The Data Processing Agreement outlines the conditions under which MTH processes personal data on behalf of the Customer. It ensures compliance with GDPR, defines roles (Data Controller and Data Proce
Article 1. DEFINITIONS
- “General Data Protection Regulation” or “GDPR” refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- “Data Subject(s)” refers to the identifiable natural person(s) whose Personal Data is (are) processed.
- “Data Breach” refers to a breach of the security of Personal Data that accidentally or unlawfully leads to the destruction, loss, alteration, or unauthorized disclosure of or unauthorized access to data transmitted, stored, or otherwise processed.
- “Employee(s)” refers to the persons authorized by the Parties for the performance of this Data Processing Agreement and who work under their responsibility.
- “Personal Data” refers to any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
- “Privacy Law” refers to the entire Belgian and European legislation applicable to data protection, including the General Data Protection Regulation.
- “Sub-processor” refers to any third party engaged by the Data Processor to process personal data on behalf of the Data Processor, without being subject to the direct authority of the Data Processor.
- “Supervisory Authority” in Belgium refers to the Data Protection Authority.
- “Data Processor” refers to any natural or legal person who processes Personal Data on behalf of the Data Controller.
- “Processing” refers to any operation or set of operations relating to Personal Data or a set of Personal Data, whether or not carried out by automated processes, such as collection, recording, organization, structuring, storage, updating or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
- “Data Controller” refers to any natural or legal person who determines the purposes and means of the Processing of personal data.
- “Data Processing Agreement” refers to this appendix to the Agreement.
Article 2. PURPOSE
- The current Data Processing Agreement aims to set out the conditions under which the Data Processor may process Personal Data on behalf of the Data Controller.
- The Parties agree that this Data Processing Agreement forms an integral part of the Agreement between MTH, acting as the Data Processor, and the Customer, acting as the Data Controller.
Article 3. PERMITTED PROCESSING
- The Data Processor undertakes to process Personal Data only on the basis of written instructions from the Data Processor arising from the Agreement. The Agreement and the Data Processing Agreement jointly determine the subject matter and duration of the Processing.
- The Data Processor and its Employees process the Personal Data on behalf of the Data Controller in the context of the services and purpose described below: any processing necessary to perform the services mentioned on the Order Form or any other processing for which the Data Controller has instructed the Data Processor. This includes at least the following: onboarding, Growth Services, user management, hosting, support, communication, sending e-mails within the Data Controller's organization, and sending invitations to new users for user account registration. In the context of Events, this also includes at least the management of registrations, registration of participants with the organizer, or any changes.
- For the entire duration of the Data Processing Agreement, the Data Processor may subject Personal Data to the following Processing operations: collection, recording, organization, structuring, storage, updating or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
- The Data Processor processes the following types of Personal Data: basic identification data (e.g., first name, surname), personal characteristics (e.g., date of birth), contact details (e-mail address), professional data or occupational data (e.g., status as an employer or worker, department, title, or position).
- This Personal Data relates to the following categories of Data Subjects: employees of the Data Controller.
Article 4. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
- The Data Controller has a duty to provide the information in Articles 13 and 14 of the GDPR to the Data Subjects who are the subject of the Processing operations under the current Data Processing Agreement.
- The Data Processor shall make the Personal Data, as set forth in this Data Processing Agreement, available to the Data Processor. The Data Controller determines the purpose and means of the Processing. It guarantees that the Processing of the Personal Data, including the transfer of the Personal Data, is done in a lawful manner and in accordance with the relevant Privacy Laws.
- The Processing by the Data Processor shall only take place on the basis of written instructions given by the Data Controller. The Data Controller guarantees that the instruction to Process the Personal Data is done in accordance with the Privacy Law. If the order for Processing changes, the Data Controller shall immediately inform the Data Processor.
- If the Employees of the Data Controller process Personal Data themselves, the responsibility for compliance with the requirements of the Privacy Laws of Processing Personal Data is the responsibility of the Data Controller and not the responsibility of the Data Processor.
- The Data Controller shall keep a register of processing activities carried out under its responsibility in accordance with Article 30(1) of the GDPR.
- All information and materials made available by the Data Controller to the Data Processor and containing Personal Data shall always be regarded as the property of the Data Controller.
Article 5. RIGHTS AND OBLIGATIONS OF THE DATA PROCESSOR
- The Data Processor may only process Personal Data that are strictly necessary for the performance of the Agreement and undertakes to process the Personal Data only for the purposes described in this Data Processing Agreement. The Data Processor shall not process the Personal Data for any purpose other than as specified by the Data Controller.
- The Data Processor undertakes to process the Personal Data only on the basis of the written instructions of the Data Controller and in accordance with the provisions of the Data Processing Agreement. If the Data Processor is expected to transfer Personal Data to a third country or to an international organization pursuant to the law of the European Union or the law of a Member State applicable to it, the Data Processor must notify the Data Controller prior to the Processing, unless the relevant law prohibits it from such notification on important grounds of public interest.
- The Data Processor guarantees the confidentiality of the Personal Data transmitted to it under the Data Processing Agreement. The Data Processor further warrants that all its Employees have undertaken to observe confidentiality or are bound by an appropriate legal obligation of confidentiality.
- The Data Processor may not store, transfer or otherwise process the Personal Data in a location outside the European Economic Area or transfer it to countries outside the European Economic Area without the prior written consent of the Data Controller. In addition, the Data Processor must ensure that the third country or international organization provides an adequate level of data protection. If this is not the case, appropriate guarantees must be given by contractual means or the express consent of Data Subjects must be obtained.
- The Data Processor shall process the Personal Data transmitted by the Data Controller for as long as necessary for the performance of the Agreement. As soon as the assignment has been performed, the Data Processor shall, within a reasonable time, unless expressly agreed otherwise, cease any use of the Personal Data other than what is necessary to enable the Data Controller to recover the data entrusted to the Data Processor.
- To the extent possible, the Data Processor shall assist the Data Controller in its duty to comply with requests from Data Subjects regarding the right of access, right of rectification, right of data erasure, right of restriction of Processing, right of data portability, or right of objection to automated individual decision-making (including profiling). In the event that a data subject makes such a request to the Data Processor, the Data Processor shall forward the request to the Data Controller, and the Data Controller shall further handle the request, unless explicitly agreed otherwise.
- The Data Processor shall assist the Data Controller with any data protection impact assessment and prior consultation of the Supervisory Authority. In addition, the Data Processor shall assist the Data Controller to respond to requests from the Supervisory Authority. For the execution of such requests, the Parties may agree to attach a compensation arrangement to it.
- If necessary for the performance of the assignment, the Data Processor may make a copy and/or a backup. The Personal Data on these copies and backups shall have the same protection as the original Personal Data.
- The Data Processor shall keep a written register of all processing activities carried out on behalf of the Data Controller. This register shall contain all data required by Article 30(2) of the GDPR.
- The Data Processor guarantees that its Employees have access to the Personal Data only to the extent necessary to perform their duties in the context of the order for Processing. The Employees of the Data Processor are also bound by confidentiality obligations. The Data Processor shall inform its Employees about the obligations of the Privacy Law and of this Data Processing Agreement.
Article 6. SUB-PROCESSORS
- The Data Controller hereby grants the Data Processor a general authorization to engage other processors (hereinafter "Sub-processors"). The Data Controller may object to the appointment or replacement of other data processors on reasonable grounds of which it shall notify the Data Processor in writing. If the Data Controller reasonably objects to the appointment or replacement of other data processors, the Data Processor shall cooperate in good faith with the Data Processor to effect a commercially reasonable change in service that avoids the use of the proposed Sub-processor, and if such change cannot be effected within one (1) month after receipt by the Data Processor of the notification from the Data Controller, then either Party may terminate the Agreement without judicial intervention and without compensation with effect from the date on which the appointment or replacement takes effect.
- The Data Processor must ensure that the Sub-processor offers the same guarantees with respect to taking appropriate technical and organizational measures in accordance with Article 32 of the GDPR.
- All obligations contained in Article 5 of the current Data Processing Agreement shall apply in full to the Sub-processor. These obligations shall be stipulated in writing in an agreement between the Data Processor and the Sub-processor. The Data Processor remains fully responsible to the Data Controller for compliance by the Sub-processor with its obligations.
- The following sub-processors are used to properly perform the duties as Data Processor: Microsoft, Company Channel, Topware Systems.
Article 7. CONFIDENTIALITY
- The Data Processor is bound by a duty of confidentiality with respect to the Personal Data it receives from the Data Controller for the Processing order and with regard to all information that it receives in the context of this Data Processing Agreement. This duty of confidentiality applies in full to the Employees of the Data Processor and to any Sub-processors and their Employees.
- This duty of confidentiality arises during the negotiation of the Data Processing Agreement, remains in force during the full term of the Data Processing Agreement, and also after the termination of the Data Processing Agreement.
- This duty of confidentiality does not apply when the Data Processor is required by the Supervisory Authority, a statutory provision, or a court order to disclose this Personal Data, when the information is publicly known, and when the data disclosure is made on behalf of the Data Controller.
Article 8. SECURITY MEASURES
- The Data Controller and Data Processor shall take the required and appropriate technical and organizational measures (hereinafter the "Security Measures") to protect the Personal Data against destruction, whether accidental or unlawful, against loss, falsification, unauthorized disclosure or access, in particular when the processing involves the transmission of data over a network, or against any other form of unlawful Processing or use.
- Taking into account the state of the art and the cost of implementation, the Security Measures guarantee an adequate level of security considering the risks involved in the processing and the nature of the data to be protected. The Security Measures are also aimed at preventing unnecessary collection and further processing of personal data.
- The Data Processor shall inform the Data Processor about all Security Measures it takes to comply with the protection obligation. In determining the relevant measures, the state of the art and the cost of implementation shall be taken into account. If changes in technology require changes to the technology used, the Data Processor shall bear the necessary costs thereof.
- The Data Controller and Data Processor shall make all reasonable efforts to ensure that the processing systems used meet the requirements of confidentiality, integrity, and availability, always taking into account the state of the art and reasonable costs of implementation. Likewise, both Parties shall verify that their systems are sufficiently resilient.
Article 9. NOTIFICATION OF A DATA BREACH
- If the Data Processor discovers a Data Breach, it shall promptly notify the Data Controller after the discovery. This notification shall at least describe or communicate the following:
  - the nature of the personal data breach, where possible specifying the categories of Data Subjects and Personal Data concerned and, approximately, the number of Data Subjects and Personal Data involved;
  - the name and contact details of the data protection officer or another point of contact where more information can be obtained;
  - the likely consequences of the Data Breach in relation to Personal Data;
  - the measures proposed or taken by the Data Controller to address the Data Breach, including, where applicable, the measures to mitigate any adverse effects thereof.
It is up to the Data Controller to assess whether it will report the Data Breach to the Supervisory Authority or inform the Data Subjects about it.
Article 10. DURATION AND TERMINATION OF THE DATA PROCESSING AGREEMENT
- This Data Processing Agreement shall be valid for as long as the Agreement is in effect and shall be terminated at the same time as the Agreement. The Data Processing Agreement may not be terminated separately from the Agreement unless the Parties agree that termination is necessary to comply with Privacy Law or Supervisory Authority decisions.
- Upon completion of the processing services, the Data Processor shall, at the option of the Data Controller, delete or return all Personal Data processed under the Agreement and delete existing copies and backups thereof, unless applicable law requires the storage of the Personal Data. Any costs associated with the return of the Personal Data and its destruction shall be borne by the Data Controller.