Data processing agreement
Puratos (Philippines) Inc., with its registered office at #14 Perfecto Avenue, Bagumbayan, Taguig City, Philippines, hereby duly represented by its general manager Luisito Medina-Cue, Jr., hereinafter referred to as ‘Puratos Philippines’;
The Customer, as identified in the Main Agreement.
Hereinafter collectively referred to as the ‘Parties’, and individually as a ‘Party’.
Within the context of the performance of certain activities and services for the Customer, Puratos Philippines shall have access to Personal Data and/or will have to Process this Personal Data, for which the Customer is responsible as ‘Controller’ in accordance with (i) the Philippine Data Privacy Act of 2012 (DPA) (Republic Act No. 10173) and its Implementing Rules and Regulations, (ii) the General Data Protection Regulation of 27 April 2016 (‘the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC’) and (iii) all (future) Philippine issuances regarding the implementation of the DPA (hereinafter referred to as the ‘Privacy Legislation’). Through this Agreement Parties wish to determine in writing their mutual agreements with regard to (i) managing, securing and/or Processing of such Personal Data and (ii) Parties’ obligation to comply with the Privacy Legislation in the situations where Puratos Philippines serves as a Processor on behalf of the Customer. This Agreement is without prejudice to the Processing of Personal Data in situations where Puratos Philippines serves as a Controller as stated in the Main Agreement.
THEREFORE PARTIES HAVE AGREED AS FOLLOWS
ARTICLE 1: DEFINITIONS
1.1 In this Agreement, the following concepts have the meaning described in this article:
Agreement: this document, the ‘Data Processing Agreement’, including any annexes, which is part of the Main Agreement;
Assignment: All activities, performed by Puratos Philippines for the Customer, and any other form of cooperation whereby Puratos Philippines Processes Personal Data for the Customer, regardless of the legal nature of the agreement under which this Processing takes place;
Controller: The entity, which determines the purposes and means of the Processing of Personal Data;
Data Subject: A natural person to whom the Personal Data relates;
Data Breach: Unauthorized disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data, which are Processed by Puratos Philippines on behalf of the Customer;
DPA: The Philippine Data Privacy Act of 2012, which concerns the protection of privacy of natural persons and regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data;
GDPR: Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Personal Data: Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
Processor: The entity which Processes Personal Data on behalf of the Controller;
Process/Processing: Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, including, but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
Sub-processor: Any Processor engaged by Puratos Philippines;
ARTICLE 2: ROLES OF THE PARTIES
2.1 Parties acknowledge and agree that in situations where the Customer acts as Controller with regard to use of the Services, Puratos Philippines acts as Processor on behalf of the Customer. Further, Puratos Philippines is allowed to engage Sub-processor(s) pursuant to the requirements set forth in Article 6.
ARTICLE 3: USE OF THE SERVICES
3.1 The Customer acknowledges explicitly that:
- The Customer shall be solely responsible for how it makes use of the Services to Process Personal Data as Controller;
- The Customer shall be solely responsible to comply with all laws and regulations (such as but not limited to the retention period) imposed on it by making use of the Services.
3.2 In case of misuse by the Customer of the Services, the Customer agrees that Puratos Philippines can never be held liable in this respect nor for any damage that would occur from such misuse.
3.3 The Customer therefore undertakes to safeguard Puratos Philippines when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.
ARTICLE 4: OBJECT
4.1 Customer acknowledges that as a consequence of making use of the Services of Puratos Philippines, the latter shall Process Personal Data as collected by the Customer.
4.2 Puratos Philippines shall Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.
4.3 Puratos Philippines shall, in situations where Puratos Philippines serves as a Processor of Personal Data on behalf of the Customer, the Controller, only Process the Personal Data upon request of the Customer and in accordance with its instructions, as described in Annex I, unless any legislation states otherwise without prejudice to the Processing of Personal Data in situations where Puratos Philippines serves as a Controller as stated in the Main Agreement.
4.4 Notwithstanding 4.3, Puratos Philippines shall honor the Customer’s instructions, to the extent that:
- The Customer has informed Puratos Philippines of these instructions in advance and they have been accepted by Puratos Philippines in writing; and
- Puratos Philippines's systems allow this, thereby taking into account the functionalities of these systems that are provided by Puratos Philippines when Puratos Philippines receives the instructions from the Customer. If the Customer uses Puratos Philippines's systems and Puratos Philippines has not approved the Customer's instructions in writing, this will be at the Customer's own risk. If, in the Customer's opinion, Puratos Philippines's systems do not or insufficiently provide the possibility to support the Customer's instructions, the Customer will contact Puratos Philippines to further discuss these instructions. Puratos Philippines does not guarantee that the Customer's instructions are fully compatible or can be implemented by Puratos Philippines's systems.
4.5 The Customer, as Controller, owns and retains full control concerning (i) the Processing of Personal Data, (ii) the types of Personal Data Processed, (iii) the purpose of Processing Personal Data and (iv) the fact whether such Processing is proportionate (non-limitative). Moreover, the Customer shall be solely responsible to comply with all (legal) obligations in its capacity as Controller and shall have the sole responsibility for the accuracy, quality, and legality of the Personal Data, entered into the Services of Puratos Philippines, and the means by which it acquired such Personal Data. The responsibility and control concerning the Personal Data, subject to this Agreement, shall thus never be vested in Puratos Philippines.
4.6 Puratos Philippines shall assist the Customer in its GDPR responsibilities as Controller in the matter of processing security, Data Breach reporting to the data protection authority, data protection impact assessments (if applicable) and prior consultation.
ARTICLE 5: SECURITY MEASURES
5.1 Puratos Philippines has taken the following security measures, which are in accordance with the common practices in this industry:
- Physical measures for access security;
- Logical access control via passwords;
- Organizational measures for access security;
- Random monitoring of compliance with the policy;
- Protection of the network connections via Secure Socket Layer (SSL) technology;
- A secure internal network;
- Special purpose access restrictions;
- Inspection of granted access.
Additionally, Puratos Philippines will make the necessary effort to ensure that the security measures in place are sufficient, thereby taking into account the state of the art, the sensitivity of the Personal Data and the costs concerning the security. The Customer will only provide Personal Data to Puratos Philippines for Processing if it has made sure that the required security measures have been taken. The Customer is responsible for ensuring that the measures agreed between Parties are complied with.
ARTICLE 6: SUB-PROCESSORS
6.1 The Customer acknowledges and agrees that Puratos Philippines may engage third-party Sub-processors in connection with the Assignment. In such case, Puratos Philippines shall ensure that the Sub-processors are at least bound by the same obligations by which Puratos Philippines is bound under this Agreement. At the Customer’s request, Puratos Philippines will provide a list of involved Sub-processors.
ARTICLE 7: TRANSFER OF PERSONAL DATA OUTSIDE THE PHILIPPINES
7.1 The Customer explicitly agrees that Puratos Philippines can transfer Personal Data outside the Philippines if this transfer is necessary for processing, keeping in mind the principle of accountability under Sec. 21 of the DPA.
ARTICLE 8: CONFIDENTIALITY AND SECRECY
8.1 Puratos Philippines shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without the prior written agreement of the Customer, unless when:
- Explicit written deviation from this Agreement;
- Such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case Puratos Philippines shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with the Customer.
8.2 Puratos Philippines shall ensure that its personnel, engaged in the performance of the Assignment, are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Puratos Philippines shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
8.3 Puratos Philippines shall ensure that its access to Personal Data is limited to such personnel performing the Assignment in accordance with the Agreement.
ARTICLE 9: NOTIFICATION
9.1 Puratos Philippines shall use its best efforts to inform the Customer within a reasonable term when it:
- Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data;
- Has the intention to disclose Personal Data to a competent public authority.
9.2 Parties will report to each other and, in the given case, to the data protection authority concerned, all security and/or Data Breaches that have an impact on the performance of the Assignment, and in particular the protection of the Personal Data that they Process within the framework of the Main Agreement. The obligation to report, in any case, encompasses reporting the fact that a breach occurred. Additionally, the obligation to report encompasses:
- Reporting the (alleged) cause of the breach;
- What the (known and/or expected) consequence is;
- What the (proposed) solution is; and
- The contact details to follow up on the report.
9.3 Parties are required to report to the data protection authority concerned within 72 hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred, all security and/or Data Breaches when all of the following are present: breach of sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud, the data is reasonably believed to have been acquired by an unauthorized person, and the data protection authority or the personal information controller believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.
ARTICLE 10: RIGHTS OF DATA SUBJECTS
10.1 To the extent the Customer – in its use of the Services – does not have the ability to correct, amend, block or delete Personal Data, as required by Privacy Legislation, Puratos Philippines shall – to the extent it is legally permitted to do so – comply with any commercially reasonable request by the Customer to facilitate such actions. To the extent legally permitted, the Customer shall be responsible for any costs arising from Puratos Philippines’s provision of such assistance.
10.2 Puratos Philippines shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. Puratos Philippines shall, however, not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to the Customer to which the Customer hereby agrees. Puratos Philippines shall provide the Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent the Customer does not have access to such Personal Data through its use of the Services. To the extent legally permitted, the Customer shall be responsible for any costs arising from Puratos Philippines’s provision of such assistance.
10.3 If Puratos Philippines has to erase the Personal Data of a Data Subject in case of the aforementioned assistance, the Customer acknowledges that Puratos Philippines cannot be held accountable when the Customer needs to Process the erased Personal Data again in the future as a part of an agreement between the Customer and one of its clients.
ARTICLE 11: RETURN AND DELETION OF PERSONAL DATA
11.1 Upon termination of the Main Agreement, Puratos Philippines shall inform the Customer that it has the right to demand an export of the gathered Personal Data at that point in time, taking into account the storage and anonymization measures as stated in the Main Agreement.
ARTICLE 12: CONTROL
12.1 The Customer may request Puratos Philippines to provide reasonable co-operation regarding an audit of Puratos Philippines's ways of working and systems. If the Customer requests this, the audit will exclusively be performed by an independent third party appointed by both Parties, at the Customer's request. Audit requests must be submitted to Puratos Philippines no later than 10 days prior to the audit. They must include a description of which components will be audited and the audit process itself, and may not disrupt Puratos Philippines's business activities. Puratos Philippines shall lend its co-operation to the audit, and make all relevant information that is reasonably needed, including supporting data like system logs, available, and will make employees available, in as far as the direct and/or indirect consequences do not violate the (contractual) rights, duties or statutory requirements of the general services and do not harm Puratos Philippines's interests. Puratos Philippines's assistance will not extend further than a maximum of three man-days per calendar year. If Puratos Philippines's provided assistance exceeds this time limit, it will invoice the Customer for the additional time, at the normal hourly rates amounting to 150,00 euros (excl. VAT) upon the commencement of this Agreement. If the audit report, whose findings are accepted by both Parties, points to a serious error or gross negligence on the part of Puratos Philippines with a view to the GDPR, the Customer will not have to reimburse Puratos Philippines for its assistance to the audit.
ARTICLE 13: LIABILITY
13.1 Puratos Philippines's liability for loss suffered due to an attributable failure to perform with regard to providing the Processing of Personal Data, either due to a wrongful act or otherwise, will be limited per event (whereby a series of consecutive events is deemed a single event) to payment of the direct damages up to a maximum of the payments that Puratos Philippines receives for work performed pursuant to this Agreement in the month prior to the event giving rise to the damage. Puratos Philippines's liability for consequential damage, lost profit, missed savings, a loss of goodwill, loss due to business interruption, loss due to a failure to achieve the marketing targets, loss concerning the use of the Customer's data or databases, or loss, corruption or destruction of data or databases is also expressly excluded. The Customer expressly agrees to this exclusion. The preceding is without prejudice to each Party's obligation to indemnify the other Party for liability towards third parties that arises from a violation of their obligations in accordance with the GDPR. All compensation is subject to Article 82 (Right to compensation and liability) of the GDPR.
ARTICLE 14: MISCELLANEOUS
14.1 This Agreement enters into force on 25/05/2018 or on the date of the Main Agreement if this would be later in time and lasts as long as the Assignment lasts. The provisions stated in this Agreement remain applicable as long as needed to settle this Agreement and for as far as they are meant to survive the end of the Agreement.
14.2 This Agreement and its annexes determine the rights and obligations of the Parties with regard to the object of the Agreement. It nullifies and replaces all previous written and/or oral proposals and agreements. All annexes form an integral part of this Agreement.
14.3 Deviations, alterations and/or additions to this Agreement shall only be valid and binding to the extent that they have been accepted in writing by both Parties.
14.4 This Agreement and the corresponding rights and obligations that exist in respect of the Parties, cannot be transferred, directly or indirectly, without the prior written consent of the other Party.
14.5 (Repeated) non-enforcement by a Party or by both Parties of any right or provision of this Agreement, can only be regarded as a toleration of a certain state, and does not lead to forfeiture.
14.6 This Agreement does not constitute a tacit waiver of rights. Except where explicitly provided for in this Agreement, a waiver of rights by either Party, or the circumstance that a Party does not submit a claim for an attributable failure to perform any provisions in this Agreement, does not constitute a waiver of rights concerning a subsequent attributable failure or would not otherwise affect the legal force of that provision. A Party cannot be deemed to have waived a right or claim pursuant to this Agreement, or concerning a breach of contract by the other Party, unless they expressly waive this right and notify the other Party in writing.
14.7 If one or more provisions of this Agreement are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this Agreement shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such event, Parties shall negotiate to replace the invalid provision by an equivalent provision in accordance with the spirit of this Agreement. If Parties do not reach an agreement, then the competent court may mitigate the invalid provision to what is (legally) permitted.
14.8 This Agreement is governed by and must be interpreted according to Belgian law. Only courts of the judicial district of Ghent have the jurisdiction to hear disputes. Parties will initially aim to reach an amicable solution concerning disputes between Parties.
ANNEX I: PROCESSING OF PERSONAL DATA
i) The Customer Processes Personal Data from its clients via software and integrations developed by Bakeronline as licensed to Puratos Philippines as Controller for the following purposes:
- Processing orders from the clients to the Customer;
- Answering to requests from the clients to the Customer;
- Marketing from the Customer to its clients.
ii) Within this context the Parties Process the following Personal Data:
- First and last name;
- Address (invoice and/or delivery address) if applicable;
- Email address;
- Phone number;
- Consumption habits (order time, content, type, origin, client, payment method, amount);
- Electronic identification data (IP address, cookies, …);
- Electronic localisation data (GPS if applicable);
- Financial identification data (bank account holder, cart number, bank account, payment method);
- Other Personal Data depending on the free fields added by the Data Subject and/or Customer.
iii) The categories of Data Subjects whose Personal Data shall be Processed within this context are the Customer’s clients. The Customer declares and warrants that the Data Subjects, whose Personal Data are supplied to Puratos Philippines by the Customer or by a third party, at the Customer's request, have given their unambiguous and express permission with regard to the Processing, which is part of the Services, or that the Customer may invoke any of the conditions in the GDPR based on which such permission is not required. The Customer declares that Puratos Philippines's planned Processing of Personal Data is not unlawful and does not violate the rights of third parties.
iv) Puratos Philippines shall retain the Personal Data as long as the Assignment and/or the Main Agreement is ongoing without prejudice to the measures related to Personal Data storage and anonymization as stated in the Main Agreement.
Finally, upon termination of the Assignment and/or the Main Agreement, Puratos Philippines shall also be entitled to retain the anonymized Personal Data (or part thereof) for statistical and analytical reasons.