Data Protection Policy

This Data Processing Policy (hereinafter the “Agreement”) with regard to the processing of Personal Data (as defined hereinafter) is entered into between:

  1. Faction xyz bvba (hereinafter “Faktion” and/or the “PROCESSOR”); and
  2. You being a customer of Faktion or a visitor on the Faktion website (hereinafter the “CUSTOMER” and/or “CONTROLLER”)

The CONTROLLER and the PROCESSOR will be referred together as the “Parties” and individually as a “Party” hereafter.

This Agreement regarding the processing of Personal Data was drafted and entered into in order for the Parties to comply with the obligations set forth in the General Data Protection Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 (hereafter the “GDPR”). This Agreement contains the rights and obligations of the CONTROLLER and the PROCESSOR with regard to the processing of Personal Data.


For the purpose of this Agreement, the following definitions apply: 1.1. “Agreement”shallmeanthisdataprotectionagreement;

1.2. “ConfidentialInformation”ofaPartymeanstheinformationofsuchParty,whetherinwritten, oral, electronic or other form, and which (i) is explicitly marked as confidential or proprietary, or (ii) should reasonably be considered confidential or is traditionally recognized to be of a confidential
nature, regardless of whether or not it is expressly marked as confidential, including but not limited to, information and facts concerning business plans, customers, prospects, personnel, suppliers, partners, investors, affiliates or others, training methods and materials, financial information, marketing plans, sales prospects, client lists, inventions, program devices, discoveries, ideas, concepts, know-how, techniques, formulas, blueprints, software (in object and source code form), documentation, designs, prototypes, methods, processes, procedures, codes, and any technical or trade secrets, including all copies of any of the foregoing or any analyses, studies or reports that contain, are based on, or reflect any of the foregoing. The Confidential Information of Faktion shall include, without limitation, the Licensed Materials;

1.3. “CommercialOffer”shallmeanthecommercialofferbetweenthePROCESSORandthe CONTROLLER;

1.4. “Controller”shallmeanthenaturalorlegalperson,publicauthority,agencyoranyotherbody which, alone or jointly with others, that determines the purposes and means of the processing of Personal Data carried out under his authority, for the purposes of this Agreement understood to be the CONTROLLER;

1.5. “DataSubject”shallmeananidentifiedoridentifiablenaturalperson;

1.6. “GeneralTermsandConditions”shallmeanthegeneraltermsandconditionsofthePROCESSOR;

1.7. “Employee”meansanindividualwhoishiredbyanemployerandhasenteredintoorworksunder a contract of employment for the provision of labour services in exchange for a wage or a fixed payment. An Employee does not provide professional services as part of an independent business. Agents, distributors, advisors, consultants, freelancers, (independent) (sub)contractors or any other third party are not considered Employees for the purposes of this Agreement;

1.8. “PersonalData”shallmeanallinformationrelatingtoaDataSubject;

1.9. “PersonalDataBreach”shallmeanabreachofsecurityleadingtotheaccidentalorunlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

1.10. “Processor” shall mean a natural or legal person, public authority, agency or any other body which is authorised to process Personal Data on behalf of the controller, such as PROCESSOR;

1.11. “SecurityMeasures”shallmeanthosemeasuresaimedatprotectingPersonalDataagainst accidental or unlawful destruction or loss, as well as against non-authorised access, alteration or transmission;

1.12. “Services”shallmeantherighttousetheProduct,Customizations,MaintenanceServices, Professional Services and Hosting Services provided by Faktion, in the context of services performed by PROCESSOR for the CONTROLLER, as described in the Main Agreement;

1.13. “StatementofWork”shallmeanthestatementofworkbetweentheCONTROLLERandthe PROCESSOR;

1.14. “Subprocessor” shall mean any processor engaged as a subcontractor by the PROCESSOR and who agrees to process Personal Data for and on behalf of the CONTROLLER in accordance with this Agreement;

1.15. “SupervisoryAuthority”shallmeananindependentpublicauthoritywhichisestablishedbya memberstatepursuanttoArticle51oftheRegulation;

1.16. “Third Party” shall mean any party who is not a Data Subject, Controller, Processor or Subprocessor under this Agreement or a person who is authorised to process Personal Data under the direct authority oftheCONTROLLERorPROCESSOR.


2.1 The CONTROLLER wishes to entrust the PROCESSOR with the processing of Personal Data. The PROCESSOR shall process the Personal Data in name of and on behalf of the CONTROLLER. For the performance of Services, the CONTROLLER is responsible for the processing of personal data, and the PROCESSOR is a data processor.

  1. 2.2  The PROCESSOR performs the Services in accordance with the provisions of this Agreement.
  2. 2.3  Both Parties explicitly commit to comply with the provisions of the relevant applicable data

protection laws and shall not do or omit anything that may cause the other Party to infringe the relevant and applicable data protection laws.

2.4 Processing Activities. The processing carried out by the PROCESSOR in name and on behalf of the CONTROLLER relates to the Services performed by the PROCESSOR. The Processing Activities consist of: » Use,performance,deliveryandimprovementoftheServicesandinternalbusinesspurposes

» Bigdataanalysis,machinelearningandstatisticalandscientificstudies

2.5 Categories of Personal Data. The Personal Data that are processed are data relating to individuals about whom data is provided to the PROCESSOR via the Services by or at the direction of the CONTROLLER or by the end users of the CONTROLLER.

2.6 Data Subjects. The Data Subjects include the individuals about whom data is provided to the PROCESSOR via the Services by or at the directions of the CONTROLLER or by the end users of the CONTROLLER.

2.7 Purposes. The PROCESSOR shall only use the Personal Data to ensure a good performance and delivery of the Services in accordance with the provisions of this Agreement. Moreover, the PROCESSOR shall be allowed to process the Personal Data to improve the Services.

2.8 Only those Personal Data which are mentioned in Article 2.5 may and shall be processed by the PROCESSOR. Furthermore, Personal Data shall only be processed in light of the purposes which are determined in this Article by the Parties.

2.9 Both Parties shall undertake to adopt appropriate measures to ensure that the Personal Data are not used improperly or acquired by an unauthorised Third Party.


3.1 This Agreement shall apply as long as the PROCESSOR processes Personal Data in name of and on behalf of the CONTROLLER as part of the Services.

3.2 In the event of a breach of this Agreement or the applicable provisions of the Regulation, the CONTROLLER can instruct the PROCESSOR to stop further processing of the Personal Data with immediate effect.

3.3 In the event of the end of the commercial relationship or delivery of Services by the Processor, the PROCESSOR shall anonymise or pseudonimise to a maximum extent the Personal Data it has received or obtained in the performance of the Services solely for the following internal purposes:

» TocomplywithlegalobligationsandfurtherimprovetheServicesdeliveredbythePROCESSOR.


4.1 The PROCESSOR processes the Personal Data only on the instructions of the CONTROLLER and in any case in accordance with the agreed Processing Activities as set out in Article 2.4 of this Agreement in order to perform the Services. The PROCESSOR shall not further process the Personal Data subject to this Agreement in a manner which is incompatible with these instructions and the provisions laid down in this Agreement.

4.2 The CONTROLLER can make limited changes to the instructions unilaterally. The PROCESSOR shall be consulted before any significant changes are made to the instructions. Changes affecting the core of the Agreement must be agreed upon by both Parties.

4.3 The PROCESSOR processes the Personal Data in accordance with Article 4.1 of this Agreement, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which PROCESSOR is subject; in such a case, the PROCESSOR shall inform the CONTROLLER of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.


5.1 Compliance with legislation. The PROCESSOR shall assist the CONTROLLER in ensuring compliance with its obligations pursuant to the Regulation, taking into account the nature of processing and the information available to the PROCESSOR.

5.2 Personal Data Breach. In the case of a Personal Data Breach related to the subject of the processing of this Agreement, the PROCESSOR shall notify the CONTROLLER without undue delay after becoming aware of a Personal Data Breach.

This notification shall at least include following information, to the extent practicable: a. The nature of the Personal Data Breach;
b. The categories of Personal Data that are affected;
c. The categories and approximate number of Data Subjects concerned;

d. The categories and approximate number of personal data records concerned; e. The likely consequences of the Personal Data Breach;
f. MeasurestakenorproposedtobetakentoaddressthePersonalDataBreach,

including, where appropriate, measures to mitigate its possible adverse effects.

5.3 In case the PROCESSOR makes use of a Subprocessor, the PROCESSOR shall require the Subprocessor to provide it with the same information when a Personal Data Breach takes place at the Subprocessor. The PROCESSOR shall promptly relay the information received from the Subprocessor to the CONTROLLER.

5.4 The PROCESSOR and its Subprocessor(s) shall appoint among their Employee a single point of contact who shall be responsible for all communication between the PROCESSOR, the Subprocessor(s) and the CONTROLLER in the event of an incident which has led or may lead to an accidental or non- authorised destruction or loss or a non-authorised access, alteration or transmission of the Personal Data processed on behalf of CONTROLLER.

5.5 The CONTROLLER shall exclusively decide, at its own discretion and in compliance with the relevant and applicable data protection laws, whether or not Data Subjects whose Personal Data have been impactedbyaPersonalDataBreachshallbenotifiedofthis.ItistheresponsibilityoftheCONTROLLERto notify the Supervisory Authority of a Personal Data Breach.

5.6 The Parties, and if applicable the Subprocessor(s) shall ensure to work together in good faith to limit possibleadverseeffectsofaPersonalDataBreach.

5.7 Data Processing Impact Assessment. Furthermore, the PROCESSOR shall assist the CONTROLLER
as it carries out a Data Protection Impact Assessment in accordance with Article 35 of the Regulation. However,thePROCESSOR,atitsowndiscretion,isfreetochargeadditionalcostsfortheperformanceof these services. These costs shall at all times be in relation to the delivered performances.


6.1 The PROCESSOR shall provide the CONTROLLER, at any time upon request of CONTROLLER (however such request needs to be made giving the PROCESSOR a reasonable delay to comply with such request),withthefollowinginformationasdeterminedbytheprovisionsofthisclause:

» Allrelevantdetailsregardingitsowncorporatestructure,aswellasaccurateand up-to-date identifying information on all of PROCESSORS’ entities involved in the processing of Personal Data, including the location of their main establishment;

» Geographicaldetailsofprocessinglocations,includingback-upandredundancyfacilities; » Thephysical,organisational,technicalandlogicalSecurityMeasuresthatthePROCESSOR

and its Subprocessor(s) have implemented, as set out in Article 11 of this Agreement.


7.1 The PROCESSOR shall handle all reasonable requests of the CONTROLLER concerning the processing of Personal Data related to this Agreement, promptly or within a reasonable time (depending on the legal obligations defined in the Regulation) and in a proper manner.

7.2 The PROCESSOR guarantees that there are no obligations that arise from any applicable legislation that make it impossible to comply with the obligations of this Agreement.

7.3 The PROCESSOR undertakes to not process Personal Data for another purpose than the performance of the Services and the compliance with the responsibilities of this Agreement in accordance with the instructions of the CONTROLLER; if the PROCESSOR, for any reason, cannot comply with this requirement, he shall notify the CONTROLLER without reasonable delay thereabout.

7.4 The PROCESSOR shall notify the CONTROLLER without reasonable delay if he is of the opinion that an instruction from the CONTROLLER violates the applicable legislation related to data protection.

7.5 The PROCESSOR shall ensure that the access to, the inspection, the processing and the disclosure of Personal Data shall only take place in accordance with the principle of proportionality and the ‘need-to- know’ principle (i.e. data are only disclosed to the persons that require Personal Data for the performance of the Services).


8.1 The CONTROLLER shall render all assistance needed and shall cooperate in good faith with the PROCESSOR in order to ensure that all processing of Personal Data complies with the requirements of the Regulation particularly with the principles relating to processing of Personal Data.

8.2 The CONTROLLER shall agree with the PROCESSOR on appropriate communication channels in order to ensure that instructions, directions and other communications regarding Personal Data that are processed by the PROCESSOR on behalf of the CONTROLLER is well received between the Parties. The CONTROLLER shall notify the PROCESSOR of the identity of the single point of contact at the CONTROLLER that the PROCESSOR is required to contact in application of this Article 8.2.

8.3 The CONTROLLER warrants that it shall not issue any instructions, directions or requests to the PROCESSOR, which do not comply with the provisions of the Regulation.

8.4 TheCONTROLLERshallrendertheassistanceneededforthePROCESSORand/oritsSubprocessor(s) to comply with a request, order, inquiry or subpoena directed at the PROCESSOR or its Subprocessor(s) by a competent national governmental or judicial authority.

8.5 The CONTROLLER warrants that it shall not issue instructions, directions or requests to the PROCESSOR which would require the PROCESSOR and/or its Subprocessor(s) to violate any obligations imposed by applicable mandatory national law to which the PROCESSOR and/or its Subprocessor(s) are subject.

8.6 TheCONTROLLERwarrantsthatitshallcooperateingoodfaithwiththePROCESSORinorderto mitigate the adverse effects of a security incident impacting Personal Data processed by the PROCESSOR and/or its Subprocessor(s) on behalf of the CONTROLLER.


9.1 Parties agree that the CONTROLLER by means of this Agreement gives the PROCESSOR a general written authorisation to work with the Subprocessors, belonging to categories as indicated in Article 9.5. As such, the PROCESSOR shall at its sole discretion inform the CONTROLLER of any intended changes concerning the addition or replacement of other processors, thereby giving the CONTROLLER the opportunity to object to such changes.

9.2 Without prejudice to the foregoing, the Parties agree that the PROCESSOR shall not be required to disclose the identity of each Subprocessor (categories of Subprocessor shall suffice). Notwithstanding the above, the CONTROLLER can at all times request the PROCESSOR to disclose the identity of a Subprocessor and the PROCESSOR shall do so if such disclosure does not constitute a breach of any confidentiality engagement or trade secret provision the PROCESSOR has entered into with the relevant Subprocessor, or does not harm the intellectual property rights or know how rights of PROCESSOR. If the PROCESSOR cannot disclose the identity of a Subprocessor, the PROCESSOR shall be obliged to provide a formaljustificationinwriting.

9.3 The PROCESSOR shall ensure that its Subprocessors will be bound to substantially the same obligations with respect to Personal Data as to which the PROCESSOR is bound by this Agreement.

9.4 The PROCESSOR shall relay the purposes determined and instructions issued by the CONTROLLER inanaccurateandpromptmannertotheSubprocessor(s)whenandwherethesepurposesand instructions pertain to the part of the processing in which the Subprocessor(s) is(are) involved.

9.5 As part of this Agreement the PROCESSOR makes use of the following categories of Subprocessors inordertoensuretheperformanceoftheServicestotheDataSubjects,includingbutnotlimitedto:

» emailproviders,accountingsoftwareproviders,payroll administrators, software providers, cloud providers.


10.1 Takingintoaccountthenatureoftheprocessing,thePROCESSORassiststheCONTROLLERby appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the CONTROLLER’s obligation to respond to requests for exercising the Data Subject’s rights laid down in ChapterIIIoftheRegulation.

10.2 WithrespecttoanyrequestfromDataSubjectsregardingtheirrightsconcerningtheprocessing of Personal Data pertaining to them by the PROCESSOR and/or its Subprocessor(s), the following conditions apply:

» ThePROCESSORshallonabesteffortsbasispromptlyinformtheCONTROLLERofany request made by a Data Subject with regard to the Personal Data the PROCESSOR and/ or its Subprocessor(s) processes on behalf of the CONTROLLER, without giving any consequence to such request unless explicitly authorised by the CONTROLLER to do so;

» ThePROCESSORshallpromptlycomplyandshallrequireitsSubprocessor(s)topromptly comply with any request made by the CONTROLLER in order for the CONTROLLER to comply with a request made by the Data Subject who wishes to exercise one of its rights;

» StrictlyinrelationtotheprocessingofPersonalDataunderthisAgreement,thePROCESSOR shall, upon request of the CONTROLLER and upon best efforts basis render all assistance required and provide all information necessary for the CONTROLLER to defend its interests in
any proceedings – legal, arbitral or others – brought against the CONTROLLER or its Employee for any violation of fundamental rights to privacy and protection of Personal Data of Data Subjects. The PROCESSOR may in its sole discretion charge fees CONTROLLER for such assistance.


11.1 ThroughoutthetermofthisAgreementthePROCESSORshallhaveinplaceandmaintain appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the Data Subject.

The PROCESSOR shall amongst others have in place technical and organisational measures against unauthorised and unlawful processing and shall on a regular basis evaluate and adjust if required, the appropriateness of the Security Measures.

11.2 Moreinparticular,thePROCESSORshallimplementappropriatetechnicalandorganisational measurestoensurealevelofsecurityappropriatetotherisk,accordingtoArticle32oftheRegulation.

11.3 Inassessingtheappropriatelevelofsecurity,accountwastakeninparticularoftherisksthat are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthoriseddisclosureof,oraccesstoPersonalDatatransmitted,storedorotherwiseprocessed.

11.4 ThePROCESSORhasimplemented,amongstothers,butnotlimitingto,thefollowinggeneral physical, logical, technical and organisational security measure known as Faktion Technical and Organizational Measures, set forth in Annex 1 of this Agreement.

Article12: AUDIT

12.1 ThePROCESSORacknowledgesthattheCONTROLLERisunderthesupervisionofa/several Supervisory Authority/ies. The PROCESSOR acknowledges that any involved Supervisory Authority will have the right to perform an audit at any time, and in any case during the normal office hours of the PROCESSOR, during the term of this Agreement to assess whether the PROCESSOR is compliant to the Regulation and the provisions of this Agreement. The PROCESSOR shall provide the necessary cooperation.

12.2 TheCONTROLLERshallonlyhavearighttoauditthePROCESSORiftheCONTROLLERhasjustifiable grounds to request such audit and if such grounds are communicated and demonstrated in writing
to the PROCESSOR. Justifiable grounds shall mean a (strong presumption of a data breach in the meaning of Article 4 of the GDPR (and in the case of an actual data breach if such data breach has not been notified and no remediation actions have been taken), destruction of confidential Personal Data, material breach of any of the PROCESSOR’s obligations under this Agreement). In such event and upon written request of the CONTROLLER, the PROCESSOR will provide an independent third party, certified auditor, appointed by the CONTROLLER or the involved Supervisory Authority access to the relevant parts of the administration of the PROCESSOR and all locations and information of interest of the PROCESSOR (and those of its agents, subsidiaries and sub-contractors) to determine if the PROCESSOR is compliant with the Regulation and the provisions of this Agreement. On request of the PROCESSOR, the concerned parties shall agree a confidentiality agreement.

12.3 TheCONTROLLERshalltakeallappropriatemeasurestominimiseanyobstructioncausedbythe audit on the daily functioning of the PROCESSOR or the Services performed by the PROCESSOR.

12.4 If there is agreement between the PROCESSOR and the CONTROLLER on a material shortcoming in the compliance with the Regulation and/or the Agreement, as revealed in the audit, the PROCESSOR shall recover this failure as soon as possible. The Parties can agree to have a plan in place, including a timescale to implement this plan, to respond to the shortcomings revealed in the audit.

12.5 TheCONTROLLERwillbearthecostsofanyperformedauditinthemeaningofthisArticle.Although, when the audit has revealed that the PROCESSOR is manifestly not compliant to the Regulation and/or the provisions of this Agreement, the PROCESSOR shall bear the costs of such audit.


13.1 ThetransferofPersonalDatatoThirdPartiesinanymannerpossibleisprohibited,unlessitis permitted under this Agreement, legally required, or in case the PROCESSOR has obtained the explicit consent of the CONTROLLER to do so. In the case a legal obligation applies to the transfer of Personal Data, which is subject to this Agreement, to Third Parties, the PROCESSOR shall notify the CONTROLLER prior to the transfer.


14.1 InordertoprovidetheServices,thePartiesagreethatinsomecases,PersonalDatacanbe transferred to and/or kept outside the European Economic Area (EEA) and even to or in a country that does not fall under an adequacy decision issued by the European Commission. Such transfer however shall be governed by:

(i) the Regulation or Binding Corporate Rules for any internal entities of the PROCESSOR; or

(ii) the terms of a data transfer agreement containing standard contractual clauses as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EC), or by other mechanisms foreseen by the applicable data protection law.


15.1 ThePROCESSORshallinformtheCONTROLLERimmediatelyofanyrequest,order,inquiryor subpoena by a competent national governmental or judicial authority directed at the PROCESSOR or
its Subprocessor which entails the communication of Personal Data processed by the PROCESSOR or a Subprocessor for and on behalf of the CONTROLLER or any data and/or information associated with such processing.

15.2 Withoutprejudicetoarticle15.1ofthisAgreement,thePROCESSORwarrantsthatthereareno obligations of applicable statutory law, which make it impossible for the PROCESSOR to comply with its obligations under this Agreement.


16.1 ThePROCESSORcommitsitselftohandlethePersonalDataanditsprocessingwithutter confidentiality. The PROCESSOR shall guarantee the confidentiality with measures that are not less restrictive than the measures he uses to protect his own confidential material, including Personal Data.

16.2 ThePROCESSORensuresthatemployeesortheSubprocessorsauthorisedtoprocessthePersonal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Article17: LIABILITY

17.1 ThePROCESSORisliableforthedamagecausedbyprocessingonlywhereithasnotcompliedwith the obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to lawful and fair instructions of the CONTROLLER.

17.2 APartyisliable(contractualorintort/delict(includingdefault)orbyanymeansassociatedwith this Agreement, including liability for severe misconduct) for verified shortcomings attributable to her. The liability of the Parties for a breach under this Agreement, shall be limited to suffered foreseeable, direct and personal damages, with the exclusion of consequential damage (even if informed about
the possibility of such consequential damage or if the likelihood of such consequential damage was reasonably foreseeable), where ‘’consequential damage’’ means: damage or loss that did not derive directly and immediately from a breach of contract and/or extracontractual non-performance, but instead indirectly and/or after a certain lapse of time, including, but not limited to loss of income, interruption or stagnation of operations, increase of staff costs and/or the costs of staff cuts, damage consisting of or as a result of claims from third parties, lack of expected savings or advantages and loss of data, profit, time or income, loss of orders, loss of customers, increase of overhead costs, consequences of a strike, irrespective of the causes.

17.3 IfitappearsthatboththeCONTROLLERandthePROCESSORareresponsibleforthedamagecaused by the processing of Personal Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing.

17.4 InanyeventthetotalliabilityofthePROCESSORunderthisAgreementshallbelimitedtothecause of damage and to the amount that equals the total amount of fees paid by the CONTROLLER to the PROCESSOR for the delivery and performance of the Services for a period not more than twelve months immediately prior to the cause of damages. In no event shall the PROCESSOR be held liable if the PROCESSORcanproveheisnotresponsiblefortheeventorcausegivingrisetothedamage.


18.1 ThePROCESSORagreesthatiftheDataSubjectfilesaclaimfordamagesunderthisAgreement,the PROCESSOR will accept the decision of the Data Subject:

» Toreferthedisputetomediationbyanindependentperson;

» ToreferthedisputetotherelevantcourtsinBrussels,Belgium.

18.2 ThePartiesagreethatthechoicemadebytheDataSubjectwillnotprejudicetheDataSubject’s substantive or procedural rights to seek remedies in accordance with other provisions of applicable national or international law.


19.1 ThisAgreementshallapplyaslongasthePROCESSORprocessesPersonalDataonbehalfofthe CONTROLLER and at least as long as the Main Agreement is in place.

19.2 IntheeventofbreachofthisAgreementortheRegulation,theCONTROLLERcaninstructthe PROCESSORtostopfurtherprocessingoftheinformationwithimmediateeffect.

19.3 Withoutprejudicetoarticle3.3,thePROCESSORshallnotstorethedataanylongerthanneeded
to perform the Service(s) for which the data is provided. At the choice of CONTROLLER, the PROCESSOR shall delete or return all the Personal Data to the CONTROLLER after the end of the provision of Services in relation to processing, and deletes existing copies, and will certify that it has done so, unless legal obligation, Union or Member State law requires storage of the Personal Data. The Personal Data shall be provided to the CONTROLLER without charge, unless otherwise agreed upon.

ANNEX I: Technical and Organizational Measures

ThisannexdescribesallsecurityandorganizationalmeasuresandeffortstakenbyPROCESSORtoensure the security and quality of the data it processes via its Cloud Platform “Faktion”, such as the type of device, operating system, type of mobile browser, use of a specific application, real-time location based on information provided by device operating system, messages, data, and (to the extent permission is granted) emails and instant messages (collectively the ‘Data’).

Entrance Control

By applying the following measures, PROCESSOR prevents the entrance of non-authorized persons to data-processing installations in which Data are processed or used:

Data is collected and processed by PROCESSOR on two locations:

  1. FordevelopmentandtestingpurposesinthePROCESSORheadquartersinAntwerp,Belgium,as well as secured offshore development hubs contractually controlled by PROCESSOR. All facilities are duly secured by key locks and alarm systems, and have a 24/7/365 camera controlled entrance, registering all entering and exiting individuals.
  2. For testing, staging and production purposes the physical access to the cloud computing platform is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. All entrances to the data centers, including the main entrance, the loading dock, and any roof doors/hatches, aresecuredwithintrusiondetectiondevicesthatgeneratealarmsifadoorisforcedopenorheld open. In addition to electronic mechanisms, data centers utilize trained security guards 24×7, who are stationed in and around the building. Physical access points to server locations are recorded by closed circuit television camera (CCTV).

Utilization Control

By applying the following measures, PROCESSOR prevents the utilization of data-processing systems by non-authorized persons:

PROCESSOR employs two types of data-processing systems:

  1. Laptopsaslocalworkstations:Everysoftwaredeveloperhasalaptopassignedtohim/herwhichis used to develop data processing systems. Every laptop is fitted with a personal password-protected user account for the software developer.
  2. Cloud servers operated: Access to the cloud environment is managed by personal password- protected user accounts managed through centralized a user management service. Tokens for programmatic access (access token, secret key) to data processing systems are attached to the personal user accounts and can be retracted at any time.

Access Control

By applying the following measures, PROCESSOR ensures that persons authorized to use a data- processing system will only have access to those data that they have been authorized for and that, neither during the processing nor after storage, Data can be read, copied, altered or removed without a respective authorization.

PROCESSOR employees, i.e. software developers, that are authorized to use data processing systems are provided with a personal cloud user account and tokens. Specific accounts are in place to restrict certain access to Data depending on the job content and contribution to the PROCESSOR solution.

Transmission Control

By applying the following measures, PROCESSOR ensures that Data cannot be read, copied, altered or removed during electronic data transmission without authorization and that it is possible to check and determine at which points a transmission of personal data by means of data transmission installations is intended:

1. PROCESSORemploysanSSLconnectionforalldatatransmissioninandoutofthePROCESSOR platform. The connection uses TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.

2. Centralized firewall infrastructure with DLP enabled, ensures no uncontrolled data leakage is possible from within the PROCESSOR premises.

3. An architectural overview of the project platform is being kept up to date

4. The cluster is a private network of which we keep an up to date list of all entry points, connections to the cluster through SSL. Exceptions must be added to the firewall in order to make a connection to the web application or through centralized proxies and gateways.


By applying the following measures, PROCESSOR ensures that it is possible to check and determine subsequently whether and by whom Data have been entered into data-processing systems, altered or removed.

Order Control

By applying the following measures, PROCESSOR ensures that Data subject to job processing are processed in strict accordance with the instructions given by the principal:

1. AccesstoDataandserversisgrantedviaanencryptedconnectionandallaccessisloggedandcan be traced by PROCESSOR’s DPO team. Specific accounts are in place to restrict certain access to Data.

Availability Control

By applying the following measures, PROCESSOR ensures that Data are protected against accidental destruction or loss:

1. PersonaldataarrivingatthePROCESSORplatformisconsolidatedas-isintoaMasterDatasetwhich can be interpreted as an append-only log of events. This Master Dataset is stored on databases on the cloud computing environment. Data is stored on a high-availability setup with replication, for resilience against catastrophic loss of two nodes simultaneously.

Data protection controls

PROCESSOR foresees following additional controls for data that is processed on local or cloud storage

1. Storageencryptionoflocalinfrastructure,wheretheSANstorageisusing128-bitAESkeysbased encryption to secure the data at rest. Data transfer (in transit) is secured using 256-bit SSL/TLS encryption.

2. Anti-virus and anti-malware, ensures the confidentiality and integrity of the operating systems, applications and other software used by PROCESSOR employees and applications.

3. Data Minimization: it follows from the Cached Data Inventory (see point 4) that PROCESSOR only caches the absolute minimum of data sets in performing the project. Only if the outcome of the project benefits from the many advantages of caching, this technique is applied.

4. Purpose Limitation: the same holds true with regard to the data protection principle of purpose limitation. The cached data is only used in the scope of the project and for the duration thereof, after which cached data is cleaned (Secure deletion (DoD 5220.22-M ECE wiping)).

Other Kinds of Control

All employees and consultants working for PROCESSOR are subject to individual confidentiality agreements.

Inquiry for your POC