Soda Data NV, a public limited liability company incorporated and existing under the laws of Belgium (naamloze vennootschap), with office at 1000 Brussels, Rue Picard 7, registered with the Belgian Crossroads Bank for Enterprises under number 0694.987.974 (RLE Commercial Court of Brussels, Dutch-speaking section) (hereinafter referred to as “Soda”) is the developer and owner of an array of services for data management, data observability and data monitoring, including certain software to give organizations a fully integrated view into their data quality and reliability. Soda also helps with the identification and resolution of data issues in relation to the organisation’s business.
More information about Soda can be found on soda.io. Such services are offered (among others) through a Soda proprietary cloud-based hosted software application and interface.
For the provision of its services Soda requires certain personal data, which will necessarily have to be provided directly by the Data Subject (as defined below) or indirectly by the Customer (as defined below).
Soda attaches great importance to the protection of the personal data it Processes. In the context of legally responsible conduct, Soda undertakes to comply with the GDPR (as defined below). Soda is also in the process of becoming compliant with international data protection regulations like CCPA.
By this policy, Soda intends to inform about its Processing activities of Personal Data (as defined below) and the rights of the Data Subjects. This policy describes, among other things, the measures taken by Soda to protect privacy in the context of Soda’s services, including its Website (as defined below) and its Application (as defined below). It applies to all services rendered by Soda and supersedes all discussions, agreements and understandings of any nature with Soda with regard to Soda’s services. By accepting this document, you unconditionally accept this document as binding upon you regardless of any stipulations to the contrary in any document issued by you or any third party. In case of conflict between this document and any terms and conditions issued by you or any third party, the former shall prevail, notwithstanding any stipulation to the contrary in the latter.
Customers and Data Subjects (as defined below) are therefore requested to read this policy carefully, with the understanding that it may be modified from time to time in the light of the feedback or changes to services, conditions or legal or regulatory provisions.
"Agreement" means the agreement concluded between the Parties in relation to the Service under the terms and conditions set out in the General Terms and Conditions and supplemented by other terms and conditions that may be agreed between the Parties;
“Application” means the application developed, operated and maintained by Soda, available at app.soda.io or at a customer customer specific domain, like customername.soda.io;
"Customer" means a legal or physical person wishing to use the Service or to enter in contact with Soda for the provision of Services;
"Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, being, as the case may be, Soda;
"Data Subject" means a natural person whose Personal Data is Processed by Soda;
"GDPR" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
"General Terms and Conditions" means Soda’s General Terms and Conditions that can be found here;
"Personal Data" means any information relating to an identified or identifiable Data Subject in terms of the GDPR;
"Personal Data Breach" shall have the same meaning as defined in the GDPR;
"Processing" any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, adoption, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Processor" means a natural or legal person, public authority, agency or another body, that Processes Personal Data on behalf of the Controller, being, if the Customer is Controller, Soda.
"Representative" means with respect to Soda its directors, officers, employees, agents, advisors, counsellors, auditors, accountants or lawyers;
"Service" means the service provided by Soda under the Agreement as defined in the Agreement;
"Website" means the website developed, operated and maintained by Soda, available at www.soda.io.
By using Soda’s Service under the Agreement and/or by visiting the Website and/or by transferring Personal Data to Soda via the Website or in any other way, and to the extent that the Processing is not based on any other ground for Processing as set out in article 6 GDPR:
Soda collects Personal Data through the transfer thereof by a Data Subject or third parties (such as Customers) who are legally entitled to do so, in particular within the framework of the Agreement, via the Website, via the Application, via publicly accessible sources and via sources to which access is legally restricted.
In addition, when visiting the Website, registering with Soda (including as a partner, client or candidate) or signing up to receive Soda’s e-newsletters or information about Soda’s products or services, Soda may collect, store and use certain Personal Data about the Data Subject.
Like most website providers, Soda also analyses server log files to collect statistical information about how the Website is used only at an aggregate level and includes browser types, operating systems, IP addresses, referring/exit pages, platform types and date/time stamps.
The Service is related to the Application and the Application contains business-related content which is specifically aimed at and designed for use by adults. Soda does not knowingly solicit or collect personal information from children.
Soda Processes Personal Data within the framework of the Agreement and to obtain insight on its performance for a Data Subject and/or Customer (including the maintenance and support of a registered account that Data Subject or Customer holds with Soda and facilitating access and provision with resources, tools and other materials available to a Data Subject and/or Customer), i.a. for the purpose of data monitoring, including providing organizations with a fully integrated insight into, among others, the integrity of the data in possession and the (resolution of) potential data issues in relation to the organisation’s business, and any related purpose where a Data Subject or Customer has consented to the Processing or where other grounds for lawful Processing exist.
Soda also Processes Personal Data to respond to inquiries that Website users or Application users submit via the Website respectively the Application, for technical administration of the Website respectively the Application, for research and analysis to maintain and improve the Service, to develop new services, among others on the basis of Data Subjects’ view on Soda’s products and services, and for customer satisfaction purposes.
All Personal Data will be Processed exclusively for the purpose for which it was collected and to the extent that is necessary to achieve that finality. This restriction applies both to the quantity of Personal Data and to the scope of the Processing, the retention period and the accessibility.
If Personal Data should be Processed for a different purpose than those for which they were initially collected, Soda ensures that the Processing does not take place in a manner that is incompatible with the purpose for which the Personal Data has been provided. In case the desired finality is incompatible with the initial finality for which the Personal Data has been provided, Soda will seek the consent of the relevant Data Subject or Customer for the Processing of his Personal Data in the light of this new purpose, provided that the consent is given freely.
Soda shall not make decisions based solely on automated Processing, including profiling, which would entail legal effects concerning a Data Subject or Customer, or significantly affects him.
Soda Processes Personal Data when this is necessary (a) for the performance of the Agreement or for the execution of the pre-contractual measures requested by a Customer or a Data Subject, or (b) to comply with its legal obligations or (c) for advertising and marketing purposes aimed at conducting a policy for provision of information to Customers and/or Data Subjects and conducting a policy of customer binding, or (d) for representing the legitimate interests of Soda.
If the Processing cannot be justified by one of the aforementioned legal grounds, Soda may seek the consent of a Data Subject or Customer, provided that this consent is freely given.
With regard to the Processing of sensitive Personal Data, Soda Processes these Personal Data when (a) explicit consent from the Data Subject or the Customer has been obtained to Process one or more special categories of Personal Data for one or more well-defined purposes, or (b) when necessary for the performance of the Agreement, in particular within the framework of the assertion, exercise or substantiation of a legal claim, or (c) to comply with the legal obligations of Soda or (d) if the Processing relates to Personal Data that have manifestly been made public by the Data Subject or the Customer to whom it relates.
Soda may transfer Personal Data (or may be required to transfer Personal Data) to public authorities and may transfer Personal Data to (sub-)Processors so that they can Process these data on behalf of Soda on the condition that (sub-)Processors guarantee an adequate level of protection regarding Personal Data and are contractually obliged to comply with the GDPR. Personal data will not be transferred to countries that do not offer protection that is at least equivalent to the protection within the EEA.
Personal Data can be communicated for internal use to Soda’s representatives, though always insofar as and to the extent that this is necessary for the performance of their duties, such as the execution of the Agreement, administrative follow-up and follow-up of customer relations.
Soda may also transfer Personal data (or may be obliged to transfer Personal data) in connection with its use of external (sub-)Processors (such as suppliers of IT services, including services relating to software for Processing and follow-up of dossiers or accounting, the accountant, the cooperating partners and other persons involved in the follow-up of the Agreement), provided that they offer sufficient guarantees with respect to the implementation of appropriate technical and organizational measures to ensure that the Processing complies with the requirements of the GDPR and the protection of Personal Data rights and the transfer is necessary within the applicable legal or regulatory framework taking into account the purposes of the Processing.
To the extent required by the GDPR, Soda has entered into a contract with the (sub-) Processors in which the purpose of the Processing is determined, and in which the Processor undertakes, among other things, to respect the confidentiality of the Personal data, to limit the Processing to what is in line with Soda’s instructions or with what is legally permitted and to cooperate with the exercise of the rights by a Customer or a Data Subject granted to them by the GDPR.
Soda can store Personal Data on cloud providers that are outside of Belgium. In such a case, Soda ensures that Personal Data are stored in an EU Member State and/or in a country that is recognized to offer an equivalent level of data protection, and/or ensures that compliance with the provisions of the GDPR is contractually guaranteed.
To the extent required by law, Soda shall keep a register of the Processing Activities carried out by it or under its responsibility. In that case, the register will contain the information required by GDPR, such as the name and contact details of the (joint) data protection officer (insofar lawfully required), the Processing purposes, the description of the categories of Data Subjects, of Personal Data and of recipients, the retention period, etc.
A Data Subject or Customer (for the purposes of this article, to the extent the Customer is a natural person whose Personal Data is Processed) may exercise the rights set out below by submitting a written notification to the following e-mail address: firstname.lastname@example.org.
Soda draws attention to the fact that if a Data Subject or Customer-natural person objects to the Processing of his Personal Data in question or exercises the rights set out below, this may result in Soda being unable to further execute the Agreement and/or that Customer or Data Subject will no longer be able to make use of the Services.
If the Processing is based on consent only, the Data Subject and/or Customer shall at all times have the right to withdraw this consent, without this withdrawal affecting the lawfulness of the Processing that took place before the withdrawal of the consent.
The Data Subject and/or Customer may at any time inspect its Personal Data and any information relating to the Processing of his Personal Data.
The Data Subject and/or Customer will be entitled to have any Personal Data concerning himself that is incorrect or incomplete, corrected, insofar as this is legally possible.
Unless Processing is necessary for the assertion, exercise or substantiation of a legal claim or for compliance with a statutory obligation resting upon Soda, a Data Subject or Customer will be entitled to have his Personal Data erased if (a) Personal Data are no longer necessary for the purposes for which they were Processed, or (b) the consent, insofar as the Processing is solely based on it, is withdrawn or (c) the Data Subject or Customer objects to the Processing and there are no compelling justified grounds for Soda or (d) the Personal Data have been unlawfully Processed, or (e) the Personal Data must be erased in order to comply with a statutory obligation.
If the request for erasure forms part of an objection to Processing for reasons relating to the specific situation of a Customer and/or Data Subject concerned, Soda will erase the data, subject to compelling justified grounds for Processing that outweigh the interests and rights of the Customer and/or Data Subject concerned or that relate to the assertion, exercise or substantiation of a legal claim.
The Data Subject and/or Customer has the right to obtain from Soda the restriction on Processing if (a) the accuracy of Personal Data is disputed by him, or (b) the Processing is unlawful and he objects to the erasure of Personal Data or (c) he needs Personal Data for the assertion, exercise or substantiation of a legal claim while Soda no longer needs it for Processing purposes, or (d) he has objected to Processing on the basis of the justifiable grounds stated in article 21 GDPR.
The Data Subject and/or Customer is entitled to obtain Personal Data concerning him in a structured, customary and legible form and to transfer that Personal Data to another Processor if (a) the Processing is based on consent or (b) the Processing is necessary for the execution of the assignment following the Agreement.
The Data Subject and/or Customer is entitled to submit a complaint to the data protection authority (Drukpersstraat 35, 1000 Brussels) (hereinafter referred to as the “Data Protection Authority”) in case he believes that the Processing is unlawful.
Soda has taken appropriate measures to protect Personal Data in order to ensure that Personal Data is used in accordance with the aforementioned purposes and that their correctness and updating are assured.
Soda ensures that Personal Data of Data Subjects and/or Customers are protected and secured to the maximum extent possible in order to ensure their confidentiality and to prevent them from being distorted, damaged, destroyed or disclosed to an unauthorized third party. The specific measures taken by Soda in this perspective are described in the Information Security Policy, a copy of which can be obtained by the Data Subject and/or Customer.
In the event of an infringement and the associated violation of the availability, integrity or confidentiality of the Personal Data, Soda shall ensure that the infringement in connection with Personal Data is reported to the Data Protection Authority within 72 hours of it becoming aware of it, unless it is unlikely that the infringement poses any risk to the rights and freedoms of the Data Subjects (and, where applicable, the Customers) concerned. Soda will also report the Personal Data Breach to the Data subjects and/or Customers concerned if it is likely that the breach will entail an increased risk for the rights and freedoms of Data Subjects and/or Customers.
While Soda takes appropriate technical and organizational measures to safeguard Personal Data, it is highlighted that no transmission over the internet can ever be guaranteed secure. Consequently, the Data Subject and/or Customer notes that Soda cannot guarantee the security of any Personal Data in the process of its transmission and that the effective security depends, in part, on the Data Subject (or Customer) ensuring that any IDs and passwords that have been issued to them are kept confidential and secure.
Personal Data will not be retained longer than necessary for the purpose for which it is Processed.
Where Personal Data is Processed for the purpose of executing the Agreement, and upon termination or expiration of the Agreement, the Data Subject (and/or Customer) may request Soda not later than 30 days after the date of the termination or expiration of the Agreement to return the Personal Data to the Data Subject (or, as the case may be, the Customer).
Unless the applicable law prevents Soda from doing so, Soda shall comply with such request provided that the Customer has, at that time, paid all amounts due to Soda, including amounts resulting from the termination or expiration (whether or not due at the date of termination or expiration). In the event of a return of Personal Data to the Data Subject and/or Customer, Soda shall no longer retain Personal Data unless the Data Subject (or the Customer) so legally requests, and subject to the conditions then agreed.
Failing the said instruction to return Personal Data, Soda shall have no obligation to maintain, forward or return any Personal Data, unless Soda has retained Personal Data as provided by this article.
Unless the Data Subject (or the Customer, to the extent the Customer is a natural person whose Personal Data is Processed) requests Soda to return Personal Data or has requested Soda to delete or to anonymize Personal Data, Soda may, taking into account the requirement to keep Personal Data for follow-up tasks, retain Personal Data during 10 years after the completion of the performance of the Agreement, being understood that the Data Subject (or the Customer) may request Soda to continue the retention thereof for the term indicated by them and subject to the conditions then agreed.
Soda may in any event continue to use any Personal Data if Soda does so in aggregate and non-Customer identifiable and non-person identifiable formats, thus ensuring that Personal Data no longer qualifies as Personal Data under the GDPR.