GDPR at Wello Solutions
On 25 May 2018, the General Data Protection Regulation (2016/679) (the “GDPR”) entered into force.
Wello Solutions has entered into an agreement with you, End User, relating to SaaS services to be rendered by Wello Solutions to the End User (the “Agreement”).
As the GDPR requires the parties to specify the personal data processing carried out by the processor, the Agreement is completed by the present Annex as from 25 May 2018.
Capitalized terms used and not otherwise defined herein shall have the meanings ascribed thereto in the Agreement.
This Addendum completes the Agreement and forms an integral part thereof as from the date hereof, and all the terms and conditions of the Agreement will fully apply to it.
Any provisions of the Agreement not explicitly changed or supplemented by this Addendum remain in full force and effect.
- For the purpose of this Annex, the following definitions shall apply:
- “Controller” means a controller or data controller (as such term is defined in Data Protection Legislation).
- “Processor” means a data processor or processor (as such term is defined in Data Protection Legislation).
- “Data Protection Legislation” means the following legislation to the extent applicable from time to time: (i) national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC) and (ii) the GDPR.
- “Wello Solutions” means Odyssee Mobile NV, with registered office at Stalingradlaan 100, 1000 Brussels, Belgium.
- “Personal Data” means any personal data (as such term is defined in Data Protection Legislation) processed as part of the Services and where such processing falls within the scope of the GDPR.
- Each party shall comply with Data Protection Legislation when processing Personal Data.
- The parties acknowledge that Personal Data may be processed by Wello Solutions as a Controller, for the purpose of, or in connection with: (i) the provision of the Services, where applicable, such as for End User contacts, User details and logins and other Personal Data required for the performance of the Services; (ii) applicable legal requirements; (iii) requests and communications from competent authorities; (iv) administrative, financial accounting, risk analysis and client relationship purposes; (v) to inform the End User and/or its Users, representatives, employees, directors about Wello Solutions’ professional and social activities and about any subject that could be of interest to them, it being understood that if, in the future, the End User and/or its Users, representatives, employees, directors no longer wish to receive such information, they may send a request free of charge by email to Wello Solutions (the “Purposes”). The parties further acknowledge that Personal Data may be disclosed to, and processed by, Wello Solutions’ service providers and competent authorities for one or more of the Purposes. Personal Data may also be disclosed to and processed by other third parties to the extent reasonably necessary in connection with the Purposes.
- The processing and disclosure of Personal Data referenced in paragraph (c) above may involve the transfer of Personal Data outside of the European Economic Area (EEA) to countries where the level of protection for Personal Data is not as high as within the EEA in a manner compliant with the Data Protection Legislation. The End User hereby explicitly acknowledges and consents that Wello Solutions may transfer Personal Data outside Belgium and make use of cloud computing services to store Personal Data and other data of or provided by the End User. Wello Solutions will use commercially reasonable security technologies (such as encryption, password protection and firewall protection) to protect this Personal Data and other data of/provided by the End User from unauthorized disclosure. Wello Solutions shall only be responsible if it has finally judicially been determined that it did not take commercially reasonable measures to protect the Personal Data and other data of/provided by the End User from unauthorized disclosure.
- The parties acknowledge and agree that paragraphs (c) and (d) are a summary of the applicable Wello Solutions privacy notice (the “Privacy Notice”) and are not a complete reflection of the Privacy Notice, which is available at the Wello Solutions website. End User will ensure that any Personal Data provided to Wello Solutions by, or on behalf of, End User has been collected lawfully, fairly and in a transparent manner to enable such Personal Data to be processed by End User and the other parties referenced in paragraphs (c) and (d) for all of the Purposes.
- If/Where Wello Solutions is Processor of Personal Data as part of the Services, such as for all data put on the software platform by the End User, the following will apply for such processing and Personal Data involved:
- Parties acknowledge and agree that when so processing Personal Data as part of the Services, Wello Solutions will process such Personal Data as Processor of Client. The scope of the processing of Personal Data carried out by Wello Solutions as Processor of Client under this Contract is as follows:
- Subject matter, nature and purpose of such processing: Wello Solutions processes the Personal Data insofar as necessary or useful for the delivery of the Services and related matters and as otherwise provided in the agreement concluded with the End User as instructed by the Client;
- Duration: the term of the agreement concluded with the End User or as otherwise specified in the relevant agreement;
- Types of Personal Data and categories of data subjects: employees, former employees, clients, clients’ (former) employees, officers, (sub-)contractors or co-workers, suppliers, suppliers’ (former) employees, officers, (sub-)contractors or co-workers and/or other data subjects specified in the agreement with the End User or upon the End User’s instruction as specified in the applicable agreement.
- Wello Solutions shall only process Personal Data on the documented instructions of the End User, unless required or requested to process such Personal Data for other purposes by applicable law or regulatory authorities. In such circumstances, Wello Solutions shall provide prior notice to Client unless the relevant law or regulatory authority prohibits the giving of notice on important grounds of public interest. Wello Solutions shall inform End User if (in Wello Solutions’ opinion) End User’s instructions would be in breach of the GDPR.
- Wello Solutions shall only subcontract processing of Personal Data in accordance with the general written authorization set out in point (viii) below and shall ensure that it has an agreement with any further Processors it engages to process Personal Data. That agreement must impose obligations on the Processor similar or equivalent to those in this paragraph (f) and Wello Solutions shall ensure that such Processor complies with those obligations.
- On termination of the agreement with the End User, and at the option of the End User, Wello Solutions shall promptly return or delete, insofar as reasonably possible, Personal Data and confirm that it has done so (except where Wello Solutions is obliged to retain a copy of such Personal Data by applicable law). For the avoidance of doubt, nothing in this section shall require Wello Solutions to delete copies of data that it holds on its own behalf as Controller.
- Wello Solutions shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and shall ensure any of its employees or agents or other persons who it provides access to Personal Data are obliged to keep it confidential.
- Wello Solutions shall notify End User without undue delay after becoming aware of a Personal Data breach.
- Following a written request from End User, Wello Solutions shall, in fulfilment of its obligation to demonstrate compliance with this paragraph (f), make available to End User information on its processing of Personal Data under the applicable agreement. At Wello Solutions’ discretion, such information may take the form of certificates, third-party audit reports or other relevant documentary information.
- Client provides a general authorization to Wello Solutions to engage further Processors to process Personal Data. The current categories of approved sub-processors are:
- service providers or other third parties merely having incidental access to Personal Data (e.g. in the context of system maintenance) but not actively participating in the processing of Personal Data;
- service providers for general infrastructure (telephone, software or hardware maintenance, …);
- professional cloud data storage and application providers, such as IBM, Microsoft, Amazon, …
- who are not processing the Personal Data for their own purposes.
- Wello Solutions shall give End User prior written notice of any intended addition to or replacement of those categories of further Processors. End User can object to that change for reasonable reasons. If applicable, End User may, within 7 days from the date of the written notification, escalate its reasonable objection to Wello Solutions for discussion. If the objection is not received within this period, the use of those further categories of Processors shall be deemed to have been approved.
- End User acknowledges that it has primary responsibility for the processing of Personal Data as part of the Services and shall notify Wello Solutions of any assistance it requires pursuant to Articles 28(3)(a) to 28(3)(h) inclusive of the GDPR. End User shall pay Wello Solutions for any reasonable costs incurred in providing such assistance within 15 Days of receiving an invoice for such costs.
- Wello Solutions may transfer Personal Data outside of the EEA where it has a lawful basis for that transfer under Articles 44-49 GDPR.
- In addition to processing Personal Data as part of the Services, the parties acknowledge that Wello Solutions may also process Personal Data as a Controller in accordance with paragraph (c) (with the exception of paragraph (c)(i)).
- End User indemnifies Wello Solutions against all costs, expenses (including legal expenses), damages, loss (including loss of business or loss of profits), liabilities, demands, claims, actions or proceedings, which Wello Solutions may incur arising out of: (i) Wello Solutions’ compliance with any instruction given by End User to Wello Solutions in relation to the processing of Personal Data (including instructions in connection with requests from individuals exercising their rights under Data Protection Legislation and any instructions to retain, disclose, amend or otherwise process Personal Data); or (ii) any breach by End User of this Annex.