Terms and conditions

TERMS AND CONDITIONS – DAS ACCESS

These are the terms and conditions (hereinafter: “Terms and Conditions”) of MAP4F BV, trading under the name DAS ACCESS, a Belgian limited liability company with registered offices at 2223 Heist-op-den-Berg, Leo Kempenaersstraat61 bus 2 and registered with the Crossroads Bank for Enterprises under the number 0883.444.425 (hereinafter: “DAS ACCESS”).

1. Definitions
   • In these Terms and Conditions the following terms have the following meaning, unless expressly states otherwise:

Content	Any data, information or material, that may be accessed through the Products/Software, including but not limited to models, calculations, text, images, software, programs, computer code and other (third party) information;
Contract	The contract that arises between DAS ACCESS and the Distributor when the Distributor accepts the present Terms and Conditions, either in writing or electronically and which governs the commercial relationship between Parties. The Contract includes the DPA which is attached as an annex to these Terms and Conditions.
Data Processing Agreement (DPA)	Agreement between DAS ACCESS and the Distributor containing the rights and obligations of DAS ACCESS, the Distributor and the End-Customer in connection with the processing of End-Customer’s Clients’ personal data by DAS ACCESS on behalf of the Distributor;
Distributor	Authorized third-party distributor of DAS ACCESS’s Products, exclusively a legal entity (whether incorporated or not) acting for professional purposes, who has entered into a Contract with DAS ACCESS. Any Distributor is considered to be an ‘undertaking’ within the meaning of the Belgian Code of Economic Law and, consequently, cannot be a ‘consumer’ in its commercial relationship with DAS ACCESS;
End-Customer	The end-user or purchaser, exclusively a legal entity (whether incorporated or not) of the Products and/or Software provided by DAS ACCESS through the Distributor;
Party	Each Party to this Contract;
Privacy Legislation	Refers to the General Data Protection Regulation (GDPR) of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of personal data and all Belgian implementing laws;
Privacy Policy	DAS ACCESS’s privacy policy, which explains how DAS ACCESS processes personal data, and is accessible on the Website: https://www.dasaccess.com/nl/privacy-policy/;
Products	The products which DAS ACCESS offers to the Distributor and any related hardware and Software;
Software	The subscription-based software provided by DAS ACCESS to the Distributor that operates in conjunction with the Products;
Term	The initial or renewed term – i.e. a year – during which the Distributor is granted the subscription to the Software;
Website	DAS ACCESS’s website: https://www.dasaccess.com/.

1. Offer, Scope and Contract formation
   • These Terms and Conditions apply to the purchase, supply, distribution, (sub-)license, make available or sale of all Products and/or Software developed and provided by DAS ACCESS to Distributors, who are authorized to resell the Products and sub-license the Software to End-Customers.

• The ordering of Products and/or Software by the Distributor constitutes acceptance of the Terms and Conditions. These Terms and Conditions constitute the entire Contract between the Distributor and DAS ACCESS and are exclusively applicable, excluding the terms and conditions of the Distributor.

• The usage of the Products may include web or mobile applications that may be subject to additional terms (“Additional Use Terms”) or Software that may be subject to additional (end-user) software license conditions (“EULAs”), from either DAS ACCESS, an affiliate, or a third party. Such EULAs or Additional Use Terms will be made available together with the web or mobile application or Software, as applicable. The Distributor will in turn make the EULA and/or Additional Use Terms available to the End-Customer.

• The Terms and Conditions are accessible on the Website at all times. DAS ACCESS reserves the right, in regard of the change of relevant legislation, the change of market situation, the change of its business policy or at its own discretion, unilaterally to change, modify, cancel, add or remove parts of these Terms and Conditions at any time without a prior notice by posting the updated/amended Terms and Conditions including the day of its effectiveness on the Website. Such changes will be valid and effective as of the moment of posting on or the Website.

2. Price and payment
   • Prices for Products and subscription fees for Software will be as agreed upon in writing between DAS ACCESS and the Distributor. Prices and subscription fees are exclusive of VAT, duties or other charges, unless otherwise stated.

• Payment is due within 30 days of the invoice date unless otherwise agreed in writing. If the Distributor fails to pay the invoice by the due date, DAS ACCESS reserves the right to charge interest on overdue amounts in accordance with Article 5, par. 1 of the Belgian Act of 2 August 2002 on combating late payment in commercial transactions. This default interest will automatically start to accrue from the day after the due date of the outstanding invoice, without the need for a prior notice of default.

In the event of late payment by the Distributor, the outstanding amount will automatically, and therefore without the need for a prior notice of default, be increased by a fixed indemnity of 10% of the principal sum, with a minimum of €50.00.

If the Distributor fails to pay the invoice containing the subscription fees for Software by the due date, DAS ACCESS is entitled to suspend or even permanently terminate access to the Software without the Distributor being entitled to claim any damages.

• Under penalty of forfeiture, the Distributor must submit any protest regarding an invoice within 8 calendar days of the invoice date, in writing and by registered mail to DAS ACCESS, mentioning the invoice number and date. In the absence of a protest within the aforementioned period, the invoices will be considered as definitively accepted.

• Under no circumstances does DAS ACCESS guarantee that it will maintain the prices for any of its Products. DAS ACCESS reserves the right to adjust the prices of one or more of its Products at any time. DAS ACCESS undertakes to notify its Distributors at least one (1) month prior to the application of the new prices. Without prejudice to the provisions on indexation below, any significant price increase may be considered a substantial change to the Agreement. Consequently, the Distributor shall be given the possibility to terminate the Agreement. Such notice of termination must be done in writing to DAS ACCESS before the new prices come into effect. The continued purchase of the Products by the Distributor after the effective date shall constitute the acceptance of the revised prices.

• In so far as the prices of the Products/ Services are based on the then prevailing wage costs, costs of components/ parts/ third party licenses, social security contributions and government levies, insurance premiums, costs of materials, exchange rates and/or other costs, DAS ACCESS shall, in the event of an increase of one or more of these price factors, be entitled to index its prices accordingly in accordance with the legally permitted standards. An indexation cannot be considered a substantial change to the Agreement. Consequently, the Distributor shall not be given the possibility to terminate the Agreement.

3. Contract duration and termination
   • The Contract comes into force upon the date on which the Distributor either accepts the Terms and Conditions or orders Products/ Software from DAS ACCESS (whichever happens first).

• The Contract is concluded for an indefinite period of time. Each party may terminate the Contract by adhering to a notice period of three (3) months unless otherwise agreed upon by the Parties.

• DAS ACCESS may terminate the Contract immediately upon written notice if the Distributor breaches any of these Terms and Conditions. The Distributor may only terminate the Contract immediately in accordance with Article 2.4 of the Terms and Conditions.

4. Intellectual property
   • The Products, Software and Content are protected by (intellectual) property rights. All (intellectual) property rights and derivative rights rest and remain with DAS ACCESS.

• DAS ACCESS grants the Distributor a non-exclusive, limited transferable right to distribute, sublicense and make available the Products and Software to the End-Customers in accordance with these Terms and Conditions.

• The Distributor is authorized to grant non-exclusive and non-transferable sublicenses to End-Customers, allowing them to use the Products and Software solely for purposes directly related to its own use of the Products and Software. The Distributor shall ensure that any sublicense agreement with End-Customers includes terms that protect the intellectual property rights of DAS ACCESS and that are no less protective than those set forth in these Terms and Conditions.

• The Distributors and the End-Customers shall not, without the prior written consent of DAS ACCESS:

• Modify, adapt, reverse engineer, decompile or disassemble the Products/ Software;
• Remove or alter any proprietary notices or labels contained within the Products/ Software;
• Use the Products/ Software in a manner inconsistent with the license granted herein.

• Upon termination or expiration of the Distributor’s license with DAS ACCESS, all sublicenses granted to End-Customers will automatically be transferred to and managed directly by DAS ACCESS. The Distributor must provide DAS ACCESS with a complete list of all active sublicenses and relevant contact details for End-Customers prior to the termination or expiration of the Distributor’s license.

• The Distributor shall take all necessary steps to protect the (intellectual) property rights of DAS ACCESS and promptly inform DAS ACCESS of any unauthorized use or infringement of its intellectual property rights by End-Customers or third parties.

• In the event of any breach by the Distributor or End-Customer of the provisions of this Article, DAS ACCESS reserves the right to claim compensation from the Distributor for the damage suffered.

5. Liability
   • DAS ACCESS’s liability shall be limited to the lesser of the following two amounts: (i) the invoice value of the most recent invoice related to the Products or Software, or (ii) the amount paid out under DAS ACCESS’s applicable insurance policies. DAS ACCESS’s liability shall in any case be limited to the liability mandatory under Belgian law. The Distributor agrees to notify DAS ACCESS in the shortest possible time of any damage it (or by an End-Customer) has suffered as a result of using the Products. Any aggravation of the damage as a result of the failure to give such prompt notice shall not be attributable to DAS ACCESS.

• DAS ACCESS shall not be liable for:

• Indirect and/or consequential damage (including but not limited to loss of income, loss of goodwill and damage to the property of the Distributor or End-Customer due to the use of the Products). This limitation applies even if DAS ACCESS has been advised of the potential for such losses by the Distributor;
• Defects that have been caused directly or indirectly by an act on the part of the Distributor, End-Customer or any third party, regardless of whether such actions are caused by an error or negligence;
• Damage resulting from using the Products for purposes other than those for which they have been developed or intended by DAS ACCESS;
• Additional damage caused by continued use after a defect has been detected;
• Loss, incorrect use or mishandling of the Products, except where such loss or misuse is solely due to DAS ACCESS’s fault;
• Damage arising from failure to comply with any advice and/or guidelines that may be given by DAS ACCESS (including the Additional Use Terms and EULA’s);
• Damage resulting from force majeure or hardship as defined in Article 6 of these Terms and Conditions.

• The application of Article 6.3 of the Belgian Civil Code is expressly excluded. The Distributor hereby waives any right to hold any auxiliary person of DAS ACCESS (including employees, directors or any other appointees) liable for damages resulting from DAS ACCESS’s failure to fulfill its contractual obligation. Should any attempt be made to hold an auxiliary person of DAS ACCESS liable, that person shall be entitled to invoke all defenses available to DAS ACCESS against the Distributor. Additionally, the auxiliary person may invoke any defenses available to them against their own principal, regardless of whether that principal is DAS ACCESS.

• The Distributor acknowledges and agrees that DAS ACCESS does not guarantee that the Products or Software will:

• Ensure compliance with any specific laws, regulations, or industry standards applicable to the End-Customer;
• Achieve any particular results, outcomes, or performance metrics, including but not limited to increased efficiency, revenue or customer satisfaction;
• Operate without interruption, errors or delays, including but not limited to issues related to connectivity, system integration, or compatibility with third-party software or hardware;
• Meet the specific needs, requirements, or expectations of the Distributor, End-Customer, or any third party in terms of functionality, reliability, or security;
• Prevent unauthorized access to or loss of data, or provide complete protection against cyber threats, viruses, or other harmful content, beyond the measures outlined in the Data Processing Agreement annexed to the Terms and Conditions.

DAS ACCESS disclaims any and all responsibility for the aforementioned aspects, and any reliance by the Distributor or End-Customer on the Products or Software for these purposes shall be at their own risk.

• All claims for (hidden) defects in conformity must be immediately communicated to DAS ACCESS, but no later than within two calendar months following the day on which the relevant (hidden) defects is detected under penalty of forfeiture of the right to bring such a claim. If the defect manifests itself within 6 months after delivery, this is deemed to have already existed upon delivery, unless DAS ACCESS can prove otherwise. After 6 months after the delivery date, the End-Customer (or Distributor) will have to prove that the defect was already present at the delivery.

6. Force Majeure / Hardship
   • DAS ACCESS cannot be held liable for any failure to meet its obligations under the Contract if this failure is due to force majeure or hardship. Usual events of force majeure or hardship include: all circumstances that were reasonably unforeseeable and unavoidable at the time of the conclusion of the Contract, and which prevent DAS ACCESS from performing the Contract, or which would make the performance of the Contract more difficult, financially or otherwise, than would normally be the case (including, but not limited, to: war, natural disasters, fire, seizure, epidemics and pandemics, delays with or bankruptcy of third parties engaged by DAS ACCESS, shortage of staff, strikes, organizational circumstances, threat or acts of terrorism, interventions by public authorities, power interruptions and failures of or interruptions to any communications equipment, software or hardware). The aforementioned situations entitle DAS ACCESS to review and/or suspend the execution of the Contract by simple written notice to DAS ACCESS, without being liable to pay compensation. Parties shall be entitled to terminate the Contract if the situation of force majeure and/or hardship lasts longer than two (2) months.

7. Privacy
   • DAS ACCESS is committed to protecting the privacy of its Distributors, End-Customers and any third party whose personal data it (inadvertently) gains access to.

• DAS ACCESS acts as a data controller in its direct relations with Distributors. The personal data will only be processed in accordance with our Privacy Policy and the Privacy Legislation.

• When processing personal data on behalf of the End-Customers through the Products and Software, DAS ACCESS acts as a data processor. The specific obligations of DAS ACCESS as a data processor are outlined in the Data Processing Agreement (DPA) annexed to these Terms and Conditions. The Distributor shall ensure that the DPA forms part of the end agreement with the End-Customer. The personal data will only be processed in accordance with the instructions of the End-Customer, the DPA and the Privacy Legislation.

8. Availability, maintenance and updates of the Software
   • DAS ACCESS wishes to keep the quality of the Software high by performing maintenance activities and implementing updates on a regular basis. DAS ACCESS undertakes to minimize the impact of such maintenance activities and updates on the availability of the Tool, but does not exclude any downtime in this respect. In any case DAS ACCESS undertakes its best effort to inform the Customer thereof in due time, unless this is impossible or not useful (e.g. in case of urgency).

• In the event of problems with the availability of the Software, DAS ACCESS will make all reasonable efforts to solve such issue as soon as reasonably possible without giving any guarantee in terms of response and resolution times.

• Under no circumstances shall DAS ACCESS be obliged to compensate the Distributor or End-Customer due to a situation of unavailability.

9. Miscellaneous
   • The invalidity, nullity, and/or unenforceability of any provision of these Terms and Conditions shall not in any way affect the validity and/or enforceability of the remaining provisions of the Terms and Conditions. The relevant provision shall be replaced by a valid provision that strives to achieve as closely as possible the purpose and intent of the invalid or voided provision. If parties do not reach an agreement, then the competent court may mitigate the invalid provision to what is (legally) permitted.

• The Distributor accepts electronic evidence. The final confirmation of the order by the Distributor shall be considered acceptance of the order at the stated price. The Distributor’s confirmation shall be considered a signature and express acceptance of the relevant order.

• The (repeated) failure by DAS ACCESS to exercise any of its rights may only be construed as a toleration of a particular situation and shall not give rise to a forfeiture of its rights.

• DAS ACCESS is entitled to assign or transfer this Contract, in whole or in part, to any affiliate or to another company in connection with the sale, transfer, merger, consolidation, or any other disposition of all or substantially all of its assets or business.

• In case of disputes between DAS ACCESS and the Customer, only Belgian law shall apply and only the courts of the Antwerp district, division Antwerp shall have jurisdiction, unless otherwise provided in mandatory legal provisions.

ANNEX I: DATA PROCESSING AGREEMENT

This data processing agreement (the "Agreement") is entered into on [date]

BETWEEN:

1. [NAME], a [XXX] company with registered offices at [address] and registered with the Crossroads Bank for Enterprises under the number [number], hereby legally represented by [XXX] in his/her capacity of [XXX],

Hereinafter: “Controller”;

AND

2. MAP4F BV, trading under the name DAS ACCESS, a Belgian limited liability company with registered offices at 2223 Heist-op-den-Berg, Leo Kempenaersstraat 61 #2 and registered with the Crossroads Bank for Enterprises under the number 0883.444.425, hereby legally represented by [XXX] in his/her capacity of [XXX],

Hereinafter: “Processor”;

Controller and Processor are individually referred to as “Party” and jointly as the “Parties”.

WHEREAS:

1. Processor provides services relating to the management and use of parking systems provided by Processor and sold via an authorized third party to the Controller (the “Services”);
2. The provision of these Services entails that Processor will Process Personal Data (as defined below) on behalf of the Controller;
3. Parties wish to enter into an agreement regarding the Processing of Personal Data, that complies with the applicable Data Protection Laws (the “Agreement”);

IT IS AGREED AS FOLLOW:

1. Definitions

“Agreement” means this Data Processing Agreement and all Appendices.

“Appendix A” means appendix A entitled “Data Processing Description”.

“Appendix B” means appendix B entitled “Minimum Security Measures”.

“Appendix C” means appendix C entitled “List of Sub-processors”.

“Controller Personal Data”means any Personal Data Processed by or the Processor (or a Sub-Processor) on behalf of the Controller pursuant to or in connection to the Services provided by the Processor.

“EEA”means the European Economic Area.

"EU Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any and all applicable national data protection laws made under or pursuant to (i) or (ii); in each case as may be amended or superseded from time to time; and

“Sub-processor” means subcontractors, appointees, or any third parties engaged by the Processor to Process Personal Data.

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Scope and relationship between the Parties

2.1 Scope and details of processing

The Processor will only Process Controller Personal Data on behalf of Controller during the performance of the Services as described in this Agreement.

The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this Agreement are further specified in Appendix A (Data Processing Description) to this Agreement.

2.2 Relationship between the Parties

The parties agree that for the Processing of Personal Data under this Agreement, Controller is the Data Controller, and Processor the Data Processor. If Controller acts as a Data Processor, then Processor will serve as a Sub-processor. Controller retains exclusive authority over the purpose and means of processing Controller Personal Data. Both Parties will comply with their respective obligations under the GDPR and other applicable data protection laws.

3. Obligations of the Parties

3.1 Purpose limitation

Processor shall process the Controller Personal Data solely for the purposes described in Appendix A and strictly in accordance with the documented instructions of Controller (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law applicable to Processor. In no event shall Processor process the Controller Personal Data for its own purposes or those of any third party.

3.2 International transfers

Processor shall not transfer the Personal Data (nor permit the Personal Data to be transferred) outside of the EEA unless (i) it has first obtained Controller 's prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. For transfers of Personal Data from a country in the European Economic Area ("EEA") to a non-EEA country, such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with EU Data Protection Law, to a recipient based in the United States of America that maintains a valid and up-to-date EU-US Privacy Shield certification, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

3.3 Confidentiality of processing

Processor shall ensure that any person that it authorises to process the Controller Personal Data (including Processor’s staff, agents and subcontractors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Controller Personal Data who is not under such a duty of confidentiality. Processor shall ensure that all Authorised Persons process the Controller Personal Data only as necessary for the Permitted Purpose.

3.4 Security

Processor shall implement appropriate technical and organisational measures to protect the Controller Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Personal Data (a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, such measures shall include the measures identified in Appendix B. Furthermore, the Processor shall assist the Controller in ensuring compliance with its obligations pursuant to the security of the processing, taking into account the nature of processing and the information available to the Processor.

3.5 Sub-processing:

The Parties acknowledge and agrees that in order to provide the Services, Processor may use third-party service providers (“Sub-processors”) to process Controller Personal Data. Processor commits to only use Sub-processors in compliance with EU Data Protection Law and listed in the attached Appendix C.

Processor imposes data protection terms on any Sub-processor it appoints that protect the Controller Personal Data to the same standard provided for by this Agreement. Furthermore, the Processor remains fully liable for any breach of this Agreement that is caused by an act, error or omission of its Sub-processors.

3.6 Cooperation and Data Subjects' rights

Taking into account the nature of the processing and the information available to the Processor, Processor shall provide all reasonable assistance (including by appropriate technical and organisational measures, insofar as this is possible) to Controller to enable Controller to respond to: (i) any request from a Data Subject to exercise any of its rights under EU Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Controller Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Processor, Processor shall promptly inform Controller providing full details of the same. However, Processor shall not have any responsibility to respond to such request, correspondence, enquiry or complaint.

3.7 Data Protection Impact Assessment

Taking into account the nature of processing and the information available to the Processor, if Processor believes or becomes aware that its processing of the Controller Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Controller and Processor shall provide Controller with all reasonable assistance as Controller may require in order to conduct a data protection impact assessment in accordance with EU Data Protection Law including, if necessary, to assist Controller to consult with its relevant data protection authority.

3.8 Security incidents

Upon becoming aware of a Security Incident, Processor shall inform Controller without undue delay and shall provide all such timely information and reasonable cooperation (taking into account the nature of processing and the information available to the Processor) as Controller may require in order for Controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) EU Data Protection Law. Processor shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Controller informed of all developments in connection with the Security Incident.

3.9 Deletion or return of Data

Upon termination of the performance of the Services, Processor shall (at Controller's election) destroy or return to Controller all Controller Personal Data (including all copies of the Controller Personal Data) in its possession or control (including any Personal Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Processor is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event Processor shall isolate and protect the Controller Personal Data from any further Processing except to the extent required by such law until deletion is possible.

3.10 Audit

Processor shall permit Controller (or its appointed third-party auditor, who shall not be a competitor of Processor and subject to appropriate confidentiality undertakings ) to audit Processor’s compliance with this Agreement, and shall make available to Controller all information, systems and staff necessary for Controller (or its third- party auditors) to conduct such audit. In this respect, Processor shall immediately inform Controller if it becomes aware that Controller's processing instructions infringe the EU Data Protection Law. The Processor acknowledges that Controller (or its third-party auditor) may enter its premises for the purposes of conducting this audit, provided that Controller gives a reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Processor's operations. Controller will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Controller believes a further audit is necessary due to a Security Incident suffered by Processor. All reasonable costs of the Processor related to this audit will be borne by Controller.

4. Duration of the Agreement

The Agreement shall enter into force on the date of commencement of the provision of Services and shall be terminated upon termination of provision of the Services.

5. Liability

5.1 The Processor is liable and shall indemnify the Controller for all damages caused to or claims from third parties, including the Data Subject, due to the Processor’s breach of this Agreement, and of the obligations specifically imposed on the Processor by the GDPR.

5.2 The Processor shall indemnify the Controller for all damages caused by Sub-processors or any other third party appointed by the Processor.

5.3 The Processor shall not be liable if and to extent the damage has been caused directly and exclusively by force majeure or by the Controller’s non-compliance with its obligations, provided that the Processor has made an effort to limit the consequences of the damage.

To the largest extent permitted by law, the Processor’s liability arising out of or related to this Agreement, whether in contract, tort, or under any other theory of liability, is limited to the amount covered by the Processor’s insurance policy.

6. Miscellaneous

6.1 Amendment

The Processor reserves the right to amend this Agreement as required by changes in EU Data Protection Law. The amendment(s) will be notified to the Controller in writing or through publication on the website of the Processor.

6.2 Severability

If one or more provisions that do not affect the essence of the Agreement are declared fully or partially invalid, void or unenforceable, this declaration shall not affect the validity and enforceability of the remaining provisions. The Agreement will remain in force between the Parties, as if the invalid, void or unenforceable provision never existed.

Following the aforementioned case, the Parties undertake to renegotiate in good faith the Data Processing Agreement in order to modify or replace the (fully or partially) void, invalid or unenforceable provision by a provision that most closely matches the purpose of the invalid, void or unenforceable provision.

6.3 Jurisdiction and governing law

This Agreement shall be governed by and construed in accordance with the laws of Belgium. Any disputes arising from the validity, interpretation, enforcement, performance or termination of this Agreement shall be resolved in the courts of Antwerp, Belgium.

6.4 Entire Agreement

This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, or communications between the Parties, whether written or oral.

This Agreement was signed in …….…… on ……/…../………….

APPENDIX A: Data Processing Description

This Appendix A forms part of the Agreement and describes the Processing that the Processor will perform on behalf of the Controller.

Controller

The Controller is a company with one or more parking spaces

Processor

The Processor is a company providing parking systems and the accompanying software services, including providing technical support and troubleshooting (if necessary).

Data subjects

The Personal Data to be Processed concern the following categories of Data Subjects: the Controller’s clients (i.e. natural persons using the parking spaces provided by the Controller).

Categories of Personal Data

The Personal Data to be Processed concern the following categories:

• Number plate;
• Location data;
• Name;

Special categories of data (if appropriate)

The Personal Data to be processed concern the following special categories of data:

Not applicable.

Purpose of the processing

The provision of the Services.

Processing operations

The personal data will be subject to the following basic processing activities (please specify):

• Collect;
• Record;
• Organize;
• Store;
• Use;
• Disclosure by transmission;
• Combine;
• Restrict;
• Erase;

APPENDIX B: Minimum Security Measures

The environment is only accessible by:

1. Personnel of the Processor with a specified role (admin/develop/test) role. The Processor must be able to reproduce that list if asked by Controller and be able to prove the implementation of that list at any moment within a reasonable time frame.
2. Personnel of the Controller, asp specified by the Controller, and third-parties authorized by the Controller
3. All communication with systems or persons outside the environment must be encrypted.
4. No other connectivity to the environment is allowed without prior consent of Controller.
5. Processor must be able to provide a security configuration document that is evidence for the above within a reasonable time frame. Processor must also be able to show, if asked, the implementation of that configuration.

In compliance with its obligations under the Agreement the processor shall give due consideration to the following types of security measures in order to safeguard a risk-adjusted level of security:

• the pseudonymisation and encryption of personal data;
• Physical Security;
• Access Control;
• Security and Privacy Enhancing Technologies;
• Awareness, training and security checks in relation to personnel;
• Incident/Response Management/Business Continuity; and
• Audit Controls/Due Diligence.