Data Processing Agreement (DPA)
Last updated: 09 July 2024
Whereas
- idloom performs services (hereinafter: “Service”) for the benefit of his Customers to enable them and their customers and employees to use the platforms “idloom.events”, “idloom.passport”, and “idloom.wall” made available by idloom.
- imply the processing of personal data for the benefit of the Customer, who is Controller within the meaning of the Belgian Privacy Act (hereinafter: "PA") and the European Regulation 2016/679 (hereinafter: “GDPR”).
- The purpose of this DPA is to bring the Service Terms of Use of idloom into compliance with the PA and GDPR. Therefore, this DPA replaces the part “Protection of Privacy” of the previous Terms of use.
- Idloom only processes the personal data at the instructions of his Customers, and not for his own purposes, this within the meaning of the PA and the GDPR. Within that context idloom qualifies as a data processor within the meaning of the PA and the GDPR.
- By means of this DPA idloom wishes to set forth his commitments regarding the processing of personal data within the context of the Service, referred to under point 1.
Processing of personal data
1. Definitions
- 1. Any terms defined in the Service Terms of Use shall have the same meaning in this DPA when written with a first capital letter, unless explicitly set forth otherwise.
- The terms “Processing”, "Process", “Personal Data”, “Data Subject”, “Controller”, “Processor” and “Personal Data Breach” shall have the meaning assigned to them in the GDPR.
- “Data Protection Legislation” means the GDPR and any other (national) data protection or privacy laws applicable to the Processing of Personal Data in the context of the Service.
- “Subprocessor” means (i) any subprocessor engaged by idloom to provide (part of) the Service and who agrees to receive Personal Data intended for processing on behalf of the Customer in accordance with Customer’s instructions and the provisions of the Terms of Use and/or (ii) idloom, as the case may be.
2. Object of this DPA
- This DPA applies to the Processing of Personal data in the context of the Service, the details of which are described hereafter:
- Subject-matter of the Processing: depending on the choices made by the Customer, the idloom.events platform and/or the idloom.wall platform and/or the idloom.passport add-on (available via the Service terms of use).
- With regard to idloom.events:
- Nature of the Processing: registration and check in, recording, organisation, modification, consultation, confirmation, payment, reminder, segmentation, erasure, tracking and performance metrics, technical support and maintenance;
- Purpose of the Processing: allow the Customer to set up custom registration processes, to manage attendees, sessions and check-in, to organize payments, badges, hotels, invoices and documents related to on-line, live and hybrid events;
- Type of Personal Data: name, surname, company, contact details (e-mail address, postal address, telephone number, mobile phone number), registered events, payments, badge information. If the Customer chooses so: accommodation, data concerning health (handicap or food allergy) and any other data collected via custom fields created by the Customer;
- Categories of Data Subjects: Staff (including volunteers, agents, and temporary workers), customers / clients, suppliers, trainees, trainers, participants of a particular event or training, and any other category as set up by the Customer;
- Duration of the Processing: Until the end of the provision of the Service by idloom to Customer unless the Customer wishes to delete or have returned some Personal Data pursuant to clause 12 of this DPA. Personal Data is destroyed at the end of the provision of the Service by idloom.
- With regard to idloom.wall:
- Nature of the Processing: hosting and email notifications
- Purpose of the Processing: allow the Customer to empower its organisation by socialising its intranet/extranet, in particular by organising and sharing knowledge and information within teams;
- Type of Personal Data: name, surname, company, contact details (e-mail address, telephone number, mobile phone number), posts, liked posts, interactions with other users of the platform (including messages);
- Categories of Data Subjects: Staff (including volunteers, agents, and temporary workers), customers / clients, suppliers, trainees, trainers, and any other category as set up by the Customer;
- Duration of the Processing: Until the end of the provision of the Service by idloom to Customer unless the Customer wishes to delete or have returned some Personal Data pursuant to clause 12 of this DPA. Personal Data is destroyed at the end of the provision of the Service by idloom.
- With regard to idloom.passport:
- Nature of the Processing: creation, import, organisation, modification, consultation, communication, segmentation, erasure, and email notifications;
- Purpose of the Processing: allow the Customer to organise users, contacts, web-based training, exams, certificates, and mass mailing;
- Type of Personal Data: name, surname, date of birth, company, job title, contact details (e-mail address, postal address, telephone number, mobile phone number), certificate unique number for training completion and certificate validation, and any other data collected via custom fields created by the Customer;
- Categories of Data Subjects: Staff (including volunteers, agents, and temporary workers), customers / clients, suppliers, trainees, trainers, participants of a particular event or training, and any other category as set up by the Customer;
- Duration of the Processing: Until the end of the provision of the Service by idloom to Customer unless the Customer wishes to delete or have returned some Personal Data pursuant to clause 12 of this DPA. Personal Data is destroyed at the end of the provision of the Service by idloom.
- Pursuant to Article 9.1 of GDPR, Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (here after “Sensitive Personal Data“) shall be prohibited.
While processing is allowed in specific cases set out in the Regulation, taking into account that Sensitive Personal Data are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, and might require more protection, additional conditions and safeguards, designation of a data protection officer (DPO), completion of a data protection impact assessment (DPIA), involvement of a professional subject to an obligation of professional secrecy, and compliance to specific provisions on data protection from Member States law, the Customer acknowledge and agree that he will not Process any Sensitive Personal Data when using the platforms “idloom.events”, “idloom.passport”, and “idloom.wall” made available by idloom. The same applies for the collection of bank card numbers, or any other identity numbers, except when using integrated online payment services provider (e.g. Stripe or Ingenico). In addition, the Customer will not knowingly solicit information from or market to children under the age of 13 without prior written consent from idloom.
- The Customer will not provide idloom with any other Personal Data, except as set forth in clauses 2.1 and 2.2. Any deviations from or changes to the Processing as described above must be agreed in writing between the parties.
- idloom cannot be held liable for any deviations from or changes to the Processing by the Customer without consent from idloom as required under clause 2.3.
3. idloom’s obligations
- idloom may only Process the Personal Data provided by the Customer in accordance with the Customer’s instructions thereto or in fulfilment of any statutory obligation. The Service Terms of Use and this DPA constitute Customer’s complete instruction to idloom with regard to the Processing of Personal Data. Any additional or alternate instructions must be jointly agreed by the parties in writing. The following is deemed an instruction by the Customer to Process Personal Data: (i) Processing in accordance with the Service Terms of Use and (ii) Processing initiated by Customer’s End Users in their use of the Service.
- idloom guarantees that it, as well as any person acting under its authority, shall Process Personal Data only insofar as necessary for delivering the Service under the Service Terms of Use (including with regard to transfers of Personal Data to a third country or an international organisation), unless required to do so by Data Protection Legislation to which idloom is subject. In such a case, idloom will inform the Customer of that legal requirement before processing, unless such Data Protection Legislation prohibits the provision of such information on important grounds of public interest.
- The Personal Data entrusted by the Customer to idloom is confidential. idloom will not disclose Personal Data to any third party, except (i) as the Customer directs, (ii) as stipulated in the Service Terms of Use, (iii) as required for Processing by approved Subprocessors in accordance with clause 9 of this DPA or (iv) as required by law.
- idloom shall ensure that its staff (or any other person acting on its behalf and authorised to Process Personal Data) are also bound by appropriate confidentiality obligations.
- idloom will immediately notify the Customer if, in its view, any instructions are in conflict with the applicable Data Protection Legislation.
- The Processing performed by idloom under this DPA will not comprise any assistance or other services by idloom concerning data protection to the Customer beyond the assistance which idloom is required to provide to the Customer under the applicable Data Protection Legislation and/or this DPA.
4. Data subject rights
- idloom will reasonably assist the Customer, by appropriate technical and organizational matters, for the fulfilment of the Customer’s obligations to respond to Data Subjects' requests to exercise their rights.
- If a Data Subject sends a Data Subject request to idloom, idloom will direct such Data Subject to the Customer. In support of the above, idloom may provide the Customer’s basic contact information to the Data Subject.
5. Security of the Processing
- idloom will implement appropriate technical and organisational measures as described in Annex 1 to this DPA. The level of the technical and organisational measures is based on a normal utilization of the Service in accordance with the Service Terms of Use and the Processing described in clause 2.
- idloom will maintain the technical and organizational measures described in Annex 1 for the entire duration of the provision of the Service by idloom to Customer. idloom has the right to bring changes to the technical and organisational measures on condition that it will not substantially decrease the level of protection afforded to the Customer’s Personal Data.
6. Compliance and audit
- idloom will assist Customer in carrying out a data protection impact assessment with regard to the Processing of Personal Data in the context of the Service.
- idloom will notify without undue delay to the Customer any complaint, request or notice from a Data Subject or a competent supervisory authority.
- idloom will assist the Customer in demonstrating compliance with the applicable Data Protection Legislation by making available upon request of the Customer all information necessary to demonstrate such compliance.
- The Customer is entitled to reasonably audit idloom’s compliance with the present DPA. For that purpose, idloom will, if so requested by the Customer, enable Customer to audit such compliance, or have a third party do so, at a time to be mutually agreed by the parties, as well as at such other times as are deemed necessary by the Customer further to a substantial Personal Data Breach. The Customer will give idloom at least a one (1) month prior notice which should include name/identity of the third party engaged by the Customer to perform the audit and, idloom should be able to request another third party, in the case there is a reasonable justification. When performing an audit, the Customer (or the third party engaged by Customer) cannot have access to any confidential information of idloom and idloom shall refuse to communicate any such confidential information when these are not directly linked and necessary for the purpose of the audit. The frequency of such audit should be limited to a maximum of once a year, unless in the event where (i) a competent supervisory authority requires this under applicable Data Protection Legislation or (ii) following a substantial Personal Data Breach. idloom will in all reasonableness provide its cooperation to the audit.
- The costs of the audit and the assistance provided by idloom under this clause 6 and explicitly requested by the Customer or by a competent authority are borne by the Customer.
7. Location of processing
- idloom shall only process the Customer’s Personal Data in Europe.
- idloom will not process or transfer Customer’s Personal Data or have these processed by itself or by third parties, outside the European Union in countries which do not ensure an adequate level of protection according to the European Commission, except upon having secured appropriate guarantees as required by the applicable Data Protection Legislation such as the execution of appropriate data transfer agreements.
8. Personal data breach management
- The Customer, as Controller of the Personal Data, is responsible for informing the Data Subjects and other third parties, including any competent supervisory authorities, about any Personal Data Breach in accordance with applicable Data Protection Legislation.
- In the event of a Personal Data Breach found by the Customer, as Controller of Personal Data accessing the Service and irrespective of its cause, the Customer shall prevent any record or any additional processing of the Personal Data, and shall notify idloom without undue delay after having become aware of such Personal Data Breach, specifying where known or readily identifiable the following information:
- the nature and context of the Personal Data Breach;
- the identity and contact details of the Data Protection Officer (or another contact person) from whom more information can be obtained.
- In the event of a Personal Data Breach in the context of the provision of the Service to Customer and irrespective of its cause, idloom shall notify the Customer without undue delay after having become aware of such Personal Data Breach, specifying where known or readily identifiable the following information:
- the nature of the Personal Data Breach;
- the categories of Personal Data and Data Subjects concerned by the Personal Data Breach, and the approximate numbers;
- the likely consequences of the Personal Data Breach and the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach;
- the identity and contact details of the Data Protection Officer (or another contact person) from whom more information can be obtained.
- A party’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by that party of any fault or liability with respect to the Personal Data Breach.
9. Use of Subprocessors
- The Customer authorizes idloom to engage Subprocessors in the context of the provision of the Service in accordance with this article 9. idloom shall inform the Customer (via its client intranet, via email or any other means) of any changes concerning the addition or replacement of such Subprocessors, thereby giving the Customer the opportunity to object to such changes.
- The complete list of Subprocessors can be consulted at any time upon request.
- If the Customer reasonably objects to the Processing of Personal Data by one or more Subprocessors, then the Customer shall notify idloom in writing within 10 calendar days after receipt of idloom’s notice and full information in order to allow evaluation. Failure of the Customer to object to any such Subprocessor within those 10 calendar days, shall be deemed to constitute acceptance with the engagement of such Subprocessor.
- In the event Customer objects to a Subprocessor, idloom will use reasonable efforts to change the affected part of Service or to recommend another commercially reasonable change to the Customer’s use of the affected part of the Service to avoid the Processing of Personal Data by the Subprocessor concerned. If idloom is unable to make available or propose such change within sixty (60) calendar days, the Customer may terminate the (relevant part of the) Service regarding those parts which cannot be provided by idloom without the use of the Subprocessors concerned.
- idloom shall use only Subprocessors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing shall meet the requirements of this DPA and of applicable Data Protection Legislation. idloom will impose binding and written commitments upon its Subprocessors equivalent to those imposed upon idloom under this DPA.
- Notwithstanding Customer’s permission to engage a Subprocessor, idloom shall remain fully liable towards Customer for the engagement of such Subprocessors.
10. Liability
- Clause 9.4 of the Service Terms of Use applies to this DPA, except that the liability of idloom towards the Customer for breaches of this DPA is limited to two times the liability caps provided in clause 9.4 of the Service Terms of Use.
11. Term and termination
- This DPA is entered into on the date of execution and remains in full force and effect as long as idloom Processes Personal Data on behalf of Customer.
- This DPA is automatically terminated upon termination or expiry of the Service Terms of Use;
- Obligations which, by their nature, are intended to continue after termination or expiry of this DPA, shall remain in effect after this DPA has ended. Among these obligations are those arising from the provisions concerning confidentiality, liability, and applicable law.
12. Return and deletion of Personal Data
- When the Customer closes its account or requests idloom to close its account (not a license downgrade), regardless of whether the Service Terms of Use have been terminated or have expired, idloom shall delete all Customer Personal Data stored or otherwise Processed by idloom. Customer has the possibility to download, at its own expenses, its Personal Data via the API prior to the closure of the account.
- Upon termination or expiry of a paid subscription (not the closing of the account) the Customer account is automatically downgraded to the freemium version during which the Personal Data will be retained unless the Customer requested Idloom to delete such Personal Data in accordance with the clause above. After one (1) year of inactivity on the freemium version, the Customer account will be closed. Before closure, two reminder e-mails will be sent to the Customer at thirty (30) and seven (7) days. If the Customer does not download the Personal Data or reopens or reactivates its account by the final closure and final deletion date as announced according to the above procedure, all copies of Customer’s Personal Data will be deleted automatically by idloom.
- Personal Data which has been archived in the framework of idloom’s backup policies will be automatically destroyed after deletion of the last backup set rotation (after 30 days).
13. Final provisions
- In the event of a conflict between the provisions of this DPA and those of the Service Terms of Use with regard to the Processing of Personal Data, the provisions of this DPA shall prevail.
- This DPA is governed by the same applicable law and shall come under the same jurisdiction as provided for in the Service Terms of Use.
Annex 1 to the DPA: Technical and organisational measures
This Annex 1 sets forth the administrative, technical, physical, organisational, and contractual measures put in place by idloom within the framework of idloom’s processing of Customer Personal Data in relation to Customer’s use of the Service. The purpose of these measures is to ensure that such Processing happens in a secure manner, to protect Customer's data from loss, theft, misuse and unauthorised access, disclosure, alteration, and destruction, and in particular with regard to the confidentiality, and integrity of the Data, as well as with regard to the availability of the Service.
idloom places significant emphasis on the value of continual improvement as a vital principle within its Information Security Management System (ISMS). And it follows industry standards to protect the Personal Information submitted to it, both during transmission and once it is received, taking into account the nature of such information and the risks involved in processing.
Since 2023, idloom is certified ISO 27001, one of the most widely recognized and internationally accepted information security standards.
click here to open our certificate
In addition, all measures are tested, described and kept up to date in this Security & Compliance Report
Legal information
For idloom websites:
For idloom services:
For US customers and users:
I herely accept the Data Processing Agreement (DPA).
Read and approved,
Date:
For idloom
Full name:
Title:
The customer
Company:
Full name:
Title:
Signature
Signature