Elium Data Processing Agreement
Last updated on May 3, 2019
This Data Processing Agreement (the “DPA”) is made between the Subscriber, as registered in the Order Form, hereinafter called the “Subscriber”, and Whatever SA, with registered office at Rue Emile Francqui 1, 1435 Mont-Saint-Guibert, Belgium, listed in the national Companies Register under company number 0889.962.726, hereinafter referred to as “Elium”; each hereinafter called separately a “Party”, and collectively the “Parties”.
Preamble
Given that:
- The Parties wish to enter into a Service Plan Agreement (hereafter the “Agreement”);
- The Parties wish that the Processing of Data be executed in accordance with the provisions of the General Data Protection Regulation (hereafter the “GDPR”) and of all applicable data protection legislation;
- The Agreement is therefore completed with the present appendix (hereinafter the “Appendix”), which forms an integral part of the Agreement;
- Within the scope of the Appendix, the Subscriber Processes Data for which it is the Controller, and possibly Data for which it is a Processor on behalf of third-party controllers;
- Within the scope of the Appendix, Elium is the Processor of the Data which it receives from the Subscriber, or to which the Subscriber gives it access.
The Parties agree that the preamble to the Appendix is binding on them, and further agree as follows:
1. Definitions
In this Appendix, the following terms have the following meanings, taken where indicated from the GDPR:

| Term | Meaning |
|---|---|
| Article | Unless specified otherwise, an article of the Appendix. |
| Controller | See Data Controller. |
| Data | See Personal Data. |
| Data Breach | “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (GDPR Article 4.12). |
| Data Controller, or simply Controller | “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” (GDPR Article 4.7). Within the scope of the Agreement, the Controller is the Subscriber. |
| Data Processor, or simply Processor | “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (GDPR Article 4.8). Within the scope of the Agreement, the Processor is Elium. |
| Data Subject | An identified or identifiable natural person (GDPR Article 4.1). |
| Data Subprocessor, or simply Subprocessor | A third party engaged by Elium to provide parts of the Services, as specified under Article 11. |
| Documented Instructions | The functional specifications of the Service Plan, complemented by any documented instructions from the Subscriber which have been expressly approved by Elium. |
| Notification | The official notification of one Party to the other Party, according to the provisions of Article 16. |
| Personal Data, or simply Data | “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (GDPR Article 4.1). In the Appendix, Data refers to the personal data which Elium receives from the Subscriber, or to which the Subscriber gives it access. |
| Processing, and, by extension, Process or Processed | “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (GDPR Article 4.2). |
| Processor | See Data Processor. |
| Services | The services provided by Elium to the Subscriber under the Agreement. |
| Subprocessor | See Data Subprocessor. |
| Subscriber | The person who executes and approves the Agreement and administers the Seat(s). |
| Term | The period from the date of signature of the Appendix until the end of the provision of the Services, including, as the case may be, any post-termination period during which Elium may continue to provide the Services for transitional purposes. |
| Third Country | A country outside the European Economic Area (the EU plus Iceland, Liechtenstein and Norway). |
2. Scope of the Processing
In the performance of its activities, the Subscriber Processes Data. In order to execute the Processing covered by the Agreement, the Subscriber will give Elium access to, and/or transfer to Elium, the Data which the Subscriber deems necessary.
3. Duration
The provisions of the Appendix apply during the Term and remain in effect until all Data has been deleted by Elium or by the Subscriber as specified in Article 9.
4. Data and Processing of Data
The Subscriber certifies that it has collected the Data, whether “normal” Data (in the sense of GDPR Article 6) or “special” or “sensitive” Data (in the sense of GDPR Article 9), in accordance with all applicable data protection legislation.
The details of Processing entrusted by the Subscriber to Elium (i.e. the object of Processing, the nature and purpose of Processing, the type of Data, the categories of data subjects, the Subprocessors and the security measures applied by Elium) are specified in Schedule 1 to the Appendix.
Elium recognises the importance of appropriate Data protection and confirms that each Processing will be executed in accordance with the Documented Instructions and with all applicable data protection legislation.
Elium Processes the Data only on the Documented Instructions, including with regard to transfers of Data to a Third Country or an international organization, unless required to do so by Union or Member State law to which Elium is subject; in such a case, Elium shall inform the Subscriber of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest (GDPR Article 28.3.a).
Elium shall immediately inform the Subscriber if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions (GDPR Article 28.3, final paragraph).
Unless forbidden by law, Elium will inform the Subscriber without delay when Elium or any of its Subprocessors:
- receives a question, a summons, or a request for inspection or audit from a competent public authority regarding the Processing;
- intends to disclose Data to any competent public authority outside the contractual Processing scope; upon the Subscriber’s request, Elium will provide it with a copy of the documents supplied to the competent authority.
With regard to the Processing, the complete instructions of the Subscriber to Elium comprise the Agreement and its Appendixes, the other documents included or incorporated by reference as well as any other agreement between the Parties, including any complementary or alternative instruction agreed in writing between the Parties.
Elium recognises that, if it determines the purposes and means of Processing, Elium shall be considered to be a Controller in respect of that Processing (GDPR Article 28.10).
5. Records of Processing activities
Elium maintains a record of all categories of Processing activities carried out on behalf of the Subscriber. These records comprise (GDPR Article 30.2): a) the name and contact details of Elium and of the Subscriber, and of the data protection officer; b) the categories of Processing carried out on behalf of the Subscriber; c) where applicable, transfers of personal data to a Third Country or an international organisation, including the identification of that Third Country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards; d) a general description of the technical and organisational security measures referred to in GDPR Article 32 §1.
6. Security and protection of Data
Elium certifies that it will inform and train its collaborators who Process Data, in accordance with applicable regulatory provisions.
Elium is responsible for user identity management and for the authentication methods, such as passwords and tokens, attributed to its collaborators. Elium recognises that the protection of these authentication methods is an integral part of its own security policies and procedures, and takes all necessary measures to protect them adequately.
Elium and its collaborators will only access the Data supplied by the Subscriber for purposes directly related to their mission, as described in the Agreement.
When deleting Data, electronic media or paper documents during the Term, Elium shall in all circumstances delete them in a secure manner, such that the Data is no longer readable or usable for any purpose whatsoever.
The Subscriber agrees that, without prejudice to Elium’s obligations under this Article and Article 12 (Data Breach), the Subscriber is solely responsible for (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Data, and (2) securing the account authentication credentials, systems and devices which the Subscriber uses to access the Data.
Elium has no obligation to protect Data that the Subscriber elects to store or transfer outside Elium’s and its Subprocessors’ systems (for example, on-premises or offline storage).
7. Technical and organizational measures for the protection of Data
Elium shall take appropriate technical and organisational measures to (1) protect the Data from any Data Breach, as specified under Article 12 (Data Breach), and (2) provide commercially reasonable assistance to help the Subscriber fulfil its obligation to respond to requests from Data Subjects exercising their rights (GDPR Article 28.3.e), as specified under Article 13 (Data Subject requests).
8. Confidentiality of Data
Elium warrants that the persons it authorises to Process the Data will respect the confidentiality of the Data, in particular where they are not otherwise subject to an appropriate statutory obligation of confidentiality (GDPR Article 28.3.b).
9. Deletion of Data and disposal of Data at the end of the Agreement
During the Term: Elium’s Services include tools enabling the Subscriber to delete Data during the Term in a manner consistent with the functionality of the Services. Where the available tools do not enable such deletion, the Subscriber may instruct Elium to delete the relevant Data from Elium’s systems in accordance with applicable law (GDPR Article 28.3.g). Elium will comply with this instruction as soon as reasonably practicable, unless Union or Member State law requires storage of the Data.
At the end of the Term: Within a reasonable timeframe before the end of the provision of the Services, the Subscriber may require that Elium transfer all Data back to it. Either following the successful transfer of all Data, or without delay if such transfer was not requested within ten (10) working days of the end of the provision of the Services, Elium (1) deletes all Data from its systems, and (2) deletes all existing copies, unless Union or Member State law requires storage of the Data (GDPR Article 28.3.g).
Deletion: When it deletes Data, electronic media or paper documents, Elium always deletes them in a secure manner, such that the Data is neither readable nor usable for any purpose. For the sake of clarity, “delete” or “deletion” means the complete, integral and irreversible erasure of the Data.
10. Location of the Processing of Data
No transfer of Data to a Third Country or to an international organisation will be authorised without the Subscriber’s prior written agreement; if Elium is subject to a legal obligation requiring such a transfer, it will inform the Subscriber of that legal obligation before the Processing, unless that law prohibits such information on important grounds of public interest (GDPR Article 28.3.a).
Any transfer of Data by Elium to a Third Country shall be subject to the legally recognised mechanisms for Data transfer to a Third Country, including the execution of an additional data processing agreement on the basis of standard data protection clauses approved by the European Commission.
11. Subprocessors
The list of Subprocessors identified at the date of signature of this Appendix is specified in Schedule 1.
The Subscriber gives a general authorisation to Elium to engage Subprocessors (GDPR Article 28.2).
Elium will notify the Subscriber of any update to the list of Subprocessors, at least thirty (30) days before the new Subprocessor Processes its Data, thereby giving the Subscriber the opportunity to object to such change (GDPR Article 28.2). Such Notification will be made according to Article 16.
If the Subscriber has justified and reasonable objections to a new Subprocessor, properly notified to Elium, the Subscriber’s sole and exclusive remedy will be to terminate the Agreement immediately, upon written notice to Elium, provided such notice is issued within thirty (30) days of Elium’s Notification to the Subscriber.
With each Subprocessor, Elium shall execute written agreements containing obligations no less protective than the obligations of the Appendix, in particular with respect to sufficient guarantees about the implementation of appropriate technical and organisational measures, so that the Processing meets the contractual requirements (GDPR Article 28.4). In particular, Elium will ensure that each Subprocessor which Processes Data (1) is authorised to Process that Data exclusively to execute the Processing specified by Elium, and (2) refrains from using that Data for any other purpose.
Where a Subprocessor fails to fulfil its data protection obligations, Elium remains fully liable to the Subscriber for the performance of the Subprocessor’s obligations under the Agreement, including the Appendix covering Data protection (GDPR Article 28.4).
12. Data Breach
When Elium becomes aware of a Data Breach, whether it detects the breach itself, is the victim of it, or is notified of it by a Subprocessor, Elium will deliver a Notification to the Subscriber without undue delay after having become aware of it.
Elium will not assess the contents of Data involved in a Data Breach. The Subscriber is solely responsible for (1) complying with incident notification laws applicable to the Subscriber, and (2) fulfilling any third-party notification obligation related to any Data Breach.
Elium agrees to cooperate with the Subscriber in the investigation of the Data Breach, and to provide commercially reasonable assistance as necessary to mitigate or remediate the Data Breach (GDPR Article 33.5).
Elium’s notification of, or response to, a Data Breach under this Article will in no way be construed as an acknowledgement of any fault or liability with respect to such Data Breach.
13. Data Subject requests
The Subscriber is solely responsible for handling requests from Data Subjects in connection with the Processing.
When Elium is able to identify with certainty, with reasonable effort, the relationship between the Data Subject and the Subscriber, Elium shall promptly inform the Subscriber of the Data Subject’s request, or of any other request relating to the Agreement received by it or by any Subprocessor. Elium shall not respond to the substance of the request but shall acknowledge receipt of it.
If Elium cannot identify with certainty the relationship between the Data Subject and the Subscriber, Elium’s only obligation is to reply to the Data Subject that it is not the controller of the Data Subject’s personal data and that the Data Subject must address their request to the controller concerned.
Elium will provide commercially reasonable assistance to the Subscriber in fulfilling its obligation to respond to requests from Data Subjects (GDPR Article 28.3.e).
Where the Subscriber is required to provide information to a Data Subject in connection with the Processing, or to take any other action reasonably required to comply with the Data Subject’s requests, Elium shall make all required information available to the Subscriber in a format suitable for complying with such requests.
In the event of a dispute or other claim by a Data Subject concerning the Processing against a Party, the Parties shall inform each other without delay and undertake to cooperate and coordinate with a view to effectively defending themselves against such claims and/or settling them amicably and promptly.
14. Data Protection Impact Assessment
If the Subscriber is obliged to perform a data protection impact assessment (GDPR Article 35), Elium will provide commercially reasonable assistance and support to the Subscriber in the performance of such assessment, in order to enable the Subscriber to meet its obligations in that regard.
15. Audit and compliance
The Subscriber reserves the right to carry out any verification it deems useful to establish Elium’s compliance with the obligations specified in the Agreement.
The Subscriber has the right to carry out an audit, at its own cost, at most once (1) a year, at the Elium premises where the Data is Processed, to verify compliance with the Agreement.
Upon request from the Subscriber, Elium shall communicate to the Subscriber all information necessary to (1) demonstrate compliance with its obligations, (2) enable the performance of audits, including inspections, by the Subscriber or another auditor mandated by it, or by a competent authority, and (3) contribute to such audits (GDPR Article 28.3.h).
Upon request from the Subscriber, Elium shall make commercially reasonable efforts to communicate to the Subscriber all information necessary to (1) demonstrate compliance with its obligations, (2) enable the performance of audits, including inspections, by the Subscriber or another auditor mandated by it, or by a competent authority, and (3) contribute to such audits (GDPR Article 28.3.h). This information shall be treated as Elium’s Confidential Information under the confidentiality provisions of the Agreement.
16. Notifications
A notification from Elium to the Subscriber will be sent to the Subscriber’s e-mail address specified in the Order Form, by e-mail with registered return receipt, and will be deemed to have been received one (1) working day after the date of electronic mailing.
A notification from the Subscriber to Elium will be sent to firstname.lastname@example.org by e-mail with registered return receipt, and will be deemed to have been received one (1) working day after the date of electronic mailing.
17. Precedence
In case of discrepancy between the terms of the DPA and those of the body of the Agreement, the terms of the DPA prevail.
18. Processing details
18.1 Subject-matter of the Processing
Elium’s provision of the Services and related technical support to the Subscriber.
18.2 Duration of the Processing
The applicable Subscription Term (as defined in the Terms) plus the period from expiry of such Subscription Term until deletion of all Service Data by Elium in accordance with the DPA.
18.3 Nature and purpose of the Processing
Elium Processes the Data for the purposes of providing the Services and the related technical support to the Subscriber in accordance with the DPA.
18.4 Categories of Data
The Data may include the following categories of data: user IDs, email, documents, presentations, images, calendar entries, tasks and other data.
18.5 Data Subjects
The Data may concern the following categories of Data Subjects: the Users.