Data processing agreement
When the customer (hereinafter the ‘Customer’) relies on the Services of SENSOLUS NV – VAT 0543.551.277 (hereinafter ‘Sensolus’), Sensolus:
- shall have access to personal data of the Customer; and,
- will have to process personal data for which the Customer is responsible as a controller in accordance with the Privacy Legislation (alone or together with its Affiliated Companies).
These data processing terms (hereinafter the ‘Terms’) apply to the processing of personal data by Sensolus for the Customer and determines:
- the obligations of the parties regarding compliance with the Privacy Legislation; and,
- how Sensolus will manage, secure and process the personal data.
These Terms are inherently linked to the Services of Sensolus and replace any previously applicable data processing terms as soon as an agreement with Sensolus is concluded or the Customer accepts these Terms.
In these Terms, the following concepts have the meaning described in this article (when written with a capital letter):
Affiliated Companies: Any company affiliated and/or associated with the Customer in accordance with article 1:20 and 1:21 of the Belgian Companies and Associations Code. When the Customer is to be consider controller jointly with one or more of its Affiliated Companies, each reference to the Customer in these Terms includes the relevant Affiliated Companies as well;
(i) The Belgian Privacy Law of 30 July 2018 concerning the protection of individuals with regards to the processing of personal data;
(ii) The General Data Protection Regulation 2016/679 of April 27 , 2016 (‘GDPR’) on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC; and/or
(iii) Other applicable rules concerning the processing of personal data by Sensolus;
Services: All industrial IoT related services provided by Sensolus to the Customer;
Sub-processor: Any processor engaged by Sensolus.
All other definitions used in these Terms (such as but not limited to personal data, processing and personal data breach) have the meaning as described in the GDPR.
3.1 Parties acknowledge and agree that with regard to the processing of personal data, the Customer shall be considered ‘controller’ and Sensolus ‘processor’ in accordance with the Privacy Legislation. Sensolus shall process the personal data at any time in a proper and careful way and in accordance with the Privacy Legislation.
3.2 Sensolus shall only process the personal data in accordance with the documented instructions of the Customer, as described in Annex I, unless when the processing is required by a Union or Member State law to which Sensolus is subject. In that case, Sensolus shall inform the Customer of the legal requirement before processing, unless when the applicable law prohibits sharing such information on important grounds of public interest.
3.3 The Customer owns and retains full control concerning (i) the use of personal data, (ii), the types of personal data processed, (iii), the purpose of processing and (iv) the fact whether such processing is proportionate (non-limitative).
3.4 Sensolus shall treat all personal data as strictly confidential and thus not disclose nor transfer any personal data to third parties without the prior written consent of the Customer (without prejudice to article 5), unless when such disclosure is required by law, by a court or by a government decision.
4.SECURITY OF PROCESSING
4.1 Taking into account the state of the art, Sensolus implements appropriate technical and organisational measures for the protection of (i) personal data – including protection against careless, improper, unauthorised or unlawful use and/or processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of personal data, as set forth in Annex III.
5.1 The Customer acknowledges and agrees that Sensolus may engage third-party Sub-processors in connection with the Services. Sensolus ensures that the Sub-processors are at least bound by the same obligations by which Sensolus is bound under these Terms.
5.2 Sensolus added a list in Annex II concerning the current Sub-processors on which it appeals for the performance of the Services.
5.3 Sensolus shall update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.) and will notify the Customer when (significant) changes are made. If the Customer wishes to exercise its right to object, it shall notify Sensolus in writing and in a reasoned manner by the latest within thirty (30) days after the notification.
5.4 Sensolus ensures its employees, agents and/or approved Sub-processors respect the confidential nature of the personal data and are bound by similar privacy and confidentiality obligations as Sensolus is under these Terms.
6.TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
6.1 Any transfer of personal data outside the EEA by Sensolus to a Sub-processor whose domicile or registered office is in a country which does not fall under the adequacy decision enacted by the European Commission, shall be subject to one or more of the listed EU-approved safeguards:
- Closing a data transfer agreement with such recipient, which shall contain the standard contractual clauses, as referenced to by the European Commission;
- Binding corporate rules; and/or
- Valid certification mechanisms.
7.1 Sensolus shall use its best efforts to inform the Customer within a reasonable term when it:
- Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the processing of personal data;
- Has the intention to disclose personal data to a competent public authority; or
- Determines or reasonably suspects a personal data breach has occurred in relation to the personal data.
7.2 In case of a personal data breach, Sensolus:
- Notifies the Customer without undue delay after becoming aware of a personal data breach and shall provide – to the extent possible – assistance to the Customer with respect to its reporting obligation under the Privacy Legislation;
- Undertakes – as soon as reasonably possible – to take appropriate remedial actions to end the personal data breach and to prevent and/or limit any future personal data breach.
8.RIGHTS OF DATA SUBJECTS
8.1 If a data subject invokes its privacy rights under the Privacy Legislation and the Customer itself does not have the ability to carry out the request, Sensolus shall assist the Customer in doing so (as long as commercially reasonable).
8.2 Sensolus shall promptly notify the Customer if it receives a request directly from a data subject invoking its privacy rights under the Privacy Legislation. Sensolus shall not respond to any such data subject request without the Customer’s prior written consent, except to confirm that the request is sent to the Customer.
9.1 Sensolus and the Customer are each individually liable towards authorised supervisory authorities and/or data subjects for claims and/or fines that are the result of their own breach of or non-compliance with (i) the provisions of these Terms, and (ii) the Privacy Legislation or other applicable rules concerning personal data. Sensolus and the Customer indemnify the other party in this regard.
9.2 If the Customer and Sensolus have a direct contractual relation, the liability of Sensolus for a breach of these Terms is limited as described in the applicable contractual documentation. If the Customer and Sensolus have no direct contractual relation (i.e. the Customer relies on a certified partner of Sensolus), Sensolus is solely liable towards the Customer if it processed the personal data inconsistent with its documented instructions (cfr. Annex I).
10. RETURN AND DELETION OF PERSONAL DATA
5.1 Sensolus shall only retain the personal data as long as necessary to perform the Services.
5.2 When the Customer informs Sensolus it will no longer rely on the Services, the Customer shall be notified by Sensolus of its possibility to export the personal data through the available export tools and during a certain term (as mentioned in such notification). Once the aforementioned term regarding export has passed, Sensolus shall permanently delete or anonymise the personal data (incl. copies), unless Union or Member State law requires storage of the personal data.
11.1 Sensolus undertakes to provide the Customer with all required information to allow verification whether Sensolus complies with the provisions of these Terms. In this regard, Sensolus will allow the Customer to conducts (reasonable) audits/inspections and will contribute thereto.
12.1 These Terms last as long as Sensolus provides the Services.
13. APPLICABLE LAW AND JURISDICTION
13.1 All issues, questions and disputes concerning the validity, interpretation, enforcement, performance and/or termination of these Terms shall be governed by and construed in accordance with Belgian law.
13.2 Any dispute concerning the validity, interpretation, enforcement, performance and/or termination of these Terms which cannot be settled amicable, shall be submitted to the exclusive jurisdiction of the courts or the data protection authority of Sensolus’ registered office.
I. Overview of the personal data, which parties expect to process
- Location information and/or GPS coordinates (including timestamp)
II. The categories of data subjects whose personal data shall be processed (most likely/frequently):
- Business partners
- Service providers
III. The use (= way(s) of processing) of the personal data and the purposes and means of processing:
Use of personal data:
- Collection, organisation, structuring, storage, consultation, alignment or combination and erasure or destruction
Means of processing:
- Software of Sensolus
- Communication network
Purpose of processing:
- Tracking assets
- Analysing and optimising asset use
- Support and bug fixing
IV. The term(s) during which the (different types of) personal data shall be stored:
Sensolus shall retain the personal data as long as it provides the Services, unless when the Customer deviates from this by deleting or requesting deletion of the personal data.
In any case Sensolus shall, once the performance of the Services have ended and the period to export the personal data has expired (cfr. Article 10), permanently delete or anonymise the personal data.
ANNEX II: Subprocessors of Sensolus
Type of processing
Amazon Web Services EMEA (SARL)
Host of the cloud
TMA Solutions Co. (Ltd.)
Vietnam (prior SCC were concluded)
Microsoft Ireland Operations (Ltd.)
Atlassian PTY (Ltd.)
Australia (prior SCC were concluded)