Barco Data Processing Addendum

In connection with the provision of Online Services by Barco for the benefit of End User (as defined below), Barco may, from time to time, process certain Personal Data in respect of which the End User or any Affiliate of End User (as defined below) is a data controller under Data Protection Law.

This data processing addendum (“DPA”) reflects the parties’ rights and obligations with regard to the Processing of Personal Data. This DPA forms part of the Online Services. For the purposes of this DPA only, and except where indicated otherwise, the term "End User" shall include End User and Affiliates.

1. Definitions

“Affiliate” means any of Affiliate(s) of End User which (a) is subject to the data protection laws and regulations of the European Union, the EEA and Switzerland, and (b) is permitted to use the Online Services.

“Applicable Data Processor law” means the Data Protection Laws that are applicable to Barco as the Data Processor.

“Applicable Data Protection Law” means the Data Protection Laws applicable to the End User as the Data Controller.

“Barco” means Barco NV, with registered office at President Kennedypark 35, 8500 Kortrijk Belgium and its subsidiaries.

“Data Controller” means the entity or natural person which alone or jointly with others determines the purposes and means of the Processing.

“Data Processor” means the entity or natural person which Processes Personal Data on behalf of a Data Controller.

“Data Protection Law” means the GDPR and the laws and regulations containing rules for the protection of Data Subjects with regard to the Processing, including without limitation security requirements for and the free movement of Personal Data, implementing or completing the GDPR.

“Data Subject” means any individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and who is employed or otherwise acting under the control or authority of the End User.

“EC Standard Contractual Clauses” means the EC Standard Contractual Clauses as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EC).

“EEA” means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of this DPA, Switzerland.

“Employee” means any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Barco, however “Employees” do not include “Sub-Processors”.

“End User Data” means Personal Data for which End User is the Data Controller under Applicable Data Protection law.

“End User” means the legal entity who ultimately uses the Barco Online Services, which may have been procured from Barco or from a Barco sales channel.

“GDPR” means regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Non-Adequate Country” means a country that is deemed not to provide an adequate level of protection of Personal Data within the meaning of the articles 44-45 GDPR.

“Online Services” means services provided by Barco in the context of the provision of its products, such as managing the hosting environment of the Barco product.

“Personal Data” means any information relating to an identified or identifiable Data Subject.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, End User Data transmitted, stored or otherwise Processed.

“Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, storage, organisation, alteration, use, disclosure (including the granting of remote access), transmission or deletion of Personal Data. “Process” and “Processed” are to be construed accordingly.

“Sub-Processor” means any Processor engaged by Barco that Processes End User Data.

“Third Party” means any party other than Barco, Sub-Processor or End User.

2. Instructions

2.1 To the extent Barco Processes End User Data necessary for the provision of the Online Services it shall act as a Data Processor on behalf of End User, being the Data Controller.

2.2 End User remains solely responsible for complying with all Applicable Data Protection Law.

2.3 When carrying out the Processing services, Barco shall Process the End User Data only on documented instructions from End User, unless Barco is required to Process End User Data by Union or by a Member State law to which Barco is subject; in such case, Barco shall inform the End User of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

2.4 This DPA and Barco’s product privacy statement on www.barco.com are End User's complete and final Instructions to Barco with regard to the Processing.

2.5 Annex I to this DPA sets out certain information regarding the Processing of the End User Data as required by article 28 of the GDPR (and possibly, equivalent requirements of other Data Protection Laws).

2.6 If Barco thinks that an instruction and/ or audit of End User infringes the Applicable Data Processor Law, Barco shall point this out to the End User without undue delay.

3. Applicable law

3.1 When performing this DPA, End User shall comply with the Applicable Data Protection Law and Barco shall comply with the Applicable Data Processor Law.

3.2 Each party shall deal with reasonable requests for assistance of the other party to ensure that the Processing complies with Applicable Data Protection Law.

4. Obligations of End User

End User warrants towards Barco that

i)     the Personal Data are lawfully obtained from Data Subject and are lawfully provided to Barco under the Applicable Data Protection Law;

ii)    it provides Barco with Personal Data that are up-to-date and relevant for the Processing activities;

iii)   it has provided Data Subject all necessary and relevant information with regard to the Processing of the Personal Data as required under the Applicable Data Protection Law; and

iv)   the data Processing does not infringe any third-party rights.

5. Obligations of Barco

5.1 Security. Barco shall implement appropriate technical, physical and organisational security measures taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons to ensure a level of security appropriate to the risk and to protect End User Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised Disclosure or access, and against all other forms of unlawful Processing including, but not limited to, unnecessary collection or further Processing.

5.2 Non-disclosure and confidentiality. Barco shall keep End User Data confidential and shall not disclose End User Data in any way to any Employee or Third Party without the prior approval of End User, except where, (i) subject to this Section, the Disclosure is required for the performance of the Processing, or (ii) subject to Section 8.1 ii), where End User Data need to be disclosed to a competent public authority to comply with a legal obligation or as required for audit purposes. Barco shall provide the Employees access to End User Data only to the extent necessary to perform the Processing. Barco shall ensure that any Employee it authorises to have access to End User Data Processed on behalf of End User has committed himself to confidentiality or is under an appropriate statutory obligation of confidentiality.

6. Sub-Processors

6.1 End User agrees that Barco may use Sub-Processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services or hosting services. The Sub-Processors that are currently engaged by Barco to carry out Processing activities on End User Data on behalf of End User are mentioned in Barco’s product privacy statement on www.barco.com.

6.2 Barco shall inform the End User of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the End User the opportunity to reasonably object to such changes.

6.3 Where Barco subcontracts (part of) the Processing of Personal Data on behalf of End User, it shall do so only by way of a written agreement with the Sub-Processor which imposes the same or essentially the same data protection obligations on the Sub-Processor as are imposed on Barco under this DPA. Where the Sub-Processor fails to fulfil its data protection obligations under such written agreement Barco shall remain fully liable towards End User.

7. Audit and compliance

7.1 Except when instructed otherwise by End User in accordance with Section 7.2, Barco shall audit its compliance with the obligations of this DPA. This audit shall:

i)     cover the Processing services performed by Barco;

ii)    be performed by Barco or an independent auditor at Barco's selection and expense; and

iii)   result in the generation of an audit report.

End User can request a copy of the audit report by way of issuing a written instruction to Barco.

7.2 End User has the right – every three years – to notify Barco that Barco is no longer authorised to audit its compliance with this DPA in accordance with Section 7.1, in which case Barco shall make the Processing systems, facilities and supporting documentation relevant to the Processing of End User Data available for an audit by End User or a qualified independent assessor selected by End User and provide all assistance End User may reasonably require for the audit. End User shall provide Barco with a copy of the audit report. If the audit demonstrates that Barco has materially breached any obligation under this DPA, Barco shall immediately cure that breach and pay or reimburse End User for reasonable costs of the audit subject to Section 12 of this DPA. Otherwise End User shall bear its own costs of the audit.

7.3 End User shall:

i)     give Barco at least two months’ notice of the intention to perform an audit pursuant to Section 7.2;

ii)    procure that its representatives and nominees conducting the audit comply with Barco's reasonable confidentiality and health and safety regulations, as notified by Barco to End User; and

iii)   procure that its representatives and nominees conducting the audit use reasonable efforts to minimize any disruption to Barco's business caused by the performance of the audit.

8. Notifications of Disclosures and Personal Data Breaches

8.1 Barco shall use reasonable efforts to inform End User as soon as reasonably possible if:

i)     it receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing, except where Barco is otherwise prohibited by law from making such disclosure;

ii)    it intends to disclose Personal Data to any competent public authority; or

iii)   it becomes aware of a Personal Data Breach.

8.2 In the event of a Personal Data Breach, Barco shall take reasonable remedial measures to preserve the confidentiality of the End User Data. Furthermore, Barco shall provide End User the information reasonably requested by End User regarding the Personal Data Breach. This information will at least contain the following elements:

i)     a description of the nature of the Personal Data Breach, including the number and categories of Data Subject and personal data records affected;

ii)    a description of the likely consequences of the Personal Data Breach; and

iii)   a description how Barco proposes to address the Personal Data Breach, including any mitigation efforts.

9. Cooperation and assistance duty

9.1 Barco will assist End User in the fulfilment of its obligation to respond to requests from Data Subjects, provided that (i) End User has instructed Barco to do so by way of a written instruction and (ii) End User reimburses Barco for the costs arising from this assistance.

9.2 Barco shall promptly inform the End User of any complaints, requests or enquiries received from Data Subject, including but not limited to requests to rectify or erase End User Data or to object to the Processing of End User Data. Barco shall not respond directly to any complaints, requests or enquiries received from Data Subject without End User's prior written instruction, except where required by law.

9.4 Upon request of End User by having issued a written instruction, Barco shall make available to the End User all information necessary to demonstrate compliance with the Applicable Data Protection Law.

9.5 Upon request of End User by having issued a written instruction, Barco shall, taking into account the nature of the Processing and the information at its disposal, assist the End User in ensuring compliance with the obligations regarding security of the Processing, notification of Personal Data Breaches and mandatory data protection impact assessments (articles 32-36 GDPR).

9.6 Barco shall cooperate with the supervisory authorities in the performance of their duties.

10. Return and destruction of Personal Data

Upon termination of the provision of the Online Services, Barco shall – at a reasonable fee - , at the option of End User, issued by way of a written instruction of End User return and/or delete the End User Data and copies thereof to End User and/or shall destroy such Personal Data, except to the extent applicable law provides otherwise. In that case, Barco shall no longer Process the End User Data, except to the extent required by applicable law.

11. Affiliates

11.1 The parties acknowledge and agree that, by providing the Online Services, the End User enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Affiliates. Each Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Online Services by Affiliates must comply with the terms and conditions of the DPA and any violation of the terms and conditions of this DPA by an Affiliate shall be deemed a violation by End User.

11.2 The End User shall remain responsible for coordinating all communication with Barco under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.

12. Liability

12.1 Barco indemnifies the End User and holds the End User harmless against all claims, losses or damages incurred by the End User and arising directly out of a breach by Barco of this DPA and/or the Applicable Data Privacy Law provisions directed to Barco, unless Barco proves that it is in no way responsible for the event giving rise to the liability.

12.2 The End User indemnifies Barco and holds Barco harmless against all claims, losses or damages incurred by Barco and arising directly out of a breach of this DPA and/or the Applicable Data Privacy Law by the End User.

12.3 Each party’s liability will be limited to foreseeable, direct and personal damage suffered, to the exclusion of indirect, incidental, special or consequential damage (“indirect damage”) and regulatory fines, even if advised of the possibility thereof. Indirect Damage shall mean damage or loss that do not directly and immediately result from an event giving rise to the liability, including but not limited to loss of earnings, business interruption, increase of personnel cost, failure to realize anticipated savings or benefits.

12.4 In any event and to the extent permitted by law Barco’s aggregated maximum liability under this DPA will be limited to the amounts received for the provision of the Online Services.

13. Data transfer

13.1 Barco shall not transfer End User Data to any Non-Adequate Country outside the EEA or make any End User Data accessible from any such Non-Adequate Country without adequate protection.

13.2 Any transfer of Personal Data to a Non-Adequate Country shall be governed by the terms of the EC Standard Contractual Clauses or other model clauses that have been approved by the EU commission or another competent public authority in accordance with the Applicable Data Protection Law. Barco shall conclude these clauses on behalf of End User. The Appendices of these clauses will contain the same or essentially the same information as this DPA. Barco and End User shall work together to apply for and obtain any permit, authorization or consent that may be required under Applicable Data Protection Law in respect of the implementation of this Section.

14. Notices

All notices, confirmations and other statements made by the Parties in connection with this DPA can be validly delivered via e-mail to the parties’ last known address.

Annex I

Details of Processing of End User Data

This Annex 1 includes certain details of the Processing of End User Data as required by Article 28(3) GDPR. More specific details per Barco product are included in the product specific sections of Barco’s product privacy statement.

Subject matter and duration of the Processing of End User Data

The subject matter of the Processing of the End User Data is set out in Barco’s product privacy statement on www.barco.com  and this DPA.

End User Data will be Processed for the duration of the provision of Online Services for the benefit of the End User.

End User Data can be Processed outside the EEA by Barco Affiliates and/or Sub-Processors as indicated in Barco’s Product Privacy Statement.

The nature and purpose of the Processing of End User Data

Barco is managing the hosting environment on behalf of the Data Controller to enable the provision of the Online Services.

The types of End User Data to be Processed

  • Contact information
  • Name
  • Email address
  • User name
  • IP-address
  • Connection data

The categories of Data Subject to whom the End User Data relates

  • Data Controller’s employees (including Data Controller’s agents, advisors, freelancers and consultants) and Data Controller’s representatives (who are natural persons)
  • Customers of the Data Controller, its employees and representatives
  • Customers of the Data Controller’s customers, its employees and representatives
  • Users of the Barco Product authorized by the Data Controller to use the products