Data Processing Policy
Hi, welcome to Henchman! We are glad you use our solution in order to enable your organisation to set up and implement the fastest contract drafting experience ever made (the “Solution”).
Using the Solution leads to the processing of personal data by Henchman. Therefore, we have adopted this Data Processing Policy that we kindly request you to read.
You can be reassured that we will process the personal data in the best interest of your organization and employees. By reading this policy, you will be properly informed about our legal responsibilities with regard the the processing of personal data and the security measures we have adopted in order to ensure the personal data is processed in a safe way.
This is the first and only Data Processing Policy we have. Henchman may update this Data Processing Policy in the future: the latest version can always be found on our Website. You will be able to find our archived Data Processing Policies in pdf format here once changes are made.
Henchman BV is a company incorporated and existing under the laws of Belgium, with registered office at BE- D’Haenestraat (HEU) 22, 9070 Destelbergen, with VAT/company number BE-0784.395.184 ( ‘Henchman’, ‘we’ or ‘us’).
When you (‘you’ or the ‘Customer’) rely on the Henchman Solution, Henchman:
shall have access to Personal Data; and,
will have to Process Personal Data on your behalf.
This Data Processing Policy (: the ‘Policy’) applies to the Processing of Personal Data by Henchman for the Customer and determines:
how Henchman will manage, secure and process the Personal Data; and,
Both parties’ obligation to comply with the Privacy Legislation.
By relying on the Services of Henchman, you acknowledge to have read and accepted this Policy and consequently the way Henchman processes the Personal Data.
In this Policy, the following concepts have the meaning described in this article (when written with a capital letter):
The agreement between Henchman and the Customer.
the entity (being in this case: the Customer), which determines the purposes and means of the Processing of Personal Data;
the recipient of personal data/processor of Henchman in a third country, which is not subject to an adequacy decision of the European Commission;
the natural person to whom the Personal Data relates, as identified in Annex I;
unauthorised disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data;
the people affiliated with the Customer that are allowed to use the Solution (mainly employees and independent contractors);
any information relating to an identified or identifiable natural person (i.e. the Data Subject), as identified in Annex I. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(i) the Belgian Privacy Act of July 30, 2018; (ii) the General Data Protection Regulation 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (‘GDPR’); (iii) Directive 2002/58/EC of the European Parliament and Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘e-privacy directive’) (including all future legislative changes and amendments/revisions thereof); and/or (iv) all (future) applicable national laws regarding the implementation of the GDPR;
any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, including, but not limited to: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
the entity (being in this case: Henchman) which Processes Personal Data on behalf of the Customer as Controller;
all services, provided by Henchman to the Customer implying the Processing of Personal Data, including but not limited to: providing a right of access to the Solution and all support related thereto;
the solution developed by Henchman used by the End-Users as described above;
any processor engaged by Henchman.
The Policy includes the following annexes:
Overview of (i) the Personal Data, which parties expect to be subject of the Processing, (ii) the categories of Data Subjects, which parties expect to be subject of the Processing, the (iii) the nature of the Processing; and (iv) the use (i.e. the way(s) of Processing) of the Personal Data, the purpose and means of such Processing;
3. ROLE OF THE PARTIES
3.1 In accordance with the Privacy Legislation, the Customer shall be considered the ‘Controller’ and Henchman the ‘Processor'.
4. USE OF THE SERVICES
4.1 Parties agree that:
Henchman acts as a facilitator of the Services. Therefore, the Customer shall be responsible on how and to what extent it makes use thereof;
The Customer is responsible for all acts and ommissions of the End-Users (i.e. in case the End-User does (not) take sufficient measures to protect its account on the Solution);
Henchman allows the Customer to make adjustments and/or changes to the Personal Data and shall never consult or adjust these Personal Data itself, unless the Customer requests Henchman to do so;
The Customer is responsible for the material and/or data provided by the Data Subject. The Customer is, as Controller, thus responsible for complying with the Privacy Legislation and/or any other regulations with regard to aforementioned material and/or data;
The Customer shall comply with all laws and regulations (such as but not limited with regard to the retention period or rights of the Data Subject (cf. Article 11)) imposed on it by making use of the Services.
The Customer shall avoid any misuse of the Services and/or the Solution. In case of misuse by the Customer or the End-Users, the Customer agrees that Henchman can never be held liable in this respect nor for any damage that would occur.
5.1 The Customer acknowledges that as a consequence of making use of the Services, Henchman shall Process the Personal Data.
5.2 Henchman shall always Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.
5.3 More specifically, Henchman shall adopt all necessary security measures and provide all its know-how in order to perform the Services in accordance with the rules of art.
5.4 Henchman assures that it shall only Process the Personal Data upon the Customer’s request and in accordance with the latter’s instructions unless any legal obligation states otherwise.
5.5 The Customer keeps full control concerning the following: (i) how Personal Data must be Processed by Henchman, (ii) the types of Personal Data Processed, (iii), the purpose of Processing, and (iv) the fact whether such Processing is proportionate.
6. SECURITY OF PROCESSING
6.1 Henchman takes the security of the Processing activities very seriously. Taking into account the state of the art, Henchman implements appropriate technical and organisational measures for the protection of (i) the Personal Data – including protection against careless, improper, unauthorised or unlawful use and/or Processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of Personal Data, as set forth in the privacy corner of our website.
7.1 The Customer agrees that Henchman may engage third-party Sub-processors in connection with the performance of the Services. In such case, Henchman shall ensure that the Sub-processors are at least bound by the same obligations by which Henchman is bound under this Policy.
7.2 The current Sub-processor(s) on which we appeal for the performance of the Services are listed in the privacy corner of our website, which includes the identities of those Sub-processors and their country of location.
7.3 Henchman shall update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.) and will notify the Customer when (significant) changes are made. If you wish to exercise its right to object, please notify Henchman in writing by the latest within thirty (30) days after the list was updated.
- If the objection is well founded, Henchman will use reasonable efforts to (i) make available a change in the Services or (ii) recommend a commercially reasonable change to the Customer’s use of the Services to avoid Processing of Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.
If Henchman is, however, unable to make available such change within a reasonable period of time (which shall not exceed thirty (30) days following your objection), you may terminate the the Services if:
You cannot use the Services without appealing on the objected new Sub-processor;
Such termination only concerns the Services which cannot be provided by Henchman without appealing to the objected new Sub-processor;
You notify Henchman of your wish to terminate the the Services to Henchman within a reasonable time.
7.4 Henchman takes responsibility for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Services itself, directly under the terms of this Policy.
8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
8.1 Henchman assures the Customer that a transfer of personal data to a third country or international organisation shall always be subject to (i) an adequacy decision by the Commission or (ii) one of the following safeguards:
Closing a data transfer agreement with the third country recipient, which shall contain valid standard contractual clauses (‘SCC’), as adopted by the European Commission. Before the transfer takes place, the Data Importer has to guarantee to Henchman that an adequate level of privacy compliance is ensured in this third party country; and/or;
Binding corporate rules. As it is the case for standard contractual clauses, the Data Importer has to guarantee to Henchman that an adequate level of privacy compliance is ensured in the third party country; and/or;
8.2 Every transfer to a third country or international organisation, not recognized by an adequacy decision, is subject to an assessment by Henchman to determine if there is anything in the law and/or practices in force of said third country that may infringe on the effectiveness of the appropriate safeguards in place (as identified above).
Where required on the basis of aforementioned assessment, Henchman shall identify and implement appropriate supplementary measures to govern any data transfer to such international organization or a third country without adequacy decision to ensure the level of data protection as required by EU law.
Furthermore, Henchman shall take all reasonable efforts to oblige the Data Importer to implement sufficient guarantees and measures to protect the Personal Data and ensure the effectiveness of the protection of the SCC’s, binding corporate rules and/or certification mechanisms.
8.3 In case of non-compliance by a Data Importer or where protections in the third country are not adequate, Henchman shall – at its sole discretion - either:
Suspend the transfer of Personal Data to the Data Importer / such third country until the issue has been solved; or,
Terminate the transfer of Personal Data to the Data Importer / such third country and request the Data Importer to delete the Personal Data in its possession.
8.4 In practice, Henchman performed/added some additional checks to its process:
Data mapping: Henchman mapped its data flows (in particular, with regard to data transfers to third parties/countries);
Contact with (sub) processors: Henchman contacted the Data Importers to ensure that the processing is carried out in accordance with the agreements made and with the requirements from the Schrems II-decision.
Transfer tool identification: Henchman re-assessed the transfer tools (e.g. European Commission’s adequacy decisions, Standard Contractual Clauses, etc.) it or its (sub) processor relies on to transfer personal data to (sub) processors located in third countries;
Legal assessment of recipient country - Henchman is assessing the privacy laws of all third countries to which personal data is being transferred. Accordingly, Henchman wishes to establish if these third country recipients provide adequate and effective data protection;
Adequacy assessment - Henchman is requesting (sub) processors that are transferring data to third countries (in which effective protection equal to the GDPR cannot be guaranteed, such as the United States) to provide an overview of the supplementary measures they have taken or intend to take to ensure the safety and security of the data transfer and processing.
EEA alternatives – Prior to each transfer of personal data to a third country (especially where no equivalent level of data protection can be guaranteed) Henchman will assess the necessity of such data transfer by investigating whether there are no alternative options or parties that would ensure that the data is being processed within the European Economic Area (“EEA”);
Vendor cooperation assessment - Henchman will terminate the cooperation with (sub) processors transferring data to or located in third countries that are unable to guarantee an equivalent level of data protection.
Other procedural & organisational steps - upon finalising the vendor assessment, Henchman will implement the necessary procedural and organisational steps;
Periodic monitoring & evaluation - Henchman endeavours to evaluate on an ongoing basis the transfer of personal data to third countries (with regard to necessity, compliance, security…). This includes monitoring developments in such countries that could affect the (earlier) assessments made by Henchman.
9.1 Henchman shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without your permission, unless when such disclosure and/or transfer is required by law or by a court or other government decision (of any kind). In such case Henchman shall, prior to any disclosure and/or announcement, inform you in full transparency on the scope and manner thereof.
9.2 Henchman ensures you that its personnel, engaged in the performance of the Services, is informed of the confidential nature of the Personal Data, are well aware of their responsibilities and are bound by written confidentiality agreements. Henchman ensures that such confidentiality obligations survive the termination of the employment contract.
9.3 Henchman ensures you that the access of its personnel to the Personal Data is limited to such personnel performing the Services in accordance with the Policy.
10.1 Henchman will use its best efforts to inform you as soon as reasonably possible when it:
Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data;
Has the intention to disclose Personal Data to a competent public authority;
Determines or reasonably suspects a Data Breach has occurred in relation to the Personal Data.
10.2 In case of a Data Breach, Henchman:
Notifies you without undue delay (and within 48 hours) after becoming aware of this Data Breach. In the event you wish so, Henchman shall provide – to the extent possible – assistance with respect to your reporting obligation under the Privacy Legislation;
Undertakes – as soon as reasonably possible – to take appropriate remedial actions to make an end to the Data Breach and to prevent and/or limit any future Data Breach.
11. RIGHTS OF DATA SUBJECTS
Henchman shall promptly notify you if it receives a request from a Data Subject invoking its privacy rights under the Privacy Legislation. Henchman shall not respond to any such data subject request without your prior written consent.
If a Data Subject requests to exercise his/her rights, you must assist the Data Subject in its request. If you do not have the ability to correct, amend, block or delete the Personal Data (as required by Privacy Legislation), Henchman shall assist you (as long as commercially reasonable).
Parties are each individually liable towards authorised supervisory authorities and/or Data Subjects for claims and/or fines that are the result of their own breach of or non-compliance with (i) the provisions of this data processing policy, and (ii) the Privacy Legislation or other applicable rules concerning personal data. Henchman and the Customer indemnify each other in this regard.
The liability of Henchman for a breach of this data processing policy is limited as described in the applicable contractual documentation (i.e. the Terms and Conditions).
13. RETURN AND DELETION OF PERSONAL DATA
Upon termination of the Services, the accounts of the Customer will be deactivated and the Personal Data relating hereto will be deleted or anonymised. You can request to receive an export of its data. In any event, Henchman may, at its sole discretion, determine the format of the export.
Henchman shall retain the Personal Data for two (2) months to ensure export or reactivation request of the Customer can be fulfilled. Henchman shall never access the inactive Personal Data. As soon as the two (2) months ends, Henchman will anonymise the Personal Data, which will then solely be used for improvement of the Solution and statistical purposes.
In case a Data Subject’s profile is being removed from the Solution by the Customer, all Personal Data relating thereto will be deleted or anonymised as well (within 30 days).
All the foregoing does not apply, and Henchman may therefore continue to retain the Personal Data if – and only to the extent that – it is required to do so pursuant to a legal obligation imposed on Henchman.
Henchman is willing to provide you with all information, required to allow verification if we comply with the provisions of this Policy.
In this respect Henchman shall allow you to carry out inspections – such as, but not limited to: an audit – and provide the necessary assistance thereto.
This Policy lasts as long as the Services have not come to an end.
This Policy may be updated from time to time by Henchman, in which case Henchman shall notify you through its website. In any event, the latest version of this Policy can always be accessed on the Henchman website, as well as on the Solution.
15. CONTACT | DPO
Henchman has appointed a Data Protection Officer (or “DPO”) to ensure its compliance with Privacy Legislation. If you have any questions with regard to this Policy or the manner in which we Process the Personal Data, please contact our DPO via email: firstname.lastname@example.org.