This Data Processing Agreement (“Exhibit DPA”) is an integral part of the Agreement between the parties making reference to it (the “Agreement”) and applies to the extent End User Data includes personal data within the meaning of the GDPR.
WHEREAS under the Agreement, users are entitled to use identified products and/or services provided by or connected with Barco over the cloud (the ”Connected Services”);
WHEREAS in rendering the Connected Services, Barco (acting as Data Processor) may from time to time be provided with, or have access to information of individuals who are permitted to use the Connected Services and this information may qualify as personal data within the meaning of the GDPR;
WHEREAS End User (acting as Data Controller) engages Barco as a commissioned processor acting on behalf of End User as stipulated in art. 28 GDPR;
WHEREAS European data protection laws require data controllers in EU/EEA countries to provide adequate protection for transfers of personal data to non-EU/EEA countries and such protection can be achieved by requiring processors to enter into the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (“EC Standard Contractual Clauses”) pursuant to Commission Decision 2010/87/EU of 5 February 2010 as set out in appendix III;
WHEREAS this DPA contains the terms and conditions applicable to the processing of such personal data by Data Processor as a commissioned data processor of Data Controller with the aim to ensure that the Parties comply with the Applicable Data Protection Laws.
For the purpose of this DPA, the terminology and definitions as used in the GDPR shall apply. In addition to that,
“Affiliate” means any of Affiliate(s) of End User which (a) is subject to the data protection laws and regulations of the EEA , and (b) is permitted to use the Connected Services.
“Applicable Data Processor law” means the Data Protection Laws that are applicable to Barco as the Data Processor.
“Applicable Data Protection Law” means the Data Protection Laws applicable to the Data Controller.
“Barco” means Barco NV, with registered office at President Kennedypark 35, 8500 Kortrijk Belgium and its subsidiaries.
“Data Controller” is a reference to End User.
“Data Importer” means the Data Processor or Sub-Processor that is located in a Third Country. “Data Exporter” means the Data Controller if (a) (i) the Data Controller is located in the EEA or (ii) is located outside of the EEA and is subject to GDPR, and (b) Data Controller transfers personal data to a Data Importer.
“Data Processor” is a reference to Barco.
“Data Protection Law” means the GDPR and the laws and regulations containing rules for the protection of Data Subjects with regard to the Processing, including without limitation security requirements for and the free movement of Personal Data, implementing or completing the GDPR. “EC Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, for the time being the clauses attached hereto as Appendix III by reference pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021 or any subsequent version issued pursuant to article 46(2) GDRP.
“EEA” means all member states of the European Union (excluding the United Kingdom), Norway, Iceland, Liechtenstein and, for the purposes of this DPA, Switzerland.
“Employee” means any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Barco. However, “Employees” do not include “Sub-Processors”. “End User” is the person or entity on whose behalf this Exhibit DPA is accepted.
“End User Data” means Personal Data for which End User is the Data Controller under Applicable Data Protection law, which are being shared with Barco in the provision of the Connected Services. “GDPR” means regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Non-Adequate Country” means a country that is deemed not to provide an adequate level of protection of Personal Data within the meaning of the articles 44-45 GDPR.
“Sub-Processor” means any Processor engaged by Barco that Processes End User Data.
“Third Country” means those countries that are not member states of the EU or the EEA (as defined herein).
“Third Party” means any party other than Barco, Sub-Processor or End User.
2.1 To the extent Barco Processes End User Data necessary for the provision of the Connected Services it shall act as a Data Processor on behalf of End User, being the Data Controller.
2.2 End User is obliged to ensure that any instruction given to Barco is in compliance with Applicable Data Protection Law.
2.3 In the provision of the Connected Services, Barco shall Process the End User Data only on documented instructions from Data Controller unless Barco is required to Process End User Data by Union or by a Member State law to which Barco is subject; in such case, Barco shall inform the End User of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
2.4 The Agreement and this DPA are Data Controller's complete and final Instructions to Barco with regard to the Processing.
2.5 Appendix I to this DPA sets out certain information regarding the Processing of the End User Data as required by article 28 of the GDPR (and possibly, equivalent requirements of other Data Protection Laws).
2.6 If Barco thinks that an instruction of Data Controller infringes the Applicable Data Processor Law, Barco shall point this out to Data Controller without undue delay.
2.7 Any further instructions that go beyond the instructions contained in this DPA or the Agreement must be within the subject matter of this DPA and the Agreement. If the implementation of such further instructions results in costs for Barco, Barco shall inform Data Controller about such costs with an explanation of the costs before implementing the instruction. Data Controller shall give further instructions generally in writing, unless the urgency or other specific circumstances require another form. Instructions in another form shall be confirmed in writing by Data Controller without undue delay.
- Applicable law
3.1 When performing this DPA, Data Controller shall comply with the Applicable Data Protection Law and Barco shall comply with the Applicable Data Processor Law.
3.2 Each party shall deal with reasonable requests for assistance of the other party (including of End User) to ensure that the Processing complies with Applicable Data Protection Law.
- Obligations of Data Controller
4.1 Data Controller Personal Data are lawfully obtained from Data Subject and are lawfully provided to Barco under the Applicable Data Protection Law;
- it provides Barco with Personal Data that are up-to-date and relevant for the Processing activities;
- it has provided Data Subject all necessary and relevant information with regard to the
Processing of the Personal Data as required under the Applicable Data Protection Law; and iii) the End User Data does not infringe any third-party rights.
4.2 Data Controller, agrees that it remains the contact point for Data Subject and that it will inform Data Subject about this. Should a Data Subject contact Barco with regard to correction or deletion of its Personal Data, Barco will use commercially reasonable efforts to forward such requests to End User.
- Obligations of Barco
5.1 Security. Barco shall implement appropriate technical, physical and organisational security measures as specified in Appendix II taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons to ensure a level of security appropriate to the risk and to protect End User Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other forms of unlawful Processing including, but not limited to, unnecessary collection or further Processing.
5.2 Non-disclosure and confidentiality. Barco shall keep End User Data confidential and shall not disclose End User Data in any way to any Employee or Third Party without the prior approval of Data Controller, except where, (i) subject to this Section, the Disclosure is required for the performance of the Processing, or (ii) subject to Section 8.1 ii), where End User Data need to be disclosed to a competent public authority to comply with a legal obligation or as required for audit purposes. Barco shall provide the Employees access to End User Data only to the extent necessary to perform the Processing. Barco shall ensure that any Employee it authorises to have access to End User Data Processed on behalf of End User has committed himself to confidentiality or is under an appropriate statutory obligation of confidentiality.
6.1 Data Controller agrees that Barco may use Sub-Processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services or hosting services. The Sub-Processors that are currently engaged by Barco to carry out Processing activities on End User Data on behalf of End User are mentioned in Barco’s product privacy statement on www.barco.com.
6.2 Barco shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-Processors via Barco’s usual email notification process. Data Controller shall not unreasonably object to such changes.
6.3 Where Barco subcontracts (part of) the Processing of End User Data on behalf of End User, it shall do so only by way of a written agreement with the Sub-Processor which imposes the same or essentially the same data protection obligations on the Sub-Processor as are imposed on Barco under this DPA and which shall restrict the Sub-Processor to use the End User Data for any other purpose than the provision of the Connected Services. Barco remains liable for the Sub-Processor’s breach of its data protection obligations under such written agreement.
- Audit and compliance
7.1 Barco shall, upon reasonable notice (no less than two (2) months) and not more than once every two years (unless there is a Personal Data Breach), allow its procedure and documentation to be inspected or audited by Data Controller (or the auditor of its choice, excluding any Barco competitor) during business hours in order to ascertain compliance with the obligations set forth in this DPA, in which case Barco shall make the processing systems, facilities and supporting documentation relevant to the Processing of End User Data available for an audit by End User. For the avoidance of doubt, the scope of such audit shall be limited to documents and records allowing the verification of Barco’s compliance with the obligations set forth in this DPA and shall not include financial documents or records of Barco or any documents or records concerning other customers of Barco.
- Notifications of Disclosures and Personal Data Breaches
8.1 Barco shall use reasonable efforts to inform Data Controller as soon as reasonably possible if:
- it receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing, except where Barco is otherwise prohibited by law from making such disclosure;
- it intends to disclose Personal Data to any competent public authority; or iii) it becomes aware of a Personal Data Breach.
8.2 In the event of a Personal Data Breach, Barco shall take reasonable remedial measures to preserve the confidentiality of the End User Data. Furthermore, Barco shall provide Data Controller the information reasonably requested by End User regarding the Personal Data Breach. This information will at least contain the following elements:
- a description of the nature of the Personal Data Breach, including the number and categories of Data Subject and personal data records affected;
- a description of the likely consequences of the Personal Data Breach; and
- a description how Barco proposes to address the Personal Data Breach, including any mitigation efforts.
8.3 Data Controller agrees that an Unsuccessful Security Incident will not be subject to this Section 8. An “Unsuccessful Security Incident” is one that results in unauthorised access to End User Data or to any of Barco’s or Sub-Processor’s equipment or facilities storing End User Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents that did not result in an actual destruction, loss, alteration or unauthorised disclosure of Personal Data.
8.4. Barco’s obligation to report or respond to a Personal Data Breach under this Section 8 is not and will not be construed as an acknowledgement by Barco of any fault or liability of Barco with respect to the alleged Personal Data Breach.
- Cooperation and assistance duty
9.1 Barco will assist Data Controller in the fulfilment of its obligation to respond to requests from Data Subjects, provided that (i) Data Controller has instructed Barco to do so by way of a written instruction and (ii) Data Controller reimburses Barco for the costs arising from this assistance.
9.2 Barco shall promptly inform Data Controller of any complaints, requests or enquiries received from a Data Subject, including but not limited to requests to rectify or erase End User Data or to object to the Processing of End User Data. Barco shall not respond directly to any complaints, requests or enquiries received from Data Subject without Data Controller’s prior written instruction, except where required by law.
9.4 Upon written request of Data Controller, Barco shall make available to Data Controller all information necessary to demonstrate compliance with the Applicable Data Protection Law. 9.5 Upon written request of Data Controller, Barco shall, taking into account the nature of the Processing and the information at its disposal, assist Data Controller in ensuring compliance with the obligations regarding security of the Processing, notification of Personal Data Breaches and mandatory data protection impact assessments (articles 32-36 GDPR).
9.6 Barco shall cooperate with the supervisory authorities in the performance of their duties.
- Return and destruction of Personal Data
Upon termination of the provision of the Connected Services, Barco shall – at a reasonable fee - , at the option of Data Controller expressed in writing, return and/or delete the End User Data and copies thereof to Data Controller, except to the extent applicable law provides otherwise. In that case, Barco shall no longer Process the End User Data, except to the extent required by applicable law.
11.1 The parties acknowledge and agree that, by providing the Connected Services, the End User enters into the DPA for its own account and, as applicable, in the name and on behalf of its or their Affiliates. End User and each Affiliate agree to be bound by the obligations under this DPA. All access to and use of the Connected Services by Affiliates must comply with the terms and conditions of the DPA and any violation of the terms and conditions of this DPA by an Affiliate shall be deemed a violation by End User.
11.2 End User shall remain responsible for coordinating all communication with Barco under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of End User and any relevant Affiliates.
12.1 Barco indemnifies Data Controller and holds Data Controller harmless against all claims, losses or damages incurred by Data Controller and arising directly out of a breach by Barco of this DPA and/or the Applicable Data Processing Law provisions directed to Barco, unless Barco proves that it is not responsible for the event giving rise to the liability.
12.2 Data Controller indemnifies Barco and holds Barco harmless against all claims, losses or damages incurred by Barco and arising directly out of a breach of this DPA and/or the Applicable
Data Protection Law by End User.
12.3 Each party’s liability will be limited to foreseeable, direct and personal damage suffered, excluding indirect, incidental, special or consequential damage and regulatory fines, even if advised of the possibility thereof. Indirect Damage shall mean damage or loss that do not directly and immediately result from an event giving rise to the liability, including but not limited to loss of earnings, business interruption, increase of personnel cost, failure to realize anticipated savings or benefits.
12.4 In any event and to the extent permitted by law, Barco’s aggregated maximum liability under this DPA will be limited to the amounts received for the provision of the Connected Services in the twelve months preceding the incident giving rise to liability.
- Data transfer
13.1 Barco shall not transfer End User Data to any Non-Adequate Country outside the EEA or make any End User Data accessible from any such Non-Adequate Country without adequate protection.
13.2 Any transfer of Personal Data to a Non-Adequate Country shall be governed by the terms of the EC Standard Contractual Clauses (Appendix III) or other model clauses that have been approved by the EU commission or another competent public authority in accordance with the Applicable Data Processing Law. Barco shall conclude these clauses on behalf of Data Controller. The Appendices of these clauses will contain the same or essentially the same information as this DPA. Barco and Data Controller shall work together to apply for and obtain any permit, authorization or consent that may be required under Applicable Data Processing Law in respect of the implementation of this Section.
- Termination of the DPA
This DPA shall continue in force until the termination or expiration of the Agreement (the “Termination Date”).
- Entire Agreement
This Exhibit DPA is an integrating part of the Agreement. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
The following Annexes are attached hereto and made a part hereof:
Appendix I: Details of processing
Appendix II: Technical and organizational measures
Appendix III: EC Standard Contractual Clauses
Appendix I Details of Processing
This Appendix 1 includes certain details of the Processing of End User Data as required by Article 28(3) GDPR. More specific details per Barco product are included in the product specific sections of Barco’s product privacy statement.
Subject matter and duration of the Processing of End User Data
The subject matter of the Processing of the End User Data is set out in Barco’s product privacy statement and this DPA.
End User Data will be Processed for the duration of the provision of Connected Services for the benefit of the End User.
End User Data can be Processed outside the EEA by Barco Affiliates and/or Sub-Processors as indicated in Barco’s Product Privacy Statement.
The nature and purpose of the Processing of End User Data
Barco is managing the hosting environment on behalf of the Data Controller to enable the provision of the Connected Services
The types of End User Data to be Processed is set out in Barco’s product privacy statement.
The categories of Data Subjects to whom the End User Data relates
- End User’s employees (including End User’s agents, advisors, freelancers and consultants) and End User’s representatives (who are natural persons)
- Customers of the End User, its employees and representatives
- Customers of the End User’s customers, its employees and representatives
- Users of the Barco Product authorized by the End User to use the products
Appendix II Technical and organisational measures
1. The pseudonymisation and encryption of personal data; (art. 32, par. 1, lit. a, GDPR)
a. based on a risk assessment (and if required an additional DPIA) Barco will ensure a level of security appropriate to the risk, including inter alia as appropriate:
ii. Encryption, conform Cryptographic Controls policy
2. Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (art. 32, par. 1, lit. b, GDPR)
a. Barco is verified under ISO/IEC 27001:2013 covering the business processes, infrastructure and tools related to software development, sales, deployment, and support of our ClickShare wireless collaboration product line in our Kortrijk, Noida and Taipei locations. https://www.barco.com/en/about-barco/legal/certificates
b. Security and privacy by design
c. Compliance with the security policies in place at Barco, covering
i. Information Security Top Policy
ii. Code of Digital Conduct iii. Acceptable Use
iv. Logical Access Control
v. Third Party Security
vi. Backup and Recovery
viii. Info Sec Incident Management
ix. Anti Malware
x. Network Protection
xi. Cryptographic Controls
xii. IT Operations
xiii. Cloud Security xiv. Secure SDLC
xv. Disposal and Destruction
xvi. Physical Environmental Security
xvii. Secure Remote Support Policy
3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (art. 32, par. 1, lit. c, GDPR) Compliance with the security policies in place at Barco, covering
i. Backup and Recovery
ii. IT Operations
4. Process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the data processing (art. 32, par. 1, lit. d, GDPR)
a. Product Security Incident Response teams (psirt): https://www.barco.com/psirt
b. Barco Security Organization operates in three lines of defense, covering operations, governance and internal audit.
c. Regular evaluations by independent third parties (e.g. penetration testing, audit, …)
d. Integration of automated security scanning tools during the development process (Secure SDLC) and operations
Appendix III EC Standard Contractual Clauses
The 2021 Standard Contractual Clauses1 are incorporated into the DPA by reference, and will apply in the following manner:
Module Two (Controller to Processor) will apply where End User is a controller of Personal Data and Barco is a processor of Personal Data.
For this Module:
i) Clause 7 will not apply;
ii) in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-Processor changes will be as set forth in Section 6 of the DPA;
iii) in Clause 11(a), the optional language will not apply;
iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the laws of Belgium;
v) in Clause 18(b), disputes will be resolved by the courts of Belgium; vi) Annex I.A (List of parties)
The End User (as defined under Section 1 of the DPA) acts as data exporter and Barco (as defined under Section 1 of the DPA), on behalf of Barco’s (Sub-)Processors located in a Third Country, acts as data importer for the construction of these 2021 Standard Contractual Clauses. Further contact details are part of the DPA and Appendix I.
vii) Annex I.B (Description of Transfer)
The Parties agree that Appendix I to the DPA (as well as Section of DPA in respect of transfers to (subprocessors) describe the transfer as required under the 2021 Standard Contractual Clauses.
viii) Annex I.C (Competent Supervisory Authority)
The competent supervisory authority is the supervisory authority that has primary jurisdiction over the data exporter.
ix) Annex II (Technical and Organizational Measures – Security of the Data)
Described in Appendix II to the DPA
x) Annex III (List of Sub-processors)
The Data Controller has authorised the use of the sub-processors mentioned in Barco’s product privacy statement.