This Data Processing Addendum ("Addendum") forms part of the Terms and Conditions, EULA, Privacy Policy and any other written or verbal agreement between Parties. The Processor and the Controller may be referred to individually as a "Party" and collectively as the "Parties".

By accepting the Terms and Conditions, Controller expressly accepts the application of the clauses as set out below concerning the processing of personal data by Processor. The contact address for any questions regarding this Addendum is privacy - at - colorlab.io.

1. Definitions

The following terms are given the meaning as indicated below:

  • Data breach: a breach of the security of Personal Data which inadvertently or unlawfully leads to the destruction, loss, modification or unauthorized disclosure of or unauthorized access to data transmitted, stored or otherwise processed.

  • Data subject: the identifiable natural person whose personal data are being processed as described below.

  • Controller: any natural or legal person who determines the purpose and means for the processing of personal data. In this Addendum, the client who uses our services.

  • Employee(s): the natural persons who are authorized by the Parties to perform this Addendum and who work under their direct responsibility.

  • General Data Protection Regulation or GDPR: the Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free traffic of such data, which entered into force on 25 May 2018.

  • Personal Data: all information about an identified or identifiable natural person which can lead to direct or indirect identification, in particular by means of an identifier such as a name, identification number, location data, an online identifier or one or more characteristic elements for the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

  • Privacy Legislation: the complete Belgian and European legislation applicable to data protection, including the General Data Protection Regulation.

  • Processing: any processing or set of operations relating to Personal Data or a set of Personal Data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating, modifying, retrieving, consulting, using, providing by means of forwarding, distributing or making available in another manner, aligning or combining, blocking, erasing or destroying of the data.

  • Processor: any natural or legal person who processes personal data for the Controller. In this Addendum, Spectrum Group BVBA.

  • Sub-processor: any natural or legal person engaged by the Processor who agrees to process Personal Data on behalf of that Processor.

  • Supervisory Authority: in Belgium, this is the Data Protection Authority ("Gegevensbeschermingsautoriteit").

The aforementioned and other terms will be interpreted in accordance with the General Data Protection Regulation.

2. Object of this Addendum

2.1 This Addendum stipulates the conditions under which the Processor may process the Personal Data on behalf of the Controller.

2.2 In accordance with the Terms and Conditions, Processor is responsible for providing a Software as a Service. The software enables customers to implement or improve an automated web to print workflow.

2.3 The Parties agree that this Addendum forms an integral part of the Terms and Conditions between the Controller and the Processor.

3. Authorized Processing

3.1 The Annex to this Addendum sets out certain information regarding Processor’s Processing of the Personal Data as required by EU Data Protection Laws, more specifically Article 28(3) of the GDPR. “Annex: scope and nature of the processing” sets out the subject matter and duration of the processing, nature and purpose of the processing, the types of Personal Data being processed and the categories of Data Subjects.

3.2 Processor may make reasonable amendments to the Annex by written notice to the Controller from time to time.

4. Rights and obligations of Controller

4.1 Controller has the duty to provide the information as stipulated in articles 13 and 14 of the GDPR to the Data Subjects who are the object of the Processing under this Addendum.

4.2 Controller provides the Personal Data to the Processor, as set forth in this Addendum. Controller determines the purposes and means of the Processing of the Personal Data. He guarantees that the Processing, including the transfer of the Personal Data to the Processor, complies with the Privacy Legislation and with this Addendum.

4.3 Controller will make available to the Processor his written instructions concerning the Processing. Controller guarantees that his instructions comply with the Privacy Legislation. If the instructions for Processing change, the Controller will immediately notify the Processor.

4.4 Controller will keep a data register of the processing activities carried out under his responsibility, in accordance with article 30(1) of the GDPR.

4.5 All Personal Data and information provided by the Controller to the Processor will remain the property of the Controller and remain his responsibility.

5. Rights and obligations of Processor

5.1 Processor will only process the Personal Data that is strictly necessary for the execution of the Terms and Conditions and commits to only process the Personal Data for the purposes as stated in this Addendum. Processor will not process the Personal Data for any other purpose than as determined by Controller.

5.2 Processor commits to only process the Personal Data on the basis of the documented instructions of Controller and in accordance with the provisions of this Addendum. If Processor is expected to pass on Personal Data, under the law of the European Union or according to the law of a Member State that applies to it, to a third country or to an international organization, Processor must report this to the Controller prior to the processing, except when the relevant right prohibits such notification on the grounds of general interests.

5.3 Processor guarantees the confidentiality of the Personal Data made available to him under the Addendum. Processor furthermore ensures that his Employees have committed to respect the confidentiality of the Personal Data or are bound by a legal obligation of confidentiality.

5.4 Processor is given a general permission by Controller to store, transfer or process the Personal Data at a location outside of the EEA. Processor must ensure that the third country provides an adequate level of data protection.

5.5 Processor processes the Personal Data transmitted by the Controller for as long as necessary for the execution of the provided services. As soon as the processing is done, Processor will, within a reasonable period of time, put an end to any Processing of the Personal Data, other than necessary for the deletion or return of the Personal Data to the Controller, unless explicitly agreed otherwise.

5.6 Processor will respect the rights of the Data Subjects as laid down in the GDPR. In this regard, Processor will assist Controller, as far as possible, with his duty to comply with the requests of Data Subjects regarding the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object to automated individual decision-making (including profiling). In the event that a Data Subject submits such a request to the Processor, the Processor will immediately forward the request to the Controller and Controller will process the request, unless explicitly agreed otherwise. Parties may agree on a compensation for the execution of such requests.

5.7 Processor assists Controller with each data protection impact assessment and prior consultation of the Supervisory Authority. In addition, Processor assists Controller in answering requests of the Supervisory Authority. Processor may request a compensation by the Controller for the execution of such requests.

5.8 When necessary for the execution of the Terms and Conditions, Processor can make copies and/or backups. The Personal Data on these copies and backups enjoy the same protection as the original Personal Data.

5.9 Processor will keep a data register of the processing activities carried out on behalf of the Controller, in accordance with article 30(2) of the GDPR.

5.10 Processor guarantees that his Employees have access to the Personal Data only to the extent that this access is necessary to carry out their duties in the light of this Addendum. The Employees are also bound by confidentiality. Processor will inform his Employees about the Privacy Legislation and the provisions of this Addendum.

6. Sub-processing

6.1 Processor may subcontract the processing wholly or partially to a Sub-processor. As of the date of this Addendum, Processor uses the Sub-processors set out in “Annex 1: scope and nature of the processing”. Processor must notify Controller in writing of any new or replacement Sub-processor. Controller can only refuse on the basis of reasonable grounds. Processor will remain the point of contact for Controller at all times.

6.2 Processor may use the services of a Sub-processor located outside the EEA. In such case, Processor must choose a Sub-processor that provides an adequate level of protection of the Personal Data. Failing that, appropriate guarantees must be provided in a contractual manner, as defined in Article 46 of the GDPR.

6.3 Processor must ensure that the Sub-processor offers the same guarantees with regard to taking appropriate technical and organizational measures in accordance with article 32 of the GDPR.

6.4 All obligations under this Addendum are fully applicable to the Sub-processor. These obligations are stipulated in writing in an agreement between the Processor and the Sub-processor. Processor remains fully responsible towards Controller for compliance by the Sub-processor with his obligations.

7. Confidentiality

7.1 Processor is bound to an obligation of confidentiality with respect to all Personal Data and other information that he receives from the Controller in the light of this Addendum. This confidentiality obligation also applies to the Employees of the Processor and to any Sub-processor and their employees.

7.2 This confidentiality obligation applies for the entire duration of the Processing and also after the termination of the Processing.

7.3 This confidentiality obligation does not apply if the Processor is required by the Supervisory Authority, a legal provision or a court order to communicate the Personal Data, when the information is publicly available or when the communication of the Personal Data has been authorised by the Controller.

8. Security

8.1 Controller and Processor shall take the required and appropriate technical and organizational measures ("Safety Measures") to safeguard Personal Data against destruction, whether by accident or unlawfully, or against loss, fraud, unauthorized distribution or access, including when the Processing includes transmission of the Personal Data through a network, or against any other improper processing or use.

8.2 The Safety Measures guarantee an adequate level of security, taking into account the risks of the Processing. In order to determine the appropriate Safety Measures, the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risks of the Processing for the rights of the Data Subjects. These Safety Measures are also intended to prevent any unauthorized data collection or further Processing.

8.3 Controller and Processor will take all reasonable efforts to ensure that their Processing systems and services meet the requirements of confidentiality, integrity and availability, always taking into account the state of the art and the reasonable costs of implementation. Both Parties also check whether their systems are sufficiently resilient.

9. Reporting a Data Breach

9.1 If Processor notices a Data Breach, he shall notify Controller without undue delay, and at the latest within 48 hours after the Data Breach has been noticed. The notification will be accompanied by any useful documentation to enable the Controller, if necessary, to notify the Data Breach to the Supervisory Authority and/or the Data Subjects. The notification shall at least provide or describe the following:

  • The nature of the Data Breach in relation to the Personal Data;
  • The categories of Data Subjects and Personal Data concerned and, approximately, the number of Data Subjects and Personal Data concerned;
  • The consequences that are likely to happen because of the Data Breach regarding the Personal Data;
  • The measures proposed or taken by the Processor to address the Data Breach, including, where appropriate, the measures to mitigate any adverse effects.

9.2 Processor will take reasonable and prompt steps to remedy and mitigate the effects of any Personal Data Breach.

9.3 It is up to the Controller to assess whether or not he will inform the Supervisory Authority and/or the Data Subjects about the Data Breach.

10. Audits

10.1 Controller undertaking an audit shall give Processor reasonable notice of any audit or inspection to be conducted and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Processor's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Processor need not give access to its premises for the purposes of such an audit or inspection:

  • 10.1.1 to any individual unless he or she produces reasonable evidence of identity and authority;

  • 10.1.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller or the relevant affiliate undertaking an audit has given notice to Processor that this is the case before attendance outside those hours begins.

  • 10.1.3 Parties may agree on a compensation for the execution of such audits.

11. Duration and termination

11.1 This Addendum commences on the signing date and shall remain in full force and effect for as long as the Terms and Conditions are in force. This Addendum cannot be terminated separately from the Terms and Conditions, unless the Parties agree that termination is necessary to comply with the Privacy Legislation or decisions of the Supervisory Authority.

11.2 At the end of the duration of the Addendum and only when the Controller requests so, Processor will provide the Controller with all Personal Data that has been processed. In addition, Processor provides all information and documentation necessary for the subsequent Processing of the Personal Data. After all Personal Data has been returned to the Controller, the Processor immediately puts an end to any Processing of the Personal Data and destroys any copy (excluding backups) that he still holds. If the Controller doesn’t request the return of the Personal Data, Processor will destroy all the Personal Data that has been processed and their back-ups. Any costs related to the return and destruction of the Personal Data are at the expense of the Controller.

12. General Terms

12.1 This Addendum replaces all previous or existing agreements between the Parties regarding its subject. This Addendum can only be amended in writing and requires joint signature by the Parties.

12.2 The nullity or invalidity of a provision or part of a provision of this Addendum shall not affect the existence and validity of the other provisions. In that case, the Parties undertake to replace or amend the relevant provision insofar as necessary to make this provision valid and enforceable. In that case, the Parties will negotiate in good faith and will prefer the adoption of a provision of similar scope. If this proves impossible, only that specific provision will be regarded as non-existent.

12.3 Titles or subtitles in this Addendum are considered merely illustrative.

12.4 This Addendum is governed by Belgian law. In the event of any dispute regarding the execution of this Addendum, the Parties are expected to do everything in their power to find an amicable solution. The Parties will provide a reasonable interpretation of this Addendum. In the absence of an amicable solution, the dispute can be submitted to a centre for arbitration and mediation (such as CEPANI) or a competent court. The exclusive competent court is the court of the judicial district of Antwerp.

13. Entire Agreement

This agreement forms part of the Terms and Conditions, together with the End User License Agreement, Privacy Policy and any other written or verbal agreement between Parties.

Annex: Scope and nature of the processing

Subject matter of the processing

Processor will process Personal Data on behalf of the Controller to provide a Software as a Service (SaaS) application as developed and provided by the Processor and which is made available to the Controller. The software enables customers to implement or improve an automated web to print workflow. When using the software provided by Processor, personal data will be processed.

Nature and purposes of the processing

Processor will process Personal Data on behalf of the Controller to the extent necessary to provide the Application to the Controller, as described in the Terms and Conditions.

Types of Personal Data and Data Subjects

Processor will process the Personal Data of the following Data Subjects: any natural person whose personal data is uploaded or shared through the Service. End users can upload Personal Data such as pictures to personalize certain products.

Personal Data includes identifying information (first name, last name, address), contact information (phone number and email address), payment details, shipping details, photo data, documents uploaded by the end-users and any other Personal Data that end-users may upload, disclose or share through the personalization software.

Retention period

Generally the Personal Data that is processed will be retained for as long as necessary to fulfil the purposes for which the Personal Data was collected or as long as required by a legal obligation.

Specifically, when Personal Data is uploaded through the software it will be retained for a period of three (3) months. When the uploaded data (e.g. photos) is replaced by other Personal Data, the original Personal Data will be deleted after seven (7) days.

Permitted Sub-processors

Processor is given a general permission to engage Sub-processors to process the Personal Data on behalf of the Controller. Our current Sub-processors are: Google Cloud Platform, Sentry and MailGun. Processor will update the website as soon as changes happen regarding the engaged Sub-processors and notify Controller.