- The Customer will give VANROEY.BE access to Personal Data to perform the Services. VANROEY.BE will not store any Personal Data. Personal Data will only be stored on the Customer’s own tenant.
The Personal Data will be processed by using VANROEY.BE’s systems. The processing will be performed only for the purpose of performing the Services. VANROEY.BE warrants that it will comply with all its obligations resulting form the General Data Protection Regulation (GDPR).
- Should the Customer ask VANROEY.BE for information which is not in the scope of the Services then VANROEY.BE inform the Customer of this fact. In such a case VANROEY.BE will not give the customer this information, if this notification would breach any provision of GDPR.
- For the performance of the Services the Customer is the Controller and VANROEY.BE will be the Processor. Parties will need to comply with their respective obligations, following from GDPR.
- The following provisions will be applicable on the processing of Personal Data by VANROEY.BE.
- As a Processor of Personal Data under the Services, VANROEY.BE will process the following types of Personal Data: address and financial data of third parties, contact information of customers, and so on.
- The Personal Data will concern Personal Data of the following types of data subjects: employees, customers, suppliers, and so on.
- The processing of Personal Data will be performed only for the purposes of performing the Services or VANROEY.BE’s legal of judicial obligations. The Personal Data will be processed for the duration of the Services or for as long as is needed to perform VANROEY.BE’s legal or judicial obligations. If VANROEY.BE is obligated to process the Personal Data for legal or judicial obligations, VANROEY.BE will inform the Customer immediately, unless VANROEY.BE is legally of judicially not allowed to do so.
VANROEY.BE will not store any of the Personal Data of the Customer. All Personal Data will be stored on the Customer’s own tenant.
To be able to perform the Services VANROEY.BE will need an extensive access to the systems of the Customer. The Customer gives VANROEY.BE the explicit consent to access these systems. If this access is not granted then the Services can not be performed. The Customer can read more about the access to the information and the processing in the Security description.
- VANROEY.BE will process the Personal Data on instructions of the Customer.
- Should VANROEY.BE change the Sub-processors they use then VANROEY.BE will inform the Customer of these changes. The Customer will be entitled to make reasonable objections to such changes. The Customer will have to communicate these reasonable objections within a period of ten (10) days after being informed by VANROEY.BE of these changes.
- The fact that VANROEY.BE engages a Sub-processor does not exempt VANROEY.BE of any of its responsibilities toward the Customer.
- When VANROEY.BE engages a Sub-processor the Sub-processor will be subject to provisions equal to these.
- VANROEY.BE will take all reasonable measures to limit the access to the Personal Data for these employees, Subcontractors, and third parties of VANROEY.BE who need the access to perform the Services. And to comply with applicable legislation.
- The Customer acknowledges that Personal Data can be shared with affiliated companies of VANROEY.BE if this is necessary to perform the Services.
Both Parties guarantee that they will take appropriate technical- and organisational measures to safeguard the Personal Data. And that they will keep taking these measures throughout the duration of the Services.
5. Information and assistance
- VANROEY.BE will comply with every reasonable request by the Customer concerning the rights of data subjects in GDPR.
- The Customer is obligated to comply with all provisions of GDPR, or any other privacy legislation, that is applicable on him. Should the Customer be in a better position to comply with a specific request VANROEY.BE will inform the Customer thereof. Should the Customer still ask VANROEY.BE to comply with the request, then VANROEY.BE will charge the Customer a reasonable fee for this.
- Should VANROEY.BE receive a request form a data subject directly, then VANROEY.BE will inform the Customer of this request immediately. VANROEY.BE will not react to such a request from a data subject without having received any instructions of the Customer.
- If VANROEY.BE is of the opinions that a request, or instructions, of the Customer breach the provisions of GDPR, or any other privacy legislation, then VANROEY.BE will inform the Customer of its opinion.
- The Customer can check the compliance with these provisions. Customer has the right to perform this check on the location where VANROEY.BE performs the data processing.
- VANROEY.BE can limit the Customer’s access to a room/location that has been provided by VANROEY.BE. The auditor can not copy or remove any documents of VANROEY.BE without having received explicit and prior consent of VANROEY.BE.
- If the Customer wishes to perform an audit, they will need to inform VANROEY.BE of their intention on a timely manner. They will need to inform VANROEY.BE at least one (1) month in advance.
- The Customer guarantees that the audit will be performed in such a fashion that the inconvenience or hinder to VANROEY.BE will be limited to the absolute minimum. If the date for the audit, as suggested by the Customer, entails to many practical problems for VANROEY.BE then VANROEY.BE will inform the Customer of these objections. VANROEY.BE will inform the customer within 7 days. Parties will try to find a new date which is as close as possible to the original date.
- The Customer can only perform 1 audit per year.
- The Customer will impose sufficient confidentiality obligations on the auditor. VANROEY.BE has the right to obligate the auditor to sign a confidentiality agreement before being allowed to perform the audit. It is necessary to protect all confidential information of VANROEY.BE.
- All costs of the audit will have to be paid by the Customer.
7. Personal data breach
- VANROEY.BE will inform the Customer, without any unreasonable delay, of any data breach concerning their personal data.
- VANROEY.BE will inform the Customer of any development after the initial notification concerning the data breach.
- Parties will bear their own costs in relation to the data breach notification to the supervisory authority, or the notification of the data subjects.
- Should their support of the Customer cause VANROEY.BE disproportionate burdens, then VANROEY.BE will charge the Customer a reasonable fee, in accordance with the fee that is applicable at that time.
8. Data deletion or return
When the Services end the Customer will have the choice to have the data deleted, or to have the data returned. After a period, the data will be removed by VANROEY.BE unless there is a legal obligation which forces VANROEY.BE to store the data.