This addendum is part of the General Terms and
Conditions between SPATIE BVBA and the customer (hereinafter referred to as: "Controller")
with respect to the processing of Personal Data. By agreeing with the terms and conditions, of
which this addendum is a part, the customer also agrees with the below listed provisions with
regard to the processing of Personal Data by SPATIE BVBA.
The contact person for questions relating to this addendum is:
+32 3 292 56 79
Kruikstraat 22, Box 12
Between SPATIE BVBA and the Controller
Together the Controller and the Processor are referred to as the “Parties”.
The Controller and the Processor have concluded an agreement pursuant to which the Processor
is committed to deliver certain services for the account of the Controller that involve the
processing of data, including Personal Data as defined below (hereinafter, the "Main
Parties have decided, in accordance with the applicable privacy law (as defined below), to
conclude the current, additional agreement, which sets out their respective rights and obligations
(the "Processing agreement").
The following was decided:
The following terms will have the meaning as indicated below:
General data protection regulation or GDPR: the Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the
protection of individuals with regard to the processing of Personal Data and concerning the
free traffic of such data, and which takes effect on 25 May 2018.
Data subject(s): the identifiable individual person whose Personal Data is
Controller: each individual or legal entity who determines
the purposes and means of the processing of Personal Data.
Processor: each individual or legal entity who for the benefit of the
Controller processes Personal Data.
Sub Processor: every third party that is brought in by the Processor to
process Personal Data for the benefit of the Processor, without being subjected to the
direct authority of the Processor.
Personal data: all information about an identified or identifiable natural
person; an identifiable person is considered a natural person that can be identified
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location information, an online identifier or one or more elements
that characterise the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person.
Privacy legislation: the entire Belgian and European data protection
legislation, including the law of 8 December 1992 on privacy protection in
relation to the processing of Personal Data and starting from 25 May 2018, the General Data
Processing: any processing or set of processing related to Personal Data
or a set of Personal Data, whether or not conducted through automated
processes, such as collection, recording, organisation, structuring, storing,
updating or changing, requesting, consulting, using, providing through forwarding,
distributing or otherwise making available, aligning or combining, blocking, erasure or
destruction of data.
Data leak: a security breach of Personal Data which inadvertently or
unlawfully leads to the destruction, loss, modification or unauthorised
provision of or unauthorised access to transmitted, stored or otherwise
Supervisory authority: in Belgium this is the Commission for the
Protection of Privacy; starting from 25 May 2018 it will be reformed into the
Data Protection Authority.
Employee(s): the persons who are authorised by the parties for the
implementation of this Processors Agreement that work under their responsibility.
Subject of the processing agreement
The current Processors Agreement has as objective to set out the conditions under which the
Processor may process Personal Data commissioned by the Controller.
Parties agree that this Processors Agreement is an integral part of the main agreement
between the Controller and the Processor.
The Processor undertakes to only process Personal Data on the basis of written instructions
of the Controller, arising from the Main Agreement. The Main Agreement and the Processors
Agreement jointly determine the subject and the duration of the Processing.
The Processor and his Staff process the Personal Data on behalf of the Controller in the
framework of the services and objective described below:
The Processor will process Personal Data for the implementation of the
hosting and/or support agreement concluded between the Parties.
For the full term of the agreement, the Processor can subject the Personal Data to the
following processing operations: the collection, recording, organisation, structuring,
storage, update or change, retrieval, consultation, use, provision by means of transmission,
distribution or otherwise making available, aligning or combining, blocking, erasing or
The Processor processes the following types of Personal Data:
name, surname, address, e-mail address, date of birth, age, social media URLs
These Personal Data relate to the following categories of the data subjects:
visitors and managers of the website or web application.
Rights and duties of the controller
The Controller has the duty to provide the information in articles 13 and 14 of the GDPR to
persons involved that are the subject of processing operations under the current Processors
The Controller makes the Personal Data, as set out in this Processors Agreement, available
to the Processor. The Controller determines the purposes and means for the Processing. He
guarantees that the Processing of Personal Data, including the transmission of Personal
Data, is done in a legal way and in accordance with the relevant privacy laws.
- The Processing by the Processor is done solely on the basis of written instructions from the
Controller. The Controller guarantees that the task of processing of Personal Data is done
according to privacy laws. If the task for the processing changes, the Controller shall
immediately inform the Processor concerning this.
- If the Employees of the Controller process Personal Data themselves, the responsibility for
compliance with the requirements of Privacy Laws for the Processing of Personal Data falls
under the responsibility of the Controller and not under the responsibility of the
- The Controller must keep a register of the processing activities that take place under his
responsibility in accordance with article 30 (1) of the GDPR.
All information and material made available by the Controller to the Processor and
containing Personal Data will always be considered as the
property of the Controller.
Rights and duties of the processor
The Processor may only process Personal Data that are strictly necessary for the
implementation of the Main Agreement and undertakes to process the Personal Data only for
the purposes set forth in this Processors Agreement. The Processor will not process the
Personal Data for any other purpose than as determined by the Controller.
The Processor is committed to process Personal Data solely on the basis of the written
instructions from the Controller and according to the provisions of the Processors
Agreement. If a Processor considers some instructions contradictory with the Privacy
Legislation, then he will immediately notify the Controller of this. This advisory
role of the Processor is merely a best-efforts obligation that exists between them and cannot be
used against the Processor as the basis for liability. If the Processor is expected to pass
on Personal Data to a third country or to an international organisation under the law of the
European Union or the law of a Member State that applies to it, the Processor must report
this to the Controller prior to the Processing, unless the law concerned forbids such
notification on the basis of important reasons of the general interest.
The Processor guarantees the confidentiality of the Personal Data that was passed on to him
in the framework of the Processors Agreement. The Processor also guarantees that all its
employees undertake to take confidentiality into consideration or are bound by an
appropriate legal obligation of confidentiality.
The Processor may not save, transfer or process in any way Personal Data on a location
outside the European Economic Area or pass on to countries outside the European Economic
Area, without the prior written permission of the Controller. In addition, the Processor
must ensure that the third country or international organisation offers an adequate level of
data protection. If this is not the case, proper guarantees must be given
contractually or the express consent of those involved must be obtained.
The Processor processes the Personal Data provided by the Controller for as long as this is
necessary for the implementation of the main agreement. As soon as the task is executed, the
Processor shall, within a reasonable time and unless explicitly agreed otherwise, put an end
to any other use of the Personal Data beyond what
is necessary in order to enable the Controller to recuperate the data that were entrusted to
The Processor will assist the Controller as far as possible to fulfil his duty to satisfy
the requests from the Data Subjects regarding the right of access, right of
rectification, right of data deletion, right of limitation of the Processing, right of
transferability of the data, or right to object against automated individual decision making
(including profiling). In the event that a Data Subject makes such a request with the
Processor, the Processor will forward the request to the Controller, and the Controller will
further deal with the request, unless explicitly agreed otherwise.
The Processor will assist the Controller for each data protection impact assessment and
prior consultation of the Supervisory Authority. In addition, the Processor shall assist the
Controller to answer requests from the Supervisory Authority. For the implementation of such
requests, the Parties can agree to link a compensation arrangement to this.
If necessary for the execution of the mandate, the Processor can make a copy and proceed
with the preparation of a back-up. The Personal Data on these copies and back-ups enjoy the
same protection as the original Personal Data.
The Processor keeps a written record of all processing activities carried out for the
account of the Controller. This register contains all the information required by article
30(2) of the GDPR.
The Processor guarantees that his Employees have only access to Personal Data to the extent
necessary to carry out their duties under the order for Processing. The Employees of the
Processor are also bound by confidentiality. The Processor will notify his Employees about
the obligations of the Privacy Legislation and of this Processor Agreement.
Processor indicates the name and contact details of his data protection officer (Data
Protection Officer or DPO) to the Controller, if he is obliged to appoint one in accordance
with article 37 of the GDPR.
After the prior specific and written permission of Controller, the Processor may outsource
in whole or in part to a Subprocessor. The Controller can only refuse on reasonable
grounds. The Processor remains at all times the contact point for processing.
The Processor may call upon the services of a Subprocessor located outside the European
Economic Area only after prior, specific and written consent of the Controller. In this
case, the Processor needs to choose a Subprocessor who provides appropriate protective
measures in order to protect Personal Data. In the absence of such measures, appropriate
guarantees must be given in a contractual manner or the express consent of Data Subjects
should be obtained.
The Processor must ensure that the Subprocessor offers the same guarantees with regard to
the taking of appropriate technical and organisational measures in accordance with article 32
of the GDPR.
All obligations under article 5 of the current Processors Agreement shall apply entirely to
the Subprocessor. These obligations are stipulated in writing in an agreement between the
Processor and the Subprocessor. The Processor remains solely responsible with regard to the
Controller for compliance by the Subprocessor with his obligations.
For the proper implementation of the tasks as Processor, he uses the following
Amazon.com: webhosting and backups
Openprovider.nl: policy and domain names
SendGrid.com: sending of transactional e-mails
MailChimp.com: managing newsletter subscribers
Google.com: Analytics, Tag Manager for the recording of analytical data
The Processor is bound by a confidentiality obligation with regard to the Personal Data
which he receives from the Controller for the order of processing and of all information
which he receives in the framework of this Processors Agreement. This obligation of secrecy
is also valid in full for the Employees of the Processor and for any Subprocessors and their
This confidentiality obligation arises during the negotiations of the Processors Agreement,
shall continue to apply for the entire duration of the Processors Agreement and also after
termination of the Processors Agreement.
This confidentiality obligation shall not apply if the Processor is obliged by the
Supervisory Authority, a legal provision or a court order to communicate this Personal Data,
when the information is publicly known and when the supply of data takes place by order of
The Controller and the Processor shall take the required and appropriate technical and
organisational measures (hereinafter referred to as the "Safety Measures")
in order to protect Personal Data against destruction, either by accident, against loss,
falsification, unauthorised disclosure or access, in particular where the processing
involves the transmission of data over a network, and against all other unlawful forms of
Processing or use.
The Safety Measures guarantee, taking into account the state of the art and the cost
of implementation, an adequate protection level having regard to the risks represented by
the processing and the nature of the data to be protected. The Safety Measures are partly
aimed at preventing unnecessary collection and further processing of Personal Data.
The Processor should inform the Controller about all the Safety Measures he is taking to
meet the protection obligation. To determine the relevant measures, the state of the art
and the cost of implementation are taken into account. If changes in technology require
changes to the technology used, the Processor will notify the
Controller of this and estimate the necessary costs. If the Controller does not
agree with the implementation of these Safety Measures deemed necessary by the Processor,
the Processor cannot be held responsible for the occurrence of a Data Leak that can be
attributed to the Controller's failure to act. In that event the Controller cannot claim
possible administrative fines and/or costs to the person concerned from the Processor.
The Controller and the Processor will make all reasonable efforts to ensure that the used
processing systems meet the requirements of confidentiality, integrity and availability,
always taking into account the state of the art and the reasonable costs of
execution. Both parties will also check whether their systems are sufficiently flexible.
Reporting of a data leak
If the Processor finds a Data Leak, he reports this without delay and at the latest
within 24 hours to the Controller. This notification describes and reports at least
the following:
the nature of the infringement in relation to Personal Data, where possible, an
indication of the categories of the person involved and the Personal Data in
question and, approximately, the number of persons concerned and Personal Data in
the name and contact details of the officer for data protection or
another contact point where more information can be obtained;
the likely effects of the Data Leak related to the Personal Data;
the measures proposed or taken by the Controller to deal with the Data Leak,
including, where appropriate, the measures to limit any adverse consequences.
At the request of the Controller, the Processor will report the Data Leak in the name and on
behalf of the Controller to the Supervisory Authority as soon as reasonably possible and, if
possible, within 72 hours after the Data Leak was established, unless it is not probable
that the Data Leak entails a risk to the rights and freedoms of the Data Subject.
It is up to the Controller to assess whether they shall inform the Supervisory Authority
and/or the persons concerned or not about that.
Intellectual property rights
All intellectual property rights on the Personal Data and on the databases with these
Personal Data belong to the Controller. These intellectual property rights include the copyright
and the sui generis database right.
The Processor receives only a limited right of use to the extent necessary to be able to do
the agreed processing in the context of this Processors Agreement. The Processor is not
allowed to modify, take over, or communicate the protecting elements to the public, except
with the express permission of the Controller.
Duration and end of the agreement
This Processors Agreement runs for as long as the Main Contract is in force and is
terminated at the same time as the Main Contract. The Processors Agreement may not be
terminated independently of the Main Contract, unless the parties agree that termination is
necessary to comply with the privacy laws or decisions of the Supervisory Authority.
At the end of the Processors Agreement, the Processor will provide the Controller all
Personal Data that were processed. In addition, he shall provide all information and
documentation necessary for the later Processing of Personal Data. After all the Personal
Data are passed to the Controller, the Processor immediately terminates the processing and
he destroys any copy or back-up that he still possesses. Any costs associated with the
return of the Personal Data and the destruction of them are at the expense of the
General provisions, applicable law and disputes settlement
This agreement shall not be transferred by one of the Parties to others without the prior
written consent of the other Party. This shall not, however, apply to transfer to associated
companies or taken over companies or legal successors of one of the parties, for which no
permission is needed.
This agreement contains the entire understanding of the Parties with respect to its subject
matter and supersedes all prior or existing agreements between the parties concerning
its subject. This agreement may be modified only in writing, after joint signature by the
The nullity or invalidity of a provision or part of a provision of this agreement does not
affect the operation and validity of the remaining provisions. The Parties will in that case
make all efforts to replace or adjust the provision in question to the extent necessary to
make this provision valid and enforceable. In that case the Parties will negotiate in good
faith and will strive for an adjustment in order that the original intent of the provision
remains unaffected as much as possible. If this proves impossible, only that provision
will be considered non-existent.
Titles and subtitles in this agreement are deemed to be merely illustrative.
This agreement is governed by Belgian law. In the event of any dispute concerning the
implementation of this agreement, the Parties are expected to make all efforts to find an
amicable solution. The Parties will draw up a reasonable interpretation of this Agreement.
In the absence of an amicable solution, the dispute can be submitted to a centre of
arbitration and mediation (such as CEPANI) or a competent court. The exclusively competent
court is the court of the judicial district of Antwerp, being the district in which the
registered office of the Processor is located.