This data processing agreement (hereinafter “DPA”) governs the processing of personal data by Soda as a data processor under the Agreement concluded between Soda and Customer in relation to Soda’s data observability software. This DPA is annexed to the General Terms and Conditions and constitutes an integral part of it. All capitalized terms not defined herein have the meaning set forth in the General Terms and Conditions. The data protection related concepts used in this DPA have the meaning given to them in the applicable laws and regulations on data protection, including the GDPR (hereinafter “Data Protection Legislation”).
Where Customer provides personal data to Soda in connection with its use of the Service and requests Soda to process personal data on behalf of Customer, Customer shall act as data controller in relation to the processing of these personal data and Soda shall act as a data processor regarding these personal data.
Soda shall process the personal data in a fair and diligent manner and exclusively in accordance with Customer’s documented instructions. The Agreement, including this DPA, is Customer's complete instruction to Soda in this respect. All additional or alternative instructions must be agreed upon in writing by Soda and must be consistent with the terms of the Agreement, this DPA, and Data Protection Legislation. Soda’s obligations under this DPA shall also apply to those who process the personal data under the authority or on the instructions of Soda. Unless provided otherwise in this DPA, Soda shall not process the personal data for its own purposes or those of third parties.
Customer shall, in its use of the Service, process personal data in accordance with the requirements of Data Protection Legislation and guarantees that its instructions to Soda comply with Data Protection Legislation. Customer further guarantees that all personal data entrusted to Soda are obtained lawfully and can be processed lawfully by Soda during the entire duration of the Agreement.
If Soda is required to processing by Union or Member State law to which Soda is subject, or by a binding decision of a public authority or a judicial decision, Soda shall inform Customer of that legal requirement before processing, unless that law or decision prohibits such information on important grounds of public interest.
If Soda is of the opinion that Customer’s instructions violate Data Protection Legislation, Soda shall notify Customer without delay and shall not be obliged to carry out the processing. A lack of notification by Soda shall not affect the liability of Customer towards Soda due to the unlawful instruction.
Soda provides services to Customer as described in the Agreement and/or as agreed from time to time between Customer and Soda. The provision of these services can include the processing of personal data by Soda on behalf of Customer.
The subject-matter of such processing of personal data by Soda is the performance of the Service pursuant to the Agreement. The data subjects include the individuals about whom data is provided to Soda via the Service by or at the directions of Customer, and might relate to the following types of data subjects: Customer’s own customers, employees, agents, or other third parties, and any data subjects about whom data is included in the data sets of Customer to which the Service is applied. The personal data that are processed might include identification information, contact details, and any other type of personal data processed by Customer or included in the data sets of Customer to which the Service is applied. The purpose of the processing is to enable Soda to provide the Service under the Agreement. The duration of the processing is the period during which Soda provides the Service under the Agreement.
Soda uses sub-processors to fulfil its contractual obligations. Soda shall ensure that its sub-processors offer a similar level of data protection as required by Soda under this DPA.
Customer hereby provides a general written authorization to Soda to engage sub-processors for the processing of the personal data. Soda shall make the current list of sub-processors available to Customer upon request. If Soda adds or replaces a sub-processor, Soda shall inform Customer about the intended change and Customer shall be entitled to object to this change on reasonable grounds by notifying Soda promptly in writing within thirty (30) days after receipt of Soda’s notice. In that case, Soda may not be in a position to continue to provide the Service to Customer and shall be entitled to terminate the Agreement and/or to suggest modifications to its modalities without having to pay damages to Customer.
Soda shall be entitled to transfer personal data to a country located outside the European Economic Area which has not been recognized as ensuring an adequate level of data protection, if Soda has provided appropriate safeguards in accordance with Data Protection Legislation or can rely on a derogation foreseen by Data Protection Legislation enabling such transfer.
Soda shall take appropriate and reasonable technical and organisational measures to secure the personal data against loss or any form of unlawful processing, taking into account the state of the art and the costs of implementation.
At the request of Customer and taking into account the nature of the processing as well as the information available to Soda, Soda shall provide insofar as possible reasonable assistance to Customer in handling personal data breaches and in fulfilling its obligations regarding data protection impact assessments, to the extent related to Customer’s use of the Service. Soda reserves the right to claim a reasonable compensation for this assistance.
When Soda becomes aware of a data breach in the framework of the performance of the Agreement, it shall inform Customer without undue delay. Soda shall, to the best of its abilities, take steps to limit the consequences of the breach and suggest measures to prevent it from happening again.
Customer can be obliged to inform the supervising authority and/or the data subjects concerned of the data breach. Soda shall under no circumstances notify the supervising authority and/or the data subjects of any breaches on its own initiative.
Soda and all those working under its responsibility or supervision, shall respect, in their relations with third parties, the confidentiality of the personal data that are processed under the Agreement. Soda shall ensure that access to the personal data is limited to the persons who need the data to carry out the tasks assigned to them by Soda in the performance of the Agreement.
This obligation of confidentiality shall not apply when Customer has authorized to communicate personal data to third parties, if the communication of personal data to third parties is necessary given the nature of Customer’s instructions and the execution of the Agreement, or if such disclosure is required by law or a decision of a public authority or a judicial decision.
If a data subject addresses a request for access, rectification, erasure, transfer or restriction to Customer, Soda shall, taking into account the nature of the processing and to the extent Customer does not have the possibility itself, upon written request of Customer, provide commercially reasonable efforts to assist Customer in fulfilling its obligation to respond to the data subject request. Soda reserves the right to claim a reasonable compensation for this assistance.
If a data subject addresses a request for access, rectification, erasure, transfer or restriction directly to Soda, Soda shall promptly notify Customer and shall not respond to such a request on its own initiative.
Customer shall be entitled to monitor compliance by Soda with this DPA by (i) requesting information from Soda that shows that Soda complies with the obligations contained in this DPA, and (ii) after obtaining Soda’s authorization, to carry out or to have a certified auditor carry out an audit at Soda’s premises.
An audit at Soda’s premises will be limited to data privacy aspects, may not unnecessarily disturb Soda’s activities and shall be limited to one inspection per year. Customer shall notify the audit to Soda in writing at least 30 working days in advance. Before the start of the audit, Soda and Customer shall agree on the process of the audit. Customer shall bear the costs of the audit, including a reasonable compensation for the efforts of Soda’s accompanying staff, except when the audit has revealed that Soda is manifestly not compliant to Data Protection Legislation and/or the provisions of this DPA.
If any audit reveals a non-compliance with the provisions of this DPA and/or Data Protection Legislation, the exclusive remedy of Customer and the exclusive obligation of Soda shall be that: (i) Soda and Customer will discuss such finding, and (ii) Soda shall take, at its own cost, all corrective actions, including any temporary workarounds, it deems necessary to comply with the provisions of this DPA and/or Data Protection Legislation.
The liability clause included in the General Terms and Conditions applies.
Soda shall not retain the personal data longer than necessary for executing Customer’s instructions. Upon expiration of this period, termination of the Agreement or expiration of another period determined by Customer, Soda shall destroy the personal data it may have in its possession entirely and irrevocably. Upon Customer’s request, Soda shall return the personal data to Customer after which Soda shall delete any copies entirely and irrevocably, or give Customer the possibility to extract the personal data. Soda reserves the right to claim a reasonable compensation for this service.
Soda’s obligation to destroy personal data shall not apply to the extent necessary to demonstrate compliance with its obligations under the DPA or Data Protection Legislation, or if a legal obligation, a binding decision of a public authority or a judicial decision prohibits the destruction.
This DPA supersedes all other agreements between Soda and Customer relating to the processing of personal data by Soda as data processor.
This DPA shall terminate together with the termination of the Agreement, for any reason whatsoever. The provisions of this DPA remain valid to the extent necessary for the performance of this DPA and to the extent that they are meant to survive the end of this DPA. Amongst others, provisions regarding confidentiality and disputes belong to the latter category.
This DPA shall be governed by, interpreted and construed in accordance with the laws of Belgium. All disputes relating to the DPA, including its interpretation, fall under the exclusive jurisdiction of the courts of the district of Brussels. Before bringing a legal claim to court, all parties concerned shall take all possible measures to resolve their dispute amicably.