Skip to content
pdf download icon

Download as a pdf

DATA PROCESSING AGREEMENT – v2.01

 

This data processing agreement is an integral part of the Agreement between you (the other party) and Televic Education.

Televic Education is the processor (hereinafter: ‘Processor’) of the personal data and the other party is controller (hereinafter: ‘Controller’) of the personal data.

 

CONSIDERING THAT:

 The Processor offers software to conduct assessments and exams, in which context it will process Personal Data on behalf of the Data Controller, as specified in Annex 1 of the Agreement;

a) The Processor commits to performing the processing services under the conditions set out in the Agreement;

b) This Agreement is part of the obligation arising from Article 28 of Regulation 2016/679 of the European Parliament and the Council of 27 April 2016.

 

THE PARTIES AGREE AS FOLLOWS:

 

Article 1 – Definitions

“Agreement”: this data processing agreement, including its annexes;

“Personal Data”: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

“Data Breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed;

“GDPR”: General Data Protection Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

“Sub-processor”: any subcontractor appointed by the Processor to carry out part of the processing activities on behalf of the Data Controller.

 

Article 2 – Subject matter

This Agreement arises from the obligation set forth in Article 28 of the GDPR, which stipulates that a written agreement must be concluded between the Processor and the Data Controller.

This Agreement governs the rights and obligations of the Data Controller and the Processor in relation to the processing of Personal Data.

The Processor commits, from the effective date of this Agreement, to comply with its terms while performing processing activities on behalf of the Data Controller. If any processing activities were carried out prior to the effective date of this Agreement, the Processor agrees to conduct such activities in compliance with this Agreement from the moment it becomes effective.

 

Article 3 – Contact details of the data protection officer (dpo) or fixed gdpr contact person

For the Processor, the fixed contact person is:

Article 4 – Rights and obligations of the processor

The Processor shall act solely on behalf of the Data Controller when processing Personal Data.

The Processor will only process Personal Data as described in Annex 1 of the Agreement and at all times in accordance with the provisions of the Agreement and the written instructions of the Data Controller. However, the Data Controller expressly allows the Processor to further anonymize the processed Personal Data in order to create aggregated statistics, with the aim of analyzing them for the optimization of the Processor’s SaaS services.

The Processor will only process those Personal Data that are strictly necessary for the execution of the Agreement and exclusively those Personal Data included in Annex 1 of the Agreement.

The Processor commits to regularly informing and training its employees responsible for the processing of Personal Data and the execution of the Agreement regarding the provisions of privacy regulations in general, and the GDPR in particular. The Processor guarantees that these employees have committed to confidentiality or are bound by an appropriate legal obligation to confidentiality.

 

Article 5 – Rights and obligations of the data controller

The Data Controller commits to proposing an addendum or amendment to this Agreement whenever a new processing task is assigned to the Processor or whenever the purpose of the processing changes.

 

Article 6 – Processing of personal data

6.1

The Processor is obligated to maintain the confidentiality of the Personal Data it processes on behalf of the Data Controller.

6.2

The Processor may only process Personal Data for the purposes described in Annex 1 of the Agreement. The Processor is allowed to process or have the Personal Data processed outside the European Economic Area, provided the Data Controller is informed in advance and compliance with Article 44 and subsequent articles of the GDPR is ensured.

6.3

The Data Controller grants the Processor permission to disclose Personal Data to all persons, institutions, and entities directly involved in the execution of the assignment, when it is strictly necessary for the execution of the Agreement, and within the limits of the Agreement and the GDPR.

6.4

Disclosure to other third parties not mentioned in the previous section is prohibited, unless required by law or mandated by a court order. Any legally or judicially mandated disclosure to third parties must be communicated to the Data Controller by the Processor in advance.

6.5

The Processor may make a backup or copy of the data if it is strictly necessary to execute the Agreement.

6.6

The Processor is permitted to anonymize the data from the platform for statistical, developmental, and analytical purposes.

 

Article 7 – Rights of the data subject

If the Data Controller receives a request from the data subject whose Personal Data is being processed to exercise their rights under the GDPR, such as the right to object or the right to erasure of Personal Data, the Data Controller shall promptly forward this request to the Processor.

The Processor commits to responding promptly and, at the latest, within 10 business days after receiving the request, by either providing the requested information, making the necessary adjustments to the Personal Data, or deleting and destroying certain Personal Data as instructed by the Data Controller.

If the Processor directly receives a request from the data subject to exercise their rights under the GDPR, the Processor will forward this request to the Data Controller without unreasonable delay and provide reasonable assistance as requested by the Data Controller to appropriately comply with the request. The Processor will not respond to such requests or take any other actions unless instructed by the Data Controller. However, the Processor may confirm to the data subject that the request has been forwarded, along with the reasoning for doing so.

 

Article 8 – Confidentiality

All Personal Data and information received by the Parties under this Agreement shall be treated as confidential during the term of this Agreement and for ten years thereafter. This information shall not be disclosed to third parties and shall not be used for any purpose other than advancing the objectives of the Agreement.

The obligation of confidentiality described above does not apply to confidential information that:

  • Was already publicly available at the time of disclosure by the disclosing Party, or becomes publicly available thereafter without any action by the receiving Party;
  • Was lawfully in the possession of the receiving Party at the time of disclosure, as can be sufficiently demonstrated by the receiving Party; or
  • Is received by the receiving Party on a non-confidential basis from a third party after disclosure by the disclosing Party.

Personal Data shall also be considered confidential information, and at no time in the future, even after the ten-year period, may the Processor use this information beyond the limits of this Agreement.

 

Article 9 – Liability and warranties

If the Processor is held liable by the Data Controller for damages due to non-compliance with this Agreement or the GDPR, the Processor’s liability, except in cases of intentional misconduct, will be limited per the totality of events leading to a dispute to the relevant amount effectively paid out under the Processor’s (cyber)insurance, provided the facts are covered by such insurance.

If, for any reason, the insurer does not make a payout, the Processor’s liability, except in cases of intentional misconduct, will be limited in any case to the total amounts invoiced by the Processor to the Data Controller and paid by the Data Controller during the year preceding the facts giving rise to the liability. For calculating this maximum liability amount, only the amounts paid for cloud products and related services that fall under the scope of this Agreement regarding the associated data processing are considered.

A series of related events leading to liability for the Processor shall, for the purposes of this article, be treated as a single set of events giving rise to the same dispute. In this case, the Processor’s total liability for this series of events shall not exceed the aforementioned amounts.

The Processor is not liable for any form of indirect damage such as, but not limited to, business stagnation, reduced goodwill, missed savings, lost profits, reputational damage, or any other form of indirect, incidental, or consequential damage, regardless of the nature of the action.

This provision does not affect the potential liability of the Processor towards the data subject under Article 82 of the GDPR.

 

Article 10 – Duration, termination, and ending

This Agreement is inextricably linked to the agreement(s) concluded between the Parties as specified in Annex I and should be regarded as a supplement or amendment to those agreements, taking precedence over all other agreements between the Parties. The Parties will amend this Agreement in response to changes or updates in regulations, additional instructions from relevant authorities, and evolving interpretations of privacy legislation (for example, through case law or advice from the Data Protection Authority or the European Data Protection Board).

This Agreement takes effect on today’s date and is concluded for an indefinite period. Either Party may terminate the Agreement by registered letter, subject to a notice period of 3 months. The notice period begins on the first day of the month following the sending of the registered letter, with the postmark serving as proof. If the main agreement(s) specified in Annex I have not yet been terminated by the end of the notice period, the notice period will be suspended until these agreement(s), which imply the processing of Personal Data under this Agreement, are also terminated.

 

Article 11 – Consequences of termination

In the event of termination of this Agreement, regardless of the manner of termination, the Processor shall, on its own initiative, return all Personal Data—whether the content of the information carriers was produced or created by the Processor, the Data Controller, or third parties—or instruct its Sub-processors to do so, within a reasonable period and subject to the provisions in the third paragraph of this article.

If the Personal Data is stored or kept in a database of the Processor or in any other form that cannot reasonably be transferred to the other Party, the Processor shall destroy such Personal Data and/or instruct its Sub-processor(s) to do so within a reasonable period, subject to the provisions of the third paragraph of this article.

The Processor shall fully comply with the obligations set out in this article within 3 months after the termination of the Agreement. If specific deadlines have been agreed for certain Personal Data, the relevant Personal Data will be deleted earlier, and where relevant, during the course of the Agreement, in accordance with the instructions of the Data Controller.

 

Article 12 – Retention of personal data

The Processor shall not retain Personal Data longer than is necessary for the execution of the task for which it was made available. If the Personal Data is no longer needed after this, the Processor shall either properly exchange and permanently delete it, or return the data carriers to the Data Controller, subject to the provisions in Article 11.

This provision also applies to the data carriers on which a copy or backup, as mentioned in Article 6.5 of the Agreement, was stored.

This provision also applies to any Sub-processors the Processor may engage.

 

Article 13 – Audit by the data controller

The Data Controller has the right to verify compliance with the Agreement, possibly through the involvement of an authorized auditor. To this end, after making an appointment at least two weeks in advance of the visit, the Data Controller may access the premises or locations where the Processor or Sub-processors carry out data processing and/or store copies or backups. During this visit, the Data Controller may review all relevant and necessary documents, upon request, to ensure that the processing by the Processor or Sub-processor complies with the provisions of this Agreement and the GDPR. The Processor may require the signing of a confidentiality declaration or agreement as a condition for entering its premises or other buildings by the persons assigned to this task by the Data Controller.

The costs for the audit are borne by the Data Controller and are considered part of the available support time or on a time and material basis if no support time is included in the agreement.

The costs for the audit will be borne by the Processor if it is found that the Processor has committed serious breaches of this Agreement or has clearly acted contrary to the instructions of the Data Controller.

The Processor will also provide the Data Controller, upon request, with any information necessary to demonstrate compliance with the obligations laid out in this Agreement.

 

Article 14 – Security

The Processor commits to implementing appropriate technical and organizational measures to secure the Personal Data and its processing, at least in accordance with industry standards.

The Processor also undertakes to take the necessary measures to restrict access to the Personal Data to those employees of the Processor who need access to such data in order to execute the Agreement.

If the Processor engages Sub-processors to perform the Agreement, the Processor guarantees that it has entered into an agreement with these Sub-processors that includes at least the same guarantees and obligations as those arising from this Agreement.

 

Article 15 – Sub-Processors

The Processor is permitted to appoint or replace Sub-processors for the purpose of carrying out the processing activities that are the subject of this Agreement. The Data Controller hereby grants general written consent to the Processor for this purpose. In such cases, the Processor shall inform the Data Controller in advance of the appointment or replacement of the Sub-processor, and the Data Controller will have the opportunity to object to the appointment within a reasonable period as communicated by the Processor.

If the Processor wishes to engage a Sub-processor as described in this article, the Processor commits to entering into a written agreement with the Sub-processor that includes at least the same guarantees and obligations as those arising from this Agreement.

The Processor shall maintain an up-to-date register of the Sub-processors it engages, which will include the identity, location, and a description of the tasks performed by the Sub-processors, as well as any additional conditions set by the Data Controller. This register will be added as Annex 3 to this Agreement and will be kept current by the Processor. The Sub-processors engaged at the commencement of this Agreement will also be listed in Annex 3.

 

Article 16 – Miscellaneous provisions

16.1

This Agreement constitutes the entire agreement between the Parties regarding its subject matter and replaces all prior written and oral agreements in this regard.

16.2

If one or more provisions of this Agreement are declared null or unenforceable, this will not affect the legality, validity, and enforceability of the remaining provisions of the Agreement and the Agreement as a whole, as long as these provisions still retain some effect or legal basis. The Parties agree to replace the invalid provisions, to the extent legally possible, with new provisions that align with the objectives and choices of this Agreement.

16.3

Neither Party may transfer the rights from this Agreement to third parties without the prior written consent of the other Party. Amendments or modifications to this Agreement can only occur if they are accepted and signed in writing by both Parties.

 

Article 17 – Data breaches

In the event of a Data Breach, the Processor shall inform the Data Controller as soon as possible and no later than 48 hours after discovering the breach by phone, followed by an immediate written confirmation via the contact details (telephone number or email) of the DPO or the Fixed GDPR contact person of the Data Controller, as specified in Article 3 of the Agreement. Under no circumstances shall the Processor notify the affected individuals of the Data Breach itself, without prejudice to the obligation to mitigate or remedy the consequences of such breaches and incidents as quickly as possible.

The Processor shall also provide all information that the Data Controller deems necessary to assess the incident, upon the Data Controller’s first request.

The Processor commits to keeping the Data Controller informed of the measures taken to limit the scope of the Data Breach or to prevent similar incidents in the future after discovering the breach.

The Processor has a thorough action plan for handling and managing Data Breaches and will provide the Data Controller with access to this plan upon request. The Processor will inform the Data Controller of any material changes to the action plan.

The Processor shall leave notifications to the supervisory authorities to the Data Controller.

The Processor will fully cooperate in providing any additional information to the supervisory authorities and/or data subjects as necessary, as soon as possible. The Processor shall, in any case, provide the Data Controller with the information described in Annex 2.

The Processor shall maintain a detailed log of all (suspected) Data Breaches, as well as the measures taken in response to such breaches, which shall at least include the information referred to in Annex 2, and will provide access to this log upon the Data Controller’s request.

 

Article 18 – Export of personal data

The Processor commits not to transfer any Personal Data to a third country or an international organization except in accordance with Article 6.2 of the Agreement, unless a Union law or a law of a Member State applicable to the Processor requires such processing. In such cases, the Processor shall inform the Data Controller of the legal requirement prior to processing, unless that legislation prohibits such notification for important reasons of public interest.

 

Article 19 – Assistance

The Processor shall assist the Data Controller in fulfilling its obligations under the GDPR. The Processor will provide assistance to the Data Controller in conducting a data protection impact assessment in accordance with Articles 35 and 36 of the GDPR.

 

Article 20 – Applicable law and disputes

This Agreement is in all respects subject to and shall be interpreted and construed in accordance with Belgian law.

Disputes concerning the execution or interpretation of the Agreement shall be submitted exclusively to the courts that have territorial jurisdiction over the registered office of the Processor.

 

Annex 1: Details of the processing activities

Description: Assessment Software

The following categories of personal data are processed by the Processor:

  • Users of the software:
  • Admin
  • Users of the organization
  • Participants in the assessment

Content of the Data:

The specific data that needs to be entered into the tool and the questions to be asked are fully managed by the Data Controller. The Processor ensures that the data is correctly processed to execute the assessment.

If special categories of personal data are to be processed, the Data Controller must explicitly inform the Processor.

Personal dataCategory of personal dataPurpose of processing
Contact details: name, email addressContact detailsIdentification of the user
Personal detailsUsage data entered in the toolParticipation in the assessment, identification
Questions and answersAssessment dataCompleting the assessment
User statisticsStatistics, behavioral data on the platformStatistics, user monitoring
Video, audio, imagesMediaUser monitoring
Login details on the platformLogin detailsLogging into the platform

 

Annex 2: Overview of information in case of an incident

The Processor shall provide the following information to the Data Controller in the event of a (potential) Data Breach involving the Data Controller’s Personal Data (possibly in multiple communications):

  • The (alleged) cause of the breach;
  • The (currently known and/or expected) consequence of the breach;
  • The (proposed) solution to address the breach;
  • Relevant contact information for the follow-up of the report;
  • The number of individuals whose Personal Data is involved in the breach (if the exact number is unknown, the minimum and maximum number of potentially affected individuals);
  • A description of the group of individuals whose Personal Data is involved in the breach;
  • The type(s) of Personal Data involved in the breach;
  • The date on which the (potential) breach occurred (approximately, if the exact date is unknown);
  • The time period during which the breach occurred;
  • The date and time when the Processor or any engaged Sub-processor became aware of the breach;
  • Whether the data was encrypted, hashed, or otherwise rendered unintelligible or inaccessible to unauthorized individuals;
  • The measures already taken to end the breach and limit its consequences, and the measures still to be taken or under consideration.

 

Annex 3: Overview of sub-processors

Sub-processor 1Cronos
Description of activitiesHosting of the platform
Location of processingEU
Processed personal dataData on the platform

Sub-processor 2Sendgrid
Description of activitiesSending communications from the platform
Location of processingUS entity – privacy framework compliant – ISO27001 certified – binding corporate rules

https://www.twilio.com/en-us/gdpr
Processed personal dataEmail address

Sub-processor 3Proctorexam
Description of activitiesProctoring service – identification, abuse monitoring, support
Location of processingEU
Processed personal dataIdentification data, video, photo, audio recordings