DATA PROCESSING AGREEMENT


  1. DEFINITIONS AND INTERPRETATION

This Data Processing Agreement is a schedule to the Agreement pursuant to which Vecos provides Services to the Customer. This Schedule is applicable whether or not the Customer is a Data Controller that is subject to the GDPR. Terms used in this Schedule have the same meaning as those used in the Agreement, unless explicitly provided otherwise in Clause 19 (Definitions) of this Data Processing Agreement. If there are any conflicts between this Schedule and the Agreement on the subject of data privacy, the Schedule prevails. For purposes of the DPA, "Customer" also means each of its ordering Affiliates, unless explicitly provided otherwise.

  1. SUBJECT AND DURATION OF THE PROCESSING
    1. Vecos shall only Process Personal Data on documented instructions from the Customer and for purposes authorised by the Customer.
    2. The Customer hereby instructs Vecos to Process Personal Data in accordance with the specifications set out in this Schedule. The Agreement and the Schedule are Customer's complete and final instructions to Supplier for the Processing, except to the extent agreed otherwise by the Parties.
    3. Vecos may not Process Personal Data for its own purposes without the prior written consent of the Customer.
    4. When carrying out its obligations under the Agreement, Vecos shall comply with Applicable Data Processor Law. Vecos shall deal promptly and appropriately with requests for assistance from the Customer to ensure compliance of the Processing with Applicable Data Protection Law.
    5. Prior to any transfer of Personal Data, Customer shall obtain all necessary consents, approvals, licenses, permits and waivers required under Applicable Data Protection Law to process, use, disclose and transfer Personal Data. This requirement also includes any notifications made to competent data protection authorities. Customer shall comply with Applicable Data Protection Law during the term of the Agreement.
  2. NATURE AND PURPOSE OF THE PROCESSING

The nature and purpose of the Processing of Personal Data by Vecos is the Processing of Personal Data necessary for the use and support of the smart locker system provided by Vecos to the Customer.

  1. TYPES OF PERSONAL DATA AND CATEGORIES OF INDIVIDUALS

The types of Personal Data which will be Processed are: identification information, location information and usage data, among which: name and address details, contact details such as e-mail, phone number, personnel registration number, access records (usage of the locker: which locker for which duration, opening and closing time of the locker door), badge number of lockers used (typically the building access card) with a start and end date of use and a 'friendly' name on the badge. For Individuals that use a mobile phone, the unique id of the phone together with the brand, operating system and operating system version number is also Processed.

  1. The categories of Individuals of which Personal Data will be Processed by Vecos:

Users of the smart locker system provided by Vecos to the Customer, such as employees and guests of the Customer, system operators.

  1. SECURITY
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vecos shall implement appropriate technical, physical and organisational security measures appropriate to the risk, in particular to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised Disclosure or access, and against all other forms of unlawful Processing including, but not limited to, unnecessary collection or further Processing.
    2. Vecos shall remain ISO27001 certified (or certified for a comparable standard) for the duration of the Agreement.
  2. NON-DISCLOSURE AND CONFIDENTIALITY
    1. Vecos shall keep Personal Data confidential and shall not Disclose Personal Data in any way to any Employee or Third Party without the prior written approval of the Customer, except where (i) the Disclosure is required for the performance of the Processing, or (ii) where Personal Data need to be Disclosed to a competent public authority to comply with a legal obligation or as required for audit purposes.
    2. Vecos shall provide Employees access to Personal Data only to the extent necessary to perform the Processing. Vecos shall ensure that any Employee it authorises to have access to Personal Data Processed on behalf of Vecos commit themselves to the confidentiality and security of the Personal Data.
  3. SUB-PROCESSORS
    1. The Customer hereby provides Vecos with a general authorisation to engage Sub-Processors. Vecos remains fully liable to the Customer for the Sub-Processor's performance of the contract, as well as for any acts or omissions of the Sub-Processor in regard to its Processing.
    2. Vecos engages the following Sub-Processors at the moment of execution of the Agreement:

| Customer location | Sub-Processor | Function | Sub-Processor Location |
|---|---|---|---|
| EEA | Microsoft | Azure platform | Geo Azure Platform: West and North Europe |
| USA | Microsoft | Azure platform | Geo Azure Platform: West and East USA |
| Asia & Pacific | Microsoft | Azure platform | Geo Azure Platform: Australia |
| Any country within Europe, the Middle East, or Africa ("EMEA") | Amazon Web Services EMEA SARL | SMTP relay functions within Releezme | Luxembourg. Geo Amazon: EEA |
| Any other country that is not in EMEA | Amazon Web Services, Inc. | SMTP relay functions within Releezme | Seattle, USA. Geo Amazon: USA |
| All | Sioux Technologies B.V. | Support and software development | Eindhoven, the Netherlands, EEA |
| All | WSB Solutions B.V. | Network/office support | Hardinxveld-Giessendam, the Netherlands, EEA |
| All | OTRS AG | Service desk software | Oberursel, Germany, EEA |

Vecos shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors. The (privacy) conditions of Microsoft and Amazon applicable to the services provided by Microsoft respectively Amazon apply to their engagement and are published on their websites. Vecos will provide a link to Customer upon first request.

  1. Prior to engaging any Sub-Processor, Vecos shall enter into a written agreement with each such Sub-Processor containing obligations on it in relation to Personal Data that are equivalent to, and no less onerous than, those set out in this Data Processing Agreement, any related written instructions given by Customer and Applicable Data Processor Law and promptly upon request from the Customer provide details of any such agreement to the Customer.
  2. The Customer has the right to object against the use of a new Sub-Processor on reasonable grounds. Vecos will notify the Customer at least two (2) months in advance prior to appointment of a new Sub-Processor, during which no Personal Data may be transferred or otherwise disclosed to any such Sub-Processor. If the Customer executes the right to object against the use of a new Sub-Processor, the parties shall negotiate in good faith in order to agree on a suitable Sub-Processor. In case the Parties cannot come to an agreement within sixty (60) days, either Party may terminate the Agreement with immediate effect by providing - before the end of the relevant notice period - written notice of termination to the other Party and giving an explanation of such grounds.

Vecos shall submit its relevant Processing systems, facilities and supporting documentation to an inspection or audit relating to the Processing by a competent public authority if this is necessary to comply with a legal obligation. In the event of any inspection or audit, each Party shall provide all reasonable assistance to the other Party in responding to that inspection or audit. If a competent public authority deems the Processing in relation to the Agreement unlawful, the Parties shall take immediate action to ensure future compliance with Applicable Data Protection Law and Applicable Data Processor Law.

  1. NOTIFICATIONS OF DISCLOSURES AND DATA SECURITY BREACHES
    1. Vecos shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other (member states of the) European Union's data protection provisions.
    2. Vecos shall inform the Customer without undue delay, and in any case within 48 hours, if it:
      • receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing, except where Vecos is otherwise prohibited by law from making such disclosure;
      • intends to Disclose Personal Data to any competent public authority; or
      • detects or reasonably suspects that a Data Security Breach has occurred.
  2. In the event of a Data Security Breach, Vecos shall promptly take adequate remedial measures. Furthermore, Vecos shall promptly provide the Customer with all relevant information as requested by the Customer regarding the Data Security Breach. Vecos shall fully cooperate with the Customer to develop and execute a response plan to address the Data Security Breach.

Vecos shall, at the Customer’s cost and expense, assist the Customer when conducting any data protection impact assessments in connection with the performance of this Agreement.

  1. REGISTER

Vecos will keep a register of all categories of Processing activities. If requested, the Customer or Vecos will make this register available to the competent public authority.

  1. NOTIFICATION OF NON-COMPLIANCE AND RIGHT TO SUSPEND OR TERMINATE
    1. Vecos shall promptly notify the Customer if Vecos:
      • cannot for any reason comply with its obligations under this Schedule; or
      • becomes aware of any circumstance or change in Applicable Data Processor Law that is likely to have a substantial adverse effect on Vecos's ability to meet its obligations under this Schedule.

COOPERATION, COMPLAINTS, REQUESTS AND ENQUIRIES
  1. Vecos shall deal promptly and appropriately with inquiries of the Customer related to the Processing under the Agreement.
  2. Vecos shall promptly inform the Customer of any complaints, requests or enquiries received from Individuals, including but not limited to requests to access, correct, delete, block or restrict access to their Personal Data or receive a machine-readable copy thereof. At the Customer's request, Vecos shall assist the Customer with fulfilling its obligation to respond to such complaints, requests or enquiries. Vecos shall not respond to the Individual directly except where specifically instructed by the Customer.
ASSISTANCE WHEN CONDUCTING PIAS
LIABILITY
  1. The liability of Vecos for damages resulting from or in connection with a breach of this Data Processing Agreement or for any breach by it of Data Protection Laws, will not exceed the aggregate of the total Charges paid (i) under the Order pursuant to which the event arose that gave rise to the liability, and (ii) in the twelve months immediately preceding such event. The scope of damages resulting from or in connection with a breach of this Data Processing Agreement or for any breach by it of Data Protection Laws will not be limited by the Releezme SaaS Conditions.
  2. Subject to Clause 15.4 of this Data Processing Agreement, Vecos agrees to indemnify the Customer on first written demand for and against any claim, fine or penalty by any person (including supervisory authorities) alleging that the processing of Personal Data by Vecos infringes any Data Protection Laws, or alleging that the Customer has breached any Data Protection Laws and such infringement or breach is attributable to Vecos’s breach of this Agreement.
  3. Subject to Clause 15.4 of this Data Processing Agreement, Vecos agrees to indemnify the Customer on first written demand for and against any costs resulting from or in connection with a Security Breach, if and to the extent such Security Breach is caused by or attributable to a breach by Vecos of the Agreement, including the breach of any obligation to protect Personal Data under the Agreement.
  4. In no event shall the total aggregate liability of Vecos under the Data Processing Agreement (including any indemnifications under Clauses 15.2 and 15.3 and under any other agreement between Vecos and the Customer) exceed the aggregate of the total Charges paid (i) under the Order pursuant to which the event arose that gave rise to the liability, and (ii) in the twelve months immediately preceding such event.
RETURN AND DESTRUCTION OF PERSONAL DATA
  1. All Personal Data shall be immediately returned to the Customer and/or deleted upon the Customer's first request. Vecos shall not retain Personal Data any longer than is necessary for the purposes of performing its obligations under the Agreement.
  2. Upon termination of the Agreement, Vecos shall, at the option of the Customer, return the Personal Data and copies thereof to the Customer and/or shall securely destroy such Personal Data, except to the extent the Agreement or Applicable Data Processor Law provides otherwise. In that case, Vecos shall no longer Process the Personal Data, except to the extent required by the Agreement or Applicable Data Processor Law. The Customer may require Vecos to promptly, and in any case within five (5) business days, confirm and warrant that Vecos has returned, deleted and/or destroyed all copies of Personal Data. Vecos shall, at the request of the Customer, allow its Processing facilities to be audited to verify that Vecos has complied with its obligations under this Clause 16.2.
TRANSFER
  1. If the Customer is located in the European Economic Area (EEA), Vecos shall not transfer Personal Data to any country outside the EEA or make any Personal Data accessible from any such country without the prior written consent of the Customer. With regard to Microsoft and Amazon, Vecos shall make sure that the residence of the Personal Data is in geo’s within the EEA if the Customer is located in the EEA. If Customer is located outside the EEA, Vecos will use the geo’s on the Microsoft and Amazon platform as specified in clause 7.2.
  2. Any transfer of Personal Data outside the country of VECOS or any Sub-Processor in a third country shall be governed by a data transfer legal instrument as required by Data Protection Law. Vecos shall ensure that all Sub-Processors engaged by it co-sign or comply with such data transfer legal instrument. Vecos and Customer shall work together to apply for and obtain any permit, authorisation or consent that may be required under Applicable Data Processor Law in respect of the implementation of this clause.
NOTICES

All notices, confirmations and other statements made by the parties in connection with this Schedule shall be in writing and shall be sent by e-mail to the address as provided to each other by the parties.

  1. DEFINITIONS

In this Schedule:

Agreement means the Customer Agreement “Releezme Saas” between Vecos and the Customer;

Affiliate means in relation to either party the ultimate parent company of that party and any company, partnership or legal entity of which the ultimate parent company directly or indirectly owns more than 50% of the issued share capital or otherwise directs the activities of such other legal entity;

  • Applicable Data Processor Law means the Data Protection Laws that are applicable to Vecos;
  • Applicable Data Protection Law means the Data Protection Laws applicable to Customer;
  • Data Controller means the entity or natural person which alone or jointly with others determines the purposes and means of the Processing;
  • Data Processor means the entity or natural person which Processes Personal Data on behalf of a Data Controller;
  • Data Protection Law means (i) the GDPR, and (ii) all laws and regulations and sector recommendations, including those in the United States, containing rules for the protection of individuals with regard to the Processing, including without limitation security requirements for, and the free movement of, Personal Data;
  • Data Security Breach means the accidental or unlawful destruction, loss, alteration, unauthorised Disclosure of, or access to the Personal Data of an Individual;
  • Disclosure means any form of disclosure of Personal Data to (including remote access by) any Employee or any Third Party. Disclose and Disclosed are to be construed accordingly;
  • EEA means all member states of the European Union, Iceland, Liechtenstein, Norway and, for the purposes of the Schedule, Switzerland and the UK;
  • Employee means any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Vecos;
  • GDPR means EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
  • Individual means any individual whose Personal Data is Processed by Vecos as part of the provision of the Services provided to the Customer and in the course of the performance of the Agreement;
  • Personal Data means any information relating to an identified or identifiable Individual that is Processed by Vecos on behalf of the Customer in the course of the performance of the Agreement;
  • Processing means any operation that is performed on Personal Data, whether or not by automated means, such as collection, recording, storage, organisation, alteration, use, Disclosure (including the granting of remote access), transmission or deletion of Personal Data. Process and Processed are to be construed accordingly;
  • Sub-Processor means (i) any Third Party, including Vecos' Affiliates, engaged by Vecos that Processes Personal Data under the instruction or supervision of Vecos; and

Third Party means any party other than the parties to the Agreement.