Privacy

Mapiq Data Processing Terms

Last updated July 2018

Unless otherwise agreed by the Parties, the following terms apply to the processing of personal data by Mapiq.

Article

Definitions

Data subject, processor, third party, personal data, personal data breach, processing, and controller: the terms as defined and described in Article 4 GDPR;

Parties: Mapiq and Client jointly.

Principal Agreement: the agreement(s) between the Client and Mapiq on the basis of which Mapiq processes personal data and to which these Data Processing Terms apply. For the sake of clarity, the term Principal Agreement also includes order confirmations that have been established by means of a quote signed by Client or a quote that is confirmed by means of an order (PO, purchase order).

Data Processing Terms: the terms as stated here (including the Appendices) which apply to the Principal Agreement as concluded between Client and Mapiq; these terms reflect the mutual rights and obligations with regard to the processing of personal data;

Schedule: a schedule to these Data Processing Terms, which schedule forms an integral part of these Data Processing Terms.

Data breach: a breach with regard to personal data, as defined in Article 4 under 12 GDPR;

Service: Mapiq's Software as a Service for smart buildings for which the Client purchases and receives a subscription for the use of Mapiq's remote functionality through the internet.

Client: the natural person or legal person who purchases the Service from Mapiq and/or has commissioned the performance of work or the provision of services and resources.

Mapiq: the limited liability company "Mapiq B.V.", Chamber of Commerce number 27366517, incorporated under the laws of the Netherlands, having its registered office in Delft, at Molengraaffsingel 10.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Article

Applicability

These Data Processing Terms apply to all personal data processed by Mapiq in the context of the execution of the Principal Agreement or ensuing or related agreements.

These Data Processing Terms set out the rules for processing personal data as referred to in article 28 paragraph 3 of the General Data Protection Regulation. These terms shall be hereinafter referred to as “Data Processing Terms”. The Data Processing Terms form an integral part of the Principal Agreement.

In the context of the processing of personal data, the Parties recognize and distinguish the following roles in accordance with the GDPR (including the associated responsibilities): the Client is the controller or processor; Mapiq is considered the processor or sub-processor; a third party contracted by Mapiq that processes the personal data is considered a sub-processor or sub-sub-processor.

Article

Processing personal data

If Client purchases the Service from Mapiq, Client thereby also grants Mapiq the order to process the personal data.

Mapiq processes the personal data of Client, as recorded in Schedule 1, only on behalf of Client, while carrying out the work duties and rendering the services agreed upon in the Principal Agreement.

Mapiq is not allowed to process the personal data of Client, or to provide the personal data of Client to third parties, for its own purposes or for purposes other than those agreed upon. Processing of personal data by Mapiq will only take place at the request and on the instructions of Client.

Unless otherwise agreed or supplemented, Mapiq processes the personal data in accordance with the purposes as determined and described in Schedule 1.

In case Client's instructions cannot be followed up within the framework of the work and services as agreed upon in the Principal Agreement, the Parties will discuss the (financial) consequences of following up the instructions given by Client.

Mapiq will inform Client if, in the opinion of Mapiq, an instruction conflicts with the applicable laws and regulations regarding the processing of personal data.

In case the Principal Agreement is changed or amended in such a way that Schedule 1 needs amendments or changes, Parties agree upon an addendum to update Schedule 1.

For the processing of personal data, Mapiq puts technology and/or software at the disposal of Client, which means may be used by Client for the set purposes. Client therefore itself determines the purposes and means, and Mapiq is considered a passive processor.

Client shall ensure that it uses the technology and/or software intended for this purpose in such a way that the personal data is processed with the aforementioned means in accordance with the relevant legislation and/or regulation regarding data processing and the predetermined legitimate purposes for processing.

If and insofar the Client is obliged by law or (internal) regulations to involve a representative advisory board in the implementation of the Service, then it shall ensure that the relevant boards or persons are informed about the purpose and resources of the Service and are consulted adequately insofar as relevant in this context.

Article

Retention periods

Mapiq shall not process personal data for longer than strictly necessary in the context of providing the Service and/or carrying out work and in accordance with the retention periods specified and determined by Client.

Unless the Parties have agreed upon retention periods, the processing of personal data will be considered no longer necessary once the Principal Agreement has been terminated.

After the personal data have been deleted and/or destroyed in accordance with the manner and terms agreed upon with Client, Mapiq cannot be held responsible or liable for the removal or destruction of the (personal) data.

Article

Confidentiality

Each of the Parties will take all reasonable measures in order to ensure the confidentiality of confidential information to the extent that this is possible in connection with the performance of the Principal Agreement.

The personal data provided by Client to Mapiq will not be disclosed to third parties without the prior approval of Client, unless there is written consent by Client, or unless disclosure is necessary for the execution of the agreed upon activities and services, the performance of a legal obligation, a request from an authority, or a judicial ruling.

Mapiq ensures that the personal data of Client will only be disclosed to personnel of Mapiq on a need-to-know basis, and only to personnel assigned to carrying out the work duties or rendering the services agreed upon in the Principal Agreement.

Article

Technical and organizational measures

Parties ensure that they will adhere to relevant legislation and regulation regarding processing personal data, in particular the GDPR.

Mapiq takes and implements appropriate technical and organizational measures to secure the personal data against any unlawful processing. These measures ensure, taking the current state of technology and the costs of implementing those measures into account, an adequate level of protection, considering the risks of processing, and the nature of, the personal data. The measures are also aimed at preventing unnecessary processing of personal data.

In order to fulfill the aforementioned obligation, Mapiq is ISO 27001 certified. As long as Mapiq processes personal data for Client, Mapiq is obliged to remain ISO 27001 certified or, in case ISO 27001 is succeeded by another standard, to be certified under and remain in compliance with the official successor.

Client takes appropriate technical and organizational measures in accordance with the GDPR to protect personal data against loss or against any form of unlawful processing. These measures ensure, taking into account the current state of the technology and the cost of implementation, a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data. Examples are: (i) business processes that comply with the relevant legislation in the area of processing of personal data; (ii) authorization models under which staff who have nothing to do with certain personal data do not have access to such data; (iii) security of workstations; (iv) an adequate password policy. Client must also ensure that it applies an adequate policy in respect of (private) use of internet and e-mail in the workplace, stipulating that personal data may be logged when using applications.

Client will inform Mapiq about the technical and organizational measures it has taken as referred to in the aforementioned paragraph prior to the start of the agreed upon work duties and services. It is the responsibility of Client to inform Mapiq in a timely manner about any new or amended policy regarding the technical and organizational measures which Client is required to take pursuant to legislation and/or regulation and business practices.

Client assesses for itself and judges independently whether a Data Protection Impact Assessment (DPIA) as referred to in article 35 of the GDPR is required. In case Mapiq deems that in a specific case a DPIA should be carried out, Mapiq informs Client and requests Client to carry out a DPIA.

In case Client has carried out a Data Protection Impact Assessment (DPIA) regarding the processing of personal data, Client will, prior to starting with the agreed upon work duties and/or services, provide Mapiq with a copy of the results and the measures that are taken or will be taken.

Article

Audit

For the duration of the applicability of these Data Processing Terms, Client is entitled to have the measures taken by Mapiq audited by an independent auditor, provided that: (i) the audit was announced by Client at least two (2) weeks in advance; (ii) the costs of the audit (including the independent auditor and the time of the staff of Mapiq supporting the auditor, at the hourly rates of that specific staff) are borne by Client; and (iii) the result will be discussed with Mapiq.

Before Client conducts an audit, Client first consults and assesses the (audit) reports available at Mapiq. If, after taking notice of the reports, Client still considers the consulted reports insufficient, Client will state in the request the reasons and arguments which, in its opinion, still justify an audit. An audit as referred to here can only be carried out under the cumulative conditions mentioned in the aforementioned article.

Mapiq and Client may as a result of the audit enter into consultation in order to implement further or additional measures and/or agree upon new terms.

Article

Third parties – sub-processors

Mapiq may, in the course of executing the Principal Agreement, use sub-processors. Client hereby grants Mapiq general consent to engage sub-processors. The list of sub-processors is attached to these Data Processing Terms in Schedule 2. Mapiq may at its own discretion and judgment change and/or extend the list. In case Mapiq expands or changes the list with new sub-processors, Client will be notified at least two (2) weeks prior to the use of the intended sub-processor, and given the opportunity to object to the proposed new sub-processors within 14 business days.

Mapiq and Client will search for reasonable solutions to address the concerns of Client. In case Client and Mapiq cannot agree upon a workable solution.

Mapiq is not allowed, without the consent of Client, to transfer personal data outside the E.U. / E.E.A. This does not apply to transfers to sub-processors as recorded in Schedule 2.

Mapiq enters, if and insofar as possible, into sub-processing agreements with the aforementioned sub-processors.

Mapiq cannot warrant that it will be notified by a sub-processor regarding changes of sub-sub-processors.

In case Mapiq engages third parties with which Mapiq cannot, or can barely, negotiate the conditions, then in the event of any damage Mapiq cannot be held liable for more than it has been able to recover from those third parties.

Article

Data breaches and rights of data subjects

In case Mapiq suspects or knows that personal data of Client has been compromised due to a data or security breach, Mapiq notifies Client immediately, and in any case within forty-eight (48) hours.

Client assesses for itself whether it should notify data subjects and/or supervisory authorities. Client is and remains responsible for the mandatory obligation to notify these actors.

In case a data subject invokes his or her rights under the General Data Protection Regulation towards Mapiq, Mapiq will forward the request to Client. Client will follow up the request of the data subject. Mapiq may inform the data subject that the request has been forwarded, and will await further instructions from Client.

Upon first request of Client: (i) Mapiq provides the information requested by Client with regard to the processing of personal data of Client; and (ii) Mapiq will support and cooperate with Client if and insofar as necessary for Client to fulfill its obligations under the applicable laws and regulations regarding the processing of personal data. The second sentence of article 1.3 also applies here, mutatis mutandis.

Article

Liability

In case of an imputable failure by Mapiq to comply with these Data Processing Terms or any relevant legislation regarding the processing of personal data, the liability of Mapiq for damages is limited to what is agreed upon in the Principal Agreement regarding limitation of liability. In case the cause of the damages is attributable to a third party as mentioned in paragraph 4.1, the liability of Mapiq is limited to what it is actually able to recover from that third party.

Article

Other stipulations

Client warrants that the contents, the agreed upon use and the assignment to process personal data as mentioned in these Data Processing Terms are not unlawful and will not infringe any right of third parties. Client indemnifies and holds Mapiq harmless against all claims related hereto.

These Data Processing Terms are applicable for as long as Mapiq, in the context of the Principal Agreement, carries out work or renders services for Client. After the end of the Principal Agreement, Mapiq destroys the personal data of Client or, upon request of Client, provides the personal data of Client to Client prior to destroying the personal data. Upon first request of Client, Mapiq provides Client with a declaration stating that the personal data has been destroyed.

Client is responsible for how it provides the personal data to Mapiq. It is therefore the responsibility of Client to check whether the manner of providing the personal data to Mapiq complies with the relevant legislation and/or (internal compliance) regulation. In doing so, Client will respect the applicable Mapiq guidelines for data delivery. If the delivery by Client does not fit the applicable guidelines of Mapiq, Mapiq has the right to refuse the manner of delivery and/or to demand a delivery that is compliant with the delivery guidelines of Mapiq. Client indemnifies and holds Mapiq harmless against all claims and/or damages in case the personal data is not provided to Mapiq in accordance with the relevant legislation and/or (internal compliance) regulation.

These Data Processing Terms are governed by the laws of the Netherlands.

Disputes arising out of or in connection with or as a result of these Data Processing Terms will be solely submitted to the court of Rotterdam, the Netherlands.

These Data Processing Terms cannot be seen separately from the Principal Agreement. In case of conflicting wording between what is stated in these Data Processing Terms and the Principal Agreement, what is stated in these Data Processing Terms prevails.

These Data Processing Terms also apply to subsidiaries of Parties.

Schedule 1 | Processed personal data and purpose of processing personal data

Description purposes and method of processing:

In accordance with the provisions of the Principal Agreement Mapiq shall solely process and use the personal data for:

  • Offering the services and functionalities of the product Mapiq
  • Ensuring the security of the Mapiq service
  • Monitoring the performance of the service
  • Improving the service, including analyzing the use of functionalities and parts of the Mapiq services

Mapiq does this through automated processing in the Mapiq software. The ultimate goal of processing personal data is to provide Mapiq users with the Mapiq service.

Categories of data subjects:

The following categories of persons will be involved in the processing of personal data:

  • Users of customers who purchase the Mapiq services
  • People who have contact with Mapiq, for example for technical support or project management

Categories of personal data:

  • Name
  • Business email address
  • Business phone number
  • Job title
  • Department

Data generated during the use of Mapiq:

  • The IP address of the computer or smartphone that was used to contact Mapiq web services.
  • What functionalities of the Mapiq web services are used.
  • Security logs of certain actions.
  • Cookies
  • Reservations made with Mapiq.
  • A profile photo that is set for an account.
  • Last known location of user.

Groups of authorized employees who process personal data:

The table below lists the job roles and/or job groups that have access to certain Personal Data and indicates which processing operations they may perform with regard to the Personal Data.

| Function (Group) | (Category) Personal data | Type of processing |
|---|---|---|
| Service administrators | All | Database and software maintenance, incident management, problem solving. |
| Support staff | Contact information, log data | Consultation for debugging and diagnosis. |
| Staff | Contact details of Customer contacts | Regular communication (e-mail, telephone) with the project members involved from Client and Mapiq. This is business communication that is separate from the Mapiq SaaS service. |

Schedule 2 | Sub-Processors

| Company | Activity | Inside or outside E.U. / E.E.A. | Instrument used for export outside E.U. / E.E.A. |
|---|---|---|---|
| Microsoft Ireland Operations Ltd | Microsoft Azure Hosting | Inside E.U. | |