- In the execution of the Agreement, TCC may process personal data on behalf of the Client through the services it provides. In this case, the terms as set out in this article shall be considered a data processing agreement within the meaning of Article 28(3) of the GDPR, with the Client being the data controller and Auto-Pilot being the data processor.
- TCC processes personal data on behalf of the Client in accordance with the terms and for the purposes as set out in this article. The processing is carried out solely within the scope of the Agreement and for any purposes that may be agreed upon later.
- TCC does not make independent decisions regarding the processing of personal data for other purposes, including but not limited to the provision of personal data to third parties and the retention periods of the data. Control over the personal data processed under this article and/or other agreements between the Parties rests with the Client. TCC may anonymize personal data and use it to improve the services.
The categories of personal data that may be processed include: contact and address information, financial data, employee records and/or numbers, customer or identification number(s), date of birth, nationality, race, gender, social security number, medical/health data, (copy of) ID documents, IP address, and other location data, content of emails, chat messages, contact forms, and other (personal) data stored or processed through TCC's services.
- TCC and the Client adhere to applicable laws and regulations regarding the protection of personal data, including the GDPR. The Client guarantees that the submission or uploading of (personal) data to TCC is lawful and that the processing of such data in accordance with the Agreement does not violate applicable privacy laws and regulations.
- Upon request, TCC will promptly provide the Client with further information about the measures it has taken to fulfill its obligations under this Data Processing Agreement. Additionally, TCC will assist the Client as necessary in complying with its (legal) obligations under the GDPR. TCC will inform the Client if, in its opinion, an instruction from the Client constitutes a breach of applicable laws and regulations regarding the protection of personal data.
- If there is a (legal) obligation or requirement for TCC to assist the Client under the GDPR, TCC will assist the Client in informing the supervisory authority and/or the data subjects concerned.
- TCC may process personal data in any country within the European Economic Area (EEA). Transfer of personal data to countries outside the EEA is also allowed, provided that the legal requirements for such transfer are met.
- The Client hereby grants TCC a general authorization to engage third parties (sub-processors). The Client authorizes TCC to engage the third parties listed in Attachment 1. Upon the Client's request, TCC will inform the Client about the engaged sub-processors. With sound and justified reasons, the Client has the right to object to new or changed sub-processors. In such cases, the Parties will engage in discussions to find a workable solution. The terms and conditions of the sub-processors also apply to this Agreement.
- TCC strives to take sufficient and appropriate organizational and technical measures against any unlawful processing related to the processing of personal data. Upon request, TCC will provide the Client with insight into its security policy, to the extent relevant to the services. TCC does not guarantee that security is effective under all circumstances. The Client will only provide personal data to TCC if it has ensured that the required security measures have been taken.
- In the event of a breach in the security of personal data that could cause damage or have adverse consequences for the protection of personal data, TCC will promptly notify the Client upon discovery of the security breach, after which the Client will decide whether or not to notify the supervisory authority and/or the data subjects. The notification will include, at a minimum, the fact that a security incident has occurred, as well as all other information known to TCC in this regard.
- If TCC receives a data subject's request for access, TCC will forward this request to the Client. The Client will then process this request. TCC may notify the data subject if necessary, and if required, TCC will support the Client in enabling the data subject to exercise their legal rights.
The Client has the right to conduct an audit, through an independent third party bound by confidentiality, to verify TCC's compliance with this article. The Client is allowed to conduct an audit if they have a concrete suspicion of misuse of personal data by TCC. The audit will not take place earlier than two weeks after the Client's notification to TCC and without access to confidential information. TCC will cooperate in the audit and will provide the Client with all reasonably relevant information as soon as possible, including but not limited to supporting data such as system logs and employee records.
- The findings of the conducted audit will be discussed and evaluated by the Parties and, if applicable, implemented by TCC. The costs of the audit will be borne by the party conducting it.
- TCC may charge reasonable costs to the Client for assisting with the exercise of data subject rights, prior consultation, and demonstrating compliance with the GDPR.
- Once the agreement is terminated for any reason, TCC, at the Client's choice, will either return all personal data in its possession in original or copy form to the Client and/or delete and/or destroy these original personal data and any copies thereof within a maximum period of 30 days. The terms of this article remain in effect until all data and other details of the Client have been deleted.
Attachment 1 – Sub-processors
- Amazon Web Services
- Google Cloud Platform
Last updated: September 22, 2023