Data Processing Policy Leadcamp

When you (hereinafter the ‘Customer’) rely on Leadcamp, Cardify performs Services for you, and:

  • shall have access to Personal Data; and,
  • will have to Process Personal Data for which the Customer is responsible as a Controller in accordance with the Privacy Legislation.

This data processing policy (hereinafter ‘Data Processing Policy’) applies to the Processing of Personal Data by Cardify for the Customer and determines:

  • how Cardify will manage, secure and process the Personal Data; and,
  • Parties’ obligation to comply with the Privacy Legislation.

Relying on the Services of Cardify entails your approval of this Data Processing Policy and consequently of how Cardify processes the Personal Data.

Last version: October 2020

1. DEFINITIONS

In this Data Processing Policy, the following concepts have the meaning described in this article (when written with a capital letter):

Controller: The entity (in this case the Customer), which determines the purposes and means of the Processing of Personal Data;

Data Subject: The natural person to whom the Personal Data relates and of whom the Customer wishes to have Personal Data processed by Cardify;

Data Breach: Unauthorized disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data, which are Processed by Cardify on behalf of the Customer;

Privacy Legislation: (i) the Belgian Privacy Law of 30 July 2018 concerning the protection of individuals with regards to the processing of personal data, (ii) the General Data Protection Regulation 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, (iii) Directive 2002/58/EC of the European Parliament and Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘e-privacy directive’) and/or (iv) the (future) Belgian legislation regarding the implementation of European privacy legislation;

Process/Processing: Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, including, but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;

Processor: The entity (in this case Cardify) which Processes Personal Data on behalf of the Controller;

Services: All services, provided by Cardify to the Customer implying the Processing of Personal Data, including but not limited to: providing a right of access to and use of LEADCAMP, its APIs and the support related thereto.

Sub-processor: Any processor engaged by Cardify.

The Data Processing Policy includes the following annexes:

Annex I : Overview of (i) the Personal Data, which Parties expect to be subject of the Processing, (ii) the categories of Data Subjects, which Parties expect to be subject of the Processing, and (iii) the use (i.e. the way(s) of Processing) of the Personal Data, the purpose and means of such Processing;

Annex II : Description of the security measures taken by Cardify under this Data Processing Policy.


2. ROLES OF THE PARTIES

2.1 In accordance with the Privacy Legislation, the Customer shall be considered the ‘Controller’ and Cardify the ‘Processor’.


3. USE OF THE SERVICES

3.1 The Customer acknowledges explicitly that:

  • Cardify purely acts as a facilitator of the Services. Hence, the Customer shall be responsible for how and to what extent it makes use of the Services;
  • The Customer is liable for (and indemnifies Cardify for) all acts and omissions of the people mandated by the Customer to make use of the Services. The Customer shall inform said people of the applicable Privacy Legislation, this Data Processing Policy and/or all other relevant legislation and impose compliant use;
  • Cardify bears no responsibility with regard to adjustments and/or changes made to the Personal Data by or on the explicit request of the Customer;
  • The Customer is liable and responsible for the data it uploaded or created through analysis and enrichment in relation to the Services (incl. compliance with the Privacy Legislation and/or any other regulations);

3.2. In case of misuse by the Customer of the Services and/or the Personal Data that was created by the Services, the Customer agrees that Cardify can never be held liable in this respect nor for any damage that would occur from such misuse (and indemnifies Cardify in this regard).


4. OBJECT

4.1. The Customer acknowledges that as a consequence of making use of the Services of Cardify, the latter shall Process Personal Data as collected by the Customer.

4.2. Cardify shall Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.

More specifically, Cardify shall – during the performance of the Services – provide all its know-how in order to perform the Services according to the rules of art, as it fits a specialized and ‘good’ processor (as defined in the Privacy Legislation).

4.3. Nonetheless, Cardify shall only Process the Personal Data upon request of the Customer and in accordance with its instructions, as described in Annex I, unless any legal obligation states otherwise.

4.4. The Customer owns and retains full control concerning (i) the Processing of Personal Data, (ii) the types of Personal Data Processed, (iii) the purpose of Processing, and (iv) the fact whether such Processing is proportionate (non-limitative).

Moreover, the Customer shall be solely responsible for the accuracy, quality, and legality of the Personal Data, disclosed to Cardify in the performance of the Services, and the means by which it acquired such Personal Data. In this regard, the Customer shall inform the Data Subject in accordance with the Privacy Legislation of the fact that some of the Personal Data is not collected from the Data Subject itself but from a third party. Additionally, the Customer shall inform the Data Subject of its own privacy policy/privacy principles.

The responsibility and control concerning the Personal Data, subject to this Data Processing Policy, shall thus never be vested with Cardify.


5. SECURITY OF PROCESSING

5.1. Taking into account the state of the art, Cardify implements appropriate technical and organizational measures for the protection of (i) Personal Data – including protection against careless, improper, unauthorized or unlawful use and/or Processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of Personal Data, as set forth in Annex II.


6. SUB-PROCESSORS

6.1. The Customer acknowledges and agrees that Cardify may engage third-party Sub-processors in connection with the Services. In such case, Cardify shall ensure that the Sub-processors are at least bound by the same tier obligations by which Cardify is bound under this Data Processing Policy.

6.2. Cardify added a list in Annex III concerning the current Sub-processors on which it appeals for the performance of the Services.

6.3. Cardify shall update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.) and will notify the Customer when (significant) changes are made. If the Customer wishes to exercise its right to object, it shall notify Cardify in writing and in a reasoned manner by the latest within thirty (30) days after the notification.

6.4. In the event the Customer objects to a new Sub-processor and such objection is not found unreasonable, Cardify will use reasonable efforts to (i) make available to the Customer a change in the Services or (ii) recommend a commercially reasonable change to the Customer's use of the Services to avoid Processing of Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.

If Cardify is, however, unable to make available such change within a reasonable period of time (which shall not exceed thirty (30) days following the objection of the Customer), the Customer may terminate the use of the Services, under the following conditions:

  • The Services cannot be used by the Customer without appealing to the objected new Sub-processor; and/or
  • Such termination solely concerns the Services which cannot be provided by Cardify without appealing to the objected new Sub-processor;

And this by providing written notice thereof to Cardify within a reasonable time.

6.5. Cardify shall be liable for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Services itself, directly under the terms of this Data Processing Policy.


7. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

7.1. Any transfer of personal data to a third country or international organization (which is not based on a request or instruction of the Customer) shall be subject to an adequacy decision by the Commission or the following safeguards:

  • Closing a data transfer agreement with such recipient, which shall contain the standard contractual clauses, as referred to in the 'European Commission decision of 5 February 2010 (Decision 2010/87/EC)'. Before the transfer takes place, the recipient of personal data/processor of Cardify in the third country has to guarantee Cardify that an adequate level of privacy compliance is ensured in this third party country; and/or;
  • Binding corporate rules. As it is the case for standard contractual clauses, the recipient of personal data/processor of Cardify in the third country has to guarantee Cardify that an adequate level of privacy compliance is ensured in the third party country; and/or;
  • Certification mechanisms.

8. CONFIDENTIALITY

8.1. Cardify shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without the prior written agreement of the Customer, unless when such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case Cardify shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with the Customer.

8.2. Cardify ensures that its personnel, engaged in the performance of the Services, are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Cardify ensures that such confidentiality obligations survive the termination of the employment contract.

8.3. Cardify ensures that its access to Personal Data is limited to such personnel performing the Services in accordance with the Data Processing Policy.


9. NOTIFICATION

9.1. Cardify shall use its best efforts to inform the Customer within a reasonable term when it:

  • Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data;
  • Has the intention to disclose Personal Data to a competent public authority;
  • Determines or reasonably suspects a Data Breach has occurred in relation to the Personal Data.

9.2. In case of a Data Breach, Cardify:

  • Notifies the Customer without undue delay after becoming aware of a Data Breach and shall provide – to the extent possible – assistance to the Customer with respect to its reporting obligation under the Privacy Legislation;
  • Undertakes – as soon as reasonably possible – to take appropriate remedial actions to make an end to the Data Breach and to prevent and/or limit any future Data Breach.

10. RIGHTS OF DATA SUBJECTS

10.1. If a Data Subject invokes its privacy rights under the Privacy Legislation and the Customer itself does not have the ability to carry out the request, Cardify shall assist the Customer in doing so (as long as commercially reasonable).

10.2. Cardify shall promptly notify the Customer if it receives a request directly from a Data Subject invoking its privacy rights under the Privacy Legislation. Cardify shall not respond to any such Data Subject request without the Customer’s prior written consent, except to confirm that the request is sent to the Customer.


11. LIABILITY

11.1. Cardify and the Customer are each individually liable towards authorised supervisory authorities and/or Data Subjects for claims and/or fines that are the result of their own breach of or non-compliance with (i) the provisions of these Terms, and (ii) the Privacy Legislation or other applicable rules concerning Personal Data. Cardify and the Customer indemnify the other party in this regard.

11.2. The contractual liability of Cardify towards the Customer for a breach of these Terms is limited as described in the contractual documentation applicable between the Customer and Cardify.


12. RETURN AND DELETION OF PERSONAL DATA

12.1. Upon formal termination of the use of the Services, Cardify shall anonymize or delete the Personal Data of the Customer. Cardify will only use the anonymized data for analytical purposes and to further enhance the Cardify solution.


13. CONTROL

13.1. Cardify undertakes to provide the Customer with all information, required by the Customer to allow verification whether Cardify complies with the provisions of this Data Processing Policy.

13.2. In this respect Cardify shall allow the Customer (or a third party on which the Customer appeals) to undertake inspections – such as but not limited to an audit – and to provide the necessary assistance thereto to the Customer or that third party.


14. TERM

14.1. The Data Processing Policy lasts as long as the use of the Services by the Customer has not come to an end (i.e. formal termination).


15. APPLICABLE LAW AND JURISDICTION

15.2. All issues, questions and disputes concerning the validity, interpretation, enforcement, performance and/or termination of this Data Processing Policy shall be governed by and construed in accordance with Belgian law.

15.3. Any dispute concerning the validity, interpretation, enforcement, performance and/or termination of this Data Processing Policy which cannot be settled amicably, shall be submitted to the exclusive jurisdiction of the courts or the data protection authority of Cardify’s registered office.

***

Annexes

  • Annex I – Overview of Personal Data
  • Annex II – Description of security measures
  • Annex III – List of Sub-processors

Annex I - Overview of Personal Data

I. Overview of the Personal Data, which Parties expect to Process in case tracking and enrichment is activated:
  • Full name
  • Email address
  • Telephone number
  • Address (limited to: time zone, city, state, postal code, country, country code and geographical coordinates)
  • Bio
  • Website linked to the Data Subject
  • Photograph
  • Professional information (employment, domain, title, (sub-) role within the company and seniority)
  • Device's IP address (stored in a de-identified format)
  • Device location (general region)
  • Device type (unique device identifiers), operating system, and browser type
  • Referring URL and domain
  • Email content
  • All other Personal Data voluntarily provided by the Data Subject to the Customer
  • Social media data
    - Facebook (handle)
    - Github (handle, id, avatar, company, blog, number of followers and number of people being followed)
    - Twitter (handle, id, bio, avatar, number of followers, number of people being followed, statuses, favorites, location and site)
    - LinkedIn (handle)
    - Gravatar (handle, urls and avatar)
  • Information of the company (name, logo, description, domain, domain aliases, phone numbers, email addresses, sector, industry group, sub industry, date founded, location, time zone, full address, geographical coordinates, social media data of the company, number of employees, financial information, types of technology used and parent company)
  • Email open location
II. Overview of the Personal Data, which Parties expect to Process in case tracking and enrichment is not activated:
  • Name
  • First name
  • E-mail addresses
  • Telephone number (land line/mobile)
  • Social media profiles
  • Job title, department and seniority
  • Company name and website
  • Address (street, number, etc.)
  • Device's IP address (stored in a de-identified format)
  • Device type (unique device identifiers), operating system, and browser type
  • Device location (general region)
  • Referring URL and domain
  • All other Personal Data voluntarily provided by the Data Subject to the Customer
III. Overview of the new Personal Data created, based on the structuring and analyzing of the Personal Data of Annex I, I (i.e. tracking and enrichment enabled):

All engagement analytics based on the tracking of the behavior of the Data Subject related to:

  • The content of the Customer (e.g. documents, content pages and videos), available on:
    - The personal page of the Customer on Leadcamp, or
    - Other content of the Customer with an active Leadcamp tracker
  • The website of the Customer (or other websites with a Leadcamp tracker active)
  • Emails sent/received by the Customer to/from the Data Subject via the plug-in of Leadcamp

The types of behavior analysed include (but are not limited to): which website was visited and how often, which content was viewed and downloaded, which emails were opened, viewing duration of website/content/emails, links clicked on website/content/emails and the visit dates.

IV. The categories of Data Subjects whose Personal Data shall be Processed:
  • Leads/customers of the Customer
V. The use (= way(s) of Processing) of the Personal Data and the purposes and means of Processing:

Use of Personal Data:

  • Collect
  • Structure and analyse
  • Store
  • Retrieve
  • Consult
  • Align, combine and create
  • Transfer
  • Erase and destroy
  • Update

Means of Processing (tracking and enrichment disabled):

  • Cardify software

Additional means of Processing (tracking and enrichment enabled):

  • the API of Clearbit
  • the API of Gmail

Purpose of Processing:

  • To enable contact management
  • To enable integration of sales enablement tools (e.g. email services or CRM-tools)
  • To enable lead enrichment
  • To enable engagement tracking and (shared) content tracking
  • To enable usage analysis
  • To enable content analysis
  • To enable smart sharing
  • To enable the prediction of email, asset and content consumption
  • To create sales (team) insights
  • To enable email content analytics
  • To enable account enrichment
  • To enable website analytics

Annex II – Description of security measures

I. Description of the technical and organizational security measures taken by Cardify.

Cardify warrants and undertakes in respect of all Personal Data it Processes on behalf of the Customer that, at all times, it maintains and shall continue to maintain appropriate and sufficient technical and organizational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

Such measures shall include, but are not limited to:

  • Physical access control,
  • Logical access control (i.e. non-physical access control measures such as passwords)
  • Data access control
  • Data transfer control
  • Input control
  • Pseudonymisation of personal data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Cardify shall thereto take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

For more detailed information on the latest state of the art measures adopted by our hosting provider Combell, please refer to the following link: combell.com/en/managed-hosting/security

Annex III – List of Sub-processors

Sub-processors on which Cardify appeals for the performance of the Services:
  • Combell NV – Belgium
  • Clearbit – US (data processing addendum)