General
Evercate will for the performance of the Services Process Personal Data on behalf of Client as a Data Processor. Evercate's Processing of Personal Data as a Data Controller is governed by our Privacy Policy.
Definitions
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions. The following terms have the following meanings:
"Applicable Laws" means laws and regulations under EU law and relevant Member State laws that from time to time apply to Evercate and the Client;
"Applicable Data Protection Laws" means all legislation and regulations, including regulations issued by relevant Supervisory Authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data that from time to time apply to Evercate and the Client, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR");
"Data Controller", "Data Subject", " Data Processor", "Processing", "Personal Data" and "Personal Data Breach" shall have the same meaning as in the GDPR;
"Data Subject Request" means a request from a Data Subject to exercise any right under Applicable Data Protection Laws;
"Data Processing Terms" means these terms outlining the terms and conditions for Evercate's Processing of Client Personal Data as a Data Processor;
"Sub-Processor" has the meaning stated in Section 9 below;
"Supervisory Authority" means an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and
"Third Country" means a country which is not a member of the European Union (EU) or the European Economic Area (EEA).
Processing of Client Personal Data
Evercate agrees to only Process Client Personal Data on behalf of the Client as a Data Processor in accordance with:
- the Client's documented instructions set forth in these Data Processing Terms and the Terms and Conditions; and
- Applicable Data Protection Laws.
The Client may provide additional documented instructions regarding the Processing of Client Personal Data by giving written notice to Evercate. If such instructions go over and beyond what applies under Applicable Data Protection Laws, Evercate shall be entitled to compensation for the cost such instruction entails.
Notwithstanding what is stated in Section 3.1 above Evercate is entitled to Process Client Personal Data to the extent it is necessary in order to comply with legal requirements under Applicable Laws to which Evercate is subject. Evercate shall inform the Client of such legal requirement before the Processing, unless Applicable Laws prohibit Evercate from providing this information.
Security measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Evercate shall in relation to the Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
Access to Client Personal Data
Evercate shall ensure that access to the Personal Data is limited to those employees of Evercate who need access to the Personal Data in order for Evercate to fulfil its obligations under these Data Processing Terms and the Terms and Conditions.
Evercate shall ensure that all employees authorized to access and Process Client Personal Data observes confidentiality which is not less restrictive than the confidentiality undertaking set out in Section 12 below.
Personal Data Breach
In the event of a Personal Data Breach affecting Client Personal Data, Evercate shall in accordance with Article 33(2) of the GDPR notify the Client of the Personal Data Breach in writing without undue delay after becoming aware of the Personal Data Breach.
The notification to the Client shall include the following information:
- a description of the nature of the Personal Data Breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- the likely consequences of the Personal Data Breach;
- a description of the measures taken or proposed to be taken by Evercate to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
- contact information to Evercate's from time to time appointed contact person.
Where, and insofar as, it is not possible for Evercate to provide the information set out in Section 6.2 above at the same time, Evercate may provide the information in phases without any further undue delay.
Documentation and audit rights
Evercate continuously documents the measures that Evercate has taken to fulfil its obligations under these Data Processing Terms. The Client is entitled to, upon request, receive a copy of the latest version of such documentation.
Subject to Sections 7.3 to 7.5 Evercate shall in accordance with Article 28(3)(h) of the GDPR allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
Any inspection or audit shall only comprise such information that is necessary in order for the Client to determine whether Evercate takes appropriate technical and organizational measures to fulfil its obligations under these Data Processing Terms and shall under no circumstances comprise any other information regarding Evercate's business operations which is irrelevant to Evercate's Processing of Client Personal Data.
The parties acknowledge that any third party auditor shall be jointly appointed by both parties. The Client shall ensure that such third party auditor undertakes confidentiality in relation to any information that the third party receives within the scope of the inspection, which is not less restrictive than the confidentiality undertaking in Section 13 below. The Client shall be liable for any breach of such confidentiality undertaking by the third party.
The Client shall notify Evercate in writing at least thirty (30) days in advance if the Client wishes to exercise its right to conduct an inspection. Each party shall bear its own costs in relation to any such audit. Should an audit or inspection show that the Evercate has not fulfilled its obligations under these Data Processing Terms or Applicable Data Protection Laws, Evercate shall without undue delay remedy such issue at its own cost.
Data protection impact assessment and prior consultation
Evercate shall upon the Client's request in accordance with Article 28(3)(f), provide necessary information that is available to Evercate in order to allow the Client to fulfil its obligations to, where applicable, carry out data protection impact assessments (DPIAs) and prior consultations with the relevant Supervisory Authority under Applicable Data Protection Laws in relation to the Processing of Client Personal Data. Evercate is entitled to compensation from the Client for any costs and expenses relating to Evercate's assistance in accordance with the Client request under this Section 8.
Use of Sub-Processors
The Client hereby gives Evercate a general written authorization to engage outside sub-contractors, consultants or other third parties to Process Personal Data on behalf of Data Controller ("Sub-Processors").
Evercate shall prior to engaging a Sub-Processor which will Process Client Personal Data:
- carry out an adequate due diligence to ensure that the Sub-Processor is capable of providing sufficient guarantees in respect of compliance with Applicable Data Protection Laws;
- ensure that there is a written data processing agreement with the Sub-Processor which imposes obligations on the Sub-Processor which fulfils the requirements of Article 28(3) of the GDPR, upon which Evercate may enter into such data processing agreement directly with the Sub-Processor on behalf of Client; and
- where the Sub-Processor will Process Personal Data in a Third Country ensure that the requirements of Section 15 of these Data Processing Terms are fulfilled.
Evercate shall maintain a list of all Sub-Processors which the Data Processor has engaged from time to time and Process Client Personal Data. The list shall be made available to the Client upon request. The list shall include at least the following information in relation to each Sub-Processor:
- the identity of the Sub-Processor (including full legal name, registration number and address);
- the type(s) of service(s) provided by the Sub-Processor; and
- the location where the Sub-Processor will Process Client Personal Data.
Evercate shall prior to replacing a Sub-Processor or appointing a new Sub-Processor which will Process Client Personal Data provide written notice to the Client of this without undue delay. The notification shall include the information outlined in Section 9.3 above.
If, within 30 days of receipt of a notice under Section 9.4, the Client notifies Evercate in writing of any objections to the proposed appointment, the parties shall seek to agree on a solution which is acceptable to both parties. If the parties do not agree on a solution, the Client shall have a right to terminate the Subscription in accordance with the Terms and Conditions.
The Client shall be entitled, upon written request, to receive a copy of the data processing agreement entered into with any Sub-Processor Processing Client Personal Data. However, Evercate shall be entitled to remove any commercial information in such data processing agreement prior to disclosing the agreement to the Client to the extent that disclosure of confidential information would imply that Evercate breaches any confidential undertaking with the Sub-Processor.
Where a Sub-Processor fails to fulfil its data protection obligations, Evercate shall in accordance with Article 28.4 of the GDPR remain fully liable to the Client for the performance of the Sub-Processor's obligations.
Data Subject Request
Taking into account the nature of the Processing, Evercate shall in accordance with Article 28(3)(e) assist the Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client's obligations to respond to Data Subject Requests.
Evercate shall promptly notify the Client if Evercate receives a Data Subject Request in respect of Client Personal Data.
Request from Supervisory Authorities
In case a Supervisory Authority requests:
- information from Evercate regarding its Processing of Client Personal Data; or
- that Evercate shall disclose Client Personal Data
Evercate shall without undue delay notify the Client thereof, unless Applicable Laws prohibit Evercate from providing such information. In case of a disclosure of Client Personal Data pursuant to this Section 11.1 Evercate shall request that the Client Personal Data shall be covered by confidentiality which is not less strict than the confidentiality undertaking in Section 13.
Return of Client Personal Data
Upon termination of a Subscription, Evercate shall return (and/or upon the Client's written request, in a secure and irreversible way delete or anonymize) all Client Personal Data that Evercate or any Sub-Processors have in its possession or control, unless Evercate (or the Sub-Processor) is obligated under Applicable Laws to continue to store the Client Personal Data. In the event Client, within thirty (30) days from termination of the Subscription, has not instructed Evercate whether the Client wishes that Evercate returns or in a secure manner deletes the Client Personal Data, Evercate (or Sub-Processor) shall delete the Client Personal Data in a secure way without undue delay, unless Evercate (or Sub-Processor) is obligated to store the Personal Data under Applicable Laws.
The obligations under these Data Processing Terms shall continue to apply until Evercate (or Sub-Processor) ceases to Process Client Personal Data.
For the avoidance of doubt, the obligations in Section 12.1 do not cover any Personal Data that Evercate Processes as a Data Controller.
Confidentiality of Client Personal Data
Evercate shall keep and maintain all Client Personal Data in strict secrecy and not disclose the Personal Data to a third party, unless otherwise authorized in advance in writing by the Client or otherwise required by Applicable Laws or for the performance of the Terms and Conditions or the obligations under these Data Processing Terms. Evercate agrees that the confidentiality undertaking under this Section 13 shall continue to apply until all Client Personal Data have been returned or (upon the Client's written request) have been deleted or anonymized in a secure and irreversible way in accordance with Section 12.1 above.
Liability
Each party shall be liable for any administrative fines imposed by a Supervisory Authority or a competent court on the party in question due to the party's failure to fulfil its obligation under these Data Processing Terms or Applicable Data Protection Laws or otherwise has Processed Personal Data in breach of Applicable Data Protection Laws.
Each party shall indemnify and hold harmless the other party from and against any potential claims for damages as a result of the party's failure to fulfil its obligations under these Data Processing Terms or Processing in breach of Applicable Data Protection Laws.
Transfer to and Processing of Personal Data in a Third Country
Evercate is entitled to transfer to (including to a Sub-Processor) and Process Client Personal Data in a Third Country, provided that:
- the Third Country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Client Personal Data;
- Evercate ensures that there are appropriate safeguards in place in accordance with Applicable Data Protection Laws, e.g. standard data protection clauses adopted by the EU Commission under Applicable Data Protection Laws, that comprises the transfer and the Processing of Client Personal Data; or
- if there are any other exemptions under Applicable Data Protection Laws that comprise the transfer and Processing of Client Personal Data.
For the avoidance of doubt, Client Personal Data may not be transferred to or Processed in a Third Country if none of the conditions outlined in Section 15.1 above exists.
Description of Processing of Client Personal Data
The subject matter and the purpose of the Processing of the Client Personal Data and the obligations and rights of the Client as the Data Controller are set out in the Terms and Conditions and these Data Processing Terms. Client Personal Data is Processed during such period Evercate provides the Services or for such shorter period notified by the Client.
The types of Client Personal Data to be Processed include:
The categories of Data Subject to whom the Client Personal Data relates include:
- Users of Client.
- Users of Client.