Processing Agreement
Lumenii Processing Agreement
1. Definitions
1.1. This Processing Agreement contains terms (such as the party/person concerned, Personal Data and processing) that have the same meaning as those used in the applicable South African legislation for the protection of Personal Data, particularly the Protection of Personal Information Act (“POPI”). For purposes of this agreement, reference to Personal Data is to be used interchangeably with “Personal Information”, as defined in POPI.
1.2. “Responsible Party” means the Client.
2. Applicability and Actual Processing
2.1. Any order under the Agreement for the processing of Personal Data by Lumenii for the Responsible Party shall be governed by this Processing Agreement.
2.2. The Responsible Party will inform Lumenii timeously in writing of the (changed) nature of the Personal Data to be processed by Lumenii under the Agreement.
2.3. Lumenii will process the Personal Data in a proper and meticulous manner in accordance with his obligations as the Processor under this Processing Agreement and the applicable legislation.
2.4. Lumenii will process Personal Data for the Responsible Party within the framework of the order as further specified in the Agreement. Other processing will only be performed under a supplementary order from the Responsible Party or if such is a legal obligation. The processing by Lumenii under the Agreement is only related to the types of Personal Data as specified in the Agreement, failing which the Processor will assume that his processing will be related to the following Personal Data: name, address, place of residence, gender, date of birth, position, email address, education/training and nationality.
2.5. The Responsible Party must see to it that Personal Data will be entered correctly and completely. The Responsible Party is also responsible for verifying that the processed Personal Data is correct and complete.
2.6. The Responsible Party guarantees to Lumenii that the content, the use by or on behalf of the Responsible Party and/or the ordered processing of the Personal Data are legitimate and do not infringe upon the rights of the persons concerned, and also that the Personal Data were obtained in a manner in line with the applicable legal regulations.
2.7. Through the functionality in the SaaS Service the Responsible Party himself will be able to (i) allow the persons concerned to get a copy of their processed Personal Data or to inspect these; and (ii) to remove, correct or supplement Personal Data.
The Processing Agreement forms an integral part of the Agreement. If a provision of this Processing Agreement conflicts with a provision of the Agreement, the provision in this Processing Agreement will prevail over the provision of the Agreement.
3. Protection of Personal Data & Control
3.1. Lumenii will take suitable technical and organisational protective measures that, considering the current state of the art and the costs involved, are in line with the nature of the Personal Data to be processed, as indicated by the Responsible Party, and the order as to how the data will be used, for the protection of the Personal Data against loss or illegitimate processing, while observing the provisions of this Processing Agreement.
3.2. The Responsible Party will timeously inform Lumenii of any (changed) risks connected with, and also of the (changed) risk category with respect to the Personal Data to be processed by Lumenii.
3.3. The Responsible Party will immediately inform Lumenii of an order or other notice given by a competent authority (Personal Data Authority) concerning the Personal Data as processed by Lumenii as ordered by the Responsible Party.
3.4. The Responsible Party will see to it that his employees will keep strictly secret the authentication means (including, but not limited to login name and password) that allow access to the SaaS Service.
3.5. The measures to be taken by Lumenii as referred to in clause 3.1 are:
3.5.1. compliance with the secrecy obligation referred to in clause 4;
3.5.2. installing and updating a system ensuring secure access to the Personal Data through an authentication process, such as login name and password;
3.5.3. securing the system by which Lumenii processes the Personal Data, by means of up-to-date software that detects viruses, Trojans and other malware;
3.5.4. monitoring the access to the system (including monitoring any indications of illegitimate access to the Personal Data, such as wrong logins and exceeding authorisation powers);
3.5.5. designating persons entrusted with the processing and authorised to get access on a need-to-know basis;
3.5.6. informing the Responsible Party of security-related incidents, as soon as reasonably possible but no later than 50 hours after these have been found, which may, to a considerable degree, have adverse consequences for the protection of Personal Data of one or more persons involved (hereinafter: “data leak”);
3.5.7. as soon as possible Lumenii will take measures that may be reasonably expected of him, to repair the adverse consequences of the data leak as it may have occurred, or to limit these consequences as much as possible;
3.5.8. the notification to the Responsible Party should at least mention the nature of the breach and the measures that Lumenii has taken or proposes to repair these consequences or to limit these as much as possible;
3.5.9. besides, Lumenii will lend his cooperation to the Responsible Party, where possible, in preparing a description of the ascertained and possible consequences of the data leak in view of the processing of Personal Data in connection with the reporting obligation of the Responsible Party and where necessary – in the opinion of the Responsible Party – towards the persons involved;
3.5.10. adequate, physical protection of the areas concerned that house the equipment where the Personal Data are stored (such as access control, temperature control, measures to prevent fire and water damage).
3.6. In order to enable the Responsible Party to check on the compliance with the measures mentioned under 3.5, Lumenii gives the Responsible Party the opportunity once a year, if the Responsible Party requests such, to get insight into the measures taken, based on a statement by an independent external expert who will, when so instructed by Lumenii, give his opinion on the measures taken, a so-called third party opinion (TPM). Lumenii is entitled to charge a fee for this.
3.7. Lumenii will give the supervisory agency (Personal Data Authority) the opportunity, when so requested by it – after previous consultations with the Responsible Party – to inspect the processing by Lumenii under the Agreement.
3.8. Lumenii will, in all reasonableness and at his reasonable commercial rates, lend his cooperation towards the inspection referred to under 3.6.
3.9. If necessary the Responsible Party and Lumenii will consult each other to see whether and to what extent the organisational and security measures need to be changed in order to comply with the then applicable imperative legislation for the protection of Personal Data, and who will bear what costs.
3.10. As soon as possible after receiving a binding instruction by the competent supervisory agency to change the organisational and security measures, the Parties will consult each other in order to determine the necessary measures in order to comply with the instruction and who will bear what costs.
4. Secrecy
4.1. Lumenii is obliged to keep the Personal Data provided by the Responsible Party secret. Lumenii is not allowed to disclose, provide or otherwise make available the Personal Data to any third party, unless this is necessary or permitted pursuant to the order as laid down in the Agreement and/or the Processing Agreement, or unless this results from a supplementary instruction by the Responsible Party or from a legal obligation, an order by a competent judge, an order given by the competent authority, an instruction given by a competent person or a request by the relevant supervisory agency (Personal Data Authority), in case of a merger or acquisition or unless previous written permission was obtained from the Responsible Party.
4.2. Lumenii will see to it that anyone acting under his authority will be obliged to keep secret the Personal Data he/she may get to know.
4.3. If on the grounds of a legal obligation Lumenii must provide information, Lumenii will verify the basis of the request and the identity of the requestor, and inform the Responsible Party hereof before providing any information, unless the applicable law and regulations should prohibit this.
5. Use of Subprocessors
5.1. Within the framework of this Processing Agreement Lumenii is entitled to use subprocessors and also third Parties in countries that provide a suitable level of protection. If the third party resides in a country which does not necessarily provide a suitable level of protection, then such use is permitted only after the previous express permission from the Responsible Party, which permission the Responsible Party will not withhold on unreasonable grounds. If the Responsible Party so asks, Lumenii will inform him about the identity and place of residence of the subprocessor. It is noted that the Assessio Group (Assessio International AB) that provides the SaaS Service is a subprocessor, located in the European Union.
5.2. Lumenii and the subprocessors he has engaged will enter into a (sub)processing Agreement imposing obligations equivalent to his obligations under this Processing Agreement, unless the Responsible Party has directly concluded such a processing agreement with this subprocessor.
6. Liability
6.1. The Responsible Party assumes the full responsibility and is therefore fully liable for the intended purpose of the processing, the use and content of the Personal Data, the disclosure to third Parties, the duration of the storage of the Personal Data, the manner of processing and the means used therefor.
6.2. The Responsible Party indemnifies Lumenii (including its shareholders, directors, employees, officers and agents) against any liability, claim or fine, for whatever reason, from any persons involved or third parties because the applicable legislation for the protection of Personal Information or Data, or other applicable legal obligations and also the obligations under this Processing Agreement may have been violated, unless and in so far as the claim or fine is based on acts and/or any gross negligence for which Lumenii can be blamed.
6.3. Lumenii will indemnify the Responsible Party against any claim, for whatever reason, from any persons involved because the applicable legislation for the protection of Personal Data or Information, or other applicable legal obligations may have been violated, in so far as the claim is based on any acts and/or any gross negligence for which Lumenii can be blamed, while observing the provisions in clause 6.4.
6.4. Lumenii is liable towards the Responsible Party as provided in the Agreement. Notwithstanding the content thereof, and without detracting in any manner from its generality, Lumenii shall not be liable in respect of any data breach/es which are caused by the unintended or unauthorised use of credentials provided to the Client.
7. Term and Consequences of Termination (Retention Period)
7.1. The term of this Processing Agreement equals the term of the Agreement unless the Parties have agreed otherwise, or lasts as long as Lumenii keeps Personal Data of the Responsible Party in conformity with clause 7.3.
7.2. Any obligations that considering their nature should continue to be in force also after the dissolution of this Processing Agreement, will remain in force after the dissolution of the Processing Agreement. These obligations are those that are in line with the obligations concerning secrecy, liability and applicable law.
7.3. Lumenii retains the Personal Data until the end of the Agreement on which ground the data are processed or, if a different retention period has been agreed upon by the Parties or if clause 7.4 applies, not longer than this period, after which Lumenii will remove the data as soon as possible, in so far as the Client has not done so himself using the appropriate functionality in the SaaS Service.
7.4. At the request of and at reasonable costs to be borne by the Responsible Party, Lumenii will – in so far as the Responsible Party has not already obtained its own copy of the Personal Data entered by it under the Agreement – provide, within a reasonable period after the end of the Agreement, a backup of the Personal Data entered by the Responsible Party under the Agreement and saved on the system of Lumenii, in a then readable standard format on an accepted medium. Such a request should be made before the end of the Agreement, unless such cannot be reasonably expected from the Responsible Party and the Responsible Party has timeously informed Lumenii of this in writing, in which case the request can be made until no later than 2 months after the end of the Agreement.
7.5. During the term of the agreement the Responsible Party may make printouts of the assessment reports generated by him earlier.
8. Disputes and Governing Law
8.1. South African law shall govern this Processing Agreement.
8.2. All disputes connected with the performance of this Processing Agreement shall be submitted to the competent judge or arbitrator as provided in the Agreement.