On May 25, 2018, a European privacy law is due to take effect that sets a new global bar for privacy rights, security and compliance. The General Data Protection Regulation, or GDPR, is fundamentally about protecting and enabling the privacy rights of individuals. The GPDR establishes strict global privacy requirements governing how you manage and protect personal data while respecting individual choice, no matter where data is sent, processed or stored.

“Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such a natural person.

“Controller” is the natural or legal person, authority, organization, or other agency that makes decisions individually or together with other parties regarding the purpose and means for processing Personal Data.

“Processor” is a natural or legal person, authority, organization or other agency that processes Personal Data on behalf of the Controller.

“Sub-processor” is the contractual partner of the Processor, engaged to carry out specific processing activities on behalf of the Controller.

“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor, Sub-processor and persons who, under the direct authority of the Controller, Processor or Sub-processor, are authorized to process Personal Data.

The Controller will only process personal data for the purpose of providing messaging related services and payment related activities.

The Controller shall be responsible for assessing whether Personal Data can be processed lawfully and for safeguarding the rights of the Data Subjects. The Controller shall ensure in its area of responsibility that the necessary legal requirements are met (for example by collecting declarations of consent) so that the Processor can provide the agreed services in a way that does not violate any legal regulations.

The Processor shall process Personal Data only upon the documented instructions of the Controller, and the Controller shall ensure that its instructions are lawful and that Processor’s processing of Personal Data will not cause the Processor to violate any applicable law, regulation or rule, including Applicable Data Protection Laws.

In respect of any Personal Data breach, the Processor shall notify the Controller of such a breach immediately, but in no event later than 48 (forty-eight) hours, after becoming aware of the Personal Data breach and provide reasonable details pertaining the subject Personal Data breach.

Personal Data breach notification shall be sent to the Controller’s known contact email address, as setup in the Controller’s account. The notification shall include, at the time of notification or as soon as possible after the notification:

The description of the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned;

Contact details for further relevant inquiries;

The description of the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall provide all necessary information and assistance to the Controller in relation to any action to be taken in response to such Personal Data breaches under Applicable Data Protection Laws. If is required so by Applicable Data Protection Laws, the Processor shall maintain complete, accurate and up to date records of processing activities carried out on behalf of the Controller according to Applicable Data Protection Laws and Art. 32 (2) GDPR and provide those records upon request to the Controller. The Processor shall cooperate with the Controller and shall provide the Controller with any details necessary for maintaining its records of processing activities when requested to do so.

The Controller consents to the Processor to engage further Processors (Sub-Processors) for carrying out specific activities on behalf of the Controller, under the condition that the Processor impose the same Data Protection obligations as set out in this agreement on that other processors, to the extent applicable to the nature of the services provided by such Sub-Processor, by way of written contract or other legal act according to Applicable Data Protection Laws.

The Sub-Processor will have access to the Personal Data in the course of rendering the Services as instructed by the Processor on behalf of the Controller. The Personal Data provided by the Processor will be restricted to the Personal Data of the Data Subjects that is relevant to provide the Services.

Unless otherwise agreed with the Controller in writing (including e-mail), the Processor shall ensure that Personal Data are stored and processed at the processing systems located in its datacenters within European Economic Area (EEA).

This agreement will be governed by the laws of The Germany, and the Parties submit to the exclusive jurisdiction of Tilburg courts for all purposes connected with this agreement, including the enforcement of any award or judgment made under or in connection with it.