as processor of the User, acting as data controller, with respect to the processing of personal data provided by the User or its own users and customers in or through the Services and Flows in accordance with the specifications made in Section 2 of this Data Protection Policy.
2. Data processing agreement
The processing by Unblock (the “Processor”) of personal data on behalf of the User (the “Controller”) within the framework of the Terms shall be governed by the following terms and conditions. Notions such as personal data, data subject, processor, controller, processing, etc. shall have the meaning as defined by the GDPR.
“Applicable Data Protection Law” means the GDPR, the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data and any other applicable data protection regulation.
“Data Processing Agreement” means Section 2 of this Data Protection Policy, including (any) appendixes and modifications.
2.1 The Parties will, each in their respective capacity, process the personal data in accordance with Applicable Data Protection Law and any other applicable regulation to which the Controller and/or the Processor are subject.
2.2 The Processor acknowledges being subject to the Processor-oriented rights and obligations under Applicable Data Protection Law. The Processor acknowledges that the Controller is subject to the Controller-oriented rights and obligations under Applicable Data Protection Law.
2.3 The Processor shall exclusively and always process the personal data in the name and on behalf of the Controller, in compliance with the modalities established in Section 3 “Data Processing Modalities” of this Data Protection Policy.
2.4 The Processor has no control on the purpose of the processing of personal data, nor may it independently take decisions concerning the use, storage or disclosure of the personal data, unless and to the extent it has been expressly agreed upon in the Data Processing Agreement.
2.5 The Processor undertakes to implement and comply with the appropriate technical and organizational security measures necessary to protect the personal data in case of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or non-authorized access to personal data. When determining the appropriate technical and organizational security measures, the Processor shall take into account: (i) the state of the art, (ii) the implementation costs related to these measures, (iii) the nature, scope, context and purposes of processing, (iv) the risks involved for the data subjects’ rights and freedoms, in particular in case of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or non-authorized access to personal data transmitted, stored or otherwise processed, and (v) the probability that the processing shall have an impact on the rights and freedoms of the data subjects.
2.6 The Processor will, when requested by the Controller, communicate to the Controller all the information required concerning the processing of personal data and shall transfer to the Controller any data subject’s request or question in connection with the (processing of) Personal data.
2.7 The Processor can grant its employees access to the personal data to the extent the employees need such access to the personal data in order to allow a proper performance of the Processor’s obligations under the Terms and under the Data Processing Agreement. The Processor will inform the concerned employees in writing about the personal data’s confidential character along with the legal and contractual framework of the protection of personal data, and shall impose a contractual confidentiality obligation upon the concerned employees.
2.8 The Controller hereby gives general permission to the Processor to transfer personal data to sub-processors. The Processor will inform the Controller about the sub-processors.
2.9 In the event the Processor grants sub-processors access to the personal data, it undertakes that such sub-processors will be subject to contractual obligations at least equivalent to the ones to which the Processor is itself subject vis-à-vis the Controller under this Data Processing Agreement.
2.10 The Controller hereby gives general permission to the Processor to transfer personal data to sub-processors as well as any other third party established outside the EEA provided that the rules for such transfer (articles 44-50 GDPR) are complied with.
2.11 The Processor can transfer personal data to a country outside the EEA if that transfer is necessary to comply with Applicable Data Protection Law. In such case, the Processor informs the Controller prior and in writing of the legal provision following which the Processor is obliged to transfer the personal data, unless the applicable legislation prohibits this notification for important reasons of public interest.
3. Obligation to assist
3.1 The Processor commits to assist the Controller in ensuring compliance with its legal obligations under Applicable Data Protection Law concerning security of the processing, the notification of a personal data breach to the supervisory authority and the data subject, the drafting of a data protection impact assessment (if applicable), and prior consultation.
3.2 The Controller has a right to audit in order to verify the compliance of the Processor with its obligations under the Data Processing Agreement. The Controller can conduct such audit once a year. The audit can be performed by the Controller or another auditor mandated by the Controller.
3.3 The Controller will inform the Processor at least 15 working days in advance about the working day during which the audit will occur.
3.4 If the Processor, in its opinion, would receive during the audit an instruction, from the Controller or from another auditor mandated by the Controller, that infringes Applicable Data Protection Law, the Processor shall immediately inform the Controller hereof.
4. Duration and termination
4.1 The Data Processing Agreement shall enter into force on the same date as the Terms. If the Processor has already processed Personal data in the framework of the Terms prior to the conclusion of this Data Protection Policy, the Data Processing Agreement shall apply retroactively from the start of the processing of personal data by the Processor in the name and on behalf of the Controller.
4.2 The Data Processing Agreement shall remain in force for the term of the Terms. If the Terms terminate, the Data Processing Agreement shall terminate automatically.
4.3 Upon termination of the Data Processing Agreement, all personal data and any physical or electronic copies thereof must be provided to the Controller, or the Processor must, at the Controller’s discretion, destroy all personal data, unless (i) the storage of the personal data is required on the basis of a rule under applicable law or (ii) it concerns the pseudonymized data acquired in the course of the Terms and used to improve the Services provided by Unblock on its Site. The Processor is allowed to further process such pseudonymized data for improvement of the Unblock Platform and Site as well as scientific research (e.g. building statistical models). In any case, to the extent such data qualifies as personal data, Unblock shall comply with all controller obligations under Applicable Data Protection Law.
5.1 The Data Processing Agreement is severable. If one or more provisions that do not affect the essence of the Data Processing Agreement are declared fully or partially invalid, void or unenforceable, this shall not affect the validity and enforceability of the remaining provisions. The Data Processing Agreement will remain in force between the Parties and the invalid, void or unenforceable provision will be deemed modified to the minimum extent necessary to make it valid, legal and enforceable.
5.2 The modifications of and supplements to the Data Processing Agreement are valid only if they are expressly agreed in writing between the Parties.
5.3 All general or specific terms and conditions or other documents originating from the Controller are hereby excluded. If a provision of the Terms is incompatible with, or contradictory to a provision of the Data Processing Agreement, the Data Processing Agreement will prevail.
5.4 If the personal data or the relationship between the Parties is subject to new (European) legislation or case law, the Parties agree to renegotiate in good faith the Data Processing Agreement, and to bring the Data Processing Agreement in line with the new (European) legislation or case law.
5.5 Compliance by the Processor with its obligations under the Data Processing Agreement is done against a fee based on the Processor’s hourly rates applicable at that moment.
5.6 If the Processor is subject to a code of conduct or is certified with regard to the processing of personal data, it undertakes to comply with and to maintain this code of conduct or certification for the duration of the Data Processing Agreement.
3. Data processing modalities
Processing by Unblock on behalf of the User under Section 2 will be in compliance with the following modalities:
Nature and purposes
The Processor acts as the service provider for the Services in accordance with the Terms.
Type of personal data
Contact details of Controller’s own customers and users (e.g. name, birthday, address, official ID, gender, email), any other personal data that User may include in the Services or that the User’s Flow may request, use or create.
Data subject categories
Customers of the Services, end-customers of the Flows
Location(s) of the processing
Unblock processing is fully cloud-based: the processing happens at the locations of the sub-processors specified below.
For operation and management of the Platform, Workato, Inc:
Workato Inc, 215 Castro Street, Suite 300, Mountain View, CA 94041, USA
For cloud storage and database hosting, DigitalOcean LLC:
DigitalOcean LLC, 101 6th Ave, New York, NY 10013, USA
Third countries to which personal data are transferred with indication of adequacy decision or other grounds for transfer
Personal data will not be transferred to third countries, except for those where our sub-processor(s) might be located. Depending on the third country, Unblock will make use of an adequacy decision (if appropriate) or the European Commission Standard Contractual Clauses (“SCCs”). Controller can find the legal framework of the data processing by sub-processors: