When the customer (hereinafter the ‘Customer’) relies on the Services of SENSOLUS NV – VAT 0543.551.277 (hereinafter ‘Sensolus’), Sensolus:
These data processing terms (hereinafter the ‘Terms’) apply to the processing of personal data by Sensolus for the Customer and determines:
These Terms are inherently linked to the Services of Sensolus and replace any previously applicable data processing terms as soon as an agreement with Sensolus is concluded or the Customer accepts these Terms.
In these Terms, the following concepts have the meaning described in this article (when written with a capital letter):
Affiliated Companies: Any company affiliated and/or associated with the Customer in accordance with article 1:20 and 1:21 of the Belgian Companies and Associations Code. When the Customer is to be consider controller jointly with one or more of its Affiliated Companies, each reference to the Customer in these Terms includes the relevant Affiliated Companies as well;
Privacy Legislation:
(i) The Belgian Privacy Law of 30 July 2018 concerning the protection of individuals with regards to the processing of personal data;
(ii) The General Data Protection Regulation 2016/679 of April 27 , 2016 (‘GDPR’) on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC; and/or
(iii) Other applicable rules concerning the processing of personal data by Sensolus;
Services: All industrial IoT related services provided by Sensolus to the Customer;
Sub-processor: Any processor engaged by Sensolus.
All other definitions used in these Terms (such as but not limited to personal data, processing and personal data breach) have the meaning as described in the GDPR.
3.1 Parties acknowledge and agree that with regard to the processing of personal data, the Customer shall be considered ‘controller’ and Sensolus ‘processor’ in accordance with the Privacy Legislation. Sensolus shall process the personal data at any time in a proper and careful way and in accordance with the Privacy Legislation.
3.2 Sensolus shall only process the personal data in accordance with the documented instructions of the Customer, as described in Annex I, unless when the processing is required by a Union or Member State law to which Sensolus is subject. In that case, Sensolus shall inform the Customer of the legal requirement before processing, unless when the applicable law prohibits sharing such information on important grounds of public interest.
3.3 The Customer owns and retains full control concerning (i) the use of personal data, (ii), the types of personal data processed, (iii), the purpose of processing and (iv) the fact whether such processing is proportionate (non-limitative).
3.4 Sensolus shall treat all personal data as strictly confidential and thus not disclose nor transfer any personal data to third parties without the prior written consent of the Customer (without prejudice to article 5), unless when such disclosure is required by law, by a court or by a government decision.
4.1 Taking into account the state of the art, Sensolus implements appropriate technical and organisational measures for the protection of (i) personal data – including protection against careless, improper, unauthorised or unlawful use and/or processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of personal data, as set forth in Annex III.
5.1 The Customer acknowledges and agrees that Sensolus may engage third-party Sub-processors in connection with the Services. Sensolus ensures that the Sub-processors are at least bound by the same obligations by which Sensolus is bound under these Terms.
5.2 Sensolus added a list in Annex II concerning the current Sub-processors on which it appeals for the performance of the Services.
5.3 Sensolus shall update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.) and will notify the Customer when (significant) changes are made. If the Customer wishes to exercise its right to object, it shall notify Sensolus in writing and in a reasoned manner by the latest within thirty (30) days after the notification.
5.4 Sensolus ensures its employees, agents and/or approved Sub-processors respect the confidential nature of the personal data and are bound by similar privacy and confidentiality obligations as Sensolus is under these Terms.
6.1 Any transfer of personal data outside the EEA by Sensolus to a Sub-processor whose domicile or registered office is in a country which does not fall under the adequacy decision enacted by the European Commission, shall be subject to one or more of the listed EU-approved safeguards:
7.1 Sensolus shall use its best efforts to inform the Customer within a reasonable term when it:
7.2 In case of a personal data breach, Sensolus:
8.1 If a data subject invokes its privacy rights under the Privacy Legislation and the Customer itself does not have the ability to carry out the request, Sensolus shall assist the Customer in doing so (as long as commercially reasonable).
8.2 Sensolus shall promptly notify the Customer if it receives a request directly from a data subject invoking its privacy rights under the Privacy Legislation. Sensolus shall not respond to any such data subject request without the Customer’s prior written consent, except to confirm that the request is sent to the Customer.
9.1 Sensolus and the Customer are each individually liable towards authorised supervisory authorities and/or data subjects for claims and/or fines that are the result of their own breach of or non-compliance with (i) the provisions of these Terms, and (ii) the Privacy Legislation or other applicable rules concerning personal data. Sensolus and the Customer indemnify the other party in this regard.
9.2 If the Customer and Sensolus have a direct contractual relation, the liability of Sensolus for a breach of these Terms is limited as described in the applicable contractual documentation. If the Customer and Sensolus have no direct contractual relation (i.e. the Customer relies on a certified partner of Sensolus), Sensolus is solely liable towards the Customer if it processed the personal data inconsistent with its documented instructions (cfr. Annex I).
10.1 Sensolus shall only retain the personal data as long as necessary to perform the Services.
10.2 When the Customer informs Sensolus it will no longer rely on the Services, the Customer shall be notified by Sensolus of its possibility to export the personal data through the available export tools and during a certain term (as mentioned in such notification). Once the aforementioned term regarding export has passed, Sensolus shall permanently delete or anonymise the personal data (incl. copies), unless Union or Member State law requires storage of the personal data
11.1 Sensolus undertakes to provide the Customer with all required information to allow verification whether Sensolus complies with the provisions of these Terms. In this regard, Sensolus will allow the Customer to conducts (reasonable) audits/inspections and will contribute thereto.
12.1 These Terms last as long as Sensolus provides the Services.
13.1 All issues, questions and disputes concerning the validity, interpretation, enforcement, performance and/or termination of these Terms shall be governed by and construed in accordance with Belgian law.
13.2 Any dispute concerning the validity, interpretation, enforcement, performance and/or termination of these Terms which cannot be settled amicable, shall be submitted to the exclusive jurisdiction of the courts or the data protection authority of Sensolus’ registered office.
III. The use (= way(s) of processing) of the personal data and the purposes and means of processing:
Use of personal data:
Means of processing:
Purpose of processing:
Sensolus shall retain the personal data as long as it provides the Services, unless when the Customer deviates from this by deleting or requesting deletion of the personal data.
In any case Sensolus shall, once the performance of the Services have ended and the period to export the personal data has expired (cfr. Article 10), permanently delete or anonymise the personal data.
ANNEX II: Subprocessors of Sensolus
Name | Type of processing | Country |
Amazon Web Services EMEA (SARL) | Host of the cloud | Luxembourg |
Forstentech | Cloud engineering | Vietnam (prior SCC were concluded) |
Microsoft Ireland Operations (Ltd.) | General processing | Ireland |
Atlassian PTY (Ltd.) | Development tools | Australia (prior SCC were concluded) |