www.thinkgpa.com
Appendix 1: Standing GPA Inter-RBU Data Sub-Processor Agreement
1 PARTIES
1.1 This agreement on collection, storage and use of documents and information
(hereinafter the "Sub Data Processing Agreement") is deemed to stand between
A GPA Regional Business Unit (hereinafter "RBU") acting as the Originator of an
opportunity, program, or customer relationship generally
(hereinafter referred to as the "Data Processor")
and
Any other GPA RBU, and/or GPA B.V. as a party acting as the Receiver/Deliverer of an
opportunity, program, or customer relationship, and/or generally facilitating and
supporting the alignment between RBUs
(hereinafter referred to as the "Sub Data Processor")
(hereinafter jointly referred to as the "Parties" and individually as "Party")
2 DEFINITIONS
2.1 Terms and expressions with capital first letters used in this Sub Data Processing
Agreement shall have the meanings set out in the General Data Protection Regulation
(EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such data, hereinafter
the "GDPR") or the meanings otherwise defined in this Sub Data Processing Agreement.
2.2 “Data Subject” shall mean the identified or identifiable natural person to whom
Personal Data refers.
2.3 "Pre-Approved Subcontractors", unless otherwise specifically named on a customer or
project specific basis by the Data Processor, shall be considered to be GPA B.V. and any
other GPA RBU.
2.4 “Third party” shall mean a natural or legal person, public authority, agency or body
other than the Data Subject, the Data Controller, Sub Data Processor, the Data Processor
and persons who, under the direct authority of the Sub Data Processor or Data Processor,
are authorized to process Personal Data.
2.5 “Sales and Delivery Terms” shall mean any direct or indirect agreement or scope
related to provision of communication and collaboration technology services entered into
by and between the Sub Data Processor and the Data Processor as related to their
common participation in and ownership of the GPA organization.
3 SCOPE
3.1 This Sub Data Processing Agreement concerns the Parties’ obligations in regard to
processing of Personal Data.
3.2 Under this Sub Data Processing Agreement, the Data Processor shall solely or jointly
with other parties decide for what purpose and by use of what tools Personal Data may
be processed. Data Processor shall instruct the Sub Data Processor hereon.
3.3 This Sub Data Processing Agreement shall apply to all the Sub Data Processor’s
current and future deliveries under the Sales and Delivery Terms to all companies within
Data Processor’s group of companies, for whom the Sub Data Processor processes
Personal Data.
3.4 This Sub Data Processing Agreement shall also apply to all Sub Data Processor's
activities undertaken with the consent of, and on behalf of, Data Processor where Data
Processor maintains the consent of or a legitimate interest in processing such Personal
Data.
3.5 This Sub Data Processing Agreement shall form part of the standing Sales and
Delivery Terms as outlined within the GPA Standard Subcontracting Conditions Schedule
within the GPA Member Agreement as executed by all GPA Regional Business Units.
In case of any inconsistencies between this Sub Data Processing Agreement and any
subsequently negotiated Sales and Delivery Terms, this Sub Data Processing Agreement
shall prevail unless specifically and categorically stated and acknowledged otherwise.
3.6 The Sub Data Processor shall comply with the GDPR and other applicable national
data protection legislation.
3.7 Any Personal Data processed pursuant to this Sub Data Processing Agreement is
proprietary to the Data Processor.
4 PRIOR SPECIFIC OR GENERAL WRITTEN AUTHORISATION
4.1 Sub Data Processor shall process Personal Data on behalf of Data Processor.
4.2 Where applicable, Data Processor has received its instructions in regard to the
Personal Data from the Controller, which is a customer to the Data Processor. In such
cases, Data Processor instructs the Sub Data Processor to process the Personal Data to
provide its services under and within the Sales and Delivery Terms.
4.3 If the Sub Data Processor considers that any instructions from the Data Processor
contravene or infringe statutory regulations, including the GDPR or other EU or
applicable member state data protection provisions, the Sub Data Processor must notify
the Data Processor hereof immediately.
4.4 The Sub Data Processor is not entitled to make use of Personal Data, information or
otherwise provided by Data Processor, for purposes other than fulfilment of this Sub Data
Processing Agreement. The Sub Data Processor may not use such Personal Data for
historical, statistical, scientific or similar purposes, whether anonymized or in any other
way.
5 GEOGRAPHICAL LIMITATIONS
5.1 The Sub Data Processor is not allowed to transfer, access, process or otherwise make
available Personal Data to any Third Party in countries outside the EU/EEA; however, the
Sub Data Processor may transfer, access, process or otherwise make Personal Data
available to any and all other GPA RBUs and/or GPA B.V. Any such agreements with Pre-
Approved Subcontractors outside the EU or EEA shall, prior to any transfer of data, be
entered into pursuant to the EU Commission's Implementing Decision (EU) 2021/914 of 4 June 2021
on standard contractual clauses for the transfer of personal data to third countries and all
supplementary measures necessary to ensure that the data transferred is afforded in the
third country a level of protection essentially equivalent to that guaranteed within the EU,
in addition to any permission from local authorities if legally required.
6 CONFIDENTIALITY
6.1 The Parties accept, both for the duration of this Sub Data Processing Agreement and
subsequently, not to disclose any Confidential Information to a Third Party.
6.2 "Confidential Information" means all information of a technical, business,
infrastructural or similar nature, irrespective of whether this information has been
documented, except for information which is or will be made available in another way
than through breach of this Sub Data Processing Agreement, and all Personal Data.
6.3 The Parties shall ensure that employees and consultants who receive Confidential
Information are obliged to accept a similar obligation regarding Confidential Information
from the other Party and the cooperation in general in accordance with this Sub Data
Processing Agreement.
6.4 The Sub Data Processor must further ensure that all people with access to Personal
Data being processed on behalf of Data Processor are familiar with this Sub Data
Processing Agreement and are subject to the provisions of this Sub Data Processing
Agreement.
7 DATA PROCESSOR’S IT SECURITY POLICIES
7.1 The Sub Data Processor shall comply with Data Processor's IT Security Policies as may
be specifically defined to them by the Data Processor, but at minimum:
7.1.1 Access to Personal Data is restricted to persons who have a material need for
access to Personal Data. Personal Data will only be accessed on a "need to know"
basis.
7.1.2 Employees, who handle Personal Data, are instructed and trained in what
they must do with Personal Data and how to protect Personal Data.
7.1.3 There must be as few people as possible with access to Personal Data, with
due regard for the operation. However, there must be a sufficient number of
employees to ensure the operation of the tasks concerned in case of sickness,
holidays, staff replacement, etc. Personal Data will only be accessed on a "need to
know" basis.
7.2 Data Processor shall inform Sub Data Processor in writing each time a change has
been made to the Data Processor's IT Security Policies before such changes take effect.
Upon written request, Data Processor shall inform Sub Data Processor of the content of
any such changes made to the Data Processor’s IT Security Policies.
7.3 The Sub Data Processor must always provide supervisory authorities and Data
Processor with the necessary access to and insight into the Personal Data which is being
processed and the systems used.
8 APPROPRIATE TECHNICAL AND ORGANISATIONAL MEASURES
8.1 The Sub Data Processor must implement appropriate and reasonable technical and
organizational measures to ensure a level of security that matches the risks of data
processing for the processing of Personal Data which the Data Processor provides under
this Sub Data Processing Agreement, including reasonably ensuring a) Pseudonymisation
and encryption of Personal Data; b) continuous confidentiality, integrity, availability and
robustness of the processing systems and services for which the Sub Data Processor is
responsible; c) timely recovery of the availability of and access to Personal Data in case of
a physical or technical incident; d) a procedure for regular testing, assessment and
evaluation of the effectiveness of the technical and organizational measures to ensure
processing security; e) that Personal Data is not accidentally or unlawfully destroyed, lost
or impaired and against any unauthorized disclosure, abuse or in any other way is
processed in violation of any applicable law on Personal Data.
8.2 The Sub Data Processor shall determine the appropriate level of technical and
organizational measures. When determining this, the Sub Data Processor must
particularly consider the risks related to the processing, i.e. the risks of accidental or
unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data
which has been transmitted, stored or processed in any other way.
8.3 Sub Data Processor shall, upon prior written request from the Data Processor, and
within reasonable time-limits, provide the Data Processor with sufficient information to
document that the abovementioned technical and organizational security measures have
been taken.
9 TRANSPARENT INFORMATION AND COMMUNICATION
9.1 The Sub Data Processor must report to Data Processor with any agreed contents,
quality and frequency any data related reporting as may be defined by the Data
Processor. The Sub Data Processor must immediately inform Data Processor of any
development which may significantly impair the Sub Data Processor’s current or future
ability or possibility to comply with the Sub Data Processing Agreement.
9.2 The Sub Data Processor is obliged to inform Data Processor immediately if the Sub
Data Processor is not able to ensure the correct processing of Data Processor's Personal
Data in accordance with this Sub Data Processing Agreement.
10 DATA SUBJECTS RIGHTS
10.1 Sub Data Processor shall, upon request from the Data Processor and without undue
delay, provide all reasonably requested information and assistance to the Data Processor
in regard to the Data Subject's rights on the following items: (1) processing security
known to the Sub Data Processor for any processing of Personal Data which is not
provided directly by Sub Data Processor or a Pre-Approved Subcontractor, (2) notification
to the supervisory authority of any Data Security Breach, (3) notification to the Data
Subject of any Data Security Breach, (4) consequential analysis of data protection
regulatory breaches.
10.2 Sub Data Processor shall also, upon request from the Data Processor, provide all
reasonably requested information and assistance to the Data Processor in regard to the
Data Subject's rights without undue delay on the following items: (1) the duty to inform
when collecting Personal Data from the Data Subject, (2) the duty to inform if the
Personal Data has not been collected from the Data Subject, (3) the Data Subject's right
to access Personal Data, (4) the right to correct Personal Data, (5) the right to be deleted
("the right to be forgotten"), (6) the right to limitation of processing, (7) the duty to notify
in connection with corrections or deletions of Personal Data or limitations in the
processing activity, (8) the right to data portability and (9) the right to object to
processing of Personal Data.
11 DATA SECURITY BREACH
11.1 In case of a Data Security Breach for which the Sub Data Processor (or any Pre-
Approved Subcontractor) is responsible, the Sub Data Processor shall, as soon as
practically possible and no later than 48 hours after identification of the breach, inform Data
Processor hereof.
11.2 This notification must at least:
a) include a description of the nature of the Data Security Breach including, if possible,
the categories and the estimated number of affected Data Subjects as well as the
categories and estimated number of affected registrations of Personal Data,
b) include the name of and contact information for the data protection officer (DPO) or
another point of contact where further information may be obtained,
c) describe the probable consequences of the Data Security Breach,
d) describe the measures taken by the Sub Data Processor or which the Sub Data
Processor proposes are taken to handle the Data Security Breach including, if relevant,
measures to limit the possible consequential damages.
11.3 The Sub Data Processor must document all Data Security Breaches, including the
actual circumstances surrounding the Data Security Breach, its consequences, and the
remedial measures that have been taken.
11.4 This documentation must enable the regulatory authority to check that Sub Data
Processor complied with its duty to inform of any Data Security Breach.
12 USE OF SUBCONTRACTORS
12.1 The Sub Data Processor may not use any unauthorised subcontractors without Data
Processor’s prior written approval.
12.2 Data Processor has provided its consent to Sub Data Processor using the GPA RBUs
or GPA B.V. as subcontractors.
12.3 The Sub Data Processor must inform Data Processor of any plans to either add or
replace subcontractors. No sub-sub data processor may be added to the list of the Pre-
Approved Subcontractors without Data Processor's prior written approval.
12.4 If the Sub Data Processor uses a subcontractor to carry out specific processing
activities on behalf of Data Processor, the same data protection obligations as are
described in this Sub Data Processing Agreement shall be imposed on the subcontractor
in a written agreement.
12.5 If the subcontractor does not comply with the provisions of this Sub Data Processing
Agreement, the Sub Data Processor will be liable for the subcontractor’s actions or
failures to act/breach on the same terms as for its own services.
12.6 The Sub Data Processor is obliged to inform its subcontractors of the provisions of this
Sub Data Processing Agreement.
13 DELIVERY OF PERSONAL DATA
13.1 During the term of this Sub Data Processing Agreement, Data Processor has full
access to any Personal Data being processed by the Sub Data Processor.
13.2 If Data Processor so requests, the Sub Data Processor is obliged to keep a back-up
copy of Personal Data and additional information available in the Sub Data Processor’s
systems for up to 3 months after the expiry or termination of the Sub Data Processing
Agreement. Provided such request has been made, the Data Processor may, until the
expiration of such 3-month period and irrespective of the reason for the expiry of the Sub
Data Processing Agreement, request for an access to any Personal Data and additional
information recorded in such back-up copy.
13.3 Sub Data Processor may only disclose Personal Data and information to Data
Processor and/or to a third party appointed by Data Processor.
13.4 The Sub Data Processor must upon Data Processor’s written instructions delete
Personal Data or any information which has come to the Sub Data Processor’s possession
under the Sub Data Processing Agreement.
14 COOPERATION WITH THE SUPERVISORY AUTHORITY
14.1 The Data Processor and the Sub Data Processor and, where applicable, their
representatives, shall cooperate, on request, with the supervisory authority in the
performance of its tasks.
15 COSTS
15.1 All costs, including costs related to revision, inspection and regular implementation of
measures under applicable law and to fulfil the Sub Data Processor’s obligations under
this Sub Data Processing Agreement are included in any fees to be paid by the Data
Processor under the Sales and Delivery Terms. Sub Data Processor shall not be entitled to
receive any separate fees for the Sub Data Processor's fulfilment of such obligations.
16 EFFECTIVE DATE AND TERMINATION
16.1 The Sub Data Processing Agreement shall come into force upon (1) the date of
awareness of and/or acknowledgement by an existing GPA RBU of implementation of a
GDPR policy by the GPA Foundation Board, or (2) the execution of a GPA Member
Agreement in which the GPA GDPR Policy is included as a Schedule.
16.2 The Sub Data Processing Agreement shall continue for as long as the Sales and
Delivery Terms have not been terminated or expired.
16.3 Data Processor is always entitled to suspend the data processing by the Sub Data
Processor under this Sub Data Processing Agreement.
17 CHANGES IN THE APPLICABLE DATA PROTECTION LEGISLATION
17.1 If a change in mandatory applicable data protection legislation applicable to Data
Processor or to Sub Data Processor requires Sub Data Processor to (i) sign on to any
additional documentation for mandatory data protection compliance purposes, or (ii)
implement additional technical and organizational measures to the ones listed herein, or
(iii) accept additional obligations to those set out herein, and such requirement
mentioned in (i) - (iii) above cause additional costs or risks for Sub Data Processor, then
the Parties agree to negotiate in good faith a fair adjustment of any applicable fees.
17.2 Section 17.1 shall apply accordingly, in case (i) the Data Processor instructs Sub Data
Processor to undertake services not foreseen in this Sub Data Processing Agreement or
(ii) where mandatory applicable data protection legislation applicable to Data Processor
or to Sub Data Processor or the relevant supervisory authority imposes obligations on Sub
Data Processor in addition to those set out herein.
18 GENERAL TERMS
18.1 Amendments. The terms of this Sub Data Processing Agreement can only be
amended by written agreement between the Parties.
18.2 Independent Parties. The Parties explicitly accept that the relationship between them
is a customer-independent contractor relationship.
18.3 Information. The Parties are obliged to act loyally towards each other and to inform
each other without undue delay about any changes that may affect this Sub Data
Processing Agreement.
18.4 Force majeure. None of the Parties are responsible for any actions or failure to carry
out measures to the extent that such actions or such failure is due to matters beyond a
Party’s reasonable control, including but not limited to war, uprisings, force majeure,
strikes or other work stoppages (either in part or in whole), disturbances of the public
communication networks, disturbances of internet connections or similar events, but only
if said Party could not have predicted the event at the time of taking on the obligation. As
long as such an event prevents a Party from performing said obligation, this must be
suspended until such disturbance no longer exists.
18.5 Assignment. Data Processor may, either in part or in whole, assign its rights and
obligations under this Sub Data Processing Agreement to a third party. The Sub Data
Processor may not assign its rights or obligations under this Sub Data Processing
Agreement to a third party without the Data Processor's prior written approval.
18.7 Invalid condition. If a condition or a provision in this Sub Data Processing Agreement
is invalid, such invalidity shall not mean that the remaining part of this Sub Data
Processing Agreement is invalid. If the applicable law on personal data is changed after
the effective date of this Sub Data Processing Agreement, the Data Processor is obliged
to accept such changes to this Sub Data Processing Agreement.
Appendix 1a: GPA Data Processing Agreement
This agreement on collection, storage and use of documents and information (hereinafter
the "Data Processing Agreement") is deemed to stand between
A GPA Regional Business Unit (hereinafter the "Company")
and
GPA B.V.
(hereinafter referred to as the "Data Processor")
(hereinafter jointly referred to as the "Parties" and individually as "Party")
WHEREAS
(A) The Company acts as a Data Controller.
(B) The Company wishes to enable the processing of personal data by the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the
requirements of the current legal framework in relation to data processing and with the
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and
on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this
Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules that may
apply or be referenced;
1.1.2 “Company Personal Data” means any Personal Data Processed by a Processor on
behalf of Company pursuant to or in connection with the Principal Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable,
the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means the GDPR and laws implementing or
supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor;
or
1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a
Subcontracted Processor, or between two establishments of a Contracted Processor, in
each case, where such transfer would be prohibited by Data Protection Laws (or by the
terms of data transfer agreements put in place to address the data transfer restrictions of
Data Protection Laws);
1.1.9 "Services" means the audio-visual and collaboration technology related services the
Company provides;
1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process
Personal Data on behalf of the Company in connection with the Agreement;
1.1.11 "GPA" refers to GPA B.V., an organization duly incorporated in the Netherlands;
1.1.12 GPA "Regional Business Unit" or "RBU" refers to any organization authorized as such
by GPA, which in doing so a) is a certificate holder and thereby partial owner of the GPA
Foundation, the foundation being the sole shareholder of GPA B.V., and b) maintains a
standing contractual agreement between itself and GPA B.V. to govern its actions as a
designated GPA Regional Business Unit;
1.1.13 "Principal Agreement" refers to the GPA Member Agreement executed between
GPA B.V. and each of its Regional Business Units, and thereby setting out the terms,
conditions, obligations, and legal structures under which each GPA Regional Business
Unit engages with each and every other GPA Regional Business Unit.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”,
“Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same
meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1 Processor shall process the following types of Company Personal Data:
Company Personal Data type: Employee Name; Business e-mail address; Business phone
number(s); Company/Function/Title; Birth Date.
Data subject(s): Employees, contractors, subcontractors.
In processing the above types of Company Personal Data, Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company
Personal Data; and
2.1.2 not Process Company Personal Data other than on the relevant Company’s
documented instructions.
2.2 The Company instructs Processor to process Company Personal Data.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or
contractor of any Contracted Processor who may have access to the Company Personal
Data, ensuring in each case that access is strictly limited to those individuals who need to
know / access the relevant Company Personal Data, as strictly necessary for the purposes
of the Principal Agreement, and to comply with Applicable Laws in the context of that
individual’s duties to the Contracted Processor, ensuring that all such individuals are
subject to confidentiality undertakings or professional or statutory obligations of
confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of Processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, Processor shall in relation to the
Company Personal Data implement appropriate technical and organizational measures
to ensure a level of security appropriate to that risk, including, as appropriate, the
measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take into account the
risks that are presented by Processing, in particular from a Personal Data Breach.
5. Sub-processing
5.1 Processor shall not appoint any Subprocessor, or disclose any Company Personal Data
to any Subprocessor, unless required or authorized by the Company.
5.2 Any and all GPA RBUs are deemed authorized Sub Data Processors by the
Company under the understanding that each RBU has executed and maintains a valid
Principal Agreement with GPA B.V. and thereby a similar Data Processing Agreement
between it and GPA B.V.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Company
by implementing appropriate technical and organizational measures, insofar as this is
possible, for the fulfilment of the Company obligations, as reasonably understood by
Company, to respond to requests to exercise Data Subject rights under the Data
Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data
Protection Law in respect of Company Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented
instructions of Company or as required by Applicable Laws to which the Processor is
subject, in which case Processor shall to the extent permitted by Applicable Laws inform
Company of that legal requirement before the Contracted Processor responds to the
request.
7. Personal Data Breach
7.1 Processor shall notify Company without undue delay upon Processor becoming aware
of a Personal Data Breach affecting Company Personal Data, providing Company with
sufficient information to allow the Company to meet any obligations to report or inform
Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Company and take reasonable commercial steps
as are directed by Company to assist in the investigation, mitigation and remediation of
each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
8.1 Processor shall provide reasonable assistance to the Company with any data
protection impact assessments, and prior consultations with Supervisory Authorities or
other competent data privacy authorities, which Company reasonably considers to be
required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data
Protection Law, in each case solely in relation to processing of Company Personal Data by,
and taking into account the nature of the Processing and information available to, the
Contracted Processors.
9. Deletion or return of Company Personal Data
9.1 Subject to this section 9 Processor shall promptly and in any event within 10 business
days of the date of cessation of any Services involving the Processing of Company
Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those
Company Personal Data.
10. Audit rights
10.1 Subject to this section 10, Processor shall make available to the Company on request
all information necessary to demonstrate compliance with this Agreement, and shall
allow for and contribute to audits, including inspections, by the Company or an auditor
mandated by the Company in relation to the Processing of the Company Personal Data
by the Contracted Processors.
10.2 Information and audit rights of the Company only arise under section 10.1 to the
extent that the Agreement does not otherwise give them information and audit rights
meeting the relevant requirements of Data Protection Law.
11. Data Transfer
11.1 The Processor may not transfer or authorize the transfer of Data to countries outside
the EU and/or the European Economic Area (EEA) without the prior written consent of
the Company. If personal data processed under this Agreement is transferred from a
country within the European Economic Area to a country outside the European
Economic Area, the Parties shall ensure that any personal data is adequately protected.
To achieve this, the Parties shall, unless agreed otherwise, rely on an adequacy decision by
the European Commission, the EU approved standard contractual clauses for the transfer
of personal data of 4 June 2021, or another applicable data transfer mechanism as
deemed adequate by the GDPR.
12. General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives
about the other Party and its business in connection with this Agreement (“Confidential
Information”) confidential and must not use or disclose that Confidential Information
without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in
writing and will be delivered personally, sent by post or sent by email to the address or
email address set out in the heading of this Agreement, or at such other address as
notified from time to time by the Parties changing address.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of The Netherlands.
13.2 Any dispute arising in connection with this Agreement which the Parties are not
able to resolve amicably will be submitted to the exclusive jurisdiction of the courts of
The Netherlands.
Appendix 2: GPA Externally Published Privacy Policy
The following document expresses our commitments and approach to the management
of personal information. It explains what kind of personal data we collect and for which
purposes.
We recommend that you read it carefully. If you have any questions regarding the
processing of personal data, you can find contact details at the end of the document to
enquire further. This policy statement is applicable to all sources controlled or managed
by GPA from which Personal Information may be collected.
GPA ORGANIZATIONAL OVERVIEW
GPA B.V. (GPA) is the global parent management entity of a global consortium of
affiliated regional audio visual and collaboration technology integration companies.
Together, our goal is to provide customers one global source for all their audio, video, and
unified communications solutions.
Each GPA Regional Business Unit (RBU) is a separate and stand-alone corporate legal
entity; however, each is approved by GPA to operate within designated geographical
region(s) using GPA brand, policies, infrastructure, and operational models. Within
that structure, all RBUs are governed by and operate within the GPA Data Privacy &
Protection Policy.
INTENT
During the processing of personal data, as an EU (Dutch) registered corporate entity, GPA
aligns to the requirements of applicable data protection legislation such as the General
Data Protection Regulation (GDPR).
This means we:
- clearly specify our purposes before we process personal data, by using this privacy
statement;
- limit our collection of personal data to only the personal data needed for legitimate
purposes;
- first ask for explicit permission to process your personal data in cases where your
permission is required;
- take appropriate security measures to protect your personal data, and demand the
same from parties who process personal data on our behalf;
- respect your right to access, correct or delete your personal data held by us.
DATA PROCESSING AGREEMENTS
As separate legal entities, GPA and GPA RBUs should be considered separate controllers
of personal data. GPA does, however, maintain a standing sub data processing agreement
with, and in turn between, all its RBUs to ensure global GDPR compliance in the sharing
of personal data with and between each of these independent parties.
Any organization governed by the GDPR, and thereby considered a Data Controller either
because of its country of registration or the location of any of its employees, may request
the execution of a Data Processor Agreement with either GPA or a GPA RBU. This will
allow you to provide us specific instructions related to managing personal data related to
individuals within your organization. GPA maintains a templated Data Processor
Agreement we can provide upon request.
USE OF PERSONAL DATA: PORTALS & PLATFORMS
GPA maintains various user or customer specific web portals or software platforms within
which approved users may be able to access a management environment through which
they may undertake activities such as to set, specify, and change settings. If you are a user
of such a portal, we may keep track of your activities for proof of use or changes made.
For this purpose, we may use personal information including your name and address
details, phone number and email address. We need this data because of our agreement
with you. We store this information until our services to you have ended, or you
specifically request its deletion.
USE OF PERSONAL DATA: WEBSITE
When visiting our websites, we can use your personal data for the following purposes:
Contact Form
You can use our contact form to ask questions or make any request. For this purpose, we
use your name and address details, phone number, email address and the message you
wish to send to us. We do this based upon your consent. We store this information until
we are sure that you are satisfied with our response, or until you specifically request us to
no longer retain your information or communicate with you.
Cookies
During a user’s interaction with one of GPA's websites, GPA may use a cookie to collect
information anonymously and track user patterns. A cookie is a small text file containing a
unique identification number that identifies a user’s browser (but not the user personally)
each time a user visits one of the GPA websites. Cookies tell GPA which pages of its
websites are visited and how many people visited each web page. This helps GPA
understand interests and enhance the on-line experience. Cookies also serve to identify
the user's computer so that preferences can be saved for future visits and to help us with
items such as traffic management, research, and analytics.
The use of cookies is an industry standard, and many major browsers are initially set up to
accept them. You can reset your browser to either refuse to accept all cookies or to notify
you when you have received a cookie. However, if you refuse to accept cookies, you may
not be able to use some of the features available on GPA's websites.
USE OF PERSONAL DATA: CUSTOMER RELATIONSHIP MANAGEMENT (CRM) OR
OTHER INFORMATION MANAGEMENT SYSTEMS OR DATABASES
GPA processes personal data relating to both its business contacts and those of its RBUs,
using various software platforms and databases, including a Customer Relationship
Management (CRM) system. We initiate the collection of personal data relating to your
business in order to provide you with what we believe will be or are relevant products,
services or information, and therefore of legitimate interest to you. We may therefore
add that data to our CRM. This personal data may include name, job title, address details,
phone number and email address.
GPA and its RBUs use this data on the basis of either an explicit agreement or a consent
process undertaken with one or more of our organizations, where we believe it
serves a legitimate interest and/or is legally or otherwise necessary for us to do so. We
store this information in the CRM until we believe the services we have provided or
continue to provide to you have been completed, or any expectation of legitimate interest
no longer exists. Certain types of personal data will be retained for a longer period if
required by law (e.g., a statutory retention period).
As a result of our global RBU footprint, personal data may be visible to (transferred to)
other GPA RBUs in countries outside the European Union that do not have laws that
provide specific protection for personal data. We have taken steps to ensure all personal
data is provided with adequate protection.
PROVIDING DATA TO THIRD PARTIES
Except for the parties necessary to deliver the above-mentioned services, we do not
under any circumstances provide your personal data to other companies or organisations,
unless we are required to do so by law. Where your data will be provided to
a third party, we execute contractual mechanisms such as Data Processing Agreements
to clearly define and manage the limitations and requirements under which we are
providing such data and how it may and may not be used.
SECURITY
We have taken security measures to reduce misuse of and unauthorized access to
personal data. We take responsibility for the security of your personal data. We
consistently renew our security measures to ensure safe storage of personal data.
INSPECTION AND MODIFICATION OF YOUR DATA
You can always contact us if you have any questions regarding our privacy statement or
wish to review, modify, or delete your personal data.
You have the following rights:
- Right of access: you have the right to see what kind of personal data we process
about you.
- Right of rectification: you have the right to rectify any personal data we process
about you if this information is (partially) wrong.
- Right to complain: you have the right to file a complaint against the processing of
your personal data by us.
- Right to be forgotten: you can file a request with us to remove any personal data
we have processed about you.
- Right to data portability: if technically possible, you have the right to ask us to
transfer your processed personal data to a third party.
- Right to restriction of processing: you can file a request with us to (temporarily)
restrict the processing of your personal data.
If you exercise any of the rights mentioned above, we might ask you to identify yourself
with a valid ID, to confirm it is your personal data. If so, it is important that you hide your
social security number and photo.
We will usually respond to your request within 30 days. This term can be extended if the
request is proven to be complex or tied to a specific right. You will be notified about a
possible extension of this term.
CHANGES TO THIS PRIVACY STATEMENT
We reserve the right to modify this statement. We recommend that you consult this
statement on a regular basis, so that you remain informed of any changes.
INQUIRIES AND COMPLAINTS
If you wish to request the removal of your personal data, or if you wish to file a complaint
about our use of personal data, please send an email with the details of your complaint
to privacy@thinkgpa.com. We will act promptly, and will investigate and respond to any
complaints we receive.
If you think that we are not helping you in the right way, you have the right to file a
complaint with the relevant authority. For the Netherlands, this is the Dutch Data
Protection Authority (Dutch DPA) Autoriteit Persoonsgegevens.
Contact details of GPA B.V.
GPA B.V.
De Corridor 19
3621ZA Breukelen, NL
Appendix 3: GPA GDPR Factsheet
Since 25 May 2018, the General Data Protection Regulation (GDPR) has been the
applicable privacy legislation throughout the European Union (EU). The GDPR is aimed at
creating a fragmentation-free legal data protection system within all the Member States of the
EU. For companies, the EU becomes one large playing field that provides for obstacle-free
cross-border flows of personal data within the Union.
The GDPR is applicable to GPA Regional Business Units (RBUs) that are located within the EU, or
that process personal data relating to a person who is in the EU. In that event, it does not
matter if your organisation is not established in the EU or if the processing does not take place
within the EU. Also, if you are not located within the EU and the data does not relate to a person in
the EU, but you are subcontracting the execution of services to a GPA RBU in the EU, the GDPR is
also applicable.
Under the GDPR there not only needs to be a legal basis to process and exchange information
with other RBU’s, but there must also be appropriate safeguards for the protection of the
personal data. Please see the GPA Data Privacy & Protection Policy for additional information on
GDPR related guidelines relative to GPA.
This factsheet has been prepared to provide a simplified guide to help you understand the most
important GDPR aspects for you as a GPA RBU, and ends with a checklist. A GDPR Activity Flow
Chart also offers a simplified visual tool to assist you in understanding key considerations and
activities in your GDPR related considerations and actions.
If you are unsure whether anything associated with this policy or the GDPR generally applies to the
processing which you are (or think that you are) required to carry out as part of your work, or if
you understand that the customer is subject to the GDPR but is not willing to execute a Data
Processing Agreement, you need to proceed carefully:
- avoid sharing any personal data that is not essential with any third parties, whether within
your own organization, any other GPA RBU, a GPA infrastructure platform (i.e.
Insightly), or an outside third party;
- contact your own internal management for direction, especially if you are an RBU within
the EU and thereby should have your own regional GDPR policies and understanding;
- contact GPA Management (privacy@thinkgpa.com) to discuss the possibilities.
Personal Data and Data Subjects
Personal Data means any information relating to a person by means of which that person is
identifiable or can be identified. Personal data can be traced back to a person directly or
indirectly. A Data Subject is the person to whom certain personal data relates (a human being).
Personal data of data subjects includes, for instance:
- name and address details;
- gender;
- date of birth or age;
- IP address;
- email address;
- phone number;
- location data;
- employee personnel file.
All personal data is subject to the GDPR. Corporate information of a customer, such as a
company registration number or a generic email address such as info@company.com, and
anonymised data are not subject to the GDPR.
Special Personal Data
Personal data can additionally be qualified as 'special', meaning that it can only be processed
under strict conditions. Special Personal Data is data that directly or indirectly provides
information on someone's religion or personal beliefs, racial origin, political opinions, health or sex
life, as well as personal data on trade union membership.
An RBU should not purposely collect special personal data of its customers. However, customers
may include special personal data in messages sent to you. For instance, a customer may inform
you that he/she is not able to attend a meeting due to illness. You could record that this person is
absent, but you should not record the reason or nature of the illness.
If you are nonetheless required to process special personal data in a specific case, contact GPA
Management (privacy@thinkgpa.com), or any named privacy contact as determined within any
relevant RBU where applicable, as soon as possible to discuss how to address specific structures
and mechanisms to manage this.
Processing of personal data
The use of personal data is referred to as the processing of data, or data processing. It is important
for you to realise that the definition is very broad. Even erasing or accessing data is considered
a form of processing. Processing includes all actions performed with personal data, such as:
- storing data;
- deleting data;
- copying data;
- altering data.
This means that almost every action taken with personal data is subject to the GDPR. This
includes administering contact information and projects, but also using personal data to set up a
video-conference, or sharing the personal data with another GPA member.
It is important to understand that personal or other data should only ever be processed for
specific purposes, and only in the interest of the purposes for which it was collected. For instance,
to fulfil agreed services to the customer. Using data for other purposes is expressly forbidden. If
data is collected only to fulfil a contract with a customer, this data may not be used for direct
marketing.
Role division
Within the GDPR, role division and definition is very important. There are three main roles: the
Controller, the Processor and the Sub-processor. The Controller is the company that determines
the purpose and the means of data processing (ie: the customer). The Processor is the company
that processes personal data on behalf of the controller (ie: a GPA RBU).
To put this in context, if a customer chooses a GPA RBU (Originating RBU) to provide them with
AV/UC solutions etc., the customer is considered to be the controller of the personal data. The
Originating GPA RBU will process personal data related to their employees on their behalf and is
therefore the Processor. Although as an Originating RBU you determine independently how to
provide your service to the customer in the best way, you only do this to execute the customer’s
instructions.
A Sub-processor is a third party that is engaged by the Processor (with the consent of the
Controller) to support the Processor in delivering the agreed services scope, and thereby will also
have a need to process the Controller's personal data. As an example, in the event
a GPA RBU in the Netherlands (i.e. an RBU subject to the legal requirement of conforming to the EU
GDPR) is instructed by a customer to provide certain services in Chile, the Dutch GPA
RBU is subcontracting the Chilean GPA RBU to execute services. In this event the customer is
the Controller, the Dutch GPA RBU is the Processor and the Chilean GPA RBU is the Sub-
processor.
In the event of the opposite proposition where the GPA RBU in Chile is instructed by a Chilean
customer to provide certain services in the Netherlands, and the services are subcontracted to
the Dutch GPA RBU, the GDPR is also applicable. Because the Dutch GPA RBU (being the sub-
processor) is located within the EU, the whole chain of data processing between the customer
(being the controller) and the Chilean GPA RBU (being the processor) and the Dutch sub-
processor, must be GDPR compliant. Typically, even though the customer may be headquartered
in Chile, assuming we are executing a project in The Netherlands for a subsidiary with Dutch
employees, then that customer (or at least the subsidiary) is also bound legally to conform to the
GDPR.
Processing agreement
If you process personal data on behalf of a customer subject to the GDPR, an agreement between
you and the customer as controller, covering the processing and protection of personal data, will be
necessary. GPA has a sample/reference Processing Agreement, the "GPA Data Processing
Agreement Template", which can be either executed as a stand-alone document or included as a part of
any Master Agreement between you and the customer. This can be found on the GPA Intranet,
and/or by contacting GPA Management (privacy@thinkgpa.com). Alternatively, the Controller may
provide their own document template.
Legal basis for processing
As a starting point, the processing of personal data has to be based on one of the legal bases
mentioned within the GDPR, namely:
a. The data subject has given their consent.
b. The processing is necessary for the performance of an agreement with the data subject
(for instance, in the case of data that is processed for the performance of a contract with a
customer).
c. The processing is necessary for compliance with a legal obligation (for instance, storing
financial data for tax purposes).
d. The processing is necessary for the vital interests of the data subject (for instance, a serious
situation in which data must be processed to save someone's life).
e. The processing is necessary for the legitimate interests of GPA, provided those interests are
not overridden by the interests or fundamental rights and freedoms of the data subject.
Generally, as you are processing personal data to provide your services to the customer, the legal
basis would be ‘necessary for the performance of an agreement’. Do not be too quick to assume
that basis applies, because the right to privacy is a fundamental right that should not easily give
way to other interests.
Responsibility
The primary responsibility within the GDPR rests with the Controller, meaning it is their obligation
to ensure a legal structure is in place for the processing of data associated with their employees
that meets the GDPR's requirements. However, there is still an onus on the Processor to comply with
the GDPR, meaning the Processor still carries an obligation to ensure a Data Processing
Agreement is executed that defines what they as a Processor can and cannot do with the
Controller's personal data. It is then the legal obligation of the Processor to conclude a
comparable processing agreement with any Sub-processor they engage, if and when applicable.
Privacy principles
Based on the principle of Privacy by Design (which has been included in written law with the
GDPR), privacy has to be taken in mind while developing products and services (e.g. by
implementing privacy-enhancing technologies) and organising ‘privacy-friendly’ standard
settings. Relevant data protection principles in this regard are the principles of purpose
limitation and data minimisation.
Purpose limitation means that it is not allowed to process data for other (incompatible) purposes
than for which it was originally collected, while the aim of the principle of data minimisation is to
process as little data as possible.
Other rules and principles that have to be kept in mind by the controller are:
- that personal data may only be processed in a lawful, fair and transparent manner (which
means that there has to be a legal basis for the processing, and that the data subject has
to be informed about the processing);
- the data has to be kept accurate and relevant (so you should keep your databases up-to-
date);
- retention periods have to be set (retaining personal data for an indefinite period of time is
not allowed);
- personal data has to be processed in an adequately secure way.
Rights of the data subject
Based on the GDPR, data subjects (the individuals within the Controller's organisation to whom
the data being processed relates) can exercise the following rights with regard to the Controller's
responsibilities: the rights of access, rectification, erasure, restriction of processing, data
portability, objection and withdrawal of their consent, the right not to be subject to an automated
decision, and the right to lodge a complaint with a supervisory authority.
The role of the processor is to assist the Controller in meeting those responsibilities based on
arrangements laid down in a data processing agreement. In the event you receive a request
directly from a data subject, refer the data subject back to the Controller organization (ie: the
customer) and inform the Controller accordingly.
Data breach
In brief, a data breach is anything that goes wrong with personal data. There is always a risk of a
data breach when personal data is processed. In case of a data breach which results in a risk for
data subjects, the controller has to notify the supervisory authority within 72 hours of discovery of
the breach. In some cases the data subjects must be informed as well, namely if the data breach
results in a high risk for data subjects.
A high-risk breach might include a data activity that could cause a potential for
identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data
protected by professional secrecy, or any other significant economic or social disadvantage to the
person concerned. Events such as:
- a hacker accessing your computer network and taking customer data;
- a lost storage device (e.g. a hard drive or USB stick) that contains files including personal data;
- a malicious staff member copying customer data and selling or supplying that data to
a third party;
- the accidental supply of a database file or document containing large amounts of personal data
to an unintended recipient;
- a user password to a platform in which large amounts of personal data are stored being
shared with an unintended or unapproved third party who may subsequently have been
able to access the platform.
In these situations, breaches as noted above would typically not be considered high risk only if it
could be incontrovertibly proven that the data taken or shared had been deleted before it was
accessed or distributed, or if the data within the breach was encrypted or anonymized.
Lower-risk events, which have lower potential risk but should still be evaluated, might include:
- a lost laptop that has personal data stored on it, but is not accessible without a password;
- an email that is sent to a large group of recipients within the "to" or "cc" address fields who
are employed within organization(s) not covered by a data processing agreement, thereby
exposing the individual email address of each recipient to every other recipient.
Notification obligations for data breaches that are discovered by or have taken place at the
Processor can be defined within the data processing agreement with the Controller. The same
goes for the notification obligations of the sub-processor. While the 72-hour notification timeframe
for "high risk" data breaches should always be a goal, given that the personal
data typically processed by GPA and its business units that could create great "risk" for a subject
is minimal, the templated GPA data processing agreement simply denotes that the
Processor should inform the Controller within a reasonable period after becoming aware of a
data breach. The GPA standing Sub-processor agreement, however, being the standard to be
followed among GPA RBUs, requires a sub-processor to notify the Processor within 48 hours to
allow the Processor (and therefore the legally liable party) to determine the severity of the breach and
make any decisions as to the urgency of any notification to the Controller, if applicable.
GDPR & Marketing Activities
Under the GDPR, organisations cannot send marketing messages via electronic media without what is
termed active, specific consent. Electronic media includes text, voice, sound or image messages
sent over a public electronic communications network, i.e. emails, texts, picture messages,
voicemail, social media messages, video messages and any other message that can be stored
electronically.
In practical terms this means that, as a data processor, you can only send such messages to parties
within a data controller organization if:
- the individual has specifically consented;
- they are an existing customer who previously bought a similar service or product and
were given a simple way to opt out; or
- there is a Data Processing Agreement between you as the Data Processor or Sub-
processor and the Data Controller organization that explicitly allows for this.
The rule concerning existing customers is sometimes called ‘soft opt-in’. In simple terms, the
regulation means that if a person has previously bought something from and given their details
recently and did not choose to opt out of marketing messages, then they are most likely happy to
receive marketing collateral. It’s assumed that because they did not opt out, they are happy to
receive information about similar products even if they haven’t actively consented. However, for
this to be admissible, they must have been given a clear and easy opportunity to opt-out. This
should be offered when their initial data is collected and included in every subsequent message
sent. This rule therefore means that while information can sometimes be sent by email or text to
existing customers, it does not apply to new contacts or potential customers who have not had
an opportunity to provide consent in any form.
Direct physical mail is less restricted in terms of GDPR regulations, however recipients should still
be expected to have a legitimate interest in the communication, and the mail should have
minimal impact on their privacy.
In the context of GPA marketing activities, you as an individual or an organization should
not provide the GPA B.V. marketing team or any other RBU marketing team with contact emails of
individuals within customer organizations if you believe the supply of such emails may not meet the
criteria noted above.
Processing outside the EU
GPA and its business units are in a unique situation where we have independent corporate
entities both within the EU and outside, but all are bound together for global opportunities by an
EU based entity in GPA B.V.
From a legal standpoint, where a Controller is EU based and a Processor is outside the EU, the
primary legal responsibility sits with the Controller to impose GDPR contractual mechanisms
and restrictions on the Processor, given the Processor is not within EU jurisdiction. Similarly, for a
non-EU Controller being serviced by an EU based Processor, the Processor has a primary legal
obligation to abide by the GDPR guidelines for data processing even if the Controller's
organization is external to the EU. That primary legal responsibility and jurisdictional presence
does not mean, however, that the EU may not try to take action against one or both parties if the
GDPR rules are being broken. Typically, if activities by the non-EU entity are occasional they
will face little consequence, but if the EU considers the entity is consistently doing business
relative to the EU jurisdiction, it will take action in whatever way it can. When GPA is added
in the middle of this equation as an EU entity, in theory GPA could face liability as a sub-
processor for any data privacy breach independent of the scenario, hence the importance of
adherence to the GPA privacy policy whenever data associated with EU related individuals is
processed, irrespective of where an RBU is based. So, for simplicity's sake, assume that for any
inter-RBU opportunity where any individual within the customer's organization may be based
within the EU, compliance with the GDPR is required.
The GDPR indicates that any processing of personal data governed by the GDPR
outside the EU, more specifically outside the European Economic Area (EEA), is only allowed if
there are adequate safeguards. Article 26(2) of Directive 95/46/EC (the predecessor of the GDPR;
the equivalent provision is now Article 46 of the GDPR) provided minimum terms
for these contractual safeguards; however, for the purposes of simplicity, the GPA Standard Data
Processor Agreement is preferred to ensure full alignment of GPA workflows and structures. But
beware: your customers can request that data simply does not leave the EU at all. If such a
request is ever made, notify GPA Management (privacy@thinkgpa.com), as it will limit the
capacity to enter that data into any GPA platform, given none of these platforms have user
access limited geographically.
Data Protection Officer (DPO)
It might be required for your company to appoint a DPO. A DPO is an independent person within
the organization who advises and reports on compliance with the GDPR.
Appointing a DPO is mandatory if you process sensitive personal data such as health data on a
large scale, or if you observe people on a structural basis (physically or digitally). A DPO can be
someone who is appointed internally, but may also be someone who is appointed externally, such
as a (virtual) privacy officer.
Generally, due to the nature of the activities, a GPA RBU is not obliged to appoint a DPO.
Data Protection Impact Assessment (DPIA)
A DPIA is a comprehensive investigation to map out privacy risks and to remove them as much as
possible. A DPIA is required if the planned processing entails high risks for the privacy of data
subjects. By doing a DPIA the risks of this planned processing are being assessed and can be
qualified. After this, it can be determined what risks are acceptable and what risks are not. This
provides you with argumentation to decide about whether to start the planned processing or not
based on the risks involved. As with appointment of a DPO, due to the nature of GPA activities a
DPIA is not typically required unless there is concern atypical and highly sensitive data might be
processed.
Awareness & internal policies
To fulfil the requirements of the GDPR, all RBU staff members involved in GPA inter-RBU business
activities, whether within an EU based RBU or otherwise, must be made aware of the GDPR and
GPA's related policies, given the likelihood of handling personal data protected under the GDPR.
In particular, staff must understand how to treat personal data in a secure way, what a (potential)
data breach is, and what to do if they discover such a breach.
Records of processing activities
Based on the GDPR, almost every organisation has to create its own records of processing
activities. Within the records of processing activities, the processor should lay down the following
elements: name and contact details of the processor (and, if appointed, the DPO) and of the
controllers on whose behalf the processor is acting, the categories of processing carried out on
behalf of each controller, transfers of the personal data outside the EU, and a general description of
the technical and organisational security measures taken to protect the personal data.
The records of the controller should include all the same elements, and in addition: the purposes
of the processing, the categories of data subjects, the categories of personal data, the categories
of recipients of the personal data (inside and outside the EU) and retention periods for the
categories of personal data.
The records are internal documents that do not have to be published, and that can be laid down
in any form you like (e.g. an Excel sheet or a dedicated program), as long as all the elements are
documented. However, the supervisory authority can request insight into them.
Conclusion
Protecting your organization, and GPA as a whole, from GDPR disputes starts with owning your
responsibilities. Even where a Data Processing Agreement is in place, your goals in enabling the
ability for any individual within your organization to access, modify or utilize (process) any data
must be based on the ability to:
- justify the grounds of legitimate interest between you and the customer, and the role of the
individual processing the data in supporting that interest;
- explain the purpose of processing this personal data;
- demonstrate the necessity for such data processing.
www.thinkgpa.com
Appendix 4: GPA GDPR Checklist & Flowchart
Checklist
The GDPR applies if you are located within the EU, expect to process data related to European
data subjects, and/or intend to subcontract a GPA RBU in the EU to process data related to
such data subjects.
Furthermore, if you are located within the EU, you must comply with the GDPR not only
regarding the personal data of customers, but also that of job applicants, employees, prospects etc.
Given GPA B.V. is an organization registered within the EU, the GDPR has implications for every
GPA RBU that uses any GPA workflow, platform, or other means to process personal data.
In order to offer guidance on what to do and where to begin in preparing to comply with the GDPR,
we have created a short checklist for you as a GPA RBU to reference for any instance in which the
GDPR will apply:
1. Reference the GPA GDPR policy and guidelines;
2. Create awareness within your organisation and involve your staff in preparing your
organisation to comply with the GDPR;
3. Create records of processing activities by starting with mapping the personal data flow(s)
within your organisation, and the systems and third parties involved in the processing of
this personal data. This includes other GPA members, but also any IT, tax or administrative
service providers;
4. Determine your role in every contract with a customer: are you a controller, processor or
sub-processor?
5. In case you are a controller, check if you comply with all the privacy principles and if your
legal grounds for the processing are GDPR-proof. If you are located in the EU, you are a
controller of the personal data of job applicants, employees and prospects;
6. If you are a processor, check if the controller has determined appropriate purposes and
means of processing;
7. Regardless of your role, check whether you can fulfil the exercise of legal rights by data subjects:
are you, for example, able to delete personal data or adapt it?
8. Check whether you have concluded data processing agreements with all the parties who
have access to the personal data you process, and if you have taken additional suitable
measures to process personal data outside the EU if applicable;
9. In case you have planned to start a high-risk processing activity, contact the central
privacy contact to help carry out a DPIA;
10. Take adequate organisational and technical security measures, check them regularly and
create internal guidelines about security; keep your security level up to date with the latest
standards of security within your field;
11. Create internal policies about the handling of personal data by your staff, and what should
happen internally if a (potential) data breach occurs (e.g. who will notify, who will
document the breach);
12. Check whether appointing a DPO is required for you.
Additionally we have created a GDPR Compliance Decision Flowchart that allows you to consider
a range of questions which will in turn direct you to whether the GDPR applies and how you should
likely proceed, and points you to sections of this factsheet for further clarification. If these tools
still fail to resolve any questions or concerns you may have as to how to proceed, as a reminder, do
not proceed in “processing” (sharing or utilising) any personal data until you:
- contact your own internal management for direction, especially if you are an RBU within
the EU and thereby should have your own regional GDPR policies and advisory resources;
- contact GPA Management (management@thinkgpa.com) to discuss the situation further.
GDPR Compliance Decision Flowchart
- You may continue your activities. Many non-EU countries have some form of Data Privacy
limitations, so please be aware of this in your own country, or consult your peer RBUs as
necessary for requirements in other countries.
- Will the personal data be processed on behalf of a customer? (ref: GDPR factsheet, pg. 1-2)
- The Customer should determine the purposes and means of processing, and you should
conclude a Data Processing Agreement (DPA) with them. GPA has a specific DPA template
that is preferred to be used in order to address GPA specific considerations.
- Is there a GPA template based DPA in place, an alternate DPA that addresses GPA BV and
GPA RBUs as approved Sub Data Processors, or an otherwise valid contractual structure to
allow you to share personal data within GPA? (ref: GDPR factsheet, pg. 2-3)
- DO NOT PROCEED: You are not legally allowed to share your customer’s data outside of
your own organization! Refer to your RBU leadership, or GPA Corporate staff for additional
advice.
- Will the personal data be processed by you on behalf of another GPA RBU, or on behalf of
GPA BV itself, who are in turn processing the data on behalf of a customer?
- The purpose and means of data processing, and the legal framework to do so, should be
provided by the Originating RBU for the request, or revert to the previous step and execute
a DPA directly with the customer. Is this the case?
- Given there is no DPA in place between you and the organization to whom the personal data
relates, is there a legal basis (e.g. their consent) for the processing of personal data in the
way you intend?
- DO NOT PROCEED: Given the individual whose data you are processing is protected under
the GDPR, you are not legally allowed to process this data. Refer to your RBU leadership, or
GPA Corporate staff for advice before proceeding. (ref: GDPR factsheet, pg. 3 & 4)
- Will the personal data be processed in the legitimate interest of the subject?
- Will you require a 3rd party organization outside of GPA B.V. or GPA RBUs to process the
customer’s personal data in support of your own activities?
- Is the use of the 3rd party defined and approved within the DPA with the customer, and
additionally has a Sub Data Processing Agreement with the 3rd party been executed, either
utilizing the GPA Sub DPA template, or an otherwise valid Sub DPA that allows you to share
personal data with the 3rd party?
- You may continue your activities within any contractual or legal data processing
limitations in place.
- Is the personal data related to a GPA BV or GPA RBU employee?
- A standing contractual structure is in place between all GPA RBUs and GPA to allow the
processing of each other’s employee related personal data, so no further contractual
structure is required. (ref: GDPR factsheet, pg. 2-3)
- (ref: GDPR factsheet, pg. 5)
GDPR Compliance Decision Flowchart (continued)
- Inside the European Economic Area (EEA): A Sub Data Processing Agreement needs to be
concluded. GPA has a specific template for this.
- Outside the European Economic Area (EEA): Appropriate safeguards under the GDPR must be
taken before the data is transferred. Please contact GPA leadership to review.
- Data Processing Records: All processing activities related to the personal data of EU based
subjects need to be properly documented and recorded by both the Processor and the
Controller of the relevant data. Please refer to GPA’s Data Privacy Policy, and leadership
within your own organization, to understand any specific requirements you may need to
follow in doing so, but generally ensure you have a record of the nature of the authority
under which you proceeded.
- Will any personal data be transferred outside your own organization (e.g. to GPA, another
RBU, or a 3rd party)?
- No agreement regarding the processing of personal data needs to be concluded; you must
simply remain within the guidelines of your own organization’s data privacy regulations and
your own country’s laws.
- Will any personal data be transferred to a 3rd party?
- Will the data be transferred to GPA, or a GPA RBU within the European Economic Area (EEA)?
- Is the processing strictly necessary to achieve the purpose of the processing?
- DO NOT PROCEED: Given the individual whose data you are processing is protected under
the GDPR, you are not legally allowed to process this data. Refer to your RBU leadership, or
GPA Corporate staff for advice before proceeding.
- Will any personal data be transferred to GPA or another GPA RBU?
- A standing Sub Data Processor Agreement is in place between all GPA RBUs and GPA to
allow processing of personal data between RBUs. Proceed with caution, follow GPA Data
Privacy Policy, and consult with GPA/RBU leadership if necessary; however, no additional
contract structure should be required.
- Stay Alert: GDPR compliance is a continuing commitment. Always stay alert and ask yourself
whether a) it is necessary, and b) allowed to process the personal data you maintain. And
remember, processing can be as simple as retaining an individual’s contact information as
opposed to actively using it. When in doubt, always consult privacy related leadership within
your own organization, and/or GPA.
- (ref: GDPR factsheet, pg. 6)
- (ref: GDPR factsheet, pg. 7)
Appendix 5: FAQ
GDPR for sales & marketing activities:
Q. Do I only need consent if I’m sending bulk emails? What about individual outreach?
A. There is no legal difference between bulk emailing and one-to-one emailing when it
comes to cold outreach under GDPR. That means even your “Just reaching out” emails
need to have prior consent in order to be legal. If you’re unsure if you have consent from a
prospect to contact them, you probably don’t.
Q. Can I send sales emails to someone I met at a conference or meet up?
A. The concept of “consent” still applies for leads to receive sales emails or calls from you, as
does the capacity to record that consent. As above, that could be as simple as writing a short
note in your contacts database such as:
“I met Jim at X tradeshow and he asked me to follow up with him about our
product/service.”
Alternatively, you can include your reason for reaching out to them in a follow up email
and ensure you retain the copy of the email for reference purposes:
“Hey Jim! We met at the X conference last week and you asked me to follow up
with more information about how my company can help you out with X, Y, and Z.”
If you receive a referral from a current customer, ideally, you would have the current
customer send an introductory email explaining why they’re putting you in touch.
Otherwise, you need to make sure you explain how you got their information and why
they would want to talk to you.
Q. Is simply entering a contact’s information into my personal contact database OK?
A. Strictly not without their specific or implied consent. That doesn’t necessarily mean that
you have to have had them sign a form or send you an approval email. If a contact
provides you their business card, or requests for you to contact them in some form, that is
a form of consent.
Q. What about entering a contact’s information into GPA’s central CRM?
A. Because, through this policy, GPA RBUs have a formal Data Processing contractual
structure in place to properly process data between each other, and have a process to notify
each other if a data privacy breach were to occur, in theory there should be no difference
in the consent required for you to process that individual’s data within your own personal
contacts database or in a wider database like GPA’s. However, the potential for its misuse
grows with the number of people who might have access to it, which further accentuates the
need for documentation of the consent provided.
Q. How explicit must the consent be relative to the activity the information will be used
for?
A. When a prospect gives you consent, you need to be open and transparent about what
you’re using that consent for. For example, if a prospect gives you their email to send them
an eBook, you can’t then use that as consent to send them sales emails or unrelated
content.
Q. How does consent change if there is a Data Processing Agreement (DPA) in place
between my organization and my contact?
A. A DPA provides a limited degree of consent to process the personal data associated with
individuals within the “Controller’s” organization related to the scope of work that DPA
covers (a DPA could be project specific, or ongoing). In the case of a DPA, the
organization is granting you authority to store their employees’ information relative to
fulfilling the legitimate interests of operating their business, and is now responsible for
managing the proper use of their employees’ data with the Data Processor. So, in this
instance you do not need the individual’s consent as long as you stay within the
limitations of use specified within the DPA.
Q. How do I record “consent”?
A. Because consent is such an important part of being GDPR compliant, you should always
record when and how it was given. Whether entering data into your own contact
database, or a central GPA database, it is important to make a note of where, when, and
how the confirmation/approval to process the subject’s information was provided.
If a prospect emails you and asks why you have their information, you need to be able to
say: “Here’s where we got your data. Here’s the link to our privacy notice (the individual RBU’s,
or GPA’s, which is posted on our website). And here’s the process to unsubscribe.”
Q. How does GDPR affect cold calling?
A. Cold calls to a company aren’t as restricted under GDPR as cold emails. That’s great news
for all those sales teams that are already seeing success with cold calling. However, make
sure the offer is clearly directed at the business entity, not at any specific person within the
company.
When cold calling individuals instead of companies, most local laws (UK, Germany, France,
The Netherlands, for instance) require consent from prospects (see the questions above
for the consent requirements). Before starting a cold calling project, investigate whether
your local legislation still allows cold calling without consent. EU legislation is being
finalized, which will make consent required throughout the EU.
Q. What if I am contacting someone through a Platform like LinkedIn, or a contacts
database service like ZoomInfo?
A. In the case of LinkedIn, each individual has made a choice to publish their information on
that platform, and so have in essence provided consent for you to contact them using the
information they have shared. As long as you operate only using the information provided
on that platform, and do not subsequently store or process that information outside of
that platform, there is no legal data processing limitation.
In the case of ZoomInfo specifically, they do have a Data Privacy policy and workflow,
meaning whenever an individual governed by the GDPR for example is added to their
database, the individual receives an email and is given an option to unsubscribe. In that
instance ZoomInfo bears the legal liability for managing the individual’s personal data
based upon their consent, and should reflect that in their published policies and/or
contractual terms and conditions of subscribing to their service.
If however you purchase or subscribe to a 3rd party contacts database, as an organization
you do bear a responsibility to do some due diligence to determine to the best of your
abilities that the provider is compliant with data privacy regulations in the region(s) the
contacts they are providing are based. Failure to do so could leave you with a potential
liability.
GDPR for hiring and recruitment:
Q. How long can I keep CVs and applications after rejecting an applicant?
A. It can be useful to keep recruitment records on file, even if the applicant is not
immediately hired. For a short period, the records can be kept on file without the
applicant’s consent. A good practice is four weeks after the rejection. If there is a plausible
reason, that period may be longer. Delete the records in any case within six months. Ask
for consent if you wish to keep records on file for longer, to use them for future job
openings.
Q. Can I perform pre-employment screenings?
A. Pre-employment screening is allowed only when real risks are involved with the job. In
such cases, inform applicants about the relevant details of the screening at an early stage.
Perform the screening at the latest possible stage of the process, so that you only receive
screening results for a small group of potential hires. Perform the screening in a proportionate
way: use the least intrusive measures possible for the risks involved.
Q. Can I send CVs and applications to colleagues involved in the process?
A. Anyone who actually needs to be involved in the hiring process can get access to the
recruitment records. Accessing the documents from a shared folder is preferred over
e-mailing them to everyone. More copies of the documents in inboxes and outboxes means
more risk and more difficulty in deleting them all.
Other Considerations:
Q. What are the implications around email - in particular emailing multiple people from
different organizations?
A. An individual’s email address is considered personal data. You are therefore potentially
breaching their data privacy if you expose their email address to third parties. Specific
versus implied consent should be considered here.
- Emailing a large group of contacts within the same customer organization, even if
they aren’t all familiar to each other, should not be a concern as their information
should be available to each other within their organization. It is even less of a concern
if there is a DPA in place between your and their organization.
- Emailing a wider group of stakeholders from multiple different organizations
relative to a specific project is likely not a breach given the necessary and
legitimate nature of the activity, even if they haven’t each provided specific
approval.
- Forwarding an email with a past email trail embedded to a loosely related 3rd party,
thereby exposing multiple of the original parties’ email addresses, could be a breach.
- Sending a general email (e.g. an invitation to an upcoming event) to multiple
unrelated recipients that exposes all email addresses to each other would be a
breach (use the bcc field in such instances).
Generally, always be conscious of whether you are exposing multiple email addresses, and if so
whether you indeed need to or could take an alternate approach.
Q. How long can I keep any individual’s information on file?
A. That answer depends upon the continued legitimate interest to do so. A customer
contact that has changed roles within their organization and is no longer engaged in any
activities related to you, should be removed as part of some form of periodic review and deletion
effort. An individual you have had a relationship with for many years and still remains an ongoing
point of contact can remain for as long as that relationship is sustained.
Appendix 6: GPA Data Processing Agreement Template
This Data Processing Agreement (“Agreement”) forms part of the Contract for
Services (“Principal Agreement”) between
_____________________
_____________________
_____________________
(the “Company”) and
_____________________
_____________________
_____________________
(the “Data Processor”)
(together as the “Parties”)
WHEREAS
(A) The Company acts as a Data Controller.
(B) The Company wishes to contract certain Services, which imply the processing of personal
data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the
requirements of the current legal framework in relation to data processing and with the
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement
shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on
behalf of Company pursuant to or in connection with the Principal Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the
data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means the GDPR and laws implementing or supplementing the
GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a
Subcontracted Processor, or between two establishments of a Contracted Processor, in each
case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data
transfer agreements put in place to address the data transfer restrictions of Data Protection
Laws);
1.1.9 “Services” means the audio visual and collaboration technology related services the Company
provides.
1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process
Personal Data on behalf of the Company in connection with the Agreement.
1.1.11 “GPA” refers to GPA B.V., an organization duly incorporated in the Netherlands.
1.1.12 GPA “Regional Business Unit” refers to any organization authorized as such by GPA, which
in doing so: a) is a certificate holder and thereby partial owner of the GPA Foundation, the
foundation being the sole shareholder of GPA B.V.; and b) maintains a standing contractual
agreement between itself and GPA B.V. to govern its actions as a designated GPA Regional
Business Unit.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”,
“Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as
in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1 Processor shall process the following types of Company Personal Data:
Company Personal Data type | Data subject
Name | [e.g. customer, prospect, end user. Please complete for all types listed left.]
Business e-mail address |
Business phone number |
Company/Function/Title |
In processing the above types of Company Personal Data, Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
and
2.1.2 not Process Company Personal Data other than on the relevant Company’s documented
instructions.
2.2 The Company instructs Processor to process Company Personal Data.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or
contractor of any Contracted Processor who may have access to the Company Personal Data,
ensuring in each case that access is strictly limited to those individuals who need to know / access
the relevant Company Personal Data, as strictly necessary for the purposes of the Principal
Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the
Contracted Processor, ensuring that all such individuals are subject to confidentiality
undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope,
context and purposes of Processing as well as the risk of varying likelihood and severity for the
rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data
implement appropriate technical and organizational measures to ensure a level of security
appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the
GDPR.
4.2 In assessing the appropriate level of security, Processor shall take into account in particular
the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Sub-processing
5.1 Processor shall not appoint or disclose any Company Personal Data to any Sub-processor
unless required or authorized by the Company.
5.2 GPA, or any GPA Regional Business Unit, shall automatically be deemed as authorized Sub
Data Processors by the Company under the understanding that a standing Sub Data Processing
Agreement exists between the Processor and each and all such GPA Sub Data Processing parties,
thereby ensuring the terms of this agreement are upheld.
5.3 The following Data Sub-Processors are hereby named additional to those referenced in 5.2, for
which the Company authorizes the Data Processor to execute Data Sub-processing Agreements
in alignment with the terms of this agreement.
(Delete this clause if not applicable, or denote “None” below)
5.3.1 ________________________________________________________________
5.3.2 ________________________________________________________________
5.3.3 ________________________________________________________________
5.3.4 ________________________________________________________________
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Company by
implementing appropriate technical and organisational measures, insofar as this is possible, for
the fulfilment of the Company obligations, as reasonably understood by Company, to respond to
requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data
Protection Law in respect of Company Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of
Company or as required by Applicable Laws to which the Processor is subject, in which case
Processor shall to the extent permitted by Applicable Laws inform Company of that legal
requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a
Personal Data Breach affecting Company Personal Data, providing Company with sufficient
information to allow the Company to meet any obligations to report or inform Data Subjects of
the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Company and take reasonable commercial steps as are
directed by Company to assist in the investigation, mitigation and remediation of each such
Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
8.1 Processor shall provide reasonable assistance to the Company with any data protection
impact assessments, and prior consultations with Supervisory Authorities or other competent
data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of
the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation
to processing of Company Personal Data by, and taking into account the nature of the Processing
and information available to, the Contracted Processors.
9. Deletion or return of Company Personal Data
9.1 Subject to this section 9 Processor shall promptly and in any event within 10 business days of
the date of cessation of any Services involving the Processing of Company Personal Data (the
“Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
10. Audit rights
10.1 Subject to this section 10, Processor shall make available to the Company on request all
information necessary to demonstrate compliance with this Agreement, and shall allow for and
contribute to audits, including inspections, by the Company or an auditor mandated by the
Company in relation to the Processing of the Company Personal Data by the Contracted
Processors.
10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that
the Agreement does not otherwise give them information and audit rights meeting the relevant
requirements of Data Protection Law.
11. Data Transfer
11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU
and/or the European Economic Area (EEA) without the prior written consent of the Company. If
personal data processed under this Agreement is transferred from a country within the European
Economic Area to a country outside the European Economic Area, the Parties shall ensure that
any personal data is adequately protected. To achieve this, the Parties shall, unless agreed
otherwise, rely on an adequacy decision by the European Commission, the EU approved standard
contractual clauses for the transfer of personal data of 4 June 2021, or another applicable data
transfer mechanism as deemed adequate by the GDPR.
12. General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the
other Party and its business in connection with this Agreement (“Confidential Information”)
confidential and must not use or disclose that Confidential Information without the prior written
consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and
will be delivered personally, sent by post or sent by email to the address or email address set out
in the heading of this Agreement, or at such other address as notified from time to time by the
Parties changing address.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of The Netherlands.
13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to
resolve amicably, will be submitted to the exclusive jurisdiction of the courts of
_____________________________.
14. Additional Terms
14.1 In order to ensure alignment of this agreement to the standing Data Sub-processing
Agreement between Data Processor, GPA, and its Regional Business Units, the following
additional terms, restrictions, or clarifications are specifically noted by the Company beyond those
noted above. The Data Controller in turn commits to ensuring any and all related Sub Data
Processor agreements are updated accordingly to these additional specifics.
(Delete this clause if not applicable, or denote “None” below. Where simply left blank this will be
considered as “None”)
14.1.1 ___________________________________________________________________
14.1.2 ___________________________________________________________________
14.1.3 ___________________________________________________________________
14.1.4 ___________________________________________________________________
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out
below.
Data Controller Company Name: _______________________________
Signature: _______________________________
Authorized Signatory Name: _______________________________
Title: _______________________________
Date Signed: _______________________________
Data Processor Company Name: _______________________________
Signature: _______________________________
Authorized Signatory Name: _______________________________
Title: _______________________________
Date Signed: _______________________________
Appendix 7: GPA Sub Data Processing Agreement Template
1 PARTIES
1.1 This agreement on collection, storage and use of documents and information (hereinafter
the ”Sub Data Processing Agreement”) is deemed to stand between
GPA B.V.
De Corridor 19,
3621 ZA
Breukelen, NL
(hereinafter referred to as the “Data Processor”)
and
__________________________
__________________________
__________________________
__________________________
(hereinafter referred to as the “Sub Data Processor”)
(hereinafter jointly referred to as the “Parties” and individually as “Party”)
2 DEFINITIONS
2.1 Terms and expressions with capital first letters used in this Sub Data Processing Agreement
shall have the meanings set out in the General Data Protection Regulation (EU Regulation
2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, hereinafter the "GDPR") or the meanings
otherwise defined in this Sub Data Processing Agreement.
2.2 “Data Subject” shall mean the identified or identifiable natural person to whom Personal Data
refers.
2.3 “Pre-approved Subcontractors” shall be the subcontractors of Sub Data Processor, stated in
Appendix 1.
2.4 “Third party” shall mean a natural or legal person, public authority, agency or body other than
the Data Subject, the Data Controller, Sub Data Processor, the Data Processor and persons who,
under the direct authority of the Sub Data Processor or Data Processor, are authorized to process
Personal Data.
2.5 “Sales and Delivery Terms” shall mean any direct or indirect agreement or scope related to the
provision of [Audio Visual Communication and Collaboration solutions and/or services] entered
into by and between the Sub Data Processor and the Data Processor on [Date].
3 SCOPE
3.1 This Sub Data Processing Agreement concerns the Parties’ obligations in regard to processing
of Personal Data.
3.2 Under this Sub Data Processing Agreement, the Data Processor shall solely or jointly with
other parties decide for what purpose and by use of what tools Personal Data may be processed.
Data Processor shall instruct the Sub Data Processor hereon.
3.3 This Sub Data Processing Agreement shall apply to all the Sub Data Processor’s current and
future deliveries under the Sales and Delivery Terms to all companies within Data Processor’s
group of companies, for whom the Sub Data Processor processes Personal Data.
3.4 This Sub Data Processing Agreement shall supplement and form part of the Sales and
Delivery Terms. In case of any inconsistencies between this Sub Data Processing Agreement and
any subsequently negotiated Sales and Delivery Terms, this Sub Data Processing Agreement shall
prevail unless specifically and categorically stated and acknowledged otherwise.
3.5 The Sub Data Processor shall comply with the GDPR and other applicable national data
protection legislation.
3.6 Any Personal Data processed pursuant to this Sub Data Processing Agreement is proprietary
to the Data Processor.
4 PRIOR SPECIFIC OR GENERAL WRITTEN AUTHORISATION
4.1 Sub Data Processor shall process the following types of Company Personal Data on behalf of
Data Processor.
Company Personal Data type:
Name
Business e-mail address
Business phone number
Company/Function/Title
[other]
[other]
[other]
4.2 Data Processor has received its instructions in regard to the Personal Data from the Data
Controller, which is a customer to the Data Processor.
4.3 Data Processor instructs the Sub Data Processor to process the Personal Data in order for the
Data Processor to provide its services to the Data Controller.
4.4 If the Sub Data Processor considers that any instructions from the Data Processor contravene
or infringe statutory regulations, including the GDPR or other EU or applicable member state
data protection provisions, the Sub Data Processor must notify the Data Processor hereof
immediately.
4.5 The Sub Data Processor is not entitled to make use of Personal Data, information or otherwise
provided by Data Processor, for purposes other than fulfilment of this Sub Data Processing
Agreement. The Sub Data Processor may not use such Personal Data for historical, statistical,
scientific or similar purposes, whether anonymized or in any other way.
5 GEOGRAPHICAL LIMITATIONS
5.1 The Sub Data Processor is not allowed to transfer, access, process or otherwise make available
Personal Data to any third party in countries outside the EU/EEA.
5.2 The Sub Data Processor can transfer, access, process or otherwise make personal data
available to any Pre-Approved Subcontractors listed in Appendix 1. Any such agreements with
Pre-Approved Subcontractors outside the EU or EEA shall prior to any transfer of data - be
entered into pursuant to the EU Commission’s decision 2021/914 of 4 June 2021 on standard
contractual clauses for the transfer of personal data to third countries and all supplementary
measures necessary to ensure that the data transferred is afforded in the third country a level of
protection essentially equivalent to that guaranteed within the EU, in addition to any permission
from local authorities if legally required.
6 CONFIDENTIALITY
6.1 The Parties accept, both for the duration of this Sub Data Processing Agreement and
subsequently, not to disclose any Confidential Information to a Third Party.
6.2 “Confidential Information” means all information of a technical, business, infrastructural or
similar nature, irrespective of whether this information has been documented, except for
information which is or will be made available in another way than through breach of this Sub
Data Processing Agreement, and all Personal Data.
6.3 The Parties shall ensure that employees and consultants who receive Confidential Information
are obliged to accept a similar obligation regarding Confidential Information from the other Party
and the cooperation in general in accordance with this Sub Data Processing Agreement.
6.4 The Sub Data Processor must further ensure that all people with access to Personal Data
being processed on behalf of Data Processor are familiar with this Sub Data Processing
Agreement and are subject to the provisions of this Sub Data Processing Agreement.
7 DATA PROCESSOR’S IT SECURITY POLICIES
7.1 The Sub Data Processor shall comply with Data Processor’s IT Security Policies as may be
specifically defined to them by the Data Processor, but at a minimum:
7.1.1 Access to Personal Data is restricted to persons who have a material need for access to
Personal Data. Personal Data will only be accessed on a "need to know" basis.
7.1.2 Employees, who handle Personal Data, are instructed and trained in what they must
do with Personal Data and how to protect Personal Data.
7.1.3 There must be as few people as possible with access to Personal Data, with due
regard for the operation. However, there must be a sufficient number of employees to
ensure the operation of the tasks concerned in case of sickness, holidays, staff
replacement, etc. Personal Data will only be accessed on a "need to know" basis.
7.2 Data Processor shall inform Sub Data Processor in writing each time a change has been made
to the Data Processor’s IT Security Policies that may apply to this agreement, before such changes
take effect.
7.3 The Sub Data Processor must always provide supervisory authorities and Data Processor with
the necessary access to and insight into the Personal Data which is being processed and the
systems used.
8 APPROPRIATE TECHNICAL AND ORGANISATIONAL MEASURES
8.1 The Sub Data Processor must implement appropriate and reasonable technical and
organizational measures to ensure a level of security that matches the risks of data processing for
the processing of Personal Data which the Data Processor provides under this Sub Data
Processing Agreement, including reasonably ensuring
a) Pseudonymisation and encryption of Personal Data;
b) continuous confidentiality, integrity, availability and robustness of the processing systems
and services for which the Sub Data Processor is responsible;
c) timely recovery of the availability of and access to Personal Data in case of a physical or
technical incident;
d) a procedure for regular testing, assessment and evaluation of the effectiveness of the
technical and organizational measures to ensure processing security;
e) that Personal Data is not accidentally or unlawfully destroyed, lost or impaired and against
any unauthorized disclosure, abuse or in any other way is processed in violation of any
applicable law on Personal Data.
8.2 The Sub Data Processor shall determine the appropriate level of technical and organizational
measures. When determining this, the Sub Data Processor must particularly consider the risks
related to the processing, i.e. the risks of accidental or unlawful destruction, loss, alteration,
unauthorized disclosure or access to Personal Data which has been transmitted, stored or
processed in any other way.
8.3 Sub Data Processor shall, upon prior written request from the Data Processor, and within
reasonable time-limits, provide the Data Processor with sufficient information to document that
the abovementioned technical and organizational security measures have been taken.
9 TRANSPARENT INFORMATION AND COMMUNICATION
9.1 The Sub Data Processor must report to Data Processor with any agreed contents, quality and
frequency any data related reporting as may be defined by the Data Processor. The Sub Data
Processor must immediately inform Data Processor of any development which may significantly
impair the Sub Data Processor’s current or future ability or possibility to comply with the Sub
Data Processing Agreement.
9.2 The Sub Data Processor is obliged to inform Data Processor immediately if the Sub Data
Processor is not able to ensure the correct processing of Data Processor’s Personal Data in
accordance with this Sub Data Processing Agreement.
10 DATA SUBJECTS RIGHTS
10.1 Sub Data Processor shall upon request from the Data Processor and without undue delay
provide all reasonably requested information and assistance to the Data Processor in regard to
the Data Subject’s rights on the following items: (1) processing security known to the Sub Data
Processor for any processing of Personal Data which is not provided directly by Sub Data
Processor or a Pre-Approved Subcontractor, (2) notification to the supervisory authority of any
Data Security Breach, (3) notification to the Data Subject of any Data Security Breach, (4)
consequential analysis of data protection regulatory breaches.
10.2 Sub Data Processor shall also upon request from the Data Processor provide all reasonably
requested information and assistance to the Data Processor in regard to the Data Subject’s
rights without undue delay on the following items: (1) the duty to inform when collecting Personal
Data from the Data Subject, (2) the duty to inform if the Personal Data has not been collected
from the Data Subject, (3) the Data Subject’s right to access Personal Data, (4) the right to correct
Personal Data, (5) the right to be deleted (»the right to be forgotten«), (6) the right to limitation of
processing, (7) the duty to notify in connection with corrections or deletions of Personal Data or
limitations in the processing activity, (8) the right to data portability and (9) the right to object to
processing of Personal Data.
11 DATA SECURITY BREACH
11.1 In case of a Data Security Breach for which the Sub Data Processor (or any Pre-Approved
Subcontractor) is responsible, the Sub Data Processor shall, as soon as practically possible and no
later than 48 hrs of identification of the breach, inform Data Processor hereof.
11.2 This notification must at least:
a) include a description of the nature of the Data Security Breach including, if possible, the
categories and the estimated number of affected Data Subjects as well as the categories
and estimated number of affected registrations of Personal Data,
b) include the name of and contact information for the data protection officer (DPO) or
another point of contact where further information may be obtained,
c) describe the probable consequences of the Data Security Breach,
d) describe the measures taken by the Sub Data Processor or which the Sub Data Processor
proposes are taken to handle the Data Security Breach including, if relevant, measures to
limit the possible consequential damages.
11.3 The Sub Data Processor must document all Data Security Breaches, including the actual
circumstances surrounding the Data Security Breach, its consequences, and the remedial
measures that have been taken.
11.4 This documentation must enable the regulatory authority to check that Sub Data Processor
complied with its duty to inform of any Data Security Breach.
12 USE OF SUBCONTRACTORS
12.1 The Sub Data Processor may not use any unauthorised subcontractors without Data
Processor’s prior written approval.
12.2 Data Processor provides its consent to Sub Data Processor for the use of the following Pre-
Approved Subcontractors. If left blank then no subcontractors shall be considered pre-approved.
I. ________________________________________________________________
II. ________________________________________________________________
III. ________________________________________________________________
IV. ________________________________________________________________
12.3 The Sub Data Processor must inform Data Processor of any plans to either add or replace
subcontractors. No sub-sub data processor may be added to the list of the Pre-Approved
Subcontractors without Data Processor’s prior written approval.
12.4 If the Sub Data Processor uses a subcontractor to carry out specific processing activities on
behalf of Data Processor, the same data protection obligations as are described in this Sub Data
Processing Agreement shall be imposed on the subcontractor in a written agreement.
12.5 If the subcontractor does not comply with the provisions of this Sub Data Processing
Agreement, the Sub Data Processor will be liable for the subcontractor’s actions or failures to
act/breach on the same terms as for its own services.
12.6 The Sub Data Processor is obliged to inform its subcontractors of the provisions of this Sub
Data Processing Agreement.
13 DELIVERY OF PERSONAL DATA
13.1 During the term of this Sub Data Processing Agreement, Data Processor has full access to any
Personal Data being processed by the Sub Data Processor.
13.2 If Data Processor so requests, the Sub Data Processor is obliged to keep a back-up copy of
Personal Data and additional information available in the Sub Data Processor’s systems for up to
3 months after the expiry or termination of the Sub Data Processing Agreement. Provided such
request has been made, the Data Processor may, until the expiration of such 3-month period and
irrespective of the reason for the expiry of the Sub Data Processing Agreement, request for an
access to any Personal Data and additional information recorded in such back-up copy.
13.3 Sub Data Processor may only disclose Personal Data and information to Data Processor
and/or to a third party appointed by Data Processor.
13.4 The Sub Data Processor must upon Data Processor’s written instructions delete Personal
Data or any information which has come to the Sub Data Processor’s possession under the Sub
Data Processing Agreement.
14 COOPERATION WITH THE SUPERVISORY AUTHORITY
14.1 The Data Processor and the Sub Data Processor and, where applicable, their representatives,
shall cooperate, on request, with the supervisory authority in the performance of its tasks.
15 COSTS
15.1 All costs, including costs related to revision, inspection and regular implementation of
measures under applicable law and to fulfil the Sub Data Processor’s obligations under this Sub
Data Processing Agreement, are included in any fees to be paid by the Data Processor under the
Sales and Delivery Terms. Sub Data Processor shall not be entitled to receive any separate fees
for the Sub Data Processor’s fulfilment of such obligations.
16 EFFECTIVE DATE AND TERMINATION
16.1 The Sub Data Processing Agreement shall come into force on the date of the last party
signing this Sub Data Processing Agreement.
16.2 The Sub Data Processing Agreement shall continue for as long as the Sales and Delivery
Terms have not been terminated or expired.
16.3 Data Processor is always entitled to suspend the data processing by the Sub Data Processor
under this Sub Data Processing Agreement.
17 CHANGES IN THE APPLICABLE DATA PROTECTION LEGISLATION
17.1 If a change in mandatory applicable data protection legislation applicable to Data Processor
or to Sub Data Processor requires Sub Data Processor to (i) sign on to any additional
documentation for mandatory data protection compliance purposes, or (ii) implement additional
technical and organizational measures to the ones listed herein, or (iii) accept additional
obligations to those set out herein, and such requirement mentioned in (i) - (iii) above cause
additional costs or risks for Sub Data Processor, then the Parties agree to negotiate in good faith a
fair adjustment of any applicable fees.
17.2 Section 17.1 shall apply accordingly, in case (i) the Data Processor instructs Sub Data Processor
to undertake services not foreseen in this Sub Data Processing Agreement or (ii) where
mandatory applicable data protection legislation applicable to Data Processor or to Sub Data
Processor or the relevant supervisory authority imposes obligations on Sub Data Processor in
addition to those set out herein.
18 GENERAL TERMS
18.1 Amendments. The terms of this Sub Data Processing Agreement can only be amended by
written agreement between the Parties.
18.2 Independent Parties. The Parties explicitly accept that the relationship between them is a
customer-independent contractor relationship.
18.3 Information. The Parties are obliged to act loyally towards each other and to inform each
other without undue delay about any changes that may affect this Sub Data Processing
Agreement.
18.4 Force majeure. None of the Parties are responsible for any actions or failure to carry out
measures to the extent that such actions or such failure is due to matters beyond a Party’s
reasonable control, including but not limited to war, uprisings, force majeure, strikes or other
work stoppages (either in part or in whole), disturbances of the public communication networks,
disturbances of internet connections or similar events, but only if said Party could not have
predicted the event at the time of taking on the obligation. As long as such an event prevents a
Party from performing said obligation, this must be suspended until such disturbance no longer
exists.
18.5 Assignment. Data Processor may, either in part or in whole, assign its rights and obligations
under this Sub Data Processing Agreement to a third party. The Sub Data Processor may not
assign its rights or obligations under this Sub Data Processing Agreement to a third party without
the Sub Data Processor’s prior written approval.
18.7 Invalid condition. If a condition or a provision in this Sub Data Processing Agreement is
invalid, such invalidity shall not mean that the remaining part of this Sub Data Processing
Agreement is invalid. If the applicable law on personal data is changed after the effective date of
this Sub Data Processing Agreement, the Data Processor is obliged to accept such changes to
this Sub Data Processing Agreement.
19 SIGNATURE
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out
below.
Data Processor Company Name GPA B.V.
Signature _____________________________
Name: Byron Tarry
Title: Managing Director
Date Signed: _____________________________
Sub Data Processor Company Name _____________________________
Signature _____________________________
Name _____________________________
Title _____________________________
Date Signed _____________________________