DATA PROCESSING POLICY 

For B2B clients
Updated on: April 2024

INTRODUCTION

When o2o BV (hereinafter ‘o2o’) performs certain Services for a customer (hereinafter the ‘Customer’), it shall (i) have access to Personal Data (as defined hereinafter) and/or (ii) will have to process Personal Data for which the Customer is responsible as a Controller in accordance with the Privacy Legislation (as defined hereinafter). 

This data processing policy (hereinafter ‘Data Processing Policy’) applies to the Processing of Personal Data by o2o for the Customer and determines (i) how o2o will manage, secure and process the Personal Data, and (ii) parties’ obligation to comply with the Privacy Legislation.

Relying on the Services of o2o implies the Customer's acceptance of this Data Processing Policy and, consequently, of the way in which o2o Processes the Personal Data of the Customer.

DEFINITIONS

In this Data Processing Policy, the following concepts have the meaning described in this article (when written with a capital letter):

Assignment: All activities, such as but not limited to the Services, performed by o2o for the Customer, and any other form of cooperation whereby o2o Processes Personal Data for the Customer, regardless of the legal nature of the agreement under which this Processing takes place;

Controller: The entity, which determines the purposes and means of the Processing of Personal Data, being in this case the Customer;

Data Subject: The natural person to whom the Personal Data relates and of whom the Customer wishes to have Personal Data processed by o2o;

Data Breach: Unauthorized disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data, which are Processed by o2o on behalf of the Customer; 

Personal Data: Personal data within the meaning of the Privacy Legislation and as defined in Annex I; 

Privacy Legislation: (i) the General Data Protection Regulation 2016/679 of April 27, 2016; (ii) the Belgian Privacy Law of 30 July 2018; and/or (iii) the (future) Belgian legislation regarding the implementation of the General Data Protection Regulation;

Process/Processing: Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, including, but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;

Processor: The entity which Processes Personal Data on behalf of the Controller, being in this case o2o;

Services: All services, provided by o2o to the Customer within the framework of the Assignment, implying the Processing of Personal Data by o2o;

Sub-processor: Any processor engaged by o2o to assist in the performance of the Services.

The Data Processing Policy includes the following annexes:

Annex I: Overview of (i) the Personal Data, which parties expect to be subject of the Processing, (ii) the categories of Data Subjects, which parties expect to be subject of the Processing, and (iii) the use (i.e. the way(s) of Processing) of the Personal Data, the purpose and means of such Processing

Annex II: Overview and description of the security measures taken by o2o under this Data Processing Policy. 

Annex III: Overview of all Sub-processors on which o2o relies, including (i) the name of the Sub-processors, (ii) their country of location, (iii) whether they are located within or outside the European Economic Area (hereinafter ‘EEA’) and (iv) the implemented safeguards (in case of transfer to Sub-processors outside the EEA).

1. ROLES OF THE PARTIES

  1. Parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer shall be considered ‘Controller’ and o2o ‘Processor’ in accordance with the Privacy Legislation. Further, o2o may engage Sub-processors pursuant to the provisions of Article 5.
  2. Each party shall comply with its respective obligations under the applicable Privacy Legislation with respect to the processing of the Personal Data.

2. THE ASSIGNMENT/SERVICES

  1. o2o shall Process the Personal Data in a proper and careful way and in accordance with the applicable Privacy Legislation and other applicable rules concerning the Processing of Personal Data. 

More specifically, o2o shall – during the performance of the Assignment – provide all its know-how in order to perform the Assignment according to the rules of art and adopt – to the best of its abilities – the necessary security measures (cfr. Annex II), as it fits a specialised and ‘good’ processor (as defined in the Privacy Legislation). 

  2. The Customer acknowledges that:
  • o2o acts as a facilitator of the Services. Hence, the Customer shall be responsible for how it makes use of the Services;
  • o2o bears no responsibility with regard to adjustments and/or changes made to the Personal Data on the explicit request of the Customer;
  • The Customer is responsible for all acts and omissions of its employees. The Customer shall inform its employees of the applicable Privacy Legislation, this Policy and/or all other relevant legislation and ensure that the employees act in compliance therewith;
  • The Customer is liable and responsible for the accuracy of the material and/or data it provided;
  • The Customer is liable and responsible for the content of the (personalised) messages generated or transmitted via the Services.
  3. In case of misuse by the Customer of the Services, the Customer agrees that o2o can never be held liable in this respect nor for any damage that would occur from such misuse.
  4. The Customer shall avoid any misuse of the Services and shall hold o2o harmless should such misuse occur, as well as against any claim from a Data Subject and/or third party due to such misuse.

3. OBJECT & INSTRUCTIONS

  1. The Customer acknowledges that as a consequence of making use of the Services of o2o, the latter shall Process Personal Data as collected by the Customer. Nonetheless, o2o shall only Process the Personal Data upon request of the Customer and in accordance with its documented instructions, as described in Annex I, unless any legal obligation states otherwise.
  2. o2o shall inform the Customer, if in its opinion, the instructions of the Customer infringe the Privacy Legislation. If the Customer subsequently cannot guarantee the validity or legality of the instruction or fails or refuses to change the unlawful instruction so that it no longer violates the Privacy Legislation, o2o shall be entitled to (i) suspend/refuse the performance of said instruction and (ii) at its discretion, to either continue to process the Personal Data in accordance with previously provided instructions or to stop the processing altogether, until the Customer has revised its instruction so that it no longer violates the Privacy Legislation.
  3. The Customer owns and retains full control concerning (i) the Processing of Personal Data, (ii) the types of Personal Data Processed, (iii) the purpose of Processing, and (iv) whether such Processing is proportionate (non-limitative).
  4. Customer shall inform o2o without undue delay if it is not able to comply with its responsibilities under this Article or the Privacy Legislation.

4. SECURITY OF PROCESSING

Taking into account the state of the art, o2o implements appropriate technical and organizational measures for the protection of (i) Personal Data – including protection against careless, improper, unauthorized or unlawful use and/or Processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of Personal Data, as set forth in Annex II.

5. SUB-PROCESSORS

  1. The Customer acknowledges and agrees that o2o may engage third-party Sub-processors in connection with the Assignment. In such case, o2o shall ensure that the Sub-processors are at least bound by the same obligations by which o2o is bound under this Data Processing Policy.
  2. o2o has added a list (cfr. Annex III) of the current Sub-processors on which it relies for the performance of the Assignment.

o2o shall: 

  • update the list whenever a Sub-processor changes;
  • clearly indicate the changes in the list; 
  • indicate the date when the list was updated and when the change of the Sub-processor went or will go into effect. 

o2o will notify the Customer (e.g. through the platform) when changes to the list are made. If the Customer wishes to exercise its right to object to a Sub-processor, it shall notify o2o in writing and in a reasoned manner at the latest within thirty (30) days after the notification.

  3. In the event the Customer objects to a new Sub-processor and such objection is not found unreasonable, o2o will use reasonable efforts to (i) make available to the Customer a change in the Services or (ii) recommend a commercially reasonable change to the Customer’s use of the Services to avoid Processing of Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.

If o2o is, however, unable to make available such change within a reasonable period of time (which shall not exceed thirty (30) days following the objection of the Customer), the Customer may terminate the Assignment / the Services, under the following conditions:

  • The Services cannot be used by the Customer without relying on the objected new Sub-processor; and/or
  • Such termination solely concerns the Services which cannot be provided by o2o without relying on the objected new Sub-processor;

and this by providing written notice thereof to o2o within a reasonable time.

  4. o2o shall be liable for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Services itself, directly under the terms of this Data Processing Policy.

6. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

  1. The Personal Data shall primarily be Processed within the EEA; where it is Processed outside the EEA, Article 6.3 applies.
  2. o2o shall only transfer Personal Data upon request of the Customer and/or in accordance with its documented instructions, unless o2o is required to do so by EU or member state law. In such a case, o2o shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  3. Any transfer of Personal Data outside the EEA by o2o to a third party whose domicile or registered office is in a country which does not fall under the adequacy decision enacted by the European Commission, shall be additionally subject to one or more of the listed EU-approved safeguards: 
  • Concluding a data transfer agreement with such recipient, which shall contain the standard contractual clauses as referred to in the 'European Commission decision of 5 February 2010 (Decision 2010/87/EC)'; and/or
  • Binding corporate rules; and/or
  • Certification mechanisms.

7. CONFIDENTIALITY

  1. o2o shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties without the prior written agreement of the Customer, unless when such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case o2o shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with the Customer.
  2. o2o ensures that its personnel, engaged in the performance of the Assignment, are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. o2o ensures that such confidentiality obligations survive the termination of the employment contract.
  3. o2o ensures that access to Personal Data is limited to such personnel performing the Assignment in accordance with the Data Processing Policy.

8. NOTIFICATION

  1. o2o shall use its best efforts to inform the Customer within a reasonable term when it: 
  • Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data;
  • Receives a request from a Data Subject invoking its privacy rights under the Privacy Legislation (cfr. Article 9.2);
  • Has the intention to disclose Personal Data to a competent public authority;
  • Determines or reasonably suspects a Data Breach has occurred in relation to the Personal Data. 
  2. In case of a Data Breach, o2o:
  • Notifies the Customer without undue delay after becoming aware of a Data Breach and shall provide – to the extent possible – assistance to the Customer with respect to its reporting obligation under the Privacy Legislation;
  • Undertakes – as soon as reasonably possible – to take appropriate remedial actions to make an end to the Data Breach and to prevent and/or limit any future Data Breach.

9. LIABILITY

  1. Each party is solely liable for all damage, claims and/or fines of third parties, competent supervisory authorities or Data Subjects that are the result of its own breach of or non-compliance with (i) the provisions of this Data Processing Policy, and (ii) the Privacy Legislation or other applicable rules concerning Personal Data. Each party indemnifies the other party in this regard.
  2. In case of breach/non-compliance as described in Article 9.1, the infringing party is liable to the other party and must reimburse the latter for all damages and costs, including reasonable attorney's fees, (legal) expenses and damage resulting from such breach/non-compliance.
  3. The liability of o2o for a breach of this Data Processing Policy is limited as described in the applicable contractual documentation (i.e. the framework agreement).

10. RIGHTS OF DATA SUBJECTS

  1. If a Data Subject requests to exercise his/her rights and the Customer itself – in its use of the Services – does not have the ability to correct, amend, block or delete the Personal Data, o2o shall offer cooperation and assistance with any commercially reasonable request by the Customer to facilitate such actions.
  2. o2o shall promptly notify the Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. o2o shall, however, not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to the Customer to which the Customer hereby agrees. 

11. RETENTION, RETURN AND DELETION OF PERSONAL DATA

  1. o2o shall only retain the Personal Data for as long as needed to provide the Services or for as long as the Assignment between the Customer and o2o has not been terminated.
  2. Upon termination of the Assignment, the Customer shall be notified by o2o of its possibility to export the Personal Data through the available export tools and during a certain term (as mentioned in such notification).
  3. Once the aforementioned export term has passed, o2o shall permanently delete or, as the case may be, anonymize the Personal Data.

12. COMPLIANCE & INSPECTIONS

  1. Upon the Customer’s request, o2o undertakes to provide the Customer with all information, to the extent required by law, to allow verification of whether o2o complies with the provisions of this Data Processing Policy.
  2. In this respect o2o shall allow the Customer (or a third party on which the Customer relies) to undertake inspections – such as but not limited to an audit – and shall provide the necessary assistance thereto to the Customer or that third party. The Customer must notify o2o at least thirty (30) working days in advance. The performance of inspections may in any case not cause any delay in the performance of the Services by o2o.
  3. In order to ensure the confidentiality of other o2o customers, the Customer shall impose sufficient confidentiality obligations on its (internal/external) auditors.
  4. All inspection costs are exclusively borne by the Customer, except if (and to the extent that) a severe security incident/personal data breach (at o2o/under o2o’s responsibility) or a violation of this Data Processing Policy is determined during the inspection. 

13. TERM

The Data Processing Policy lasts as long as the Assignment has not come to an end. 

14. CONTACT 

Notifications by the Customer under this Data Processing Policy and/or any questions or concerns with regard to the provisions of this Data Processing Policy must be directed at privacy@o2o.be.

15. GOVERNING LAW & JURISDICTION 

This Data Processing Policy, including its Annexes, shall be governed by the law and subject to the jurisdiction clause as provided in the Assignment.

Annex I – Overview of Processing activities

Table

Annex II – Description of the technical and organizational security measures taken by o2o

  1. Data Protection and Privacy: We implement stringent data protection measures to ensure the confidentiality, integrity, and availability of personal and sensitive information. This includes encryption, access control, and secure data storage solutions.
  2. Risk Management: We conduct regular risk assessments to identify, evaluate, and manage risks associated with information security. This proactive approach helps us to implement appropriate measures to mitigate potential security threats.
  3. Incident Response: We have a comprehensive incident response plan in place to quickly address any security breaches or data leaks. This ensures that we can effectively contain and mitigate the impact of any security incidents.
  4. Employee Training and Awareness: Recognizing that human error can often lead to security vulnerabilities, we invest in regular training and awareness programs for our employees. This ensures that our team is equipped with the knowledge to maintain high security standards and to recognize and respond to potential threats.
  5. Vendor Management: We carefully assess and manage the security practices of third-party vendors and partners. This includes conducting due diligence and requiring adherence to our security standards to ensure the protection of shared information.
  6. Continuous Improvement: We are committed to continuously improving our security practices through regular reviews, updates to our security policies, and staying informed about the latest security trends and threats.
  7. Compliance with Legal and Regulatory Requirements: We ensure compliance with all applicable legal and regulatory requirements related to information security and data protection. This includes adhering to privacy laws and regulations that govern the jurisdictions in which we operate.

Annex III – Overview of all Sub-processors

o2o will provide the list with an overview of all Sub-processors (i) in the context of negotiations with the Customer or (ii) upon request of the Customer.