1. About this Data Processor Agreement
This Data Processor Agreement supersedes and replaces all previous agreements made in respect of Processing Personal Data and data protection. Parties agree that Rombit is a Processor and the Customer is a Controller in respect of all Products provided by Rombit related to the Agreement. The aforementioned indication of the Parties as Controller and Processor is consistent with the terms and definitions given within the Data Protection Laws. In the performance of the Services and provision of Products related to the Agreement, Rombit will receive and Process Personal Data for the benefit of the Customer and according to its instructions and purpose. Specific legislation applies to such Processing, including among others the Data Protection Laws. By means of this Data Processor Agreement (hereafter the “DPA”) Parties wish to lay down their specific agreements in respect to Processing Personal Data within the framework of the Agreement.
Regarding the interpretation of this DPA, the definitions in the Agreement will also apply to this DPA, unless this DPA expressly deviates from those definitions. The notions Controller, Processor, Process, (Data) Breach, Supervisory Authority, Personal Data, Data Protection Officer will be defined as the terms used in the applicable Data Protection Laws.
“Subcontractor” refers to any third party that is involved in the Processing of Personal Data by Rombit;
“Third Party” means a natural or legal person, a government agency, a service or other body, not being the Data Subject, neither the Customer nor Rombit, nor the persons authorized under direct authority of the Customer or Rombit to process the Personal Data.
3. Object of this DPA
This DPA determines the conditions of the Processing by Rombit, on a self-employed basis, of the Personal Data communicated by or at the initiative of the Customer and in the context of the Agreement; this Processing will exclusively take place for the benefit of the Customer and for the purpose as defined by the Customer.
The nature and purpose of the Processing, a list and the type of Personal Data as well as the categories of the Data Subjects, taking into account the Services to be performed, are detailed in Schedule 4 to the Purchase Order (Data Processing Details).
Rombit will only process the Personal Data according to the documented instructions of the Customer and will not use these Personal Data for its own purpose.
If Rombit is legally obliged to proceed with any Processing of Personal Data, Rombit, unless this would violate applicable mandatory rules, will inform the Customer of such obligation.
4. Compliance with Data Protection Regulations
The Customer and Rombit shall comply with their obligations under applicable legislation.
This DPA is applicable to every Processing of Personal Data executed in the context of the Agreement.
This DPA applies as long as Rombit processes Personal Data made available by the Customer in the context of the Agreement. This DPA ends automatically upon termination of the Agreement; the provisions of this DPA that are either expressly or implicitly (given their nature) intended to have effect after termination of the DPA shall survive the end of the Agreement as regards the Personal Data communicated by or at the initiative of the Customer in the context of the Agreement.
6. Technical and organizational protection measures
Rombit and Customer offer adequate guarantees with regard to the implementation of appropriate technical and organizational measures so that the Processing complies with GDPR requirements and that the protection of the Data Subject’s rights is guaranteed.
7. Records of processing activities
Each Party and, where applicable, their representatives, shall maintain a register of the processing activities under their responsibility. Each such register shall contain at least all legally required data.
8. Data Protection Officer
If required by law, the Customer and/or Rombit will appoint a Data Protection Officer. The name and the contact details of the Data Protection Officer (or any other person responsible for privacy related matters) can be found in Schedule 4 to the Purchase Order (Data Processing Details).
9. Storage of Personal Data
Rombit will not keep the Personal Data any longer than as required for Processing of such Personal Data in the context of the Agreement. The Customer will not instruct Rombit to store any Personal Data longer than necessary. The agreed storage period can be found in Schedule 4 to the Purchase Order (Data Processing Details).
Unless storage of the Personal Data is mandatory under Union or Member State law, Rombit shall, within a reasonable period after the end of the Processing services, at the option of the Customer, either erase, if reasonably possible, all Personal Data or return it to the Customer and delete existing copies.
The Customer and Rombit shall take all appropriate technical and organizational measures as referred to in Article 32 GDPR to ensure a level of security appropriate to the risk. The measures taken by Rombit are available on request.
Rombit shall, taking into account the nature of the Processing and the information available, assist the Customer in ensuring compliance with the obligations resulting from Articles 32 to 36 GDPR. The Customer will reimburse Rombit for services rendered in the context of providing assistance in fulfilling the aforementioned obligations according to Article 18 “Costs” of this DPA.
Only those agents of Rombit who are involved in the Processing of Personal Data may be informed about the Personal Data. Rombit ensures that persons authorized to process the Personal Data are committed to confidentiality by contract or are under an appropriate statutory obligation of confidentiality.
11. Code of Conduct and Certification
Adherence by Rombit to an approved code of conduct as referred to in Article 40 GDPR, or an approved certification mechanism as referred to in Article 42 GDPR may be used as an element of proof of sufficient guarantees as referred to in GDPR.
12. Data Subject’s rights
Taking into account the nature of the Processing, Rombit shall use its best efforts, by taking appropriate technical and organizational, to assist the Customer in the fulfillment of its obligation to respond to requests from Data Subjects.
For all services performed by Rombit in the context of the treatment of such requests from Data Subjects, the Customer will pay Rombit in accordance with Article 18 “Costs” of this DPA.
13. Duty to notify
Upon becoming aware of a Personal Data Breach Rombit shall notify the Customer thereof without undue delay.
At the request of the Customer, Rombit will cooperate with the investigation and elaboration of the measures necessary in case of any Breaches.
The Parties will keep each other informed of any new developments with regard to any Breach and of the measures they take to limit its consequences and to prevent the repetition of such Breach.
It is the responsibility of the Customer to report any Breach to the Supervisory Authority or the Data Subject, as required.
The Customer expressly authorizes Rombit to engage Subcontractors for the processing of Personal Data. The Customer grants a proxy to Rombit to decide with which Subcontractor(s) Rombit cooperates. Rombit shall keep a list of all Subcontractors engaged, which can be consulted by the Customer upon simple request. The Customer can only refuse a Subcontractor proposed by Rombit on the basis of a well-founded justification submitted in writing.
Rombit will conclude a separate subcontracting agreement with each Subcontractor.
In this subcontracting agreement, similar data protection obligations as set out in this DPA shall be imposed on the Subcontractor.
In the event the Subcontractor fails to fulfill its data protection obligations, Rombit shall remain fully liable to the Customer for the performance of the obligations of that Subcontractor in accordance with Article 20 of this DPA.
15. Transfers of Personal Data
The Processing of Personal Data will exclusively take place within the EEA.
The Processing or transfer of Personal Data outside the EEA can only occur in compliance with applicable legislation. Rombit can sign standard contractual clauses, codes of conduct or any other instruments adopted by the European Commission, which ensures that the transfer of Personal Data to a country outside the EEA complies with appropriate safeguards as required by the GDPR.
16. Data Protection Impact Assessment
When a ‘Data Protection Impact Assessment’ or a ‘prior consultation’ is required according to Article 35 and 36 GDPR, the Customer will implement such assessment. At the request of the Customer, Rombit will assist in this assessment as well as in the compliance with any required measures.
The Customer will reimburse Rombit for the services so rendered in relation to this assessment and the compliance with any required measures in accordance with Article 18 “Costs” of this DPA.
17. Audit – inspection
Each Party shall allow the other Party and its authorized auditors to perform audits regarding the compliance by a Party with its obligations under this DPA and the applicable legislation in respect of data protection.
Each Party shall use its best efforts to cooperate with those audits and to make available to the other Party all information necessary to prove compliance with the obligations of such Party. A Party shall immediately inform the other Party if, in its opinion, an instruction infringes the applicable legislation. In case the audit required more than one business day of services of the Party which is being audited, the auditing Party will compensate the services provided on a time and material basis (at standard rates applicable at that moment in time).
Upon the performance of any such audit, the confidentiality obligations of the Parties with respect to third parties must be taken into account. Both the Parties and their auditors must keep the information collected in connection with an audit secret and use it exclusively to verify the compliance by the other Party with this DPA and the applicable laws and regulations in respect of data protection.
The Customer and Rombit and where applicable their representatives, shall cooperate, upon request, with the Supervisory Authority in the performance of its tasks.
The services to be performed under this Agreement for which Rombit may charge the Customer, will be charged on the basis of the hours worked and the applicable standard hourly rates of Rombit. Rombit will invoice these amounts on a monthly basis.
Payment by the Customer to Rombit for the services under this Agreement will take place in accordance with the provisions in the Agreement.
19. Notice of default
When Rombit fails to comply with its obligations under this DPA, the Customer shall first send a registered notice of default (in compliance with article “Notices” of the Terms and Conditions). This notice shall clearly mention the defaults that occurred, and, if redress is possible, a proposal of remedial measures and a reasonable term for their implementation.
Limitations of liability in Rombit Terms and Conditions are applicable to this DPA and all services provided in respect of this DPA.
Rombit is in any case only liable for the damage caused by Processing if it (a) did not comply with its specific obligations of the GDPR, or (b) acted outside or in violation of the lawful instructions of the Customer.
21. Other provisions
The miscellaneous provisions of Rombit Terms and Conditions are applicable to this DPA.