1. Nature of this document
For the provision of its services Valpeo requires certain Personal Data which will have necessarily to be provided by you as Customer, or on your behalf.
This document represents Valpeo's Processing Agreement in relation to Processing activities regarding Personal Data under the Agreement (as defined below) and as such applies to all Services (as defined below) rendered by Valpeo. It supersedes all discussions, agreements and understandings of any nature with Valpeo with regard to Services. By accepting this document, you as Customer unconditionally accept this document as binding upon you.
This Processing Agreement forms integral part of the Agreement and therefore should be read together with the Valpeo General Terms and Conditions that can be found under www.valpeo.com/gtandc
. This Processing Agreement shall be governed by the said General Terms and Conditions, unless indicated to the contrary herein.
In this document certain terms are capitalized. For the purposes of this Processing Agreement, these terms shall have the meaning as defined in the General Terms and Conditions. For convenience only, the relevant definitions are repeated below, and certain terms that are of relevance for this document, are additionally defined below. Where the context requires, the singular shall include the plural and vice versa.
" means, with respect to a Party, any person, partnership, corporation, organization or entity that directly or indirectly Controls or is directly or indirectly Controlled by or is under common Control with such Party;
" means the agreement concluded between the Parties in relation to the Service under the terms and conditions set out in the General Terms and Conditions and supplemented by other terms and conditions that may be agreed between the Parties;
" means the ownership of more than half the capital, business or assets of a Party or the power to exercise more than half the voting rights of a Party or the power to appoint more than half the members of the board of directors of a Party or sufficient authority to direct, directly or indirectly, the adoption and/or execution of the policies, management or operations of a Party by any means whatsoever;
" means you, a legal of physical person, wishing to use the Service or entering in contact with Valpeo in the framework of provision of Services by Valpeo;
"Customer Personal Data
" means the Personal Data submitted, uploaded or stored by Customer, or on its behalf, in the Platform or otherwise provided by Customer to Valpeo under the Agreement for the purpose of the Service;
" shall have the same meaning as defined in the GDPR;
" shall have the same meaning as defined in the GDPR; "GDPR
" means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
"General Terms and Conditions
" means Valpeo's General Terms and Conditions that can be found under www.valpeo.com/gtandc
" means executed by hand or in any other physical or electronical form reasonably allowing to confirm a Party's agreement;
" and "Parties
" means individually Valpeo or Customer, respectively, collectively Valpeo and Customer;
" shall have the same meaning as defined in the GDPR;
"Personal Data Breach
" shall have the same meaning as defined in the GDPR;
" means Valpeo's proprietary online cloud-based platform through which the Services is provided via the Website;
" means national, international and supranational legal rules governing the Processing of Personal Data, including GDPR;
" shall have the same meaning as defined in the GDPR;
" means, with respect to a Party, its Affiliate and that Party's and that Party's Affiliates' directors, officers, employees, agents, advisors, counsellors, auditors, accountants or lawyers;
" means the service provided by Valpeo under the Agreement as defined in the Agreement;
" means any Data generated by, on behalf of or for Customer through the Platform or otherwise provided by Valpeo to Customer as a result of the Service;
" shall have the same meaning as defined in the GDPR;
" shall have the same meaning as defined in the GDPR;
" means a person who is not a Party to this Processing Agreement;
"Third Party Claim
" means a claim made against a Party by a Third Party;
" means the website and the application developed, operated and maintained by Valpeo, available at respectively www.valpeo.com
. 3. Scope of the Processing Agreement
1. This Processing Agreement governs all Processing activities regarding Personal Data carried out by Valpeo under the Agreement and sets out the terms and conditions that apply to such Processing in relation to the Service, whatever the means and including through the Platform and the Website.
The acceptance of this Processing Agreement by Customer and his continuous compliance herewith is a necessary precondition to place any order with Valpeo and a necessary condition for the performance of the Agreement by Valpeo. This Processing Agreement shall be binding upon Customer regardless of any stipulations to the contrary in a document issued by Customer or any Third Party. In case of conflict of this Processing Agreement with any Customer order, Customer's terms and conditions, or any other document passed between the Parties in relation to the Service, this Processing Agreement shall prevail, unless expressly and specifically agreed to the contrary by Valpeo in writing.
2. Valpeo reserves the right to modify this Processing Agreement in its reasonable discretion from time to time. Such modifications shall be deemed to be accepted by Customer provided that Valpeo notifies them to Customer in accordance with article 13. Continued use of the Service by Customer after such notification shall constitute Customer's acceptance of the modification. 4. General data protection principles
1. The Parties agree that given the nature of the Service, Valpeo shall be deemed to act as a Processor on behalf of Customer who shall be deemed to act as Controller. Each Party shall bear the respective rights, obligations and liabilities as set out in the Privacy Legislation.
2. Customer expressly authorizes and instructs Valpeo to process Personal Data, whether publicly available or not, to the extent that such processing is done and required for the purpose of the Service under the Agreement, and in particular for providing Customer with Service Results and for notifying important information regarding the Service.
3. Additionally, at the moment of creation of Customer account, Customer shall be asked whether he wishes to receive marketing and other non-Service related communications from Valpeo from time to time. Customer may opt in on receiving such communications at that time or, should he wish to change his position, opt-in or opt-out at any subsequent time by changing his preference. Customer recognizes and accepts that Valpeo may process any Personal Data marketing and other non-Service related communications, if the Customer opts-in and as long the said opt-in applies. 5. Customer's obligations in general
1. Customer warrants that in the performance of the Agreement it shall fully comply in a timely and efficient manner with the Privacy Legislation (including all applicable local, state, national and foreign laws, treaties and regulations).
2. Customer guarantees that all Personal Data are lawfully collected, used, stored, transferred to Valpeo and otherwise Processed and warrants and represents that it shall obtain, where required, prior to the communication or any other submission of Personal Data to Valpeo, any and all required third party authorizations and consents and shall fulfil any and all required legal conditions and obligations and industry standards that must be obtained or fulfilled to legally allow Valpeo (and its Representatives) to Process the Personal Data under the Agreement on Customer's behalf.
Customer shall maintain all such necessary authorizations and consents throughout the Agreement.
3. Customer shall respect the purpose limitation principle as set out in the GDPR and shall ensure that he relies on a valid legal ground under the Privacy Legislation for each purpose, including obtaining Data Subjects' appropriate consent, if required.
4. Customer shall give only lawful instructions to Valpeo and warrants that the performance of this Processing Agreement and any instructions to Valpeo in relation to the Agreement are not contrary to the Privacy Legislation or to the legal rights of Data Subjects.
5. Customer shall be responsible and liable for the accuracy, quality, integrity, legality, reliability, accuracy, appropriateness and compliance with any third party rights of Personal Data and that its use is limited to what is necessary in relation to the purposes for which they are Processed. Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed unless a longer retention is required or allowed under the applicable law. Customer agrees to immediately notify Valpeo in accordance with article 13 of any envisaged change of the Personal Data he provides to Valpeo under the Agreement In Writing.
6. Customer shall provide to the relevant Data Subject appropriate notice regarding the Processing of his Personal Data (whether or not obtained from such Data Subject) for the purposes, in a timely manner and at the minimum with the elements required under the applicable Privacy Legislation.
7. Customer shall adopt, if relevant together with Valpeo, appropriate data protection measures including appropriate technical and organizational measures which can be reviewed and updated if necessary, to ensure, and to be able to demonstrate, that the Processing is performed in accordance with the applicable Privacy Legislation, taking into account the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
8. Customer shall, if appropriate, appoint a data protection officer and maintain internal records of Processing that Valpeo performs under his responsibility, shall comply with the principles of data protection by design and by default and shall, where required, perform data protection impact assessments and conducts prior consultations with supervisory authorities.
9. Customer shall duly respond to Data Subject requests to exercise their rights granted under the Privacy Legislation including the right of (a) access, (b) rectification, (c) erasure, (d) data portability, (e) restriction of Processing, and (f) objection to the Processing.
10. Customer shall cooperate with Valpeo to fulfil their respective data protection compliance obligations in accordance with the Privacy Legislation and shall provide Valpeo with access to all information as may be required by Valpeo for this purpose. 6. Valpeo's obligations
1. Valpeo warrants that it and its Representatives shall Process Personal Data in compliance with Privacy Legislation and shall Process Personal Data only under and to the extent required to perform the Agreement or as required by Privacy Legislation or imposed or recommended by any competent regulatory body.
2. Valpeo shall Process Personal Data in accordance with and shall strictly abide by the written instructions given from time to time by Customer, i.a. with respect to the duration of the Processing, rectification, deletion and update of Personal Data and shall confirm to Customer, upon his request, within a reasonable time that it has done so.
Valpeo shall refrain from autonomously (re)determining the purposes, duration and means of Processing and shall refrain from processing Personal Data other than on Customer's documented instructions (the Agreement and/or provision of such Data to Valpeo by Customer being deemed to constitute such instruction). Valpeo shall promptly inform Customer if, in its opinion, Customer's instructions infringe Privacy Legislation, or if Valpeo is unable to comply with Customer's instructions.
3. Valpeo shall implement, maintain and update (from time to time as needed and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing) appropriate and comprehensive technical, organizational and security measures to ensure a level of security reasonably appropriate to the applicable risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR in order to protect against unauthorised or unlawful processing of Personal Data and against any accidental loss or destruction of, or damage to, Personal Data and in order to ensure a level of security appropriate to the risk.
Inter alia, Valpeo shall as appropriate, take the following measures: (a) pseudonymisation and encryption of Personal Data, (b) ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (c) ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident and (d) have a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
In assessing the appropriate level of security Valpeo shall take into account the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Customer is responsible for determining whether these practices and procedures are appropriate to meet its specific requirements. Valpeo shall promptly provide Customer upon hi request with a written detailed description of measures Valpeo has taken.
4. Valpeo shall ensure that any of its Representatives who has access to Personal Data do not Process such data except on Customer's instructions, unless the Representative is required to do so by applicable mandatory law.
Valpeo shall handle Personal Data it Processes as strictly confidential, not disclose any Personal Data except upon prior written consent from Customer in accordance with the provisions of applicable Privacy Legislation or as any other legislation or competent regulatory body requires and shall ensure that persons who Process Personal Data under its responsibility have committed themselves to confidentiality (e.g. non-disclosure agreement) or are under an appropriate statutory obligation of confidentiality and follow good industry practices to ensure the reliability of personnel who may have access to the Personal Data.
5. Valpeo shall provide assistance to Customer, insofar as this is reasonably possible, to fulfil its own data protection compliance obligations under Privacy Legislation, including by providing all information available to Valpeo as necessary to demonstrate compliance with Customer's own obligations. Where applicable Valpeo shall help Customer in conducting data protection impact assessments or prior consultation with supervisory authorities which Customer reasonably considers to be required by Article 35 or 36 of the GDPR, taking into account the nature of the Processing and information available to Valpeo. Customer will reimburse Valpeo for any expenses incurred in that regard.
6. Valpeo will maintain a record of the Processing activities in accordance with article 30 of the GDPR. These records will mention all categories of processing activities carried out on behalf of Customer containing (i) the name and contact details of the data protection officer, of Valpeo, of Customer(s) and, where applicable, of Valpeo's or Customer's representative (ii) the categories of processing carried out on behalf of Customer (iii) if applicable, transfers of Personal Data to a countries outside of EEA or to an international organization, including the identification of that country and/or international organization and the documentation of suitable safeguards and (iv) where possible, a general description of the technical and organizational security measures.
These records will be made available to the Supervisory Authority and to Customer on request.
7. Valpeo shall designate a data protection officer in the specific scenario foreseen in Article 37.1 (b) of the GDPR if the core activities of Valpeo consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of Data Subjects on a large scale.
8. Valpeo shall assist Customer in fulfilling its obligations towards Data Subjects and in particular regarding Data Subject's' requests in relation to the exercise their rights under the Privacy Legislation in relation to Processing of Personal Data, including the right of (a) access, (b) rectification, (c) erasure, (d) data portability, (e) restriction of Processing, and (f) objection to the Processing. Valpeo shall promptly notify Customer about any notices, requests or queries if Valpeo receives it directly from the Data Subject or Supervisory Authority.
Upon prior written consent from Customer, Valpeo shall provide a Data Subject with the same rights available to such individual in respect of his Personal Data. Valpeo may however retain certain data to the extent and for the period required by Privacy Legislation.
Customer acknowledges that the exercise of the aforementioned rights may result in Valpeo's impossibility to continue the performance of its obligations under the Agreement.
Any reasonable costs relating to the execution of the aforementioned rights shall be reimbursed to Valpeo by Customer.
9. Valpeo shall make available to Customer on his request all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Personal Data by Valpeo. The cost of any such audits or inspections and any expenses incurred in that regard shall be borne by Customer.
10. Valpeo shall Promptly notify Customer when relevant local laws prevent Valpeo from fulfilling its obligations and have a substantial adverse effect on the guarantees provided herein, and from complying with the instructions received from Customer, except if such disclosure is prohibited by applicable law, such as a prohibition under criminal law to breach the confidentiality of a law enforcement investigation. 7. Data transfers to Third Countries and international organizations
Unless required to do so by Privacy Legislation to which Valpeo is subject and provided Valpeo informs Customer upfront of that legal requirement, unless that law prohibits such information on important grounds of public interest, Valpeo shall, beyond what is required for the performance of the Agreement, not transfer Personal Data to a Third Country or an international organization without prior written authorization by Customer.
In case Valpeo does transfer Personal Data to Third Countries or an international organization, it shall do so only in compliance with the Privacy Legislation, e.g. on the condition of the existence duly recognized Binding Corporate Rules, and for the purpose of carrying out its obligations under the Agreement. 8. Sub processing
1. Customer hereby authorizes Valpeo to engage (or disclose any Personal Data to) any other specific, internal or external (sub-)Processor, insofar as Valpeo deems this necessary or useful to fulfil its obligations under the Agreement or its Processing obligations.
2. On Customers first request, Valpeo shall inform Customer of each individual Sub-Processor who processes the Personal Data (i.e. with indication of its company name, company number and registered address, the affected categories of Personal Data, the actual locations and countries of Processing, the start date) and shall provide overview of such Sub-Processor's Processing operations up to then.
Valpeo shall not use a Sub-Processor if Customer objects to it.
3. Valpeo shall ensure that all Sub-Processors, irrespective of their location and the local data protection laws applicable to them, are fully aware of and comply with Valpeo's obligations under this Processing Agreement and the applicable Privacy Legislation.
Valpeo shall impose, i.a. by means of written agreements, on its internal or external Sub-Processors the obligations stemming from this Processing Agreement and shall ensure that they comply to reasonable extent with Valpeo's instructions in particular providing sufficient guarantees to implement appropriate technical and organizational measures. Valpeo shall ensure that each sub-Processor performs all the obligations under the Agreement. In particular Valpeo shall not allow Processing outside the EEA territory unless proper contractual (back-to-back) guarantees similar to the ones imposed on Valpeo under this Processing Agreement are in place.
4. Valpeo shall be fully and solely liable towards Customer for the proper selection of and for the performance of its Processing obligations by Sub-Processors. 9. Data Breach
1. In the event that Valpeo becomes aware of any Personal Data Breach, Valpeo shall promptly notify Customer and shall communicate and describe to Customer (a) the nature of the Personal Data Breach including where possible, the root cause of the incident, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, (b) the name and contact details of the data protection officer or other contact point acting on behalf of the Valpeo where more information can be obtained, (c) the likely consequences of the Personal Data Breach and (d) the measures taken or proposed to be taken by or on behalf of the Customer to enable Customer to address the Personal Data Breach.
2. Valpeo shall make best efforts to co-operate with Customer and assist in the investigation, mitigation and remediation of such breach, considering the information and technical means available to Valpeo. Customer will reimburse Valpeo for any expenses incurred in that regard.
3. Unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons, Valpeo shall assist Customer in making a formal notification to the competent Supervisory Authority within 72 hours after having become aware of the Personal Data Breach. 10. Consequences of Termination or Expiry of the Agreement
1. Upon termination or expiry of the Agreement Customer may request Valpeo In Writing not later than 30 (thirty) days after the date of the termination or expiry of the Agreement to return Personal Data to Customer.
Unless the applicable law prevents Valpeo from doing so, Valpeo shall comply with this request provided that Customer has, at that time, paid all amounts due to Valpeo, including amounts resulting from termination or expiry (whether or not due at the date of termination or expiry), against payment by Customer of expenses incurred by Valpeo in returning of the Customer Data. In the event of return of Personal Data to Customer Valpeo shall no longer retain Personal Data unless the Customer so requests and subject to conditions then agreed between the Parties.
Failing the said Customer's instruction to return Personal Data, Valpeo shall have no obligation to forward or return to Customer any Personal Data, unless Valpeo has retained Personal Data as provided by this article.
2. Unless the Customer requests Valpeo to return Personal Data as set out above or has requested Valpeo to delete or to anonymize Personal Data, Valpeo may, taking into account the requirement to keep the Personal Data for follow-up tasks, retain Personal Data during 10 (ten) years after the completion of the performance of the Agreement, being understood that prior to the deletion of such retained Personal Data Valpeo shall inform Customer of the forthcoming deletion and the Customer may request Valpeo to continue the retention thereof for the term indicated by Customer and subject to conditions then agreed between the Parties.
3. Valpeo may in any event further use any data if regarding such data Valpeo is the Data Controller and/or if Valpeo does so in aggregate and non-Customer identifiable and non-person identifiable formats thus ensuring that the Personal Data no longer qualifies as Personal Data under the Privacy Legislation. 11. Personal Data ownership
It is understood that the (performance of the) Agreement does result and shall not be construed to result in any change in the ownership of Personal Data. Valpeo shall not obtain as a result of the Agreement any claim of ownership or any proprietary rights in the Personal Data it obtained from the Customer under the Agreement, except for the rights granted to Valpeo under the Agreement. 12. Liability
1. Each Party shall be liable vis-à-vis the other Party for any and all damages, losses, costs or expenses (including Third Party Claims against the latter Party) arising directly or indirectly out of its breach of this Processing Agreement.
In case of a Third Party Claim Valpeo will be liable only where he has not complied with obligations under Privacy Legislation specifically directed to Processors or where it has acted outside of or contrary to this Processing Agreement or to Customer's lawful instructions.
2. Valpeo shall under no circumstances be responsible or liable for Processing activities carried out by Customer under or outside of the Agreement or the use of Personal Data by Customer, its Affiliates, its Representatives and/or its Affiliates' Representatives, Customer having the obligation to indemnify and hold harmless Valpeo in that regard. 13. Miscellaneous 1. Notices
Valpeo may give any notice to Customer by means of a general notice through the Platform, by notice to the Account Administrator or by e-mail or registered mail to Customer's (e-mail) address that is on record in Valpeo's account information. Such notice shall be deemed to have been given upon the expiration of 48 hours after sending if made though the Valpeo platform or by registered mail and of 12 hours if sent by email.
Customer may give notice to Valpeo (such notice shall be deemed given when received by Valpeo) by registered letter sent through nationally recognized overnight delivery service or by means of an electronic mail to the address indicated for that purpose by Valpeo. 2. Severability
If any provision of this Processing Agreement is invalid or unenforceable, this shall not affect the remaining provisions thereof which shall remain in effect. The invalid or unenforceable provision shall be deemed to be replaced by an alternative valid and enforceable provision that is as closely in line with the Parties' original intent as allowed under the applicable law. 3. Entire Agreement
This Processing Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof, and supersedes and replaces all prior or contemporaneous understandings or agreements, written or oral, regarding the subject matter including, but not limited to, any prior non-disclosure or confidentiality agreement. No amendment of this Processing Agreement is binding unless executed In Writing and signed by duly authorized representatives of the Parties. 4. No Waiver
The election of any one or more remedies by either Party shall not constitute a waiver by such Party of the right to pursue any other available remedies. No failure by either Party to exercise and no delay by either Party in exercising (in whole or in part), any right in relation to this Processing Agreement shall operate as a waiver of any such right. 5. Force Majeure
If, for any reason beyond the reasonable control of a Party, including, without limitation, acts of God, earthquakes, floods and other natural disasters, wars, insurrections, strikes, riots, or fires, such Party is unable to perform in whole or in part its obligations under this Processing Agreement, such Party shall be relieved of those obligations to the extent it is unable to perform and such inability to perform, so caused, shall not make such Party liable to the other Party on the condition that the Party who is unable to perform notified the other Party of such inability within seven (7) days of the onset of such inability. 6. Governing Law and Dispute Resolution
This Processing Agreement shall be governed by and construed under the laws of Belgium. All disputes in connection with the existence, validity, construction, performance, non-performance, breach or termination of this Processing Agreement (or any terms thereof) that are not settled amicably shall be settled exclusively by the courts of Brussels, Belgium.