Data Processing Agreement for Partners
This Data Processing Agreement (hereafter: “DPA”) is an annex to the Commission Partner Agreement (the “CPA”; available here) and the Distribution Channel Partner Agreement (the “DCPA”; available here). Together, the CPA and/or DCPA and the DPA constitute the Agreement with the Commission Partner or Distribution Channel Partner (hereafter jointly referred to as the “Partner”).
Within the context of the performance of the CPA or DCPA, the Partner can be given access to Personal Data of Teamleader prospects for which TEAMLEADER is responsible as ‘Controller’ in accordance with (i) the General Data Protection Regulation of 27 April 2016 (‘the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data or ‘GDPR’) and (ii) all Belgian laws regarding the implementation of the GDPR (hereafter jointly referred to as the “Privacy Legislation”). The Partner shall process this Personal Data on behalf of Teamleader for the sole purpose of promoting Teamleader’s services towards Teamleader prospects.
Through this DPA Parties wish to determine in writing their mutual agreements with regard to (i) managing, securing and/or Processing of such Personal Data and (ii) Parties’ obligation to comply with the Privacy Legislation.
In this DPA, the following concepts have the meaning described in this article (when written with a capital letter):
‘Controller’, ‘Data Subject’, ‘Data Breach’, ‘Personal Data’, ‘Processor’ and ‘Process/Processing’ shall have the meaning given to them in the Privacy Legislation.
- Assignment: The promotion of Teamleader's services to Teamleader prospects by the Partner using prospect contact information provided to the Partner by Teamleader;
- Associated Companies: Any company associated with a Party, according to Article 1:20 of the Belgian Companies and Associations Code;
- Sub-processor: Any Processor engaged by the Partner.
The DPA includes the following overviews:
Overview I: Overview of (i) the Personal Data, which Parties expect to be subject of the Processing, (ii) the categories of Data Subjects, which Parties expect to be subject of the Processing, (iii) the use (i.e. the way(s) of Processing) of the Personal Data, (iv) the goals and means of such Processing and (v) the term(s) during which the (different types of) Personal Data shall be stored;
Overview II: Overview and description of the security measures taken by the Partner under this DPA.
Parties acknowledge and agree that with regard to the Processing of Personal Data, Teamleader shall be considered ‘Controller’ and the Partner ‘Processor’. The Partner shall only be allowed to engage Sub-processor(s) pursuant to the requirements set forth in Article 5.
3.1 The Partner shall Process the Personal Data at any time in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.
More specifically, the Partner shall – during the performance of the Assignment – provide all its know-how in order to perform the Assignment according to the rules of art, as it fits a specialized and ‘good’ processor.
3.2 Nonetheless, the Partner shall only Process the Personal data upon request of Teamleader and in accordance with its instructions.
3.3 Teamleader, as Controller, owns and retains full control concerning (i) the use and Processing of Personal Data, (ii), the types of Personal Data Processed, (iii), the purpose of Processing and (iv) the fact whether such Processing is proportionate (non-limitative).
The control concerning the Personal Data shall thus never be vested in the Partner.
3.4 Unless prior written and explicit approval of Teamleader, the Partner shall not Process any Personal data outside a member state of the European Union.
3.5 The Partner shall in no event Process the Personal Data beyond what was agreed with Teamleader. Hence, the Partner shall not Process the Personal Data for its own purposes nor for the benefit of any third party. Neither shall it be allowed to transfer any Personal Data to its Associated Companies, without the prior written approval of Teamleader.
4.1 Taking into account the state of the art, the Partner implements appropriate technical and organizational measures for the protection of the security – including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage – confidentiality and integrity of Personal Data.
4.2 If the Partner fails in taking appropriate technical and organizational security measures and fails – within a reasonable period specified by Teamleader – to take appropriate measures, Teamleader shall be entitled – if possible – to implement such security measures itself or by a third party at the expense of the Partner and without prejudice to any rights Teamleader has under this DPA and/or the law.
5.1 The Partner acknowledges and agrees that it may not engage Sub-processors in connection with the Assignment, without the prior written approval of Teamleader.
Teamleader shall be free to connect certain conditions to its permission, which the Partner must impose on to such Sub-processors.
5.2 In case of prior written approval of Teamleader (cfr. Article 5.1), the Partner shall ensure that the Sub-processors are at least bound by the same obligations by which it is bound under this DPA.
5.3 A list of the current Sub-processors, who the Partner engages for the performance of the Assignment, shall be made available by the Partner to Teamleader not later than one week following signing of this DPA. Such list shall include the identities of those Sub-processors and their country of location.
5.4 The Partner undertakes to inform Teamleader in writing of any intended change to the aforementioned list (e.g. adding or replacing a Sub-processor). The Partner acknowledges, however, that a new Sub-processor can only be engaged by the Partner upon prior written approval of Teamleader.
5.5 In case the Partner wishes to appeal on a Sub-processor, located outside the European Union, the Partner guarantees – without prejudice to Article 5.2 – that this Sub-processor ensures an adequate level of protection and security of the personal data within the meaning of the Privacy Legislation.
The Partner undertakes in any case to provide Teamleader with proof thereof.
5.6 Without prejudice to the use of Sub-processors by the Partner, the latter shall towards Teamleader act as the single point of contact and be liable for the acts and omissions of its Sub-processors to the same extent as it would be liable if performing the services of each Sub-processor directly under the terms of this DPA, including the extra conditions as set out in Article 5.1 § 2.
6.1 The Partner shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without the prior written agreement of Teamleader, unless when:
- Explicit written deviation from this DPA;
- Such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case the Partner shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with Teamleader.
6.2 The Partner shall ensure that its personnel, engaged in the Processing of Personal Data, are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. The Partner shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
6.3 The Partner shall ensure that its access to Personal Data is limited to such personnel performing the Assignment in accordance with the DPA.
7.1 The Partner notifies Teamleader as soon as a reasonably possible but in any case not later than 24 hours after gaining knowledge thereof, when it:
- Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data. In such case, the Partner shall verify the grounds of the request and/or subpoena, as well as the identity of the person who files the request and/or subpoena; and notify Teamleader thereof;
- Has the intention to disclose Personal Data to a competent public authority;
- Determines or reasonably suspects a Data Breach has occurred in relation to the Personal Data.
7.2 In case of a Data Breach, the Partner:
- Notifies Teamleader in a detailed way and as soon as reasonably possible but in any case not later than 24 hours after becoming aware of a Data Breach;
- Undertakes – as soon as reasonably possible but in any case not later than 24 hours – to take appropriate remedial actions to make an end to the Data Breach and to prevent and/or limit any future Data Breach, and inform Teamleader of all measures taken.
The Partner shall in this respect be held to indemnify Teamleader for any damage it might have occurred due to the Data Breach and shall provide assistance to Teamleader with its reporting obligation under the Privacy Legislation.
7.3 The Partner shall in no event inform any third party of a (potential) Data Breach, without prior written approval of Teamleader.
7.4 Any notification to Teamleader under this DPA should be addressed to Teamleader’s Data Protection Officer (DPO) via firstname.lastname@example.org.
8.1 To the extent Teamleader does not have the ability to correct, amend, block or delete Personal Data, as required by Privacy Legislation, the Partner shall comply with any commercially reasonable request by Teamleader to facilitate such actions to the extent the Partner is legally permitted to do so.
8.2 The Partner shall, to the extent legally permitted, promptly notify Teamleader if it receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. The Partner shall not respond to any such Data Subject request without Teamleader’s prior written consent except to confirm that the request relates to Teamleader to which Teamleader hereby agrees.
The Partner shall provide Teamleader with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to, correction, amendment or deletion of that person’s Personal Data, to the extent legally permitted.
9.1 Upon termination of the Assignment and/or termination of the CPA or DCPA, the Partner shall grant Teamleader the possibility to export its Personal Data during a certain period (but in any case not shorter than one (1) month following termination).
Once the aforementioned term has passed, the Partner must permanently delete or anonymize all Personal Data, unless when storage of such Personal Data (or part thereof) is obligated under the Privacy Legislation.
9.2 If longer storage would be required according to Privacy Legislation, the Partner undertakes to scramble the Personal Data.
10.1 The Partner undertakes to provide Teamleader with all information, required by Teamleader to allow verification whether the Partner complies with the provisions of this DPA.
10.2 In this respect the Partner (and/or its potential Sub-processors) shall allow Teamleader or a third party (on which Teamleader appeals) to undertake inspections at every moment Teamleader desires – such as but not limited to an audit – and to provide the necessary assistance thereto to Teamleader or that third party.
10.3 Parties agree that the performance of such inspections may not cause any delay in the performance of the Assignment by the Partner.
If such a delay would, however, occur the Partner shall immediately notify Teamleader thereof and Parties shall try to find as soon as possible and in joint consultation a suitable solution.
10.4 The Partner shall carry out every recommendation, imposed by Teamleader for the improvement of the performance of the Assignment by the Partner, within the period determined by Teamleader.
10.5 Every cost, arising out of such inspections by Teamleader, shall be borne by Teamleader, unless the results of such inspection indicate that the Partner has failed to perform the Assignment in accordance with the Agreement.
All (intellectual) property rights – such as but not limited to copyright and database rights – concerning the collection of Personal Data, copies and the Processing thereof, remain and shall remain the sole property of Teamleader or its licensor(s).
12.1 The Partner is liable for and indemnifies Teamleader for any damage due to non-compliance by the Partner of (i) the provisions of this DPA, (ii) internal policies, procedures and best practices of Teamleader and/or (iii) the Privacy legislation and other applicable rules concerning the Processing of Personal Data.
12.2 Consequently, the Partner shall amongst others be liable for (i) the payment of any administrative penalty imposed by the supervisory authority and/or (ii) the damage suffered by the Data Subject(s) and/or Teamleader.
13.1 The DPA lasts as long as the Assignment has not come to an end. The provisions of this DPA shall apply to the extent necessary for the completion of this DPA and to the extent intended to survive the end of this DPA (such as but not limited to Article 6 and 14).
13.2 If one or more provisions of this DPA are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this DPA shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such event, Parties shall negotiate to replace the invalid provision by an equivalent provision in accordance with the spirit of this DPA. If Parties do not reach an agreement, then the competent court may mitigate the invalid provision to what is (legally) permitted.
13.3 Deviations, alterations and/or additions to this DPA shall only be valid and binding to the extent that they have been accepted in writing by both Parties.
13.4 This DPA and the corresponding rights and obligations that exist in respect of the Parties, cannot be transferred, directly or indirectly, without the prior written consent of the other Party.
13.5 (Repeatedly) non-enforcement by a Party or by both Parties of any right or provision of this DPA, can only be regarded as a toleration of a certain state, and does not lead to forfeiture
13.6 This DPA prevails to any other data processing agreement between the Parties.
14.1 All issues, questions and disputes concerning the validity, interpretation, enforcement, performance or termination of this DPA shall be governed by and construed in accordance with Belgian law, without giving effect to any other choice of law or conflict-of-laws rules or provisions (Belgian, foreign or international) that would cause the laws of any country other than Belgium to be applicable.
14.2 Any dispute concerning the validity, interpretation, enforcement, performance or termination of this DPA shall be submitted to the exclusive jurisdiction of the courts of Teamleader’s registered office.
Overview of the Personal Data, which Parties expect to Process
- First name
- Account name
- Company name
- Company address
- E-mail address
- Telephone number (land line/mobile)
- Job title and role
The categories of Data Subjects whose Personal Data shall be Processed:
- Teamleader prospects
Use & purpose of Personal Data:
- The Partner receives lists with contact information of the Teamleader prospects which can be used to contact these prospects for the purpose of promoting Teamleader’s services to them
Means of Processing:
- Software of the Partner
- Local storage on the device(s) of the Partner
The term(s) during which the (different types of) Personal Data shall be stored:
The Partner shall only retain the Personal Data as long as the Assignment between Teamleader and the Partner and/or the CPA or DCPA has not been terminated, unless when Teamleader deviates from this or requests ‘hard deletion’ or anonymization of the Personal Data.
In any case the Partner shall, once the Assignment and/or CPA or DCPA has been terminated and the period to export the Personal Data has expired, permanently delete (‘hard deletion’) resp. anonymize the Personal Data.
The Partner commits to take the following technical and organizational measures:
- Encryption: The Partner shall implement encryption to ensure the secure transmission and storage of personal data.
- Access Controls: The Partner agrees to enforce stringent access controls, utilizing robust authentication mechanisms and role-based access controls to limit access to Personal Data to authorized personnel only.
- Data Minimization: The Partner shall Process only the minimum necessary Personal Data required for the agreed-upon purpose, refraining from collecting or storing extraneous information.
- Data Integrity: The Partner commits to maintaining the accuracy and integrity of Personal Data by implementing measures to prevent unauthorized alteration or corruption.
- Data Retention: The Partner agrees to adhere to specified data retention policies, ensuring that Personal Data is not retained beyond the necessary duration for the intended purpose.
- Employee Training: The Partner shall provide comprehensive training to employees with access to Personal Data, ensuring a thorough understanding of data protection principles and the implemented security measures.
- Incident Response: The Partner agrees to develop and maintain an incident response plan, promptly addressing and mitigating any security incidents or breaches and notifying Teamleader in a timely manner.
- Audits and Monitoring: The Partner shall conduct security audits and monitoring to identify and address vulnerabilities or suspicious activities, maintaining the security of the processed Personal Data.