Data Processing Addendum

This Data Processing Addendum (“DPA”) defines the rights and obligations of Dynavision and the Customer regarding the processing of Personal Data by Dynavision on behalf of the Customer and relating to the use of the Dynavision Product.

These Data Processing Terms and Conditions arise from the obligation set out in Article 28 of the General Data Protection Regulation 2016/679 of 27 April 2016 (hereafter: “GDPR”) to provide a Data Processing Agreement.

1. DEFINITIONS
“Personal Data”; “Processing”; “Data Breach”; “Data Subjects” have the meaning as set out in the GDPR; 
 
“Data Controller” or “Controller”: Customer as defined in the Dynavision Terms and Conditions. 

“Data Processor” or “Processor”: Dynavision bv, Vijfstraten 18, 9100 Sint-Niklaas and with company number 0777.838.347. 

“Subscription Agreement”: The Reseller Order Form signed by the Customer.

“Sub-processor”: a subcontractor appointed by the Data Processor, who will (partially) execute the processing of Personal Data on behalf of the Data Controller; 

“Special Categories of Personal Data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

2. APPLICABILITY

The Data Controller is the legal entity who determines the purposes and means for the processing of Personal Data as specified in article 3 of this DPA. The Data Processor will process the Personal Data on behalf of the Data Controller and take into account its instructions. 

This DPA is applicable during the term of the Subscription Agreement. The termination of the agreement implies the termination of this DPA. The termination of this DPA does not relieve the Data Controller, the Data Processor nor the Sub-processors from their obligation to treat the Personal Data confidentially.

3. PROCESSING ACTIVITIES
The Data Processor will process certain Personal Data on behalf of the Data Controller to provide the following services: the delivery and proper functioning of the Dynavision Product. 

In order to provide these services, the Processor may have access to the following personal data: all personal data which is uploaded to or inserted in the Microsoft Dynamics 365 environment of the Customer. 

The nature of the processing is: Making the Dynavision Product available to the Controller based on the Subscription Agreement. 

Any modification to the processing activities must be notified to Dynavision in writing. In case the Data Processor is planning to process any Special Categories of Personal Data, he is obliged to inform Dynavision in advance in order for Dynavision to take the necessary technical and organizational security measures. 

The Parties explicitly agree that the Data Processor has no control whatsoever over the location of the Data Controller’s systems and applications as well as the systems and applications made available by the Data Controller to the Data Processor, which may be inside or outside the European Economic Area depending on the applicable terms of the Customer’s license agreement for Microsoft Dynamics 365.
 
4. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
The Controller will make certain Personal Data as defined in article 3 available to Dynavision. The Controller determines the purposes and the means for the processing of Personal Data. He guarantees that the processing of the Personal Data, including the transfer of Personal Data, takes place in a legal manner and in accordance with all applicable privacy legislation. 

The processing of Personal Data by the Data Processor only takes place on the basis of written instructions from the Data Controller. The Data Controller guarantees that the instruction to process the Personal Data is in conformity with all applicable privacy legislation. 

All information and material made available by the Controller to the Processor and containing Personal Data will always be considered the property of the Controller. 

The Controller may request the Processor to provide reasonable assistance with an audit of the operation and systems of the Processor. If the Controller requests such an audit, this audit will only be conducted by an independent third party, subject to the approval of both Parties. 

At least 10 days before the start of the audit, a description of the audit process must be submitted, taking into account the least possible disruption of the Processor’s business activities. The Processor undertakes to cooperate reasonably and to provide the requested information if and insofar as these do not prejudice any contractual or other obligations of the Processor or harm its interests unreasonably. The Controller will reimburse any costs made by Dynavision to provide assistance with the audit ordered by the Data Controller based on the applicable rates.
 

5. RIGHTS AND OBLIGATIONS OF THE PROCESSOR
The Processor agrees to comply with the obligations set forth in Article 28 GDPR, including:  

  1. The Processor undertakes to process Personal Data only on the basis of written instructions from the Controller, which ensue from the agreement between the Parties.  
  2. The Processor may only process the Personal Data strictly necessary for the execution of the agreement and undertakes to process the Personal Data exclusively for the purposes as defined by the Controller.  
  3. The Processor will protect the confidentiality of the Personal Data and ensure that confidentiality measures are taken with regard to its employees such that they have committed themselves contractually or are under a regulatory obligation.
  4. The Processor processes the Personal Data provided by the Controller as long as this is necessary for the execution of the agreement.  
  5. The Processor is allowed to make back-ups of the processing activities if necessary for the execution of the agreement. The Personal Data on these back-ups enjoys the same protection as the original Personal Data.  
  6. The Processor guarantees that its employees only have access to the Personal Data insofar as this is necessary to perform their duties related to the processing instruction. The Processor will inform its employees on the obligations of the applicable privacy legislation and of this DPA.  
  7. The Processor undertakes to assist the Controller in ensuring compliance with the obligations pursuant to articles 32 to 36 GDPR taking into account the nature of processing and the information available to the Processor. Any extraordinary assistance requested by the Client beyond what is commercially reasonable will be reimbursed by the Client based on the applicable rates.  
  8. The Controller authorizes the Processor to communicate the Personal Data to all persons, institutions and bodies directly participating in the execution of the assignment and when this is strictly necessary for the execution of the Subscription Agreement and within the limits of this DPA.  
 
6. RIGHTS OF DATA SUBJECTS
The Controller acknowledges and agrees to be fully responsible for processing applications from Data Subjects relating to their rights in accordance with Article 12 and following GDPR. In the event the Controller receives a request from a Data Subject whose Personal Data are processed by Dynavision, in order to exercise its rights in accordance with the GDPR (such as for example, the right to object, or the right to erasure), the Controller shall forward this request without delay to the Processor, unless the Controller is able to handle the request himself. In the former case, the Processor undertakes to immediately and within 7 working days after receipt of the request at the latest, give appropriate follow-up to this assignment by either providing the requested information or making the requested adjustments to remove and destroy the Personal Data fully or partially or informing the Controller why it was not possible to fulfil the request in a timely manner.
 

7. SUB-PROCESSORS
The Controller explicitly agrees that the Processor is allowed to call upon Sub-processors such as service providers for domain name registrations, hosting, cloud services for backups, cloud services for sending e-mailings, SSL certificates, providers of cloud connect services subcontractors. The list of Sub-processors is available upon request.

The Processor undertakes to take all reasonable and appropriate measures in accordance with the applicable privacy legislation in case Personal Data is (partially) processed by Sub-processors and to conclude a DPA with these third parties. 

8. DATA BREACHES
If the Processor detects a Data Breach, he undertakes to report the breach immediately and at the latest within 48 hours after the discovery to the Controller. 

In this notification the following information will be described or communicated: (a) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the name and contact details of the contact point where more information can be obtained; (c) the likely consequences of the Personal Data Breach. 

It is up to the Controller to assess whether or not it will inform the Supervisory Authority and/or the Data Subjects involved. 

If the Controller identifies a Personal Data Breach in its systems that could potentially have an impact on the processing activities the Processor performs, the Controller undertakes to inform the Processor as soon as possible and within 24 hours at the latest.
 

9. SECURITY MEASURES
The Controller and the Processor both undertake to take the required and appropriate technical and organizational measures to protect the Personal Data against destruction, whether accidentally or unlawfully, against loss, forgery, unauthorized distribution or access, in particular when the processing involves transmission of data via a network, or against any other form of unlawful processing or use. Both Parties will take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing. 

Annex 1 stipulates the technical and organizational security measures taken by the Data Processor.
 
10. TERMINATION
In case of termination of this DPA, the Processor will immediately and on its own initiative return all Personal Data-containing documents, computer disks, USB sticks and other information carriers, including copies thereof. Insofar as the Personal Data is stored on a computer system of the Processor or has been recorded in any other form that cannot reasonably be handed over to the Controller, the Processor will destroy such Personal Data and/or give instructions to its Sub-processor(s) to destroy these Personal Data.
 

11. LIABILITY AND GUARANTEES
The Processor undertakes to strictly comply with the provisions of this DPA and to take all reasonably necessary measures to ensure that his employees and/or Sub-processors charged with the processing of Personal Data comply with its provisions. 

The Data Processor’s total liability for an imputable failure in the performance of the DPA or arising from the applicable privacy legislation, is limited to the compensation of damages as described in this article. 

Neither of the Parties is liable for indirect damages, consequential loss, loss of profits, lost savings, reduced goodwill, loss due to business interruption, loss as a result of claims of the other Party’s clients unless the breach causing such damages or losses is a result of the first Party’s gross negligence or willful misconduct. 

The Data Processor is not liable for any direct or indirect loss arising from the use of goods, materials or software of third parties prescribed by the Data Controller to the Data Processor nor for any direct or indirect damages and loss arising from suppliers which the Data Controller has recommended to the Data Processor, whether they are established inside or outside the EEA. 

Unless in case of intent or deliberate recklessness on the part of the Data Processor, the Data Processor’s liability for direct damages is limited to a maximum amounting to the price paid during the twelve (12) months prior to the date on which the incident which gave rise to liability occurred. In no event shall the Data Processor’s total liability for any direct damages, on any legal basis whatsoever, exceed 100.000 (one hundred thousand) EUR.
 
12. MISCELLANEOUS
For all matters which are not explicitly addressed or covered by this DPA, the relevant terms of the Subscription Agreement shall be applicable to this DPA. 

Annex 1: Technical and Organizational Security Measures 

The Processor undertakes at least the following technical Security Measures: 

  • Processing of personal data online (e.g. cloud) or by third parties
  • Facilities to keep systems and software up to date (anti-virus, firewall,…)
  • Unique and personal login and password, adjusted on a regular basis
  • Secure internet connection
  • User management policies: defining access roles and access rights to projects, back-up procedures and adequate back-up protection 

The Processor undertakes at least the following Organizational Security Measures: 
  • ICT and data security management policies regarding safe use of the IT-infrastructure
  • Guidelines concerning the processing of personal data (e.g. Clean desk policy, data retention policies,…). Control mechanisms to the procedures and policies
  • Awareness training regarding the processing of personal data and information security
  • Physical protection of the ICT infrastructure and offices against unlawful access, damage and failure
  • Procedure regarding the processing of applications of Data Subjects (e.g. erasure or rectification)
  • Communication and transparency towards Data Subjects (e.g. privacy statement website)
  • Data Breach Procedure