GDPR ADDENDUM
- Mixvoip SA, 70 rue des Prés L-7333 Steinsel – Luxembourg
- Mixvoip Srl, Avenue de Finlande 5 – B-1420 Braine l’Alleud – Belgium
- Mixvoip GmbH, Max-Planck-Strasse 22 D-54296 Trier – Germany
- Mixvoip SAS, 4 rue Marconi F-57000 Metz – France
hereinafter “Mixvoip”
Pursuant to the European General Data Protection Regulation (2016/679) of May 25, 2018 this article replaces any other article of the agreement relating to privacy and protection of personal data as of that date.
1 PROTECTION OF PERSONAL DATA - GENERALITIES
1.1 The data protection related concepts used in this article 1 shall have the meaning given to them in the Data Protection Legislation.
1.2 The Client (i) represents and warrants that it complies and undertakes to continue to comply with the national laws implementing the Data Protection Directive (95/46/EC) until 24 May 2018 and (ii) undertakes to comply with the General Data Protection Regulation (2016/679) as of 25 May 2018 and (iii) undertakes to comply with the national laws implementing the Directive on Privacy and Electronic Communications (the legislation referred to under (i), (ii), and (iii) above being jointly referred to as the "Data Protection Legislation").
1.3 Mixvoip will comply with the Data Protection Legislation when processing information relating to an identified or identifiable natural person in its performance of this Agreement (referred to as "personal data" under the Data Protection Legislation).
2 MIXVOIP ACTING AS DATA CONTROLLER
2.1 Mixvoip processes personal data relating to its Clients (and their fellow users and end users where applicable), e.g., identification data, contact data, data on the Client's use of Mixvoip products and services, data on the Client's communication traffic, billing and payment data, and technical data. In this context, Mixvoip acts as a data controller. The data is processed for the following purposes:
- the performance of the Agreement with the Client and the delivery of the Products and Services requested by the Client;
- the administration and management of relations with the Client;
- Client profiling and conducting information and promotion campaigns for products and services offered by Mixvoip, unless the Client objects to this;
- the improvement and development of Mixvoip products and services and the network infrastructure;
- the provision of reporting services to third parties based on anonymized data.
2.2 Mixvoip's files may be accessible to third parties who work in the name or on behalf of Mixvoip. Mixvoip may share Client data with the Affiliates Mixvoip in order to conduct information and promotional campaigns for the products and services of Mixvoip, unless the Client objects to this. In the cases stipulated by law, Mixvoip shall hand over Client data if requested to do so by the government services. The Client has the right to access, correct, and delete any data that relates to him. For further information about the processing of personal data by Mixvoip, the purposes of the processing, the categories of personal data concerned, the data collection method, the retention period of the personal data, and the way in which the Client can exercise his rights and set his privacy preferences, please contact dpo@mixvoip.com. The data relating to Clients who have terminated their contracts with Mixvoip can be used by the Mixvoip Group to inform them of Mixvoip’s products and services, unless the Client objects to this.
2.3 Mixvoip hereby delegates to the Client, which agrees, to carry out the following obligations of Mixvoip under the Data Protection Legislation. In particular, the Client shall:
- ensure that all personal data are accurate, complete, and up-to-date;
- ensure that data subjects to whom the personal data relate are properly informed in accordance with the Data Protection Legislation that personal data relating to them may be processed by Mixvoip under this Agreement. For that purpose, the Client shall inform the data subjects of the Mixvoip GDPR Addendum and more specifically how employees can exercise their rights regarding their personal data;
- provide, upon the request of Mixvoip, evidence demonstrating that the data subjects have been duly informed in accordance with this article 1.2.
3 MIXVOIP ACTING AS DATA PROCESSOR
3.1 Where Client (or its data controllers if the Client is not the data controller) provides personal data to Mixvoip in connection with its use of the Products/Services and requests Mixvoip to process personal data on behalf of the Client (or of the Client’s data controllers) for the sole purpose of providing the Client with the Products/Services, the Client shall act as data controller in relation to the processing of these personal data and Mixvoip shall act as a data processor regarding these personal data.
3.2 The Client shall ensure the rights and obligations of the Parties under this Article 1 are appropriately reflected towards its data controllers it allows to make use of the Products/Services. The Parties agree that Client shall act as the sole point of contact for Mixvoip, either in its capacity as data controller or on behalf of its data controllers. All references to Client rights and obligations under this Article 1 shall be deemed to include the respective data controllers of the Client to the extent applicable. The personal data made available by the Client might relate to the following types of data subjects: its own customers, employees, workers, agents, representatives, consultants, or other third parties. The personal data might include the following categories of data:
- identification information, contact details;
- preferences with regard to direct marketing;
- invoice and billing data;
- data related to the usage of the Products/Services under this Agreement;
- any other type of personal data identified in the Agreement.
With regard to these personal data, the Client (or its data controllers) will have the rights and obligations of a data controller as set out in the Data Protection Legislation.
3.3 Mixvoip shall process or transfer the personal data in accordance with the Client’s documented instructions, unless Mixvoip is required to otherwise process or transfer the personal data under the laws of the European Union or one of its Member States. Where such a requirement is placed on Mixvoip, Mixvoip shall provide prior notice to the Client, unless the law prohibits such notice on important grounds of public interest. The Agreement, including this article, is the Client's complete instruction to Mixvoip in this respect. All additional or alternative instructions must be agreed upon in writing by the Parties.
3.4 Mixvoip shall treat the personal data as strictly confidential and ensure that any natural person acting under its authority who has access to the personal data (i) commits himself/herself to confidentiality or is under an appropriate statutory obligation of confidentiality and (ii) does not process the personal data except on instructions from the Client, unless he/she is required to otherwise process or transfer the personal data under the laws of the European Union or one of its Member States.
3.5 Irrespective of where Mixvoip receives or holds the personal data, Mixvoip shall take the technical and organizational measures agreed in this Agreement to ensure a level of security appropriate to the risks that are presented by the processing (in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, use or access, and against all other unlawful forms of processing) and taking into account the state of the art, the costs of implementation, and the nature of the personal data and the potential risks.
3.6 If Mixvoip detects a personal data breach affecting the personal data in the framework of the performance of the Agreement, Mixvoip shall inform the Client about the breach without undue delay.
3.7 At the request of the Client and taking into account the nature of the processing as well as the information available to Mixvoip, Mixvoip shall provide insofar as possible reasonable assistance to the Client in:
- dealing with requests from data subjects exercising their data subject rights under the Data Protection Legislation;
- implementing technical and organisational security measures to comply with the Client’s obligation of security of the personal data processing;
- notifying personal data breaches affecting the personal data to the supervisory authority and to the data subject, as the case may be; and
- conducting data protection impact assessments and consult the supervisory authority in such context.
Mixvoip reserves the right to claim reasonable compensation for this assistance.
3.8 At the request of the Client, Mixvoip shall provide all information necessary to demonstrate compliance with this article 1.3 as well as to contribute reasonable demands for audits conducted by the Client or another independent auditor mandated by the Client. Advance notice of at least 60 (sixty) Calendar days is required, unless applicable Data
3.9 The Client hereby provides a general written authorisation to Mixvoip to engage subcontractors for the processing of the personal data (i) to the extent necessary to fulfil its contractual obligations under the Agreement and (ii) as long as Mixvoip remains responsible for any acts or omissions of its subcontractors in the same manner as for its own acts and omissions hereunder. Upon request, Mixvoip shall inform the Client of any intended addition or replacement of other processors, giving the Client the opportunity to object to such changes. If the Client has a legitimate reason for objection that relates to the processing of personal data, Mixvoip may not be in a position to continue to provide the Service to the Client and shall in such case be entitled to terminate this Agreement. Where Mixvoip engages another processor under this Article, Mixvoip shall ensure that the obligations set out in this article 1.3. are imposed on that other processor by way of a written contract.
3.10 Mixvoip shall be entitled to transfer the personal data to a country located outside the European Economic Area which has not been recognised by the European Commission as ensuring an adequate level of data protection, if Mixvoip (i) has provided appropriate safeguards in accordance with the Data Protection Legislation or (ii) can rely on a derogation foreseen by the Data Protection Legislation enabling such transfer. The Client shall from time to time execute such documents and perform such acts as Mixvoip may reasonably require to implement any such appropriate safeguards.
3.11 At the end of the Agreement, Mixvoip will delete the personal data (unless the law requires further storage of the personal data) or, if requested by the Client, return it to the Client or give the Client the possibility to extract the personal data.
3.12 If any request of the Client under this article 1.3 requires Mixvoip to take additional steps beyond those directly imposed on Mixvoip by the Data Protection Legislation, the Client shall reimburse Mixvoip for any costs incurred by Mixvoip for taking such additional steps.
3.13 The breach of any Data Protection Legislation by Mixvoip shall be deemed as a Mixvoip’ Fault only if Mixvoip has acted outside or contrary to lawful instructions of the Client.
3.14 LANGUAGE DISCREPANCY: In the event there is a discrepancy or inconsistency between the English language version and any other language version of this GDPR Addendum, the English version shall prevail, govern and control.