1 - Introduction

On May 25, 2018, a European privacy law is due to take effect that sets a new global bar for privacy rights, security and compliance. The General Data Protection Regulation, or GDPR, is fundamentally about protecting and enabling the privacy rights of individuals. The GDPR establishes strict global privacy requirements governing how you manage and protect personal data while respecting individual choice, no matter where data is sent, processed or stored.


The General Data Protection Regulation is a new privacy regulation across the European Union. It provides individuals with more control over their personal data, ensures transparency about the use of data, and requires security and controls to protect data.


The GDPR is structured around six principles:

Requiring transparency on the handling and use of personal data.

Limiting personal data processing to specified, legitimate purposes.

Limiting personal data collection and storage to intended purposes.

Enabling individuals to correct or request deletion of their personal data.

Limiting the storage of personally identifiable data to only as long as necessary for its intended purpose.

Ensuring personal data is protected using appropriate security practices.

2 - Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such a natural person.

“Controller” is the natural or legal person, authority, organization, or other agency that makes decisions individually or together with other parties regarding the purpose and means for processing Personal Data.

“Processor” is a natural or legal person, authority, organization or other agency that processes Personal Data on behalf of the Controller.

“Sub-processor” is the contractual partner of the Processor, engaged to carry out specific processing activities on behalf of the Controller.

“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor, Sub-processor and persons who, under the direct authority of the Controller, Processor or Sub-processor, are authorized to process Personal Data.

3 - Use of personal data

The Controller will only process personal data for the purpose of providing messaging related services and payment related activities.


Sender and receiver information and message content, needed to provide messaging services;

IP addresses and account activity (needed for securing all available systems);

Company or personal details for invoicing;

Company or personal details for technical support.

WhiteSMS does not intentionally collect or process any Personal Data unless the Client or its customers/end users/suppliers include such type of data in the content submitted and/or while using WhiteSMS messaging services. Said processing of special categories of Personal Data is unintentional for WhiteSMS and the Client shall be regarded as solely responsible to ensure that such processing is lawful and in accordance with any applicable law.


Company details for invoicing are stored as long as the account exists. Invoicing details, payments and invoices are stored for 7 years, as required by law.

Messaging details are stored for a maximum of 18 months, as needed for website functionality, reporting and improving services. When the data is no longer used, it is deleted from our systems and platforms.


The data is stored on our own secured cloud infrastructure. All servers, databases and related systems required to supply our messaging services are located in Germany.

All passwords are salted and (one-way) encrypted according to the latest standards and are not viewable by anybody (by design).

4 - Obligations of the Controller

The Controller shall be responsible for assessing whether Personal Data can be processed lawfully and for safeguarding the rights of the Data Subjects. The Controller shall ensure in its area of responsibility that the necessary legal requirements are met (for example by collecting declarations of consent) so that the Processor can provide the agreed services in a way that does not violate any legal regulations.

The Processor shall process Personal Data only upon the documented instructions of the Controller, and the Controller shall ensure that its instructions are lawful and that Processor’s processing of Personal Data will not cause the Processor to violate any applicable law, regulation or rule, including Applicable Data Protection Laws.

5 - Obligations of the Processor


Processor shall only process Personal Data in order to provide its Services to the Controller.


The Processor shall process Personal Data in accordance with this agreement and Applicable Data Protection Laws and only upon the documented instructions of the Controller, including the transfer of Personal Data to a Non-EU country or an international organization, unless the Processor is required to process the Personal Data under mandatory law. In the event that a mandatory law prevents the Processor from complying with such instructions or requires the Processor to process and/or disclose the Personal Data to a Third Party, the Processor shall inform the Controller in writing of such legal requirement before carrying out the relevant processing activities and/or disclosing the Personal Data to a Third Party, unless the Processor is prohibited by law from informing the Controller of such processing.

The Processor shall inform the Controller in writing if, in the Processor’s opinion, an instruction infringes any applicable legal provisions. The Processor shall be entitled to suspend performance of such an instruction until it is confirmed or changed by the Controller.


All Personal Data that the Processor receives from the Controller in the course of providing its Services is confidential and the Processor shall not provide or make the Personal Data in any other way available to any Third Party without the Controller’s prior written consent.


The Processor warrants that it maintains and shall continue to maintain appropriate and sufficient technical and organizational measures to protect Personal Data against accidental loss, destruction, damage, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Taking into account the state of the art, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor warrants that appropriate technical and organizational measures have been implemented in order to ensure a level of security appropriate to the risk, including, but not limited to:

Implemented a procedure “Right to be forgotten” (with exception of payment data, as required by law)

Implemented various security measures to better safeguard Personal Data

6 - Personal Data Breach Notification

In respect of any Personal Data breach, the Processor shall notify the Controller of such a breach immediately, but in no event later than 48 (forty-eight) hours, after becoming aware of the Personal Data breach and provide reasonable details pertaining to the subject Personal Data breach.

Personal Data breach notification shall be sent to the Controller’s known contact email address, as set up in the Controller’s account. The notification shall include, at the time of notification or as soon as possible after the notification:

The description of the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned;

Contact details for further relevant inquiries;

The description of the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall provide all necessary information and assistance to the Controller in relation to any action to be taken in response to such Personal Data breaches under Applicable Data Protection Laws. If so required by Applicable Data Protection Laws, the Processor shall maintain complete, accurate and up-to-date records of processing activities carried out on behalf of the Controller according to Applicable Data Protection Laws and Art. 32 (2) GDPR and provide those records upon request to the Controller. The Processor shall cooperate with the Controller and shall provide the Controller with any details necessary for maintaining its records of processing activities when requested to do so.

7 - Sub-Processors

The Controller consents to the Processor engaging further Processors (Sub-Processors) for carrying out specific activities on behalf of the Controller, under the condition that the Processor imposes the same Data Protection obligations as set out in this agreement on those other processors, to the extent applicable to the nature of the services provided by such Sub-Processor, by way of written contract or other legal act according to Applicable Data Protection Laws.

The Sub-Processor will have access to the Personal Data in the course of rendering the Services as instructed by the Processor on behalf of the Controller. The Personal Data provided by the Processor will be restricted to the Personal Data of the Data Subjects that is relevant to provide the Services.

8 - International Data Transfers

Unless otherwise agreed with the Controller in writing (including e-mail), the Processor shall ensure that Personal Data are stored and processed on the processing systems located in its datacenters within the European Economic Area (EEA).

9 - Governing law

This agreement will be governed by the laws of Germany, and the Parties submit to the exclusive jurisdiction of Tilburg courts for all purposes connected with this agreement, including the enforcement of any award or judgment made under or in connection with it.