[Client’s company name], with its registered office at [address] and registered under number [company registration number], legally represented by [Representative’s name], as [Representative’s position] (hereinafter referred to as the “Client”)
BILLIT BV, with its registered office at Oktrooiplein 1, bus 302, 9000 Ghent and registered under number 0563.846.944, legally represented by [Representative’s name], as [Representative’s position] (hereinafter referred to as the “Processor”)
[Client’s company name] and the Processor shall hereinafter be referred to individually as the “Party” or jointly as the “Parties”.
(A) The Client and the Processor have entered into an agreement on [date] for the provision to the Client of a software platform for online administration and management of businesses (hereinafter referred to as “Framework Agreement”), under which the Processor will process personal data on the Client’s behalf;
(B) This Processing Agreement (hereinafter referred to as the “Processing Agreement”) sets out the additional terms, requirements, and conditions under which the Processor will process personal data when providing services under the Framework Agreement. This Processing Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation 2016/679 (hereinafter referred to as “GDPR”) for agreements between controllers and processors.
1. Definitions and interpretation
1.1. The following definitions apply in this Processing Agreement:
“Business Purposes” means the services described in the Framework Agreement.
“Data Protection Legislation” means any relevant statutory regulations of the European Union, including decisions, directives, and regulations, for the protection of personal data, particularly the GDPR and the relevant implementing legislation under Belgian law.
“Controller”, “Data Protection Impact Assessment”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “process/processing” means the same as in the GDPR.
1.2. This Processing Agreement shall be subject to Framework Agreement’s provisions and forms an integral part of the Framework Agreement.
1.3. In case of discrepancy between any of this Processing Agreement’s provisions and those of the Framework Agreement, this Processing Agreement’s provisions shall prevail.
2. Types of Personal Data and Purposes of the Processing
2.1. In respect of the processing of Personal Data by the Processor on the Client’s behalf, the Client shall act as the Controller and the Processor as defined in the Data Protection Legislation.
2.2. The Controller shall retain control over the Personal Data and remain responsible for fulfilling its obligations under the Data Protection Legislation, including making the required communications and obtaining the necessary consent, as well as for the processing instructions it gives to the Processor.
2.3. The following table describes the nature and purpose of the Processor’s processing, the categories of Personal Data, the categories of Data Subjects, and the storage periods for Personal Data.
Nature and purpose of the processing
The processing shall be carried out for the sole purpose of achieving the Business Purposes
Categories of Data Subjects
Employees, customers, and suppliers of the Client
Personal data categories
Personal identification data, account data, location data, and financial data
Term of the Framework Agreement
3. Obligations of the Processor
3.1. The Processor shall process the Personal Data only to the extent and in the manner necessary for the Business Purposes, in line with the Client’s written instructions. The Processor shall not process the Personal Data for any other purpose or in a manner inconsistent with this Processing Agreement or the Data Protection Legislation. The Processor shall inform the Client immediately if it considers that the Client’s instructions are not in line with the Data Protection Legislation.
3.2. The Processor shall keep all Personal Data confidential and shall not disclose them to third parties unless the Client or this Processing Agreement has expressly authorised such disclosure or it is required by law. If any law, court, regulatory body, or supervisory authority requires the Processor to process or disclose Personal Data, the Processor shall first notify the Client of such a legal or regulatory obligation and provide the Client with the opportunity to object to or challenge this obligation, unless such notification is prohibited by law.
3.3. The Processor shall provide reasonable assistance to the Client in fulfilling the Client’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor’s processing and the information available to the Processor, including with respect to the Data Subject’s rights, Data Protection Impact Assessments as well as reporting to and consulting with supervisory authorities under the Data Protection Legislation.
4.1. The Client herewith permits the Processor to authorise the following third parties (“Sub-processors”) to process the Personal Data:
Type of sub-processing operation (description of services)
Customer Portal software provider
4.2. The Client herewith gives a general authorisation to the Processor to engage other Sub-processors.
4.3. If the Processor intends to appoint another Sub-processor, it shall inform the Client accordingly and allow the Client to object to this appointment within fourteen (14) days. This is on the proviso that the Client may only object to such an appointment in writing and on reasonable grounds supported by documentary evidence.
4.4. The Processor shall enter into a written agreement with each Sub-processor containing the same conditions as those in this Processing Agreement, specifically concerning the requirements for technical and organisational security measures. The Processor shall provide copies of such agreements to the Client on the Client’s written request.
4.5. Without prejudice to Article 13.1, the Processor shall remain fully liable to the Client for any failure by a Sub-processor to fulfil its obligations concerning the processing of the Personal Data.
5. Cross-border transfer of personal data
5.1. The Processor (or a Sub-processor) shall only transfer or otherwise process Personal Data outside the European Economic Area (“EEA”) if the Processor (or the Sub-processor) has provided appropriate safeguards pursuant to Article 46 GDPR or if such transfer is required by EU regulations or those of an EU Member State.
5.2. If applicable, the Processor (or the Sub-processor) shall enter into EU standard contractual clauses with the data importer outside the EEA as approved by the European Commission.
6.1. The Processor shall ensure that the persons who are authorised to process the Personal Data:
(i) are bound by obligations of confidentiality and usage restrictions in respect of the Personal Data and
(ii) are aware of the Processor’s and their own personal obligations pursuant to the Data Protection Legislation and this Processing Agreement.
7.1. The Processor shall take all measures pursuant to Article 32 GDPR.
7.2. In particular, the Processor shall take the following technical and organisational measures:
(i) Control of de physical access: Billit’s web application, communication, and database servers are located in secure data centres in Europe, managed by TransIP & Amazon Web Services, Inc. with which Billit has entered into the required written agreements as provided for in Article 4.4 of this Processing Agreement.
(ii) Control of access to the system: Billit has taken appropriate measures to prevent unauthorised persons from using its systems. This is achieved by:
• The identification of the terminal and/or the terminal’s user in Billit’s systems;
• Automatic shut-down of the user terminal while not in use; Identification and a password required to regain access;
• Automatic blocking of the user after repeated entry of a wrong password; Registration and regular monitoring of events;
• Access control via firewall, router, and VPN to protect the private networks and back-end servers;
• Ad hoc monitoring of infrastructure security;
• Regular inspections of security risks by internal staff and external auditors;
• Issuing and safe-keeping of identification codes;
• Role-based access control according to the principle that only strictly necessary rights are granted;
• Access to host servers, applications, databases, routers, switches, etc. is recorded;
• The use of commercial and customised tools to collect and verify data recorded by the Platform and the system.
(iii) Control of access to data: Billit has implemented appropriate measures to protect Personal Data against accidental destruction or loss. This is achieved by:
(iv) Redundant infrastructure;
• A constant evaluation of data centres and Internet Service Providers (ISPs) to optimise performance for clients in terms of bandwidth, latency, and isolation for disaster recovery;
• Housing data centres in secure, carrier-neutral shared locations with physical security, redundant power supply, and redundant infrastructure;
• Service Level Agreements with ISPs to guarantee maximum availability;
• Quick changeover in case of problems.
(v) Control of transfer: BBillit has implemented appropriate measures to prevent the reading, copying, modification, or erasure of Personal Data by unauthorised persons during data transmission or transport of the data carriers. This is achieved by:
• The use of appropriate firewall and encryption technologies to protect the ports and channels through which data is transferred;
• Encryption of sensitive Personal Data during transmission using current versions of TLS or other security protocols that use strong encryption algorithms and keys;
• Protection of employee access via the Internet to account management interfaces via encrypted TLS;
• End-to-end encryption of shared screens for remote access, support, or real-time communication.
(vi) Controle of the input: Billit has implemented appropriate measures to ensure that it can be determined whether and by whom Personal Data have been entered into or deleted from the Personal Data Processing systems. This is achieved by:
• Authentication of the authorised employees;
• Protective measures for the entry of Personal Data into the memory and the reading, modification, and erasure of stored Personal Data, including by documenting or logging significant changes to account details or settings;
• Separation and protection of all stored Personal Data through database schedules, logic access controls, and/or encryption;
• The use of proof of identity for user identification;
• Physical security of the location where the data processing takes place;
• Session time-out.
(vii) Data backups;
(viii) Separation of data:Billit only accesses the Client’s Personal Data:
• To provide the necessary Services under the Framework Agreement;
• To support the user experience;
• As required by law; or
• At the Client’s request.
This is achieved by:
• Individual allocation of System Administrators;
• Taking appropriate measures to register the System Administrator’s access to the infrastructure.
8.1. The Processor shall provide the Client with all information necessary to demonstrate compliance with the obligations pursuant to this Processing Agreement and the Data Protection Legislation and shall permit and cooperate with audits, including inspections by the Client or its authorised auditors.
8.2. Such audits may only be carried out if the Processor has been notified by a registered letter at least three (3) weeks in advance. Audits may be conducted up to twice per contract year, on any day (between 9.00 am and 6.00 pm), except Saturdays, Sundays, statutory holidays in Belgium, and days when the Processor is closed due to holidays. Audits shall not reasonably interfere with the Processor’s business activities. Audits shall always be carried out at the Client’s expense. The Processor is entitled to request that the Client and external auditor sign a non-disclosure agreement before the audit is carried out.
8.3. The costs incurred by the Processor for assisting in such audits shall be invoiced to the Client at an hourly rate of EUR 120 (excl. VAT) unless expressly agreed otherwise in writing.
9. Information and assistance
9.1. The Processor shall take the appropriate technical and organisational measures agreed in writing between the Parties and shall immediately provide the Client with the information that the Client may reasonably require to enable the Client to comply with:
(i) The Data Subjects’ rights pursuant to the Data Protection Legislation; and
(ii) Information or assessment notices served by a supervisory authority on the Processor under the Data Protection Legislation.
9.2. The Processor shall inform the Client without delay if it receives a complaint, notification, or communication directly or indirectly relating to the processing of the Personal Data or one of the Parties’ compliance with the Data Protection Legislation.
9.3. The Processor shall inform the Client within five (5) working days if it receives a request from a Data Subject to access their Personal Data or to exercise any of their rights under the Data Protection Legislation.
9.4. The Processor shall reasonably cooperate and assist the Controller in responding to complaints, notifications, communications, or requests from Data Subjects.
9.5. The Processor shall not disclose the Personal Data to a Data Subject or a third party, other than at the Client’s request or instructions, as provided for in this Processing Agreement or required by law.
9.6. The costs incurred by the Processor for providing assistance under this Article 9 shall be invoiced to the Client at an hourly rate of EUR 120 (excl. VAT) unless expressly agreed otherwise in writing.
10. Personal Data Breach
10.1. The Processor shall inform the Client without undue delay if it becomes aware of a Personal Data Breach.
10.2. If the Processor becomes aware of a Personal Data Breach, it shall provide the Client with the following information without undue delay:
(i) A description of its nature, including the categories and estimated number of Data Subjects and Personal Data records affected;
(ii) The likely consequences;
(iii) A description of the measures taken or proposed to address the Personal Data Breach including those to mitigate its possible adverse effects.
10.3. Immediately following a Personal Data Breach, the Parties shall work together to investigate the Personal Data Breach. The Processor shall reasonably cooperate with the Client in dealing with the Personal Data Breach, including by:
(i) Cooperating in an investigation;
(ii) Taking reasonable and prompt steps to mitigate the consequences of and minimise any damage caused by the Personal Data Breach.
10.4. The Processor shall refrain from notifying third parties of a Personal Data Breach without the Client’s prior written consent unless it is required to do so by law.
10.5. The Client shall cover all reasonable costs related to the Processor’s performance under this Article 10 unless the Personal Data Breach is due to the Processor’s negligence, wilful misconduct, or breach of this Processing Agreement.
11. Term and termination
11.1. This Processing Agreement shall remain in full force and effect as long as:
(i) The Framework Agreement remains in force; or
(ii) The Processor holds or controls Personal Data in connection with the Framework Agreement (hereinafter referred to as “Term”).
11.2. Any provision of this Processing Agreement which is to become or remain effective, either expressly or tacitly, upon or after the termination of the Framework Agreement (including Article 13.1) shall remain in full force and effect.
12. Removal or return
12.1. Upon termination of the Framework Agreement, for whatever reason, or upon expiry of its term, the Processor shall, at the Client’s discretion, delete or return all the Personal Data relating to this Processing Agreement that are in its possession, and delete any existing copies.
12.2. If a law, regulation, or governmental or regulatory authority requires the Processor to retain documents or materials that the Processor would otherwise be required to return or destroy, the Processor shall notify the Client in writing of that retention obligation, stating the details of the documents or materials to be retained by the Processor, the legal basis for the retention, and the determination of a specific time limit for destruction once the retention obligation ends.
13. Final Provisions
13.1. To the extent permitted under the applicable legislation, any limitations and/or exclusions of liability in the Framework Agreement shall apply to this Processing Agreement.
13.2. If, at any time during the Term, it is determined that any provision of this Processing Agreement is or has become invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions of the Processing Agreement shall not in any way be affected or impaired thereby. The Parties shall negotiate in good faith to replace such invalid, unlawful, or unenforceable provision with a valid, lawful and enforceable provision, the effect of which shall be as close as possible to that of the invalid, unlawful, or unenforceable provision.
13.3. This Processing Agreement shall be governed by and read in accordance with the legislation applicable to the Framework Agreement. The court mentioned in the Framework Agreement shall have sole jurisdiction to rule on any disputes arising from or in connection with this Processing Agreement.
This Contract was prepared at [place of signature] on [date of signature] in two (2) copies.
[Client’s company name]
Notes to the Processing Agreement
• In the course of the processing of personal data as part of its services on the Billit Platform, Billit shall act as a Processor as defined in the GDPR. The Client shall act as the Controller.
• The Billit Platform is used to process certain personal data of the Client’s employees, customers, and suppliers. This mainly concerns identification and invoicing data.
• The processing of personal data is necessary to provide the Billit Platform and to perform the agreement between the Client and Billit. Billit may also process personal data pursuant to its legal obligations. This processing will be necessary as long as the agreement between the Client and Billit is in force. Processing after the termination of the agreement will be possible if there is a legal obligation to do so, e.g., for statutory retention periods.
• As the Processor, Billit shall only process personal data at the Client’s instructions.
• Billit may engage Sub-processors for processing operations. The Client is entitled to object to the appointment of a new Sub-processor.
• Billit shall ensure that its employees comply with strict confidentiality obligations..
• The GDPR imposes various obligations on processors. For example, they must provide an adequate level of data protection, and their appointment of any Sub-processors must also comply with certain conditions. Billit shall comply with these obligations.
• To comply with the GDPR obligations, Billit must keep specific information available to the Client. If the Client so wishes, audits may be carried out to check Billit’s compliance with these obligations. Billit shall cooperate with such audits at reasonable times and by appropriate deadlines. Participation in an audit requires a significant effort by Billit’s employees involved. Therefore, this cooperation will be charged for.
• Data Subjects may exercise their rights pursuant to the GDPR through the Controller. As the Processor, Billit shall assist the Client with this where necessary and possible. This cooperation will also be charged for.
• Any Personal Data Breaches must be reported to the supervisory authority. Billit shall cooperate with the Client where necessary. The Client shall cover all of Billit’s reasonable costs in respect of this cooperation.
• After termination of the agreement, Billit shall delete or return the personal data it has received and not retain them, except data that must be retained by law.
• The Processor shall inform the Client without undue delay if it becomes aware of a Personal Data Breach and shall fully cooperate in handling it.
• Billit (and the Sub-processors) shall not process personal data outside the European Economic Area without the Client’s prior written consent.