Legal information

Data processing Agreement

Definitions

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Services: the services Flexmail provides the Client with, as further defined in the Service Agreement and its description and as published on the Flexmail website;

Service Agreement: the agreement the Parties concluded under which Flexmail processes data on behalf of the Client and on the latter's instructions, as further specified in the Flexmail General Terms of Business (including the Privacy Policy, Anti-spam Policy and Acceptable Use Policy);

Data: any and all information exchanged between the Parties, including the Personal Data potentially contained therein;

Agreement: this “Data processing Agreement”, including its Annexes, if any;

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing activities: the processing of Data by Flexmail in the context of the performance of the Service Agreement

Article 1: Scope, subject matter and duration of the processing

This Agreement is concluded in the context of the performance of the Service Agreement and more specifically the Processing Activities. This Agreement shall come to an end on the date the Service Agreement expires, in which case Flexmail, at the Client's request, shall either transfer all the Data of the Client that remain at Flexmail's disposal to the Client or destroy the Data in question.

The Flexmail General Terms of Business, to the exclusion of any provisions Flexmail did not expressly accept in writing, shall continue to apply in full.

Article 2: Nature and purpose of the processing

  1. The Data shall be processed in the context of the Service Agreement, where the Client is qualified as the controller and Flexmail as the processor in the context of the GDPR. Flexmail shall not use these Data or process these Data in a manner not provided for under the Service Agreement or in the description of the Services, unless expressly otherwise agreed between the Parties. The Client and/or the data subjects remain the owner(s) of the Data the Client puts at Flexmail's disposal.
  2. As further laid down in the Service Agreement and the description of the Services, the Processing Activities may include any of the following:
    • receiving the Data, as supplied by the Client in a format agreed upon between the Parties
    • verifying the structure in which the Data are supplied by the Client
    • integrating the Data into the Flexmail systems; and
    • combining the Data with the communications the Client wishes Flexmail to send out, in the name and for the account of the Client
  3. The above processing is done via and by means of the Flexmail systems, consisting of hardware and software Flexmail exclusively uses within the European Union or in a country that guarantees an adequate level of protection. In the latter case, Flexmail shall, at the Client's request, inform the Client in writing what Processing Activities are carried out in which countries on the instruction and under the supervision of Flexmail. More specifically, when determining the appropriate level of protection, Flexmail shall take account of the duration of the proposed processing, the country of origin and the country of final destination, the general and sectoral rules of law prevailing in the country in question, including the rules of professional life and the security measures adhered to in these countries.
  4. Furthermore, Flexmail shall be responsible for:
    • the transmission of the communications, created by the Client, to the persons whose Personal Data form part of the Data the Client supplied to Flexmail
    • the creation and compilation of standard reports on behalf of the Client, a standard functionality the Flexmail systems are equipped with
    • the foregoing to be exclusively processed within the automated systems Flexmail puts at the Client's disposal in the context of the Service Agreement.
  5. The Parties hereby expressly agree that Flexmail has no control over the location of the Client's systems, let alone over the systems of the data subjects whose Personal Data and other Data are processed in accordance with Article 2.2. Accordingly, the Client recognises and accepts that the systems of the Client and/or the data subjects may be located within or outside of the European Union.

Article 3: Type of Personal Data

  1. To avail of the Services, the Personal Data the Client, as controller, puts at the disposal of Flexmail in the context of the Service Agreement, shall contain at least one or more valid and active email address/addresses.
    The Parties recognise that such email addresses may be qualified as Personal Data.
  2. In general, but especially with a view to personalising the communications the Client wishes to transmit to the data subjects, the Client may supply Flexmail with any additional data the Client deems necessary or appropriate, given the Client's objectives when availing of the Services. Solely the Client, to the exclusion of Flexmail, is responsible for the choice, content, use, qualification and processing of these Data, and the Client recognises that the combination of certain Data, whether Personal Data or otherwise, can, in turn, be qualified as (sensitive) Personal Data, either or not taking account of the objectives the Client pursues by availing of the Services. In such cases, it shall notify Flexmail accordingly, so as to allow the latter to take the appropriate measures with regard to such Data and the manner in which they are processed. However, the Client shall at all times remain responsible for the effective processing of the Data by Flexmail, more specifically taking the nature and the scope of the Services into account.
  3. Nonetheless, the Client shall ensure that no Personal Data other than those that are strictly required in terms of the Service provision are transmitted to Flexmail. By availing of the Services, the Client, to the exclusion of Flexmail, is and remains responsible for the choice and content of the Data the Client transmits to Flexmail in performance of the Service Agreement.

Article 4: Categories of data subjects

  1. The categories of data subjects whose Personal Data are processed by the Client and Flexmail in the context of the performance of the Service Agreement shall be determined by the Client. Flexmail's role in this respect shall at the most consist of assisting the Client with the drafting of communications to ensure that the Services can be provided as efficiently and effectively as possible. Responsibility for the content of the communications, the manner in which the addressees of such communications are addressed and for the accuracy thereof shall invariably rest with the Client.
  2. The Client declares and guarantees that the data subjects whose Personal Data the Client or a third party transmits to Flexmail, on the Client's instructions, have given their unambiguous and explicit consent to the processing that forms part of the Services, or that the Client can rely on one of the provisions of the GDPR on the basis of which such consent is not required. In particular, the Client declares that the envisaged Processing Activities by Flexmail are not unlawful and do not infringe the rights of third parties.

Article 5: Rights and obligations of the Client

  1. The Client, as controller, declares and guarantees that the Client will at all times be in a position to furnish Flexmail with proof that the Data, and more specifically the Personal Data the Client supplies to Flexmail within the context of the performance of the Service Agreement, are processed lawfully, both by the Client and by Flexmail, more specifically in terms of the content and scope of the Service Agreement and the Services.
  2. The Client shall notify Flexmail without delay, via the systems Flexmail put at the Client's disposal, in cases where a third party asks the Client to delete his Data, in particular his Personal Data, from the Flexmail systems, or to no longer use them in the context of the Service Agreement.
  3. The Client is at liberty to ask Flexmail to lend its reasonable assistance with an audit of the functioning of the Flexmail systems. At the Client's request, such audit shall exclusively be carried out by an independent third party, designated by common accord between the Parties, at the Client's expense. Aside from the fact that audits shall not unnecessarily interfere with Flexmail's business activities, Flexmail shall be notified of an audit in writing no less than ten days in advance and be given a description of the parts that will be audited and of the auditing process. Flexmail shall cooperate with the audit and, as timely as possible, provide all the information that may reasonably be required for the audit, including the supporting data such as system logs and staff, provided the (in)direct consequences thereof will not result in the (contractual) rights, obligations or legal requirements of the service provision as a whole or Flexmail's interests being prejudiced. Flexmail's assistance shall not exceed a maximum of [three working days] per calendar year. Once the actual assistance Flexmail provides exceeds the aforesaid period of time, the additional time spent by Flexmail shall be invoiced to the Client at the regular hourly rate which, at the time this Agreement comes into effect, amounts to € 125,95 excl. VAT. However, if the audit report, the findings of which have been accepted by both Parties, shows that Flexmail is guilty of serious misconduct or gross negligence under the GDPR, the Client shall not be obliged to compensate Flexmail for its assistance with the audit in question.

Article 6: Obligations incumbent Flexmail

1. Compliance with the applicable legislation
Flexmail, including the third-party processors designated by it, shall process the Data in accordance with the Service Agreement and the provisions of the GDPR, as further specified herein.

2. Compliance with the instructions
Flexmail shall comply with the Client's instructions to the extent that:
  1. the Client communicated the instructions in question to Flexmail in writing and beforehand and Flexmail has accepted the instructions; and
  2. the Flexmail systems so permit, taking into account the functionalities of the systems Flexmail has at its disposal at the moment Flexmail receives the Client's instructions.
Any use of the Flexmail systems by the Client without Flexmail having accepted the Client's instructions in writing shall be at the Client's own risk. To the extent that the Flexmail systems, in the Client's opinion, do not or do not adequately allow the Client's instructions to be supported, the Client shall contact Flexmail to further discuss the instructions in question. Flexmail does not guarantee that the Client's instructions are fully compatible with or can be implemented in the Flexmail systems.

3. Appropriate security measures
Flexmail has, as a minimum, implemented the following security measures which are consistent with current industry practices:
  • physical access protection measures
  • logical access control, using passwords
  • organisational access protection measures
  • random policy adherence checks
  • secure network connections via Secure Socket Layer (SSL) technology
  • secure internal network
  • purpose-bound access restrictions
  • monitoring of the authorisations granted
Furthermore, Flexmail makes every effort to ensure that its security is at a level that is not unreasonable taken into account the state of technology, the sensitivity of the Personal Data and the cost involved in implementing the security measures. The Client shall only supply Flexmail with Personal Data for processing purposes after it has established that the relevant security measures have been implemented. The Client is responsible for its compliance with the measures the Parties have agreed upon.

4. Security breaches and data leaks
The Parties shall notify one another and, in the given case, the relevant data protection authority of any security breaches or data leaks that may have an impact on the performance of the Service Agreement, and more specifically on the security of the Personal Data they are processing in the context of the Service Agreement. To allow the Client to meet this statutory obligation, Flexmail shall notify the Client of any security breach or data leak within 48 hours of the breach/leak having come to Flexmail's attention.

Notifications are only required in the event of an incident with a major impact, and only if the event actually occurred.
The notification requirement shall in any case include reporting the fact that a security breach/data leak has occurred. In addition, the notification requirement shall include:
  • the (presumed) cause of the breach/leak
  • the (known and/or anticipated) consequence
  • the (proposed) solution; and
  • the contact details to follow up the notification
5. Processing by third parties, on the responsibility of Flexmail
Flexmail:
  • declares and guarantees that the persons authorised to process Personal Data have undertaken or undertake to respect the confidentiality of the Data
  • shall see to it that, where it calls on one or more processors to process the Data, it takes the appropriate measures vis-à-vis such processors, in accordance with the provisions of the GDPR
6. Assistance
Flexmail shall:
  • assist the Client with the fulfilment of its obligation to respond to requests for exercising the data subject's rights
  • assist the controller in ensuring compliance with the obligations (taking into account the nature of the information available to Flexmail NV);
  • at the choice of the Client, delete, return or remove all the Personal Data once the this agreement has come to an end
  • provide the Client with all the information necessary to demonstrate compliance with the obligations laid down and allow for and contribute to audits, including inspections, conducted by the Client or another auditor agreed upon between the Parties, as stipulated above
7. Requests from data subjects
Where a data subject submits a request to Flexmail to access or have his Personal Data rectified, completed, modified or restricted, Flexmail shall forward the request to the Client whereupon the Client shall deal with the request. Flexmail is entitled to notify the data subject to that effect.

8. Liability
Flexmail's liability for any damage arising from a shortcoming in the provision of the Processing Services attributable to Flexmail, in tort or otherwise, shall per event (a serious of consecutive incidents shall be qualified as one event) be limited to covering the direct damage, up to a maximum of the fees Flexmail was paid for the activities under this Agreement during the month in which the event giving rise to the damage occurred. Flexmail's liability for consequential damage, loss of profits, lost savings, loss of goodwill, damage due to business interruption, damage due to the non-specification of the marketing objectives, damage relating to the use of the data or data files specified by the Client, or the loss, mutilation or destruction of data or data files is hereby expressly excluded and the Client expressly agrees to this exclusion.
The foregoing is without prejudice to the obligation of each Party to indemnify the other Party against liability towards third parties arising from violation of its obligations under the GDPR. Any compensation is subject to article 82 (Right to compensation and liability) of the GDPR.

Article 7: Secrecy and confidentiality

  1. All the Personal Data Flexmail receives from the Client and/or collects itself in the context of this Agreement are subject to a duty of confidentiality vis-à-vis third parties (with the exception of third parties Flexmail calls upon in the context of the Service provision, as specified above).
  2. This duty of confidentiality does not apply in cases where the Client expressly agrees to pass on the information to third parties, if the disclosure of the information to third parties is understandably necessary in view of the nature of the assignment and the performance of the Service Agreement, or where there is a statutory obligation to pass on the information to a third party.

Article 8: General provisions

  1. This Agreement shall come into effect as of 25 May 2018 or on the date the Service Agreement enters into force, if the latter was to be signed at a later date.
  2. This Agreement and its Annexes set out the Parties' rights and obligations with regard to its subject matter. It cancels and replaces any and all earlier written or verbal proposals and agreements on the matter. All the Annexes form part of and constitute one whole with this Agreement.
  3. Amendments and addenda to the Agreement shall be valid only if they have been set out in writing and signed by both Parties and shall form part of and form an integral whole with this Agreement. This requirement can be waived in writing only.
  4. This Agreement does not imply a tacit waiver of rights. Except as expressly stipulated in this Agreement, any waiver of rights by one Party or the fact that one of the Parties does not file proceedings following the other Party's culpable failure to adhere to any one provision of this Agreement shall not be construed as a waiver of rights in the event of a subsequent culpable failure, or affect the legal force of the provision in question in any way. Neither Party can be deemed to have waived a right or entitlement under this Agreement or in relation to the other Party's default, unless that right or entitlement has been waived explicitly, in writing and communicated by registered letter.
  5. This Agreement is governed by and shall be interpreted in accordance with Belgian law. Solely the courts of the Judicial District of Gent have jurisdiction to take cognizance of any dispute. In first instance, the Parties shall try to settle any dispute that may arise between the Parties in an amicable fashion.
  6. The Parties hereby expressly agree that the nullity or unenforceability of one or more provisions of this Agreement shall not in any way affect the validity or the enforceability of the other provisions of this Agreement. Accordingly, the other provisions shall remain in full force and effect. The Parties undertake to replace any such null and void or unenforceable provisions with other provisions or implementing provisions that approximate the Parties' original common intention as closely as possible.


UPDATED: 05/03/2024