This DPA is an integral part of and an attachment to the Easybox Terms of Use entered into between the Customer and Easybox (the “Agreement”). This Easybox Processing Agreement (the “DPA”) is entered into by and between Customer and Breex Easybox with registered office at Moutstraat 54 9000 Gent, registered in the Crossroads Bank for Enterprises with enterprise number BE 0760.527.015 (“Easybox”).

This DPA describes the processing of Personal Data processed by Easybox on behalf of the Customer.

INTRODUCTION

Pursuant to the Agreement, Customer was granted access to the Easybox platform (the “Platform“). Through the Platform, personal data is collected and processed by Easybox on behalf of the Customer.

The Parties wish to enter into a processing agreement in accordance with the requirements of applicable Privacy Laws, including the AVG.

This DPA replaces previous provisions in past and current agreements between the Parties that are directly or indirectly related to the processing of personal data, privacy, access to personal data, data transfer and data security.

1. DEFINITIONS

1.1 Terms not explicitly defined in this DPA have the same meaning as in the Terms of Use. The terms and expressions used here are defined as follows:

“General Data Protection Regulation or AVG”	means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
“Concerned.”	means any identified or identifiable natural person to whom the Personal Data relates.
“Service”	means the online the offer of the Platform as well as affiliated services (support, maintenance,…)
“Purposes”	mean the specified, explicit and justified purposes of the Processing.
“Breach of Personal Data”	means any unauthorized or unlawful access, deletion, modification, loss or Processing of the Personal Data, any other event that results or may result in unintentional or unlawful deletion, loss, modification, unauthorized disclosure of or access to the Personal Data, any Personal Data Breach as it is defined in the AVG, or any indication that such a breach will occur or has occurred.
“Customer Data”	means all data in any form processed by Easybox on behalf of the Customer for the purpose of providing the Platform, including (as applicable) Personal Data.
“Personal Data”	means any information about an identified or identifiable natural person under the Agreement. An “identifiable” natural person is a natural person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
“Platform”	means the Easybox platform.
“Processor”	means the Processor as referred to in Article 4(8) of the AVG.
“Processor”	means the controller as referred to in Article 4(7) of the AVG.
“Data Protection Legislation”	means the AVG and any other local legislation within the European Economic Area that may apply to the Processing of Personal Data.
“Processing” or any variation of the verb “Process”	means any operation or set of operations relating to Personal Data, whether or not carried out by automated means, such as collection, recording, organization, structuring, storage, updating or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

1.2 All terms and expressions not expressly defined in this DPA shall have the meanings defined in the Agreement.

2. PROCESSING OF PERSONAL DATA

2.1 The Parties acknowledge that Easybox acts as Processor with respect to the Personal Data as a result of the performance of the Services. The Customer remains at all times the Processor with respect to the Personal Data.

2.2 Each of the Parties shall comply with its respective obligations in relation to the Processing of Personal Data under the Data Protection Legislation.

2.3 During the use of the Platform, the Customer may provide certain Personal Data for Processing to Easybox. Easybox will only Process this Personal Data during the term of the Agreement or during another agreed period (e.g. in case of early termination), and will in no case keep the Personal Data longer than necessary in function of the purpose for which they are Processed.

2.4 The nature and purpose of the Processing, the type of Customer Personal Data that will be Processed and the categories of Data Subjects in this DPA are further specified in Appendix 1.

2.5 Personal Data is processed within the European Economic Area. Easybox may transfer Personal Data to countries outside the European Economic Area, provided that such transfer meets the additional safeguards required by applicable Data Protection Legislation.

3. OBLIGATIONS OF THE CUSTOMER

3.1 By entering into this DPA, Customer instructs Easybox to process Customer Personal Data: (a) to provide the Service in accordance with its functions and functionalities; (b) to enable the actions initiated by Customer and Registered Users on the Service and this in accordance with this DPA and/or the Agreement.

3.2 Easybox shall immediately notify the Customer if, in its opinion, an instruction given by the Customer constitutes a breach of the AVG (or other Data Protection Laws). Easybox shall be entitled to suspend the execution of such instruction and not to further Process the Personal Data in accordance with instructions previously provided, following such notification. Such suspension shall not result in any right to compensation on the part of the Customer.

3.3 If Easybox is required to Process Personal Data or transfer Personal Data to a third country or an international organization under a provision applicable to it, Easybox will notify Customer of that legal provision, unless that legislation prohibits such notification.

3.4 Under this DPA and pursuant to the use of the Service, the Customer is responsible for complying with all obligations to which the Customer is subject under applicable Data Protection Laws, in particular with respect to the Processing of Personal Data.

3.5 Without prejudice to the foregoing, the Customer specifically agrees that it is solely responsible: (i) for the accuracy, quality and lawfulness of Personal Data and of the manner in which the Customer has obtained such Personal Data; (ii) for compliance with all obligations of transparency and lawfulness contained in the applicable Data Protection Laws regarding the collection and use of the Personal Data; (iii) and that it has the right to provide the Personal Data to Easybox and provide Easybox with access for Processing in accordance with the provisions of the Agreement; and (iv) that its instructions to Easybox regarding the Processing of Personal Data comply with applicable law, including the Data Protection Legislation. The Customer shall notify Easybox without unreasonable delay if it is unable to comply with its obligations under this Article or under the applicable Data Protection Legislation.

3.6 Nothing in this DPA shall constitute a right for the Customer to allow any person or entity, other than Registered Users, to directly or indirectly access and use the Service, or to use (or allow others to use) the Service for any unlawful purpose or in any manner other than as contemplated in the Agreement and/or in this DPA.

4. TECHNICAL AND ORGANIZATIONAL MEASURES

4.1 Easybox has implemented appropriate technical and organizational measures to ensure that the Processing is carried out in accordance with the Data Protection Legislation and to ensure an appropriate level of security of the Personal Data taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of different probability and severity to the rights and freedoms of natural persons.

4.2 Customer acknowledges that security requirements are subject to change and that effective security requires regular assessment and improvement of security measures. For that reason, Easybox will continuously evaluate and strengthen, add to or improve the measures taken to comply with its obligations Easybox may modify and revise the technical and organizational measures at its sole discretion, to the extent that such modification or revision does not result in a material deterioration of the protection currently provided by the current measures.

4.3 Easybox will document all information necessary to demonstrate the above compliance (including a register of processing activities). Upon Customer’s simple request, Easybox will make these documents available.

5. CONFIDENTIALITY 

5.1 Easybox undertakes to guarantee the confidentiality of the Personal Data Processed.

5.2 Easybox will inform any person who has access to the Personal Data (including employees, temporary employees and independent workers) about the obligations on behalf of Easybox regarding the Customer’s Personal Data.

5.3 Easybox will ensure that all persons involved in the Processing of Customer’s Personal Data are bound by professional or legal confidentiality, with the aim of safeguarding the confidentiality and integrity of Customer’s Personal Data.

6. SUBVERTISERS

6.1 The Customer grants its consent to engage (external) sub-processors in order to Process Personal Data (including onward transfer).

6.2 Currently, Easybox uses the external parties listed in Appendix 2 as sub-processors. By signing this Agreement, Customer grants its written consent to use listed sub-processors for the purpose of Processing Personal Data on behalf of Customer.

6.3 Easybox will notify Customer by email and/or by notice on the Platform of any intended change regarding the addition or replacement of its current sub-processors prior to such change. The Customer may object to such addition or replacement based on legitimate reasons relating to the protection of Personal Data within 30 days of the notification by sending an email to hello@easybox.com. If Customer does not object within this period, Customer shall be deemed to have waived its right to object and to have authorized Easybox to engage such subprocessor.

6.4 In the event the Customer notifies Easybox of such objection, the Parties shall proceed to discuss the objection with the aim of reaching a reasonable solution. If no such resolution can be reached, Easybox may, at its sole discretion, decide not to appoint the new sub-processor or allow the Customer to suspend or terminate the relevant Service in accordance with the provisions on termination of the Agreement without liability to the other party (whereby any fees for the period prior to the suspension or termination of the Agreement shall, however, remain payable by the Customer).

6.5 Easybox’s sub-processors are bound by the same contractual obligations as set forth in this Agreement, as applicable given the nature of the services provided by such sub-processors. If a sub-processor fails to comply with its data protection obligations, Easybox shall remain fully liable to the Customer for the performance of the obligations of such sub-processor.

7. INFORMATION REQUIREMENT AND ASSISTANCE

7.1 Easybox will assist Customer in fulfilling its duty to respond to requests from Data Subjects for the purpose of exercising their rights:

• • by notifying the Customer of any requests received in relation to Personal Data from a Data Subject, a supervisory authority and/or any other authority competent for Data Protection Legislation;
  • by providing reasonable cooperation to the Customer in responding to requests from the Data Subject in accordance with the AVG, however after obtaining approval from the Customer;
  • by ensuring that Easybox has the technical and organizational capabilities to remove the Personal Data of the Data Subject who requests such a right from the Data Subject’s system, records or databases. Personal Data may remain present on backup or archival media that are securely isolated and shielded from further Processing and then permanently deleted in accordance with the retention period policy.

Notwithstanding the foregoing, Customer remains responsible for the proper handling of such requests from Data Subjects.

7.2 Taking into account the nature of the Processing and to the extent Easybox can reasonably dispose of the required information (, Easybox shall provide reasonable assistance to the Customer, upon request, in performing a privacy impact assessment and in any prior consultation of the competent supervisory authority. To the extent permitted by applicable Data Protection Laws, the costs of such assistance by Easybox shall be borne by the Customer.

7.3 Easybox will notify Customer of Customer’s Personal Data Breach via email message without unreasonable delay and in any event within 48 hours of becoming aware of it. The Customer shall ensure that its contact details are current and correct throughout the duration of this Agreement.

7.4 Easybox will make available to Customer all information necessary and to the extent required by law to demonstrate compliance with the obligations set forth in this Agreement and will facilitate and contribute to audits, including inspections, conducted by an external auditor mandated by Customer during the term to demonstrate compliance with the terms of the Agreement.

7.5 Customer shall limit its initiatives to conduct an audit or inspection to no more than once per year, except in the event that (i) it is mandated by law, (ii) Easybox has experienced a Personal Data Breach in the preceding twelve (12) months that has affected Customer’s Personal Data or (iii) in the event of a mutual agreement, and shall notify Easybox of such request at least 30 business days prior to the audit.

7.6 The Customer guarantees that the audit will be executed in such a way that the inconvenience for Easybox is kept to a minimum. Customer shall impose on its auditors an adequate confidentiality obligation. In addition, Easybox may require Customer and its auditors to enter into a non-disclosure agreement prior to the start of the audit.

7.7 The scope of an audit may not result in an obligation to give or provide to the auditor access to: (a) information or data of any other customer of Easybox; (b) trade secrets of Easybox or related information; (c) information which, in Easybox’s reasonable opinion, may compromise the security of Easybox’s systems or premises or which may result in Easybox breaching its obligations under Data Protection Legislation or other security, confidentiality or privacy obligations to other customers of Easybox or to third parties; or (d) any information that the auditor wishes to inspect for reasons other than the good faith performance of its obligations under the Data Protection Legislation and Easybox’s compliance with the provisions of this DPA.

8. ERASURE OR RETURN

8.1 Upon termination or expiration of the Agreement, Easybox will proceed to erase or return all Personal Data Processed pursuant to this Agreement (and all existing copies), unless (i) Easybox is obligated under applicable law to retain the Personal Data, or (ii) the Personal Data is archived in a backup system that is kept segregated by Easybox in a secure manner, is shielded from further Processing, and where data is deleted in accordance with Easybox’s data retention policy.

9. DURATION

9.1 This DPA shall automatically terminate upon the termination of the Term determined in the Order Confirmation unless this DPA is terminated earlier.

10. LIABILITY

10.1 If it can be proven that Easybox has not fulfilled its obligations under this Processing Agreement or under the AVG, Easybox will be liable for the proven direct damage suffered by the Customer. Easybox shall not be liable for indirect, intangible and/or consequential damages, including loss of profits, loss of opportunity, loss of and/or damage to data, loss of reputation, sanctions and/or fines, and unforeseeable damages. Easybox’s liability to Customer shall in any event be limited to the total amount paid by Customer to Easybox under the Agreement during the last 12 months.

10.2 Each Party shall be liable for administrative fines imposed by a supervisory authority in relation to its own Processing.

10.3 No provision of this DPA shall limit or exclude any liability or right to which the Data Subject may be entitled under law in case of damages resulting from a breach of the AVG by Easybox in its capacity as Processor.

10.4 The provisions of this clause are without prejudice to any other liability provision contained in the Agreement.

11. APPLICABLE LAW AND JURISDICTION

11.1 This DPA is subject to and shall be interpreted in accordance with the Belgian Data Protection Legislation unless otherwise required by applicable Data Protection Legislation.

11.2 Disputes arising from this Agreement must be brought before the courts as set forth in the Agreement.