1. Introduction
1.1 StreetSmart Impact is a solution developed by Mobile School, a non-profit organisation incorporated under the laws of Belgium, with registered office at Brabançonnestraat 25, 3000 Leuven, Belgium, and registered under company number BE-0478.688.664 (hereinafter “Mobile School”, “we”, “us” or “our”).
1.2 When the Customer (hereinafter “Customer” or “you”) uses StreetSmart Impact, Mobile School may have access to and process personal data on behalf of the Customer in connection with the provision of the Services.
1.3 This Data Processing Agreement (hereinafter the “Agreement”) applies to the processing of personal data by Mobile School on behalf of the Customer in the context of StreetSmart Impact.
1.4 The purpose of this Agreement is to define: how Mobile School manages, secures and processes personal data; and the responsibilities of both parties under applicable data protection legislation.
1.5 By using the Services of Mobile School, the Customer acknowledges that it has read and accepted this Agreement.
2. Definitions
In this Agreement, the following capitalised terms have the meanings set out below.
App
The mobile application developed by Mobile School through which information is collected and transmitted to the Platform.
Controller
The entity which determines the purposes and means of the processing of personal data. In the context of StreetSmart Impact, this is the Customer.
Data Breach
Any unauthorised disclosure, access, loss, alteration, destruction or other compromise of personal data.
Data Subject
The natural person to whom the personal data relates, such as youth workers, minors or contact persons.
End-user
The individuals authorised by the Customer to use the Platform and App, including youth workers, volunteers, staff members and other authorised users.
Personal Data
Any information relating to an identified or identifiable natural person, as defined under applicable data protection legislation. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
Platform
The StreetSmart Impact platform developed by Mobile School and used to collect, store, structure and analyse information related to activities and participants.
Processing
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor
The entity that processes personal data on behalf of the Controller. In this Agreement, this is Mobile School.
Services
All services provided by Mobile School that involve the processing of personal data, including access to the Platform, the App and related support services.
Sub-processor
Any third party engaged by Mobile School to process personal data on behalf of the Customer.
Applicable Data Protection Legislation
The General Data Protection Regulation (EU) 2016/679 (“GDPR”); the Belgian Privacy Act of 30 July 2018; Directive 2002/58/EC (ePrivacy Directive); and any other applicable or successor data protection legislation.
3. Use of the services
3.1 The parties acknowledge that:
- the Customer acts as Controller of the personal data entered into StreetSmart Impact; and
- Mobile School acts as Processor of such personal data.
3.2 Mobile School shall process personal data only on documented instructions from the Customer, unless processing is required by applicable law.
3.3 The Customer is responsible for:
- determining which personal data are collected and entered into the Platform;
- ensuring that such processing complies with Applicable Data Protection Legislation;
- informing End-Users and Data Subjects about the processing of their personal data; and
- ensuring that only lawful and appropriate personal data are entered into the Services.
3.4 The Customer remains responsible for the actions and omissions of its End-Users when using the Services.
3.5 Mobile School will not access personal data unless this is necessary:
- to provide the Services;
- to resolve technical issues;
- to maintain, secure or improve the platform; or
- when requested or authorised by the Customer.
4. Object
4.1 The Customer acknowledges that, as a consequence of using the Services, Mobile School shall process personal data on behalf of the Customer.
4.2 Mobile School shall process personal data in a proper, careful and lawful manner and in accordance with Applicable Data Protection Legislation and other applicable rules concerning the processing of personal data.
4.3 More specifically, Mobile School shall implement appropriate technical and organisational security measures, as described in Annex II, and shall use its expertise to perform the Services in accordance with applicable data protection requirements.
4.4 The Customer retains control over:
- how personal data must be processed by Mobile School;
- the types of personal data processed;
- the purposes of the processing; and
- whether such processing is proportionate and lawful.
4.5 Because the Customer may collect personal data relating to minors, the Customer shall ensure that such collection is lawful and that Data Subjects are informed about the processing of their personal data through an appropriate privacy notice written in clear and understandable language, including where relevant for minors.
5. Security of processing
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, Mobile School shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
5.2 These measures are intended to protect personal data against:
- unauthorised or unlawful processing;
- accidental loss, destruction or damage; and
- risks affecting the confidentiality, integrity and availability of personal data.
5.3 The security measures implemented by Mobile School are described in Annex II.
6. Sub-processors
6.1 The Customer agrees that Mobile School may engage third-party Sub-processors in connection with the performance of the Services.
6.2 Mobile School shall ensure that any Sub-processor is bound by data protection obligations that are no less protective than those set out in this Agreement, insofar as applicable to the nature of the services provided by that Sub-processor.
6.3 The current Sub-processors used by Mobile School are listed in Annex III, including their identity and country of location.
6.4 Mobile School may update Annex III whenever a Sub-processor is added, replaced or removed and shall notify the Customer of significant changes.
6.5 If the Customer wishes to object to a new Sub-processor on reasonable data protection grounds, the Customer must notify Mobile School in writing within thirty (30) days after the relevant update.
6.6 If such objection is well founded, Mobile School will use reasonable efforts to:
- make available a change in the Services; or
- recommend a commercially reasonable change to the Customer’s use of the Services in order to avoid the processing of personal data by the objected Sub-processor.
6.7 If such change cannot reasonably be implemented within thirty (30) days following the objection, the Customer may terminate the Services relating to the affected processing activities.
6.8 Mobile School remains responsible for the acts and omissions of its Sub-processors as if it were performing the relevant Services itself.
7. Transfer of personal data to third countries
7.1 Mobile School shall ensure that any transfer of personal data to a country outside the European Economic Area is carried out in accordance with Applicable Data Protection Legislation.
7.2 Such transfers shall only take place where:
- the European Commission has adopted an adequacy decision; or
- appropriate safeguards are implemented, including the Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914, binding corporate rules, or any other recognised transfer mechanisms under Applicable Data Protection Legislation.
8. Confidentiality
8.1 Mobile School shall treat all personal data as confidential and shall not disclose or transfer such personal data to third parties without the Customer’s prior authorisation, unless required by law or by a competent public authority.
8.2 Where legally permitted, Mobile School shall inform the Customer of the scope and nature of any such disclosure before the disclosure takes place or, where that is not possible, as soon as reasonably possible thereafter.
8.3 Personnel authorised to process personal data are informed of the confidential nature of the data and are bound by confidentiality obligations.
8.4 Access to personal data is limited to personnel who require such access for the performance of the Services.
9. Notification
9.1 Mobile School shall inform the Customer without undue delay if:
- it receives a request from a competent public authority relating to the processing of Personal Data;
- it intends to disclose Personal Data to a competent public authority, unless legally prohibited; or
- it becomes aware of or reasonably suspects a Data Breach.
9.2 In the event of a Data Breach, Mobile School shall:
- notify the Customer without undue delay after becoming aware of the Data Breach;
- provide reasonable assistance to enable the Customer to comply with its legal obligations under applicable data protection legislation; and
- take appropriate measures to mitigate the effects of the Data Breach and to prevent similar incidents.
10. Rights of data subjects
10.1 If Mobile School receives a request from a Data Subject regarding the exercise of their rights under applicable data protection legislation, Mobile School shall notify the Customer without undue delay.
10.2 Mobile School shall not respond directly to such requests unless instructed or authorised by the Customer, unless required by applicable law.
10.3 Taking into account the nature of the processing, Mobile School shall provide reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject requests.
11. Liability
11.1 Each party shall be responsible for its own compliance with applicable data protection legislation and this Agreement. Each party shall be liable for damages, claims or administrative fines resulting from its own breach of this Agreement or applicable data protection legislation.
11.2 The liability of Mobile School under this Agreement shall be subject to the limitations set out in the Terms of Service.
12. Return and deletion of Personal Data
12.1 Upon termination of the Services, the Customer’s access to the Personal Data shall be deactivated.
12.2 Mobile School may retain the Personal Data for a limited period following termination, solely for the purpose of enabling data export or reactivation requests from the Customer. During this period, Mobile School shall not access or actively process the Personal Data.
12.3 After this period, the Personal Data shall be deleted or anonymised, unless retention is required by applicable law.
12.4 Where a Data Subject’s profile is deleted within the Services, the related Personal Data shall be deleted or anonymised without undue delay.
13. Audit and compliance
13.1 Mobile School shall make available to the Customer all information reasonably necessary to demonstrate compliance with this Agreement.
13.2 Upon reasonable prior notice, Mobile School shall allow for audits or inspections by the Customer or an independent auditor mandated by the Customer, provided that:
(a) such audits are limited to what is reasonably necessary;
(b) they do not unreasonably interfere with Mobile School’s operations; and
(c) appropriate confidentiality obligations are respected.
14. Term
This Data Processing Agreement shall remain in force for as long asMobile School processes Personal Data on behalf of the Customer in connectionwith the Services.