- idloom performs services (hereinafter: “Services”) for the benefit of its Subscribers to enable them and their customers and employees to use the platform “idloom-wall” made available by idloom.
- These services imply the processing of personal data for the benefit of the Subscriber, who is Controller within the meaning of the Belgian Privacy Act (hereinafter: PA) and the European Regulation 2016/679 (hereinafter: “GDPR”).
- idloom only processes the personal data on the instructions of its Subscribers, and not for its own purposes, within the meaning of the PA and the GDPR. Within that context, idloom qualifies as a data processor within the meaning of the PA and the GDPR.
- By means of this Annex, idloom wishes to set forth its commitments regarding the processing of personal data within the context of the services, referred to under a.
Processing of personal data
Terms such as “processing”/ "process", “personal data”, “data controller” and “data processor” shall have the meaning assigned to them in the Belgian Privacy Act (“PA”) and starting from May 25th, 2018 in the European Regulation 2016/679 (“GDPR”).
2. Object of this Data Processing Agreement
During the performance of the Main Agreement, idloom may process personal data for the benefit of the Subscriber or in fulfilment of any statutory obligation.
This is a list containing the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.
- Subject-matter of the processing: idloom-wall platform
- Nature of the processing: hosting and email notifications
- Purpose of the processing: access to an Internet-based intranet/extranet platform, in the form of a SaaS (Software as a Service) or via a software installation on its own servers.
- Type of personal data: profile information (name, surname, company, contact details (e-mail address, postal address, telephone number, mobile phone number)), posts, liked posts, interactions with other users of the platform (including messages).
- Categories of data subjects: customers/employees of the Subscribers
- Duration of the processing: Until the end of the contract with the Subscriber, unless the Subscriber wishes to delete some data he estimates not to be entitled to keep anymore.
Data is destroyed at the end of the collaboration between the parties.
3. idloom’s obligations
- idloom shall take care to guarantee the non-use of the data provided in any context other than that strictly envisaged in the present contract or in accordance with the subscriber’s instructions.
- The data entrusted by the subscriber to idloom-events is confidential.
In order to ensure the sustainability of the business, idloom shall take particular care to do everything possible to avoid all use, distribution or publication of the subscriber’s data without their consent.
No information shall be communicated to third parties without the agreement of the Subscriber. idloom will not disclose personal data directly or indirectly to any person, company or governmental entity. If such disclosure is necessary for the proper processing of personal data, this may only occur after prior written permission of the Subscriber and then only under a full obligation of confidentiality. idloom may, upon timely prior information to the Controller, release personal data pursuant to an order issued by a court or a competent governmental agency.
Other processing activities shall only be performed, when idloom is explicitly instructed to do so by the Subscriber or to comply with a legal requirement, after having notified, and under the responsibility of, Controller.
In no case shall idloom process personal data for its own purposes.
idloom staff are also bound by this confidentiality clause as a result of the employment contracts agreements entered into with idloom.
- idloom shall process the personal data verifiably, properly and carefully and in accordance with all Data Protection Laws applicable and is committed to not, by any act or omission, put the Subscriber in breach of any Data Protection Laws in connection with this Data Protection Agreement.
- idloom will comply with all reasonable instructions that will be provided by the Subscriber in relation to the processing of the personal data. idloom will immediately notify the Subscriber if, in its view, any instructions are in conflict with Belgian law or with GDPR.
- The processing will not comprise consultancy services by idloom concerning data protection (like risk assessment, an evaluation of compliance with the GDPR or a classification of data).
4. Security of processing
- The level of the appropriate technical and organizational measures to ensure a level of security appropriate to the risk incurred by the processed data depends on a normal utilization of the platform.
These measures secure personal data against loss, destruction, damage, unauthorized disclosure, mutilation or unauthorized or unlawful processing, and guarantee the conventional availability, or timely availability, of the data.
Such measures provide a level of security which could be considered as appropriate considering the technical standards and the kind of personal data processed taking into account:
- the state of the art, and the costs of implementation and
- the nature, scope, context and purposes of processing as well as
- the risk of varying likelihood and severity for the rights and freedoms of natural persons
- idloom guarantees to implement the acknowledged technical and organizational measures for the entire duration of the Services.
Parties acknowledge that security requirements are changing continually and that effective security requires a frequent assessment and regular improvement of outdated security measures.
- idloom informs its employees and agents of the obligations resting on idloom with regard to Subscriber Personal Data. idloom makes all employees and agents involved in the processing of Subscriber Personal Data enter into obligations of confidentiality with the purpose of safeguarding the confidentiality and integrity of Subscriber Personal Data.
- idloom is at the disposal of the Subscribers to cooperate in carrying out an impact assessment if they think they fall within the scope of Article 35 of the GDPR.
- idloom will notify without undue delay to the Subscriber any complaint, request or notice from a data subject exercising his rights under data protection legislation.
idloom will comply with the Controller’s instructions with respect to the request or notice. Controller agrees for idloom to reply directly to this request without instruction from the Controller.
Taking into account the nature of the processing, idloom will assist the controller by appropriate technical and organizational measures, insofar as this is possible and will provide its full and timely cooperation to Subscriber in order to respond to requests for exercising the data subject's rights, especially:
- after having been instructed by Controller, allow the data subjects to access their personal data concerned,
- after having been instructed by Controller, delete or correct personal data,
- show that personal data have been deleted or corrected, if incorrect (or, in the event of Subscriber disagreeing that personal data are incorrect, to record the fact that the data subject regards his/her personal data as incorrect) and
- otherwise enable Subscriber to fulfil its obligations to respond to requests for exercising the data subject's rights laid down in the PA, GDPR Chapter III or other applicable legislation in the field of the processing of personal data.
- Starting May 25th 2018, the Subscriber is entitled to monitor compliance with the present Agreement, or have such compliance monitored by third parties. For that purpose, idloom will, if so requested by the Subscriber, enable him at least once a year to monitor such compliance, or have a third party do so, at a time to be agreed by the Parties in joint consultation, as well as at such other times as are deemed necessary by the Subscriber further to any information or privacy incidents, or a suspicion of these. idloom should at least get a one (1) month notice before such a monitoring intervention from the Subscriber with the name/identity of the third party, and idloom should be able to request another third party in case there is a reasonable justification. idloom shall within a reasonable period comply with any reasonable instructions provided by Subscriber further to such monitoring to adjust the security policy. In any case, this monitoring should be strictly limited to the measures needed to ensure that idloom complies with this contract’s provisions. This monitoring cannot be the occasion for the Subscriber to have access to any confidential information of idloom and idloom shall refuse to communicate any such confidential information when these are not directly linked and necessary for the purpose of this monitoring within the scope of this contract. Also the frequency of monitoring should be limited to a maximum of once a year.
idloom will in all reasonableness provide its cooperation to the monitoring. The costs of the monitoring are borne by the Subscriber.
6. Location of processing
- idloom shall only process the Subscriber’s Personal Data in Belgium.
By exception, data may be handled by idloom sister company Idloom Inc, registered in the U.S.A. with appropriate guaranties, to better suit the subscriber’s needs or to answer requests after European business hours. Idloom has secured appropriate guaranties with its sister company.
- idloom will not process or transfer Subscriber Personal Data or have these processed by itself or by third parties, outside the European Union except with the Subscriber's explicit prior written permission and having secured appropriate guaranties.
7. Personal data breach management
- idloom will assist the Subscriber in ensuring compliance with the obligations pursuant to Belgian law and to GDPR Articles 32 to 36, taking into account the nature of processing and the information available to idloom.
- The Subscriber is responsible for the information of the data subjects and other third parties, including the Data Protection Authority Commission for the Protection of Privacy, about any personal data breach, if deemed necessary by him. It is not permitted for idloom to provide information about personal data breach to data subjects or other third parties, except if idloom is by law obliged to do so.
8. Use of Subprocessors
- The subscriber authorizes idloom to engage another processor. Idloom shall inform the Subscriber of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
- idloom shall use only subprocessors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing shall meet the requirements of this Data protection Agreement and of Belgian law and GDPR and ensure the protection of the rights of the data subject.
idloom will impose the same binding or even more binding commitments upon the third party engaged by it as those arising to idloom itself from this addendum and from Belgian law and GDPR and shall make sure that these are complied with by that third party. The agreements which are made with the third party shall be laid down in writing.
- Notwithstanding Controller’s permission to engage a third party, idloom shall remain fully liable towards Subscriber for the consequences of the subcontracting of activities to a third party.
- The processor can only be held liable for any damage caused by the processing if he did not respect the obligations specifically provided for processors by the GDPR or in case of any act violating or deviating from the instructions of the controller.
In accordance with article 82.3 of the GDPR, the subprocessor will be exonerated of any liability towards the data subject if he proves that the fact having caused the damage, isn’t attributable to him.
The liability of the processor is limited to the direct damage, excluding all indirect or consequential damages, like loss of profits, loss of revenues, loss of anticipated savings, loss of opportunity, loss of Subscribers, claims of Subscribers or other third parties, and reputational damage.
In any case, the liability of the processor is limited to the value of one year of performances, as determined by the main agreement.
- The Subscriber guarantees idloom from any consequence resulting from:
- in case of absence of complete information of idloom by the Subscriber, particularly concerning an incident, a request from a supervisory authority or a data subject
- a decision being the responsibility of the Subscriber or every breach committed by the personnel of the Subscriber.
The consequences as referred to by this article are, without being exhaustive: the costs of additional performances of idloom, the suffered damage, administrative fines, every sum due to a data subject or to a subprocessor.
- When the Subscriber or idloom has completely repaired the damage suffered by the data subject, he has the right to claim from the other party, that part of the reparation corresponding to his part of responsibility for the damage, provided that the other party has agreed to the adequate nature of the indemnification of the data subject or provided that the indemnity has been fixed by a judgment and the other party has been implicated in the legal proceeding.
10. Term and termination
11. Return and deletion of Personal Data
After the end of the processing or at first request from the Subscriber, idloom shall at Subscriber’s discretion:
- delete all copies of Subscriber Personal Data stored or processed by idloom,
- or return all the personal data to the controller and deletes existing copies, unless Union or Member State law requires storage of the personal data.
If the Subscriber chooses the return of the data, he will have to defray idloom of the expenses thereof.
If the Subscriber indicates nothing about that after one year, all copies of Subscriber Personal Data will be deleted by idloom.
12. Processing of the co-contracting party’s Personal Data
- Personal data of the contact persons of the Subscriber (surname, first name, image, occupation, domicile or residence, telephone and fax number, e-mail, date and place of birth, civil status, bank account number, languages and areas of specialization, diplomas and academic or professional qualifications) are processed by idloom in accordance with the applicable legislation regarding the processing of personal data:
- to enable payment of the services of idloom;
- to enable customers and the personnel of idloom to contact the Subscriber by telephone or e-mail;
- to manage the normal use of the platform;
The provision of those personal data is a requirement necessary to enter into a contract. Failure to provide such data would prevent the conclusion of the contract.
- These personal data shall also be processed to fight fraud, for direct marketing or to ask Subscriber’s consent about a new purpose. These processing operations will occur upon idloom’s legitimate interest to ensure the smooth running of its activities.
- If the Subscriber communicates the personal data of its employees to idloom, he shall ensure that he communicates this information to its employees.
These data shall be used exclusively for the purposes listed above, unless further opposition on behalf of the other Party on the purpose of direct marketing.
- The personal data shall be stored for 10 years after the Subscriber’s account closing.
- The Processor agrees that the data strictly necessary may be disclosed to the following third parties: tax administration and social security instances, idloom’s subcontractors and accountant.
- Data may be transferred outside the European Union, in countries the European Commission deems not to ensure an adequate level of protection for personal data. In this case, each Party will take appropriate safeguards with standard data protection clauses adopted by the Commission. These can be consulted at the headquarter of idloom.
- The Parties or their contact persons may, by written request dated and signed, addressed to the Subscriber and the proof of their identity, obtain, free of charge if it is a reasonable volume, from the Subscriber the written communication of the data and the portability of the data, as well as, where appropriate, rectification, restriction of processing, deletion of those which are inaccurate, incomplete or irrelevant. The application is considered as dismissed where no action has been taken on the application within 30 days of the request. They may also apply to or lodge a complaint with the Privacy Commission for the exercise of these rights. The President of the Court of First Instance shall hear of any request concerning these rights if the application was dismissed.
- If at any time the Subscriber or their employees believe that the other Party is not respecting their privacy, they may send a letter or e-mail to idloom: firstname.lastname@example.org. idloom shall make every effort to detect and correct the problem. If idloom wishes further information, he may also contact the Data Protection Authority at the following address: Data protection authority, 1000 Brussels, Rue de la Presse, 35 (Tel. + 32 2 213 85 40 - Fax + 32 2 213 85 65 - email@example.com). They may consult the public register of automatic processing of personal data.
13. Final provisions
- This Annex is exclusively governed by Belgian law and by GDPR.
- Any conflicts shall first of all be the subject of discussions between the parties, with both parties making an effort to resolve the matter by agreement.
Last modified: April 19, 2018