The following elements of this annexe apply to all clients of the Belgian and Luxembourg legal entities of the “Knokke Out” Group, which is composed of the following legal entities:
- Recreation & Leisure SA, business number: BE 0656.917.652
- River Woods Beach Club SPRL, business number: BE 0826.241.743
- KO Kottage SPRL, business number: BE 0667.921.412
- KOU XL SPRL, business number: BE 0666.625.174
- Kolline SPRL, business number: BE 0678.531.331
- KO Luxembourg SàRL, business number: B 23.299
- B19 Luxembourg SPRL, business number: pending
Article 1 – The Contractual Object (Art. 28, para. 3, a)
Knokke Out acts exclusively on behalf of the client and will consult and/or process personal data if and only if it is seen to be indispensable to the execution of the contract. In so doing, Knokke Out will follow all reasonable procedures as per instructions given by the Data Processing Officer.
Article 2 – Compliance with General Data Protection Regulations
The parties are committed in principle and explicitly to respecting the provisions of European Regulations 2017/679 relative to the protection of individuals with regard to the processing of personal data and the free movement of such data.
Article 3 – Use of Personal Data (Art.28, para. 3, 4)
Only the personal data that is strictly necessary for fulfilling the purposes to be achieved in Article 1 may be processed by Knokke Out. The processing as well as the access for usage of this data must be carried out in a secured manner. This data may be processed exclusively by Knokke Out, and this solely in accordance with Article 1 and its purpose, as defined by the present contract. It is the duty of Knokke Out to ensure the confidentiality of personal data received by the client. An exception to this may only be considered possible under legal provision or court injunction obliging Knokke Out to divulge this data, or if the client gives the instruction to do so. The client must be notified by Knokke Out, in advance, about all legally obliged communication of personal data to third parties.
Article 4 – Security (Article 32)
Knokke Out and the client both take appropriate technical and organisational measures to guarantee an appropriate level of security. Knokke Out and the client take all requisite measures, as enumerated in Article 32 of the General Regulations concerning Data Protection (GRDP).
Taking into account the present state of the art, the costs of implementation, and the nature, scope, context and goals of processing, as well as the risks, of varying probability and seriousness, to the rights and liberties of individuals, Knokke Out and the client take the appropriate technical and organizational measures in order to guarantee a level of security adapted to such risk.
Knokke Out will, in particular, secure the personal data against destruction, loss, alteration, or unauthorised disclosure of transmitted, conserved or otherwise processed data, including unauthorized access to this data, whether accidental or illicit. Knokke Out will at all times inform the client of the technical and organizational measures undertaken in order to protect personal data against its destruction, loss, falsification, transmission or unauthorized access.
Article 5 – Notification of Data Breach
Knokke Out undertakes to give notice of any and all attempts at illicit access or processing, or otherwise unauthorized access, to personal data or other confidential data. Knokke Out will give notice of the breach in question immediately, and at the latest 24 hours after having observed the incident. In addition, the sub-contractor will take all reasonable measures necessary to prevent or limit all (new) violations of security measures.
Knokke Out will, as a minimum, indicate the following in its notification:
• Nature of the incident
• Time of observation
• Data impacted
• Measures immediately taken in order to limit further damage
• Time of the end of the incident
• Structural preventive measures taken for the future
Article 6 – Physical and functional restriction of access
Knokke Out will take the necessary technical and organizational measures in order to ensure that the premises where personal data is processed following the client’s instruction are not accessible to unauthorized persons. Knokke Out will limit access to personal data to members of its personnel in need of this data in order to execute the remit for which the client has signed the present contract.
Article 7 – Raising awareness and training of personnel (Article 29)
Knokke Out is committed to informing the persons with access to data, in compliance with the present contract, of all provisions concerning General Rules and Regulations on Data Protection. Knokke Out guarantees that the persons entitled to process personal data will be fully committed to respecting the confidentiality of this data or will be bound by an adequate legal obligation as regards its confidentiality.
Article 8 – Application of Duty of Notification (Article 13)
If Knokke Out, through the execution of the present contract, directly collects personal data from the persons in question and saves this data, Knokke Out must respect the provisions of Article 13 of the General Rules and Regulations on Data Protection and therefore inform the persons in question.
Article 9 – Inspection by the Data Processing Officer (Article 28, para. 3, h)
Knokke Out has the right, at any time, to verify the compliance with this contract. Upon simple request of the Officer, Knokke Out must make available all information necessary to demonstrate compliance with all statutory obligations and allow the carrying out of audits, including inspections, by the client or other auditor mandated by the client, and must contribute to these audits.
Article 10 – Duration of this contract
The present contract comes into effect after having been signed by both parties. If the last contract were to end, then the present contract will also come to an end, with the exception of the confidentiality clause, which remains valid after transfer or expiration of the present contract, taking into account that the data must remain archived for a period of 7 years.