Between:
FROOMLE NV;
hereinafter referred to as the “Processor”;
And:
THE CUSTOMER;
hereinafter referred to as the “Controller”;
Hereinafter together referred to as “the Parties”, or separately as “a Party”;
WHEREAS:
> The Processor and the Controller have concluded an agreement related to the provision of Services and Deliverables by the Processor to the Controller, which, together with its annexes and any other agreement between the Parties, is hereinafter referred to as the “SaaS Agreement”;
> The SaaS Agreement necessitates the Processing by the Processor of Personal Data on behalf of the Controller;
> Parties now agree to a data processing agreement, defining the specific needs of the Controller in this respect, as stipulated below (hereafter referred to as the “Agreement”);
> This Agreement and its annexes set forth the terms and conditions pursuant to which Personal Data will be processed in the framework of the Agreement.
In this Agreement, the following terms shall have the meanings set out below:
"Authorised Sub-processors" means (a) those Sub-processors set out in Annex 3 and (b) any additional Sub-processors consented to in writing by Controller in accordance with the Sub-processing section.
"Sub-processor" means any Data Processor (including any third party) appointed by the Processor to Process Controller Personal Data on behalf of the Controller.
"Process/Processing", "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Special Categories of Personal Data" and any further definition not included under this Agreement or the SaaS Agreement shall have the same meaning as in EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR").
"Data Protection Laws" means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") as well as any local data protection laws.
"Erasure" means the removal or destruction of Personal Data so that it cannot be recovered or reconstructed.
"EEA" means the European Economic Area.
"Third Country" means any country outside EU/EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.
"Controller Personal Data" means the data described in Annex 1 and any other Personal Data processed by the Processor on behalf of the Controller pursuant to or in connection with the SaaS Agreement.
"Personal Data Breach" means a breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.
"Services" means the services supplied by the Processor to the Controller pursuant to the SaaS Agreement.
"Deliverables" means the products supplied by the Processor to the Controller pursuant to the SaaS Agreement.
"Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to Processors established in Third Countries, as approved by the European Commission Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these.
In the course of providing the Services and/or Deliverables to the Controller pursuant to the SaaS Agreement, the Processor may process Controller Personal Data on behalf of the Controller as per the terms of this Agreement. The Processor agrees to comply with the following provisions with respect to any Controller Personal Data.
To the extent required by applicable Data Protection Laws, the Processor shall obtain and maintain all necessary licenses, authorizations and permits necessary to Process Personal Data including the Controller Personal Data mentioned in Annex 1.
The Processor shall maintain all the technical and organizational measures to comply with the requirements set forth in the Agreement and its Annexes.
The Processor shall only process Controller Personal Data for the purposes of the SaaS Agreement. The Processor shall not process, transfer, modify, amend or alter the Controller Personal Data or disclose or permit the disclosure of the Controller Personal Data to any third party other than in accordance with Controller’s documented instructions, unless said processing is required by EU or Member State law to which the Processor is subject.
The Processor shall take all reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller Personal Data, ensuring in each case that access is limited to those individuals who require access to the relevant Controller Personal Data.
The Processor shall ensure that all individuals who have a duty to Process Controller Personal Data:
> are informed of the confidential nature of the Controller Personal Data and are aware of the Processor's obligations under this Agreement and the SaaS Agreement in relation to the Controller Personal Data;
> have undertaken appropriate training in relation to the Data Protection Laws;
> are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
> are subject to user authentication and logon processes when accessing the Controller Personal Data in accordance with this Agreement, the SaaS Agreement and the applicable Data Protection Laws.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall take all reasonable measures to implement appropriate technical and organizational measures (Annex 2) to ensure a level of Controller Personal Data security appropriate to the risk, including but not limited to:
> pseudonymization and encryption;
> the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
> the ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident; and
> a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
In assessing the appropriate level of security, the Processor shall take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed.
The Controller acknowledges and expressly agrees that the Processor may use third party Sub-processors for the provision of the Services as described in the SaaS Agreement after prior consent in writing of Controller.
Any such Sub-processors that provide services for the Controller and thereto Process Personal Data will be permitted to Process Personal Data only to deliver the Services and will be prohibited from Processing such Personal Data for any other purpose.
The Processor remains fully responsible for any such Sub-processor’s compliance with the Processor’s contractual obligations, including the present Agreement.
The Processor will, prior to the entrusting of services to such Sub-processor, carry out any relevant due diligence on such Sub-processor to assess whether it is capable of providing the level of protection for the Personal Data as is required by this Agreement, and provide evidence of such due diligence to the Controller where requested by the Controller or a regulator.
The Processor will enter into written agreements with any such Sub-processor which contain obligations no less protective than those contained in this Agreement, including the obligations imposed by the Standard Contractual Clauses of the European Commission, as applicable.
The Processor will make available to the Controller the current list of Sub-processors for the Services identified in Annex 3 to this Agreement. Such Sub-processors list will include the identities of those Sub-processors and their country of location. The Processor will provide the Controller with a notification of a new Sub-processor before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
If the Controller objects to the use of a new Sub-processor that will be processing the Controller’s Personal Data, then the Controller will notify the Processor in writing within twenty-one (21) calendar days after receipt of the Processor’s written request to that effect. In such a case, the Processor will use reasonable efforts to change the affected Services or to recommend a commercially reasonable change to the Controller’s use of the affected Services to avoid the Processing of Personal Data by the Sub-processor concerned. If the Processor is unable to make available or propose such change within sixty (60) calendar days, the Controller may terminate the relevant part of the contractual relationship between the Parties regarding those Services which cannot be provided by the Processor without the use of the Sub-processor concerned. To that end, the Controller will provide written notice of termination that includes the reasonable motivation for non-approval.
Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights as laid down in the Data Protection Laws.
The Processor shall promptly notify the Controller if it receives a request from a Data Subject and/or competent authority under any applicable Data Protection Laws with respect to Controller Personal Data.
The Processor shall cooperate as requested by the Controller to enable the Controller to comply with any exercise of rights by a Data Subject under any Data Protection Laws with respect to Controller Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws with respect to Controller Personal Data or this Agreement, which shall include:
> the provision of data requested by the Controller within a reasonable timescale specified by the Controller in each case, including details and copies of the complaint, communication or request and any Controller Personal Data it holds in relation to a Data Subject;
> where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by the Data Protection Laws;
> implementing additional technical and organisational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.
It is however explicitly agreed between the Parties that any costs incurred by the Processor for the services delivered in relation to the aforementioned assistance will be charged to the Controller at the then current hourly rate of the Processor.
The Processor shall notify the Controller without undue delay and, in any case, within forty-eight (48) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. The Processor will provide the Controller with sufficient information to allow the Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall:
> describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
> communicate the name and contact details of the Processor's Data Protection Officer or other relevant contact from whom more information may be obtained;
> describe the estimated risk and the likely consequences of the Personal Data Breach; and
> describe the measures taken or proposed to be taken to address the Personal Data Breach.
The Processor shall without undue delay further investigate the Personal Data Breach and shall keep Controller informed of the progress of the investigation and take all reasonable steps to further minimize the impact. Both Parties agree to fully cooperate with such investigation.
In the event of a Personal Data Breach, the Processor shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by EU or Member State law to which the Processor is subject, in which case the Processor shall, to the extent permitted by such law, inform the Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Controller before notifying the Personal Data Breach.
The Processor’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by the Processor of any fault or liability with respect to the Personal Data Breach.
Any costs incurred by the Processor for the services delivered in relation to the aforementioned assistance related to Personal Data Breaches caused by the Controller, will be charged to the Controller at the then current hourly rate of the Processor.
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 of GDPR and with any prior consultations to any supervisory authority of the Controller which are required under Article 36 of GDPR, in each case solely in relation to Processing of Controller Personal Data by the Processor on behalf of the Controller and considering the nature of the processing and information available to the Processor.
Any costs incurred by the Processor for the services delivered in relation to the aforementioned assistance will be charged to the Controller at the then current hourly rate of the Processor.
The Processor shall promptly and, in any event, within 90 (ninety) calendar days of the earlier of: (i) cessation of Processing of Controller Personal Data by the Processor; or (ii) termination of the SaaS Agreement, either:
> return a complete copy of all Controller Personal Data to the Controller by secure file transfer and securely erase all other copies of Controller Personal Data Processed by the Processor or any Authorised Sub-processor; or
> securely wipe all copies of Controller Personal Data Processed by the Processor or any Authorised Sub-processor, and in each case, provide a written certification to the Controller that it has complied fully with the requirements of the section "Erasure or return of Controller Personal Data".
The Processor may retain Controller Personal Data to the extent required by Union or Member State law, and only to the extent and for such period as required by Union or Member State law, and always provided that the Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Union or Member State law requiring its storage and for no other purpose.
Upon reasonable written notice in advance, the Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and allow for, and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller of any premises where the Processing of Controller Personal Data takes place.
The Processor shall permit the Controller or another auditor mandated by the Controller to inspect, audit and copy any relevant records, processes and systems in order that the Controller may satisfy itself that the provisions of this Agreement are being complied with.
The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to this section infringes the Data Protection Laws.
The Processor shall not process Controller Personal Data nor permit any Authorised Sub-processor to process the Controller Personal Data in a Third Country, unless authorized in writing by Controller in advance, via an amendment to this Agreement.
When requested by Controller, the Processor shall promptly enter into (or procure that any relevant Sub-processor of the Processor enters into) an agreement with Controller including Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any Processing of Controller Personal Data in a Third Country, which terms shall take precedence over those in this Agreement.
Controller shall comply with all applicable laws and regulations, including the Data Protection Laws.
Controller remains responsible for the lawfulness of the Processing of Controller Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of their Personal Data.
Controller remains fully responsible for Personal Data Breaches caused by Controller’s actions or negligence.
With regard to the protection of the Data Subject’s rights pursuant to the applicable Data Protection Laws, Controller shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Controller shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.
With regard to components that Controller provides or controls, including but not limited to workstations connecting to the Processor’s IT environment, data transfer mechanisms used and credentials issued to Controller personnel, Controller shall implement and maintain the required technical and organizational measures for data protection and will be solely liable for any damages caused by errors of the Controller in this respect.
Either Party’s liability shall be limited, per contract year, to an amount of 250,000.00 EUR for direct damages.
Neither Party shall be liable for any indirect or consequential damages, such as (but not limited to) loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third-party claims.
No limitation of liability shall apply in case of fraud, wilful intent, death and physical injury resulting from a Party’s negligence.
For the avoidance of doubt, nothing in this Section 6 shall be deemed to limit a Data Subject’s rights to seek compensation from either Party pursuant to Article 82 of the GDPR.
Subject to this section, the Parties agree that this Agreement and the Standard Contractual Clauses shall terminate automatically upon termination of the SaaS Agreement.
This Agreement shall be governed by the governing law of Belgium for so long as that governing law is the law of a Member State of the European Union.
With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including but not limited to the SaaS Agreement, the provisions of this Agreement shall prevail with regard to the Parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the European Union.
Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this Agreement is entered into and becomes a binding part of the SaaS Agreement with effect from the Agreement effective date.
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
> (potential) customers of the Controller,
> visitors of the Controller’s online touchpoints (website, messaging apps, mobile apps, kiosks, … ),
> recipients of the Controller’s (e)mail.
The Processor may Process (a subset of) the following categories of Personal Data:
> Purchase history of each customer, consisting of: customer-id, product-id, timestamp, channel
> Product-view history of each webpage visitor, consisting of: visitor-id, customer-id, item-id, timestamp, channel
> Click-history of each webpage visitor, consisting of: visitor-id, customer-id, item-id, timestamp, click-type, channel
> Email opens and clicks in emails consisting of: customer-id, open/click, product, response-id
> Metadata of each product-id as uploaded by the Controller.
> Customer device info: ip-address, customer-id, client (browser) type, operating system
Personal Data will be Processed for the purpose of:
> Execution of the Services under the SaaS Agreement and/or any other agreement in place between the Parties: providing personalised content recommendations on the Customer’s digital channels.
Personal Data will be Processed for the duration of any agreement in place between the Parties.
Processor will delete all Personal Data or return it to the Controller, and delete existing copies, in the following cases: (1) at first request of the Controller or, (2) at the latest on termination of the Services for the Controller, unless Union or Member State law requires storage of the Personal Data, of which the Data Controller shall be notified.
Organizational security controls shall include the following principles at a minimum.
The Processor and the Processor personnel shall Process Controller Personal Data, and access and use any networks, systems and/or computers managed by Controller, only on a need-to-know basis and only to the extent necessary to perform the Services under the Agreement, the SaaS Agreement and/or any agreement in place between the Parties.
Prior to providing access to any Controller Personal Data to any Processor personnel, the Processor shall take reasonable steps to ensure continuing compliance of the level of security specified under this Agreement by such Processor personnel. The Processor personnel with access to Personal Data are subject to confidentiality obligations, and these are formally integrated into employment contracts.
The Processor shall maintain information security policies and procedures consistent with the provisions of this Agreement.
Ownership for security and Data Protection: the Processor has appointed one or more individuals responsible for coordinating and monitoring the security rules and procedures as well as data protection compliance.
Risk Management: the Processor executes periodical risk assessments based on a formal risk management methodology.
The Processor shall take reasonable measures to terminate physical and logical access to Controller Personal Data by the Processor personnel no later than the date of separation or transfer to a role no longer requiring access to Controller Personal Data.
The Processor maintains a selection process by which it evaluates the security, privacy and confidentiality practices of a Sub-processor in regard to data handling.
Technical security controls on the Processor information systems (any Processor systems and/or computers used to Process Controller Personal Data pursuant to the Agreement) shall include the following principles at a minimum.
The Processor shall use appropriately strong passwords consistent with technology industry practices, including minimum password length, lockout, expiration period and changing of default passwords.
The Processor shall implement and maintain controls to detect and prevent unauthorized access, intrusions and computer viruses.
The Processor shall maintain documented change management procedures that provide a consistent approach for controlling, implementing and documenting changes (including emergency changes) for the Processor information systems.
Unless otherwise expressly agreed in the Agreement, development and testing environments shall be physically and/or logically separated from production environments.
The Processor shall maintain reasonable back-up and disaster recovery processes and procedures.
Workstations shall not be left authenticated when unattended and shall be password or PIN protected when not in use.
Personal Data on portable devices are encrypted.
The Processor has procedures for securely disposing of media and printed materials that contain Personal Data.
The Processor standardly encrypts, or provides the mechanisms to Controller to encrypt, Personal Data that is transmitted over public networks.
Event Logging: the Processor logs access and use of its information systems containing Personal Data, registering the access ID, time and relevant activity.
Physical security controls shall include the following principles at a minimum on all the Processor facilities where Controller Personal Data may be Processed.
Physically secure perimeters and external entry points shall be suitably protected against unauthorized access. Access to all locations shall be limited to Processor personnel and authorized visitors only. Reception areas shall be manned or have other means to control physical access.
Visitors shall be required to sign a visitor register.
List of approved Sub-processors as at the Agreement effective date to be included here. Please include (i) full legal name; (ii) processing activity; (iii) location of service centre(s).
Authorized Sub-processor (full legal name): Google Ireland Ltd.
Processing activity: Cloud hosting and computing of data
Location of service centre(s): Google Cloud Platform infrastructure at Europe-west-[1/2]
Last modified on March 13, 2023.
FROOMLE NV
Posthofbrug 6-8
2600 Antwerp
Belgium
Company number: 0654.854.720
Privacy@froomle.com