When you (hereinafter the ‘Customer’) rely on Leadcamp, Cardify performs Services for you, and:
This data processing policy (hereinafter ‘Data Processing Policy’) applies to the Processing of Personal Data by Cardify for the Customer and determines:
Relying on the Services of Cardify entails your approval with this Data Processing Policy and consequently of how Cardify processes the Personal Data.
Last version: October 2020
In this Data Processing Policy, the following concepts have the meaning described in this article (when written with a capital letter):
Controller: The entity (in this case the Customer), which determines the purposes and means of the Processing of Personal Data;
Data Subject: The natural person to whom the Personal Data relates and of whom the Customer wishes to have Personal Data processed by Cardify;
Data Breach: Unauthorized disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data, which are Processed by Cardify on behalf of the Customer;
Privacy Legislation: (i) the Belgian Privacy Law of 30 July 2018 concerning the protection of individuals with regards to the processing of personal data, (ii) the General Data Protection Regulation 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, (iii) Directive 2002/58/EC of the European Parliament and Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘e-privacy directive’) and/or (iv) the (future) Belgian legislation regarding the implementation of European privacy legislation;
Process/Processing: Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, including, but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
Processor: The entity (in this case Cardify) which Processes Personal Data on behalf of the Controller;
Services: All services, provided by Cardify to the Customer implying the Processing of Personal Data, including but not limited to: providing a right of access to and use of LEADCAMP, its APIs and the support related thereto.
Sub-processor: Any processor engaged by Cardify.
Annex I : Overview of (i) the Personal Data, which Parties expect to be subject of the Processing, (ii) the categories of Data Subjects, which Parties expect to be subject of the Processing, and (iii) the use (i.e. the way(s) of Processing) of the Personal Data, the purpose and means of such Processing;
Annex II : and description of the security measures taken by Cardify under this Data Processing Policy.
2.1 In accordance with the Privacy Legislation, the Customer shall be considered the ‘Controller’ and Cardify the ‘Processor’.
3.1 The Customer acknowledges explicitly that:
3.2. In case of misuse by the Customer of the Services and/or the Personal Data that was created by the Services, the Customer agrees that Cardify can never be held liable in this respect nor for any damage that would occur from such misuse (and indemnifies Cardify in this regard).
4.1. The Customer acknowledges that as a consequence of making use of the Services of Cardify, the latter shall Process Personal Data as collected by the Customer.
4.2. Cardify shall Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.
More specifically, Cardify shall – during the performance of the Services – provide all its know-how in order to perform the Services according to the rules of art, as it fits a specialized and ‘good’ processor (as defined in the Privacy Legislation).
4.3. Nonetheless, Cardify shall only Process the Personal Data upon request of the Customer and in accordance with its instructions, as described in Annex I, unless any legal obligation states otherwise.
4.4. The Customer owns and retains full control concerning (i) the Processing of Personal Data, (ii) the types of Personal Data Processed, (iii), the purpose of Processing, and (iv) the fact whether such Processing is proportionate (non-limitative).
The responsibility and control concerning the Personal Data, subject to this Data Processing Policy, shall thus never be vested with Cardify.
5.1. Taking into account the state of the art, Cardify implements appropriate technical and organizational measures for the protection of (i) Personal Data – including protection against careless, improper, unauthorized or unlawful use and/or Processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of Personal Data, as set forth in Annex II.
6.1. The Customer acknowledges and agrees that Cardify may engage third-party Sub-processors in connection with the Services. In such case, Cardify shall ensure that the Sub-processors are at least bound by the same tier obligations by which Cardify is bound under this Data Processing Policy.
6.2. Cardify added a list in Annex III concerning the current Sub-processors on which it appeals for the performance of the Services.
6.3. Cardify shall update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.) and will notify the Customer when (significant) changes are made. If the Customer wishes to exercise its right to object, it shall notify Cardify in writing and in a reasoned manner by the latest within thirty (30) days after the notification.
6.4. In the event the Customer objects to a new Sub-processor and such objection is not found unreasonable, Cardify will use reasonable efforts to (i) make available to the Customer a change in the Services or (ii) recommend a commercially reasonable change to the Customers its use of the Services to avoid Processing of Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.
If Cardify is, however, unable to make available such change within a reasonable period of time (which shall not exceed thirty (30) days following the objection of the Customer), the Customer may terminate the use of the Services, under the following conditions:
And this by providing written notice thereof to Cardify within a reasonable time.
6.5. Cardify shall be liable for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Services itself, directly under the terms of this Data Processing Policy.
7.1. Any transfer of personal data to a third country or international organization (which is not based on a request or instruction of the Customer) shall be subject to an adequacy decision by the Commission or the following safeguards:
8.1. Cardify shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without the prior written agreement of the Customer, unless when such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case Cardify shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with the Customer.
8.2. Cardify ensures that its personnel, engaged in the performance of the Services, are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Cardify ensures that such confidentiality obligations survive the termination of the employment contract.
8.3. Cardify ensures that its access to Personal Data is limited to such personnel performing the Services in accordance with the Data Processing Policy.
9.1. Cardify shall use its best efforts to inform the Customer within a reasonable term when it:
9.2. In case of a Data Breach, Cardify:
10.1. If a Data Subject invokes its privacy rights under the Privacy Legislation and the Customer itself does not have the ability to carry out the request, Cardify shall assist the Customer in doing so (as long as commercially reasonable).
10.2. Cardify shall promptly notify the Customer if it receives a request directly from a Data Subject invoking its privacy rights under the Privacy Legislation. Cardify shall not respond to any such Data Subject request without the Customer’s prior written consent, except to confirm that the request is sent to the Customer.
11.1. Cardify and the Customer are each individually liable towards authorised supervisory authorities and/or Data Subjects for claims and/or fines that are the result of their own breach of or non-compliance with (i) the provisions of these Terms, and (ii) the Privacy Legislation or other applicable rules concerning Personal Data. Cardify and the Customer indemnify the other party in this regard.
11.2. The contractual liability of Cardify towards the Customer for a breach of these Terms is limited as described in the contractual documentation applicable between the Customer and Cardify.
12.1. Upon formal termination of the use of the Services, Cardify shall anonymize or delete the Personal Data of the Customer. Cardify will only use the anonymized data for analytical purposes and to further enhance the Cardify solution.
13.1. Cardify undertakes to provide the Customer with all information, required by the Customer to allow verification whether Cardify complies with the provisions of this Data Processing Policy.
13.2. In this respect Cardify shall allow the Customer (or a third party on which the Customer appeals) to undertake inspections – such as but not limited to an audit – and to provide the necessary assistance thereto to the Customer or that third party.
14.1. The Data Processing Policy lasts as long as the use of the Services by the Customer has not come to an end (i.e. formal termination).
15.2. All issues, questions and disputes concerning the validity, interpretation, enforcement, performance and/or termination of this Data Processing Policy shall be governed by and construed in accordance with Belgian law.
15.3. Any dispute concerning the validity, interpretation, enforcement, performance and/or termination of this Data Processing Policy which cannot be settled amicable, shall be submitted to the exclusive jurisdiction of the courts or the data protection authority of Cardify’s registered office.
|I. Overview of the Personal Data, which Parties expect to Process in case tracking and enrichment is activated:|
|II. Overview of the Personal Data, which Parties expect to Process in case tracking and enrichment is not activated:|
|III. Overview of the new Personal Data created, based on the structuring and analyzing of the Personal Data of Annex I, I (i.e. tracking and enrichment enabled):|
All engagement analytics based on the tracking of the behavior of the Data Subject related to:
The types of behavior analysed include (but are not limited to): which website was visited and how often, which content was viewed and downloaded, which emails were opened, viewing duration of website/content/emails, links clicked on website/content/emails and the visit dates.
|IV. The categories of Data Subjects whose Personal Data shall be Processed:|
|V. The use (= way(s) of Processing) of the Personal Data and the purposes and means of Processing:|
Use of Personal Data:
Means of Processing (tracking and enrichment disabled):
Additional means of Processing (tracking and enrichment enabled):
Purpose of Processing:
|I. Description of the technical and organizational security measures taken by Cardify.|
Cardify warrants and undertakes in respect of all Personal Data it Processes on behalf of the Customer that, at all times, it maintains and shall continue to maintain appropriate and sufficient technical and organizational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
Such measures shall include, but are not limited to:
Cardify shall thereto take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
For more detailed information on the latest state of the art measures adopted by our hosting provider Combell, please refer to the following link: combell.com/en/managed-hosting/security
|Sub-processors on which Cardify appeals for the performance of the Services:|