BETWEEN:

V&D EXPERTS whose head office is located at 7000 MONS, rue de la Réunion, 2/4 and registered with the BCE under number BE 0731.880.737

(hereinafter: “the subcontractor”)

AND:

BIZZCARDZ App Users

(hereinafter: “the data controller”)

Preamble

By means of this agreement, the parties wish to establish their agreements concerning the processing of personal data.

V&D EXPERTS is a company that offers an application, BIZZCARDZ, offering Users a service for managing dematerialized business cards. This service works using QR code and NRC technologies. It allows Users, mainly companies, to manage, collect and update the professional data of their employees as well as to import that of people outside their company.

Users of the application have the possibility on BIZZCARDZ to process this personal data thanks to the standardized functionalities offered by V&D EXPERTS. In this case, V&D EXPERTS only acts as a subcontractor and only following the instructions of the Users of the application. BIZZCARDZ Users are responsible for processing all personal data processed through their BIZZCARDZ account of which they are the administrators.

1. Definitions:
1.1 – Terms such as “process” / “processing”, “personal data”, “controller” and “processor” should be interpreted in light of the GDPR and the GDPR.

2. Purpose of the Amendment:

2.1 – During the execution of the Main Agreement, the subcontractor may process personal data for the benefit of the controller or in fulfillment of a legal obligation. A list containing the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects is provided in Appendix 1 of this Addendum.

2.2 – The data controller declares that the personal data entrusted to the subcontractor contain data concerning health, genetic data or biometric data for the purpose of uniquely identifying a natural person (within the meaning of Article 9 GDPR).

2.3 – Since only the data controller is able to make this assessment, the qualification of the data processed is the sole responsibility of the data controller, who cannot engage the responsibility of the subcontractor in the event of a consequence resulting from an error in the type of data processed.

It undertakes to guarantee the subcontractor against any consequence that would result from a qualification of the data processed other than that described in article 2.2 (these consequences may be, in a non-exhaustive manner: additional services, the damage suffered, administrative or criminal fines, any sum due to a data subject or to a second-tier subcontractor).

2.4 – This subcontracting does not include consultancy services by the subcontractor in terms of data protection.

3. Obligations of the subcontractor:

3.1 – The processor processes personal data correctly, carefully and in compliance with all applicable data protection laws.

3.2 – The Processor will comply with all reasonable written instructions provided to it by the Data Controller in relation to the Processing of Personal Data. The processor will immediately notify the data controller if, in its opinion, one of the latter’s instructions conflicts with applicable Belgian law or with the GDPR.

3.3 – The subcontractor guarantees that it and any person acting under its authority will only process personal data on documented instructions from the controller, in accordance with the instructions of the controller and to the strict extent necessary for the performance of the Services provided for in the Main Agreement (including with regard to transfers of personal data to a third country or to an international organization), unless Union or Member State legislation to which the subcontractor is subject requires it. In this case, the processor will inform the data controller of this legal obligation before the processing, unless the law concerned prohibits it from communicating this information for important reasons of public interest.

3.4 – The processor will not disclose personal data directly or indirectly to any person, company or government entity. If such disclosure is necessary for the proper processing of personal data, it may only take place after prior written authorization from the controller and only within the framework of an obligation of confidentiality. The processor may, if it gives prior notice to the controller, communicate personal data in accordance with an order issued by a court or a competent government body.

3.5 – Other processing activities will only be carried out if the processor is expressly requested to do so by the controller or in order to comply with a legal obligation, after having informed the controller and acting under his responsibility.

3.6 – The processor must immediately inform the controller if, in his opinion, an instruction violates the GDPR or data protection legislation. Once informed, the data controller determines whether or not the instruction violates the applicable legislation.

3.7 – If the processor breaches this agreement and the GDPR by determining the purposes and means of the processing, it must be considered the data controller in the context of this processing.

4. Compliance with the principles applicable to the processing of personal data

4.1 – The controller will comply with all applicable laws and regulations, in particular the LPPPD and the GDPR.

4.2 – The data controller will remain responsible for the legality of the processing of personal data, including, where necessary, obtaining the consent of the persons concerned by the processing of their personal data.

4.3 – The controller will take reasonable steps to keep personal data up to date to ensure that the data is not inaccurate or incomplete with respect to the purposes for which it was collected.

5. Security of data processing:

5.1 – The level of appropriate technical and organizational measures to ensure a level of security appropriate to the risk incurred by the data processed, taking into account the technical standards and the type of personal data processed, depends on the information provided by the data controller in Article 2 of this Addendum, as well as the risk analysis carried out by the data controller.

Before the conclusion of this amendment, the subcontractor has explained to the data controller the security measures that it employs or that it undertakes to take and the latter has deemed them appropriate to ensure a level of security appropriate to the risk, so as to meet the requirements of Belgian law, the GDPR and to ensure the protection of the rights of data subjects.

The subcontractor warrants that it will implement these measures throughout the term of the Main Agreement.

5.2 – The parties acknowledge that security requirements are continually evolving and that effective security requires frequent evaluation and regular improvement of outdated security measures. After an initial period of 2 years, spontaneously or at the suggestion of the data controller, the processor will estimate the cost of possible improvement measures; the decision to implement them or not rests with the data controller.

5.3 – The processor will ensure that all employees and agents involved in the processing of the controller’s personal data are bound by an obligation of confidentiality with the aim of guaranteeing the confidentiality and integrity of the personal data of the controller.

6. Compliance Obligations:

6.1 – DPO

The subcontractor has appointed a data protection officer whose contact details are in appendix 2, without this meaning that the subcontractor considers that it is required to do so by article 37 of the GDPR.

6.2 – Impact analysis

Any impact analyses will be carried out by the controller.

6.3 – Demonstration of compliance with obligations

The subcontractor will make available to the controller all the information necessary to demonstrate compliance with the obligations provided for by Belgian law and the GDPR.

6.4 – Rights of data subjects

The processor will notify the data controller of any complaint, request or opinion from a person concerned by the processing of the data who would exercise the rights conferred on him by the data protection legislation.

The processor must comply with the instructions of the data controller in the event of a request or notice and it must not respond to such request or notice without instructions from the data controller.

Having regard to the nature of the processing, the processor will assist the data controller with appropriate technical and organizational measures, as far as possible, and will provide its cooperation to the latter in order to respond to requests from data subjects, in accordance with the LPPPD, chapter III of the GDPR or any other applicable legislation in the field of the processing of personal data.

7. Location of processing:

The Processor will process the Personal Data of the Controller at a location within the EU. The processor shall not process or transfer the personal data of the data controller, nor process them itself or through third parties, outside the European Union, except with the express and explicit prior authorization of the data controller and in execution of one of the recognized data transfer mechanisms such as the standard contractual clauses.

8. Personal Data Breach Management:

8.1 – In the event of a personal data breach in connection with the processing of personal data, the processor will assist the controller in ensuring compliance with the obligations arising from Belgian law and Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to the processor.

8.2 – The subcontractor notifies the data controller of any breach of personal data without delay after becoming aware of it.

8.3 – The subcontractor will make its best efforts to remedy or reduce as quickly as possible the negative consequences resulting from a breach of personal data. He will keep the controller informed, on a regular basis and at least every 24 hours, of any development in the situation and, in particular, of the measures taken to remedy or reduce the harmful consequences.

8.4 – If the data controller deems it necessary, he will inform data subjects and third parties, including the Data Protection Authority, of any data breach. The processor is not permitted to provide information about data breaches to data subjects or third parties unless legally required to do so.

The obligation for a party to report or respond to a personal data breach is not and will not be construed as an admission by that party of any wrongdoing or liability with respect to such incident.

9. Use of a second-tier subcontractor:

The Controller authorizes the Processor to engage another Processor (“Second Tier Processor”). The Processor will notify the Controller of any intended changes concerning the addition or replacement of other Processors, thereby giving the Controller the opportunity to object to such changes.

9.1 – The subcontractor will only use second-tier subcontractors offering sufficient guarantees to implement the appropriate technical and organizational measures so that the data processing meets the requirements of this Addendum, Belgian law and the GDPR and that it ensures the protection of the rights of the data subject.

9.2 – The subcontractor must impose on its second-tier subcontractor(s) commitments that are as (or more) binding than those arising from this Amendment, Belgian law and the GDPR and it will ensure that these are respected by its second-tier subcontractor(s). The agreements made with the second-tier subcontractor are established in writing.

9.3 – Notwithstanding the authorization by the data controller to call on a second-tier subcontractor, the first-tier subcontractor remains fully liable to the data controller for the consequences of this subcontracting of activities to a third party.

10. Liability:

10.1 – The subcontractor can only be held liable for damage caused by the processing if it has not complied with the obligations provided for by the GDPR which are specifically incumbent on subcontractors or if it has acted outside the lawful instructions of the controller or contrary to them.

In accordance with Article 82.3 of the GDPR, the subcontractor will be exonerated from liability with regard to the data subject if it proves that the fact which caused the damage is in no way attributable to it.

The liability of the subcontractor is limited to direct damages, excluding all indirect or consequential damages, such as loss of profits, loss of income, loss of anticipated savings, loss of opportunity, loss of customers, claims by customers or other third parties, and damage to reputation.

The liability of the subcontractor is, in any event, limited to the value of one year of services, as set by the Main Agreement.

10.2 – The data controller guarantees the subcontractor against any consequences that may arise from:

an erroneous qualification of the data and the details of the processing, as provided for in Article 2,
the absence of complete information on the

by the data controller, in particular regarding an incident, a request from a supervisory authority or a data subject,
a decision for which the data controller is responsible or any breach committed by the data controller’s staff,

The consequences referred to in this article are, in a non-exhaustive manner: the cost of the additional services of the subcontractor, the damage suffered, administrative fines, any sum due to a person concerned or to a second-tier subcontractor.

10.3 – When the data controller or the processor has fully repaired the damage suffered by the data subject, he is entitled to claim from the other party the part of the compensation corresponding to his share of responsibility for the damage, provided that the other party has agreed to the adequacy of the compensation of the person concerned or that the compensation has been fixed by a judgment and that the other party has been brought to the cause.

11. Period of storage, return and deletion of personal data:

11.1 – Upon termination of the provision of services relating to the processing or at the first request of the controller, the processor shall, at the discretion of the controller:

a – delete all copies of the controller’s personal data stored or processed by the processor,

b – or return all personal data to the controller and delete existing copies,

unless Union or Member State law requires the storage of personal data.

If the data controller opts for the return of the data, he will have to pay the subcontractor for this.

11.2 – If the data controller does not take a position on the fate of the data within one month of sending a formal notice, the subcontractor will be authorized to destroy the data.

12. Processing of the personal data of the parties and their possible personnel:

12.1 – The personal data of each party and its staff (surname, first name, image, profession, domicile or residence, telephone and fax numbers, e-mail address, date and place of birth, marital status, bank account number, languages and areas of specialization, degrees and academic or professional titles) are processed by the other party in accordance with the applicable legislation on the processing of personal data under the execution of the contract:

a – to allow payment for the services provided, and to manage any problem or dispute,

b – to allow customers and staff of the data controller to communicate with the processor by telephone or e-mail;

c – to allow subcontractors to make the service available to the controller.

The provision of this personal data is a necessary requirement for concluding the contract. Failure to provide this data would prevent the conclusion of the contract.

12.2 – Personal data is kept for 10 years after the end of the contract.

12.3 – Data may be transferred outside the European Union, even to countries which the European Commission considers not to guarantee an adequate level of protection of personal data. In this case, each party will take appropriate safeguards through standard contractual data protection clauses adopted by the Commission. These can be consulted at the headquarters of the party concerned.

12.4 – Each party or its workers may (by written request dated, signed, addressed to the other party and proving its identity) obtain, free of charge – if it is a reasonable volume – the written communication of the data and the portability of data, as well as, where appropriate, rectification, limitation of processing, deletion of those that are inaccurate, incomplete or irrelevant. If no action has been taken on the request 30 days after its introduction, it will be considered rejected. Each party or its workers may also address or file a complaint with the Data Protection Authority for the exercise of these rights (1000 Brussels, Rue de la Presse, 35, Tel. + 32 2 274 48 00 – Fax + 32 2 274 48 35 – contact@apd-gba.be).

12.5 – If a party communicates the personal data of its workers to the other party, it ensures that this information is brought to their attention.

12.6 – If the subcontractor actually processes the personal data of the data controller’s staff, then the data controller undertakes to make them aware of this article 12.

13. Final Provisions:

13.1 – In the event of any conflict between the provisions of this Data Processing Addendum and those of the Main Agreement referred to in Article 1, the provisions of this amendment shall prevail.

13.2 – This Addendum is exclusively governed by Belgian law and by the GDPR.

13.3 – Any dispute must first be discussed between the parties, with both parties endeavoring to settle the matter amicably.

13.4 – Any dispute arising from or related to this Amendment will be subject to the exclusive jurisdiction of the competent court of the district of Mons.

APPENDIX 1: Personal data processed

As only the data controller has the information necessary to complete this appendix, it is his responsibility to do so.

Its attention is drawn to the fact that it cannot engage the responsibility of the subcontractor in the event of a consequence arising from an error in the information contained in this appendix, and in particular as to the type of data processed.

Purpose of the processing: Hosting of the identification data of the controller in the servers of the subcontractor.

Duration of processing: This processing corresponds to the duration of the use of the subcontractor’s IT infrastructure by the data controller / the duration of the subscription.

Nature of processing: Storage

Purpose of the processing: Allow the management and administration of virtual business cards by the administrator of a BIZZCARDZ account.

Type of personal data:

company employee data:

– Last name, first name, company name, position, date of entry, telephone, e-mail address, department, employee photo, QR Code (unique identifier).

Categories of data subjects: Data controller – User of the BIZZCARDZ application

Purpose of the processing: Importing virtual business cards from people outside a company into the BizzCardz application.

Duration of processing: This processing corresponds to the duration of the use of the subcontractor’s IT infrastructure by the data controller / the duration of the subscription.

Nature of processing: Import of data

Purpose of the processing: To allow the import into a BIZZCARDZ account of information relating to members external to a company (external card) and to allow their integration into a CRM software.

Type of personal data:

Non-Company Member Identification Data:

– First name, last name, company name, position, email address, telephone number

Categories of data subjects: Data controller – User of the BIZZCARDZ application

APPENDIX 2: Contact details

V&D EXPERTS uses the data that Users provide when registering for the service to contact them in the event of an incident or breach of personal data. Users ensure that this data is always up to date.

APPENDIX 3: Description of the subcontractor’s security measures