonable period after the end of the Processing services, at the option of the Customer, either erase, if reasonably possible, all Personal Data or return it to the Customer and delete existing copies.
The Customer and Rombit Technics NV shall take all appropriate technical and organizational measures as referred to in Article 32 GDPR to ensure a level of security appropriate to the risk. The measures taken by Rombit Technics NV are available on request.
Rombit Technics NV shall, taking into account the nature of the Processing and the information available, assist the Customer in ensuring compliance with the obligations resulting from Articles 32 to 36 GDPR. The Customer will reimburse Rombit Technics NV for services rendered in the context of providing assistance in fulfilling the aforementioned obligations according to Article 18 “Costs” of this DPA.
Only those agents of Rombit Technics NV who are involved in the Processing of Personal Data may be informed about the Personal Data. Rombit Technics NV ensures that persons authorized to process the Personal Data are committed to confidentiality by contract or are under an appropriate statutory obligation of confidentiality.
- Code of Conduct and Certification
Adherence by Rombit Technics NV to an approved code of conduct as referred to in Article 40 GDPR, or an approved certification mechanism as referred to in Article 42 GDPR may be used as an element of proof of sufficient guarantees as referred to in GDPR.
- Data Subject’s rights
Taking into account the nature of the Processing, Rombit Technics NV shall use its best efforts, by taking appropriate technical and organizational, to assist the Customer in the fulfillment of its obligation to respond to requests from Data Subjects.
For all services performed by Rombit Technics NV in the context of the treatment of such requests from Data Subjects, the Customer will pay Rombit Technics NV in accordance with Article 18 “Costs” of this DPA.
- Duty to notify
Upon becoming aware of a Personal Data Breach Rombit Technics NV shall notify the Customer thereof without undue delay.
At the request of the Customer, Rombit Technics NV will cooperate with the investigation and elaboration of the measures necessary in case of any Breaches.
The Parties will keep each other informed of any new developments with regard to any Breach and of the measures they take to limit its consequences and to prevent the repetition of such Breach.
It is the responsibility of the Customer to report any Breach to the Supervisory Authority or the Data Subject, as required.
The Customer expressly authorizes Rombit Technics NV to engage Subcontractors for the processing of Personal Data. The Customer grants a proxy to Rombit Technics NV to decide with which Subcontractor(s) Rombit Technics NV cooperates. Rombit Technics NV shall keep a list of all Subcontractors engaged, which can be consulted by the Customer upon simple request. The Customer can only refuse a Subcontractor proposed by Rombit Technics NV on the basis of a well-founded justification submitted in writing.
Rombit Technics NV will conclude a separate subcontracting agreement with each Subcontractor.
In this subcontracting agreement, similar data protection obligations as set out in this DPA shall be imposed on the Subcontractor.
In the event the Subcontractor fails to fulfill its data protection obligations, Rombit Technics NV shall remain fully liable to the Customer for the performance of the obligations of that Subcontractor in accordance with Article 20 of this DPA.
- Transfers of Personal Data
The Processing of Personal Data will exclusively take place within the EEA.
The Processing or transfer of Personal Data outside the EEA can only occur in compliance with applicable legislation. Rombit Technics NV can sign standard contractual clauses, codes of conduct or any other instruments adopted by the European Commission, which ensures that the transfer of Personal Data to a country outside the EEA complies with appropriate safeguards as required by the GDPR.
- Data Protection Impact Assessment
When a ‘Data Protection Impact Assessment’ or a ‘prior consultation’ is required according to Article 35 and 36 GDPR, the Customer will implement such assessment. At the request of the Customer, Rombit Technics NV will assist in this assessment as well as in the compliance with any required measures.
The Customer will reimburse Rombit Technics NV for the services so rendered in relation to this assessment and the compliance with any required measures in accordance with Article 18 “Costs” of this DPA.
- Audit – inspection
Each Party shall allow the other Party and its authorized auditors to perform audits regarding the compliance by a Party with its obligations under this DPA and the applicable legislation in respect of data protection.
Each Party shall use its best efforts to cooperate with those audits and to make available to the other Party all information necessary to prove compliance with the obligations of such Party. A Party shall immediately inform the other Party if, in its opinion, an instruction infringes the applicable legislation. In case the audit required more than one business day of services of the Party which is being audited, the auditing Party will compensate the services provided on a time and material basis (at standard rates applicable at that moment in time).
Upon the performance of any such audit, the confidentiality obligations of the Parties with respect to third parties must be taken into account. Both the Parties and their auditors must keep the information collected in connection with an audit secret and use it exclusively to verify the compliance by the other Party with this DPA and the applicable laws and regulations in respect of data protection.
The Customer and Rombit Technics NV and where applicable their representatives, shall cooperate, upon request, with the Supervisory Authority in the performance of its tasks.
The services to be performed under this Agreement for which Rombit Technics NV may charge the Customer, will be charged on the basis of the hours worked and the applicable standard hourly rates of Rombit Technics NV. Rombit Technics NV will invoice these amounts on a monthly basis.
Payment by the Customer to Rombit Technics NV for the services under this Agreement will take place in accordance with the provisions in the Agreement.
- Notice of default
When Rombit Technics NV fails to comply with its obligations under this DPA, the Customer shall first send a registered notice of default (in compliance with article “Notices” of the Terms and Conditions). This notice shall clearly mention the defaults that occurred, and, if redress is possible, a proposal of remedial measures and a reasonable term for their implementation.
Limitations of liability in Rombit Technics NV Terms and Conditions are applicable to this DPA and all services provided in respect of this DPA.
Rombit Technics NV is in any case only liable for the damage caused by Processing if it (a) did not comply with its specific obligations of the GDPR, or (b) acted outside or in violation of the lawful instructions of the Customer.
- Other provisions
The miscellaneous provisions of Rombit Technics NV Terms and Conditions are applicable to this DPA.