GDPR addendum

This addendum is part of the General Terms and Conditions between SPATIE BVBA and the customer (hereinafter referred to as: "Controller") with respect to the processing of Personal Data. By agreeing with the terms and conditions, of which this addendum is a part, the customer also agrees with the below listed provisions with regard to the processing of Personal Data by SPATIE BVBA.

The contact person for questions relating to this addendum is:

E-mail: support@spatie.be
+32 3 292 56 79
Kruikstraat 22, Box 12
2018 Antwerp
Belgium

Between SPATIE BVBA and the Controller

Together the Controller and the Processor are referred to as the "Parties".

Whereas:

1. The Controller and the Processor have concluded an agreement pursuant to which the Processor is committed to deliver certain services for the account of the Controller that involve the processing of data, including Personal Data as defined below (hereinafter, the "Main agreement");
2. Parties have decided in accordance with the applicable privacy law (as defined below) the conclude current, additional agreement which set out their respective rights and obligations (the "Processing agreement").

The following was decided:

Definitions

The following terms will have the meaning as indicated below:

1. General data protection regulation or GDPR: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing of Personal Data and concerning the free traffic of such data, and which takes effect on 25 May 2018.
2. Data subject(s): the identifiable individual person whose Personal Data is processed.
3. Controller: each individual or legal entity who determines the purposes and means of the processing of Personal Data.
4. Processor: each individual or legal entity who for the benefit of the Controller processes Personal Data.
5. Sub Processor: every third party that is brought in by the Processor to process Personal Data for the benefit of the Processor, without being subjected to the direct authority of the Processor.
6. Personal data: all information about an identified or identifiable natural person; an identifiable person is considered a natural person that can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location information, an online identifier or one or more elements that characterises the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
7. Privacy legislation: the entire Belgian and European data protection legislation, including the law of 8 December 1992 on privacy protection in relation to the processing of Personal Data and starting from 25 May 2018, the General Data Protection Regulation.
8. Processing: any processing or set of processing related to Personal Data or a set of Personal Data, whether or not conducted through automated processes, such as collection, recording, organisation, structuring, storing, updating or changing, requesting, consulting, using, providing through forwarding, distributing or otherwise making available, aligning or combining, blocking, erasure or destruction of data.
9. Data leak: a security breach of Personal Data which inadvertently or unlawfully leads to the destruction, loss, modification or unauthorised provision of or unauthorised access to transmitted, stored or otherwise processed data.
10. Supervisory authority: in Belgium this is the Commission for the Protection of Privacy, starting from 25 May 2018 it will be reformed into the Data Protection Authority.
11. Employee(s): the persons who are authorised by the parties for the implementation of this Processors Agreement that work under their responsibility.

Subject of the processing agreement

1. The current Processors Agreement has as objective to set out the conditions under which the Processor may process Personal Data commissioned by the Controller.
2. Parties agree that this Processors Agreement is an integral part of the main agreement between the Controller and the Processor.

Allowed processings

1. The Processor undertakes to only process Personal Data on the basis of written instructions of the Controller, arising from the Main Agreement. The Main Agreement and the Processors Agreement jointly determine the subject and the duration of the Processing.
2. The Processor and his Staff process the Personal Data on behalf of the Controller in the framework of the services and objective described below:
   The Processor will process Personal Data for the implementation of the concluded closed hosting and/or support agreement between the Parties.
3. For the full term of the agreement, the Processor can subject the Personal Data to the following processing operations: the collection, recording, organisation, structure, storage, update or change, retrieval, consultation, use, provision by means of transmission, distribution or otherwise making available, aligning or combining, blocking, erasing or destroying data.
4. The Processor processes the following types of Personal Data:
   name, surname, address, e-mail address, date of birth, age, social media URLs
5. These Personal Data relate to the following categories of the data subjects:
   visitors and managers of the website or web application.

Rights and duties of the controller

1. The Controller has the duty to provide the information in articles 13 and 14 of the GDPR to persons involved that are the subject of processing operations under the current Processors Agreement.
2. The Controller makes the Personal Data, as set out in this Processors Agreement, available to the Processor. The Controller determines the purposes and means for the Processing. He guarantees that the Processing of Personal Data, including the transmission of Personal Data, is done in a legal way and in accordance with the relevant privacy laws.
3. The Processing by the Processor is done solely on the basis of written instructions from the Controller. The Controller guarantees that the task of processing of Personal Data is done according to privacy laws. If the task for the processing changes, the Controller shall immediately inform the Processor concerning this.
4. If the Employees of the Controller process Personal Data themselves, the responsibility for compliance with the requirements of Privacy Laws for the Processing of Personal Data falls under the responsibility of the Controller and not under the responsibility of the Processor.
5. The Controller must keep a register of the processing activities that take place under his responsibility in accordance with article 30 (1) of the GDPR.
6. All information and material made available by the Controller to the Processor and containing Personal Data will always be considered as the property of the Controller.

Rights and duties of the processor

1. The Processor may only process Personal Data that are strictly necessary for the implementation of the Main Agreement and undertakes to process the Personal Data only for the purposes set forth in this Processors Agreement. The Processor will not process the Personal Data for any other purpose than as determined by the Controller.
2. The Processor is committed to process Personal Data solely on the basis of the written instructions from the Controller and according to the provisions of the Processors Agreement. If a Processor considers some instructions contradictory with the Privacy Legislation, then he will immediately notify the Controller of this. This advisory jurisdiction from the Processor is a mere effort bond that exists between them and cannot be used against the Processor as the basis for liability. If the Processor is expected to pass on Personal Data to a third country or to an international organisation under the law of the European Union or the law of a Member State that applies to it, the Processor must report this to Controller prior to the Processing, unless the law concerned forbids such notification on the basis of important reasons of the general interest.
3. The Processor guarantees the confidentiality of the Personal Data that was passed on to him in the framework of the Processors Agreement. The Processor also guarantees that all its employees undertake to take confidentiality into consideration or are bound by an appropriate legal obligation of confidentiality.
4. The Processor may not save, transfer or process in any way Personal Data on a location outside the European Economic Area or pass on to countries outside the European Economic Area, without the prior written permission of the Controller. In addition, the Processor must ensure that the third country or international organisation offers an adequate level of data protection. If this is not the case, there must be proper guarantees given in a contractual way or should the express consent be obtained of those involved.
5. The Processor processes the Personal Data provided by the Controller, for as long as this is necessary for the implementation of the main agreement. As soon as the task is executed, the Processor brings within a reasonable time, unless explicitly agreed otherwise, an end to any other use of the Personal Data beyond what is necessary in order to enable the Controller to recuperate the data that were entrusted to the Processor.
6. The Processor will assist the Controller as far as possible to fulfil his duty to satisfy the requests from of the Data Subjects regarding the right of access, right of rectification, right of data deletion, right of limitation of the Processing, right of transferability of the data, or right to object against automated individual decision making (including profiling). In the event that a Data Subject makes such a request with the Processor, the Processor will forward the request to the Controller, and the Controller will further deal with the request, unless explicitly agreed otherwise.
7. The Processor will assist the Controller for each data protection impact assessment and prior consultation of the Supervising Authority. In addition, the Processor shall assist the Controller to answer requests from the Supervisory Authority. For the implementation of such requests, the Parties can agree to link a compensation arrangement to this.
8. If necessary for the execution of the mandate, the Processor can make a copy and proceed with the preparation of a back-up. The Personal Data on these copies and back-ups enjoy the same protection as the original Personal Data.
9. The Processor keeps a written record of all processing activities carried out for the account of the Controller. This register contains all the information required by article 30(2) of the GDPR.
10. The Processor guarantees that his Employees have only access to Personal Data to the extent necessary to carry out their duties under the order for Processing. The Employees of the Processor are also bound by confidentiality. The Processor will notify his Employees about the obligations of the Privacy Legislation and of this Processor Agreement.
11. Processor indicates the name and contact details of his data protection officer (Data Protection Officer or DPO) to the Controller, if he is obliged to appoint one in accordance with article 37 of the GDPR.

Subprocessors

1. After the prior specific and written permission of Controller, the Processor may outsource in whole or in part to a Subprocessor. The Controller can only refuse for reasonable grounds. The Processor remains at all times the contact point for processing.
2. The Processor may call upon the services of a Subprocessor located outside the European Economic Area only after prior, specific and written consent of the Controller. In this case, the Processor needs to choose a Subprocessor who provides appropriate protective measures in order to protect Personal Data. In the absence of such measures, appropriate guarantees must be given in a contractual manner or the express consent of Data Subjects should be obtained.
3. The Processor must ensure that the Subprocessor offers the same guarantees with regard to the taking of appropriate technical and organisation measures in accordance with article 32 of the GDPR.
4. All obligations under article 5 of the current Processors Agreement shall apply entirely to the Subprocessor. These obligations are stipulated in writing in an agreement between the Processor and the Subprocessor. The Processor remains solely responsible with regard to the Controller for compliance by the Subprocessor of his obligations.

5. For the proper implementation of the tasks as Processor, he uses the following Subprocessors:

   • Digitalocean.com: webhosting
   • Site5.com: webhosting
   • Amazon.com: webhosting and backups
   • Openprovider.nl: policy and domain names
   • SendGrid.com: sending of transactional e-mails
   • MailChimp.com: managing newsletter subscribers
   • Google.com: Analytics, Tag Manager for the recording of analytical data

Confidentiality

1. The Processor is bound by a confidentiality obligation with regard to the Personal Data which he receives from the Controller for the order of processing and of all information which he receives in the framework of this Processors Agreement. This obligation of secrecy is also valid in full for the Employees of the Processor and for any Subprocessors and their Employees.
2. This confidentiality obligation occurs during the negotiations of the Processors Agreement, shall continue to apply for the entire duration of the Processors Agreement and also after termination of the Processors Agreement.
3. This confidentiality obligation shall not apply if the Processor is obliged by the Supervisory Authority, a legal provision or a court order to communicate this Personal Data, when the information is publicly known and when the supply of data takes place by order of Controller.

Safety measures

1. The Controller and the Processor shall take the required and appropriate technical and organisational measures (hereinafter referred to as the "Safety Measures") in order to protect Personal Data against destruction, either by accident, against loss, falsification, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of Processing or use.
2. The Safety Measures guarantee, taking into account the state of the technique and the cost of implementation, an adequate protection level having regard to the risks represented by the processing and the nature of the data to be protected. The Safety Measures are partly aimed at preventing unnecessary collection and further processing of Personal Data.
3. The Processor should inform the Controller about all the Safety Measures he is taking to meet the protection obligation. To determine the relevant measures, one takes into account the state of the techniques and the cost of the implementation. If due to changes to the technology, changes have to be made to the technology used, the Processor will notify the Controller of this and estimate the necessary costs for this. If the Controller does not agree with the implementation of these Safety Measures deemed necessary by the Processor, the Processor cannot be held responsible for an occurrence of a Data Leak that can be attributed to the not acting of the Controller. The Controller can in that event not claim possible administrative fines and/or costs to the person concerned from the Processor.
4. The Controller and the Processor will make all reasonable efforts to ensure that the used processing systems meet the requirements of confidentiality, integrity and availability, always taking into account the state of the technique and with the reasonable costs of execution. Both parties will also check whether their systems are sufficiently flexible.

Reporting of a data leak

1. If the Processor finds a Data Leak, he reports this without delay and at the latest within 24 hours to the Controller. In this notification at least, the following is described and reported:

   1. the nature of the infringement in relation to Personal Data, where possible, an indication of the categories of the person involved and the Personal Data in question and, approximately, the number of persons concerned and Personal Data in question;
   2. the name and contact details of the officer for data protection or another contact point where more information can be obtained;
   3. the likely effects of the Data Leak related to the Personal Data;
   4. the measures proposed or taken by the Controller to deal with the Data Leak, including, where appropriate, the measures to limit any adverse consequences.
2. At the request of the Controller, the Processor will report the Data Leak in the name and on behalf of Controller to the Supervisory Authority as soon as reasonably possible and, if possible, within the 72 hours after the Data Leak was established, unless it is not probable that the Data Leak entails a risk to the rights and freedoms of the Data Subject.
3. It is up to the Controller to assess whether they shall inform the Supervisory Authority and/or the persons concerned or not about that.

Intellectual property rights

1. All intellectual property rights on the Personal Data and on the databases with these Personal Data belong to Controller. These intellectual property rights include the copyright and the sui generis database right.
2. The Processor receives only a limited right of use to the extent necessary to be able to do the agreed processing in the context of this Processors Agreement. The Processor is not allowed to modify, take over, or communicate the protecting elements to the public, except with the express permission of the Controller.

Duration and end of the agreement

1. This Processors Agreement runs for as long as the Main Contract is in force and is terminated at the same time as the Main Contract. The Processors Agreement may not be terminated independently of the Main Contract, unless the parties agree that termination is necessary to comply with the privacy laws or decisions of the Supervisory Authority.
2. At the end of the Processors Agreement, the Processor will provide the Controller all Personal Data that were processed. In addition, he shall provide all information and documentation necessary for the later Processing of Personal Data. After all the Personal Data are passed to the Controller, the Processor immediately terminates the processing and he destroys any copy or back-up that he still possesses. Any costs associated with the return of the Personal Data and the destruction of them are at the expense of the Controller.

General provisions, applicable law and disputes settlement

1. This agreement shall not be transferred by one of the Parties to others without the prior written consent of the other Party. This shall not, however, apply to transfer to associated companies or taken over companies or legal successors of one of the parties, for which no permission is needed.
2. This agreement contains the entire understanding of the Parties with respect to its subject matter and supersedes all prior or existing agreements between the parties for what concern its subject. This agreement may be modified only in writing, after joint signature by the Parties.
3. The nullity or invalidity of a provision or part of a provision of this agreement does not affect the operation and validity of the remaining provisions. The Parties will in that case make all efforts to replace or adjust the provision in question to the extent necessary to make this provision valid and enforceable. In that case the Parties will negotiate in good faith and will strive for an adjustment in order that the original intent of the provision remains unaffected as much as possible. If this proves impossible will only that provision be considered as non-existing.
4. Titles and subtitles in this agreement are deemed to be merely illustrative.
5. This agreement is governed by Belgian law. In the event of any dispute concerning the implementation of this agreement, the Parties are expected to make all efforts to find and amicable solution. The Parties will draw up a reasonable interpretation of this Agreement. In the absence of an amicable solution, the dispute can be submitted to a centre of arbitration and mediation (such as CEPANI) or a competent court. The exclusive competent court is the court of the judicial district of Antwerp, being the district in which the registered office of the Processor is located.