This data processing agreement ("DPA") is established in accordance with Article 28 of the General Data Protection Regulation (GDPR). Complira is a service operated by Franck Trouillez, a Belgian sole proprietor (BCE 0753.954.175). This agreement is an integral part of the service contract between the data controller ("Client") and the data processor ("Complira").
"Personal data" has the meaning defined in Article 4(1) of the GDPR. "Processing" has the meaning defined in Article 4(2) of the GDPR. "Sub-processor" means a third party engaged by Complira for the processing of personal data.
Complira processes personal data exclusively on behalf of and for the account of the Client, for the duration of the service contract. Processing includes the storage, organization, and provision of compliance-related data through the Complira platform.
Complira undertakes to: - Process personal data only on the basis of the Client's documented instructions - Ensure confidentiality for all employees with access to personal data - Implement appropriate technical and organizational security measures - Assist the Client in fulfilling their GDPR obligations - Delete or return personal data at the end of the contract
The Processor relies on the sub-processors listed at https://complira.be/subprocessors to deliver the Service. That page is the canonical, dated record and is updated whenever a sub-processor is added, replaced, or removed. Notice and objection. The Processor will give the Controller at least 30 days' written notice (by email to the account billing contact) before any addition or replacement of a sub-processor takes effect. The Controller may object to a proposed change by writing to support@complira.be within that period. If the Parties cannot reach an agreement, the Controller may terminate the affected portion of the Service for cause. Sub-processor obligations. The Processor enters into a written agreement with each sub-processor imposing data-protection obligations no less protective than those set out in this DPA, including those required by Article 28(3) GDPR.
Personal data is primarily processed within the European Economic Area (EEA). For processing by sub-processors outside the EEA, appropriate safeguards are put in place, such as the European Commission's Standard Contractual Clauses (SCCs).
Complira will inform the Client without undue delay, and in any case within 48 hours, of any data breach involving personal data. The notification will include the nature of the breach, the categories of data concerned, the likely consequences, and the measures taken.
Complira makes available all information necessary to demonstrate compliance with the obligations set out in this DPA. The Client has the right to carry out audits and inspections, subject to reasonable notice of 30 days.
The liability of the parties under this DPA is subject to the limitations set out in the general terms and conditions of the service contract.
This data processing agreement is governed by Belgian law. Disputes shall be submitted to the competent courts of Brussels, Belgium.