Privacy policy.

1. DEFINITIONS

1.1 For the purposes of this IMP, the following definitions and terms shall apply:

- GDPR or General Data Protection Regulation: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, with its amendments and European implementing legislation;

- Data Protection Legislation: the General Data Protection Regulation, other European regulations incorporating provisions relating to data protection and privacy, as well as applicable national data protection and privacy legislation in the Member States with its amendments and implementing acts, including approved codes of conduct applicable to the sector.

- Personal Data: Any data relating to an identified or identifiable natural person

- Processing: any act or set of acts relating to the personal data, including, inter alia, the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment, blocking, erasure or destruction of personal data.

- Controller: the party who alone or jointly with others determines the purposes and means of processing personal data

- Processor: the party that processes personal data on behalf of and at the instruction of the controller

- Data Subject: The person to whom the personal data relates

- Consent: Consent as defined in the GDPR.

- Personal Data Breach: Security breach or any other act or omission that results in the unauthorized or unlawful destruction, loss, alteration or disclosure of or access to personal data of Glowing Roots which are transmitted, stored or otherwise processed by the Processor in connection with this CSR.

- Basic Agreement: the agreement between Glowing Roots and the Processor

Effective date of IMP: the date of signature of this IMP.

2. General context and preliminary provisions:

The controller holds personal data, certain aspects of the processing of which are entrusted to the processor. The purpose of this Agreement is to govern the performance and organization of that processing by the Processor.

All parties involved undertake to comply with the following regulations and legislation:

• The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, with its amendments and European implementing legislation;

• The transposition of the aforementioned directive in the Belgian framework law dated July 30, 2018

• Other relevant regulations, whether sector-related or not

3. CONTEXT OF THE ASSIGNMENT

4. Scope, object and roles

4.1 The Processor has entered into a contract with Glowing Roots for the provision by the Processor to Glowing Roots of services involving the processing of personal data by the Processor (hereinafter "the Agreement").

4.2 The parties wish to enter into this IMP as a supplement to the Agreement and to regulate all possible future data processing activities that the Processor performs for the Customer. An overview of the data processing activities will be listed in Annex 1 to this Agreement.

4.3 In the event of any contradiction or inconsistency between the data protection clauses in the Agreement and the clauses of this IMP, the latter shall prevail.

4.4 Glowing Roots determines the purposes and means of the processing and is consequently the controller, and the Processor is the processor of personal data for the purposes of Glowing Roots, determined by data processing activity.

5. Processing in accordance with the regulations and written instructions of Glowing Roots

5.1 When processing personal data, the Parties shall act in accordance with the Data Protection Act.

5.2 The Processor shall process the personal data received from Glowing Roots only to provide the services under the respective agreement(s). These services are determined per data processing activity.

5.3 The Processor shall process the Personal Data solely on the basis of the written instructions of Glowing Roots, unilaterally determined by Glowing Roots. If the written instructions are not clear, the Processor shall notify Glowing Roots in writing, whereupon the instructions shall be clarified in mutual consultation.

5.4 Secrecy and confidentiality: the processor is obliged to keep the personal data it receives from the controller confidential. An exception to this is only possible if a legal regulation or court order obliges the processor to disclose or if the data provision takes place on the instructions of the controller.

The confidentiality shall remain in effect after the transfer or termination of this Agreement. This does not apply to personal data that is publicly available.

5.5 Except as otherwise provided in this CSR, the Processor will not process the Personal Data for its own purposes or those of third parties, nor provide the Personal Data to third parties, nor transfer the Personal Data to a country located outside the European Union without receiving written instructions to do so from Glowing Roots. Processing in accordance with the instructions of Glowing Roots may also mean that the processing must be stopped (immediately).

If the processor passes on references to Glowing Roots, it must have the consent of the data subjects and be able to provide proof thereof to Glowing Roots.

If European or national regulations require the Processor to carry out a particular processing operation, the Processor shall notify Glowing Roots, prior to the processing, of that legal requirement, unless such regulation prohibits such notification for important public interest reasons.

Glowing Roots gives instructions to the Processor in accordance with the Data Protection Legislation and ensures that all personal data entrusted to the Processor was lawfully obtained and can be processed in the context of the agreement(s) between the parties.

6. Processing by a "Subprocessor" or employee

6.1 The Processor shall ensure that the provisions of this CSR are complied with by its representatives, agents, subcontractors and employees.

By extension, the Processor ensures that:

- the persons authorized to process personal data have committed themselves to maintaining confidentiality or are bound by an appropriate legal obligation of confidentiality;

- measures are in place to ensure that any natural person acting under its authority and having access to the personal data processes them only on behalf of Glowing Roots, unless he is required to do so by European or national regulations.

6.2 The Processor shall not engage any other processor ("Subprocessor") without the prior specific or general written consent of Glowing Roots.

In the case of a specific written consent, the Processor shall provide the full details of the processing taken over by the subprocessor with this IMP.

In the case of a general written consent, the Processor shall only engage a third party as a subprocessor to the extent that it has informed Glowing Roots in a timely manner and in any event in advance of the identity of the sub-processor and to the extent that Glowing Roots has not objected thereto.

6.3 Where the Processor uses a sub-processor, the Processor shall impose on such sub-processor, by contract, the same data protection obligations as apply between the Processor and the Processing Agent. The Processor shall, upon first request, provide to Glowing Roots the agreement with the sub-processor.

6.4 Where the sub-processor fails to comply with its data protection obligations, the Processor shall remain fully liable in respect of Glowing Roots for the performance of the sub-processor's obligations.

7. DUPLICATION AND RETENTION OF DATA

7.1 The Processor shall not make a copy of the data made available except for the purpose of backup or unless it is necessary for the performance of the task as described in the contract.

7.2 The processor will not keep the data any longer than necessary to perform the services for which they are provided. If the data is no longer needed after the termination of the underlying contract, the Processor will irretrievably erase it or return it to the Processor in accordance with any agreements made or as determined by mutual agreement.

7.3 The Processor shall immediately make available and/or irretrievably destroy all copies of the Processed Personal Data and Derivatives, originating from the Processor or processed on behalf of the Processor, upon the Processor's request.

7.4 The processor will never store the data at a location outside the European Economic Area.

7.5 Any duplicate data shall be subject to the same restrictions and obligations as the original data.

8. Appropriate technical and organizational measures

8.1 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

8.2 The measures shall be determined taking into account the state of the art, the cost of implementation, as well as the nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of individuals that vary in their probability and severity.

8.3 The assessment of the appropriate level of security shall take into account, in particular, the processing risks, especially as a result of the destruction, loss, alteration or unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed, whether accidental or unlawful.

The Processor shall conform to the standards of approved codes of conduct and certification mechanisms as applicable within the industry.

9. Provide assistance with data protection policy obligations of Glowing Roots

9.1 Taking into account the nature of the processing and the information available to it, the Processor undertakes to provide assistance to Glowing Roots in the responsibility of Glowing Roots to comply with the following data protection obligations:

- Taking appropriate technical and organizational measures to ensure a risk-appropriate level of security;

- Reporting a personal data breach to the supervisory authority;

- the communication of a personal data breach to the data subject;

- Conducting a data protection impact assessment (DPIA);

- prior consultation of the supervisory authority if the data protection impact assessment (DPIA) shows that the processing would pose a high risk if Glowing Roots does not take measures to mitigate the risk.

The time and resources spent by the Processor in providing the assistance shall be at the Processor's own expense.

9.2 As an extension of Article 9.1, the Processor shall notify Glowing Roots in detail and immediately (at the latest within 24 hours of establishing the incident) of a (suspected) breach related to personal data as well as of any data leak (also at the sub-processor) as soon as the Processor becomes aware of it. The notification shall be made in such a way that Glowing Roots can comply with its legal obligations as a data controller under the Data Protection Act in a timely manner. The Processor shall indemnify Glowing Roots for any possible prejudice that Glowing Roots may suffer or be likely to suffer.

9.3 The Processor shall also provide assistance in the investigation, mitigation and remediation of a breach related to a processing of personal data. In doing so, it will also provide assistance, among other things, for the purpose of documenting measures such as data protection by design and by default.

9.4 The Processor shall notify Glowing Roots immediately of any complaint, allegation or request made (including if from a regulator) relating to the Processing of Personal Data by the Processor. The Processor shall provide all necessary cooperation and support that Glowing Roots can reasonably expect in relation to such complaint, allegation or request, including by providing full information about such complaint, allegation or request together with a copy of the personal data relating to the data subject in the possession of the Processor.

10. Providing assistance with the requests of the individuals.

10.1 Taking into account the nature of the processing, the Processor shall assist Glowing Roots, through appropriate technical and organizational measures, in fulfilling the duty of Glowing Roots to respond to requests to exercise the rights of the data subject, as provided for in the Data Protection Legislation.

This implies, among other things:

• that the Processor provides all the personal data requested by Glowing Roots, within the (reasonable) time period requested by Glowing Roots, in any event including full details and copies of the complaint, notice or application and any personal data in its possession relating to a data subject;

• that the Processor implements such technical and organizational measures as allow Glowing Roots to give effective and timely responses to relevant complaints, communications or requests.

The time and resources spent by the Processor in providing the assistance shall be at the Processor's own expense.

10.2 Following on from Article 10.1, the Processor undertakes to notify Glowing Roots without delay if it receives from a data subject (or third party acting on behalf of a data subject) any of the following requests:

- A request for access to the personal data processed from the data subject;

- A request for rectification of inaccurate personal data;

- A request for erasure of personal data;

- An application for restriction of the processing of personal data;

- A request to obtain a portable copy of the personal data, or to transfer a copy to a third party;

- an objection to any processing of personal data; or

- any other request, complaint or communication relating to the obligations of Glowing Roots under the Data Protection Legislation.

The Processor does not itself respond to the requests and inquiries of Data Subjects, except as may be otherwise agreed in writing between Glowing Roots and the Processor.

11. Right to control by Glowing Roots

11.1 Glowing Roots shall always have the right to monitor the Processor's compliance with this CSR.

Glowing Roots will notify the Processor in writing (including email) at least five (5) days prior to conducting the audit.

The Processor shall make available to Glowing Roots all information necessary to demonstrate compliance with its obligations under the Data Protection Legislation.

The Processor shall make possible audits, including inspections, by Glowing Roots or an auditor authorized by Glowing Roots, and shall facilitate and contribute to such audits. The Processor shall provide full cooperation with respect to any such audit and, upon request of Glowing Roots, proof of compliance with its obligations under this CSR. Deficiencies identified in audits shall be addressed by the Processor and converted into a plan, which shall be submitted to Glowing Roots for review and approval.

11.2 The Processor shall immediately notify Glowing Roots if, in its opinion, any instruction under Clause 11.1 violates the Data Protection Legislation.

12. Liability

12.1 The parties are each responsible and liable for their own actions. The liability governed by this Article shall relate only to liability resulting from a breach of the Data Protection Legislation and of this IMP.

12.2 The Processor shall indemnify and hold harmless Glowing Roots for all claims, actions, demands of third parties and for all damages and losses (including fines from the Data Protection Authority) arising directly or indirectly from a processing of personal data where the processing did not comply with the obligations of the Data Protection Law specifically addressed to Processors or where action has been taken outside or contrary to the lawful instructions of Glowing Roots.

12.3 The Parties shall ensure adequate coverage for their liability.

13. End of the agreement

13.1 This IMP shall be concluded for a period equal to the time required for the Processor to provide the services, as stipulated in the respective agreement(s).

13.2 If the Processor does not correctly fulfil the obligations of this IMP and fails to take appropriate measures within a maximum period of two months, then Glowing Roots may, without prejudice to other grounds for termination as provided for in the agreement(s) between the parties, immediately terminate the Basic Agreement after the aforementioned period of two months and/or stop the processing order.

13.3 This agreement forms a whole with the Basic Agreement and any agreements between the parties and therefore follows the fate of the aforementioned agreements. However, in the event that the Basic Agreement terminates, the provisions of this IMP shall continue to apply to the extent necessary for the settlement of obligations in accordance with the Data Protection Act.

13.4 Upon termination of this Agreement, the Processor shall provide to Glowing Roots a current copy of the data. All information or documents necessary for the subsequent processing of the data and all copies of such information in the possession or control of the Processor, its staff or subcontractors shall be returned in a structured, commonly used and machine-readable form, unless Glowing Roots at that time requests that the information be destroyed.

The Processor shall contribute in good faith to the transmission of all data to the computer system designated by Glowing Roots.

Once all data and databases have been transferred, the Processor shall immediately cease all processing of the data and irretrievably destroy any copy and backup of the data that it may still possess, unless otherwise contractually agreed between the parties.

14. Final Provisions

14.1 In the event of nullity or voidability of one or more provisions of this IMP, the remaining provisions shall remain in full force and effect.

14.2 This IMP is governed by Belgian law. Disputes shall be submitted to the courts in the judicial district in which the registered office of the company is located.

ANNEX 1: Details of the personal data to be processed
This Schedule 1 contains certain details regarding the processing of Personal Data as required by Article 28(3) GDPR.

Subject of the processing of Personal Data

The Processing of Personal Data is done in the context of the performance of Services, as described in the Master Agreement.

Nature and purpose of processing Personal Data

Personal Data may be processed by the Processor only if and to the extent necessary for the performance of the Master Agreement, including, but not limited to, collecting, storing, structuring, consulting, transferring Personal Data, upon instructions from Processor.

Types of Personal Data to be Processed
(indicate what is applicable and complete as necessary)

- Identification data, such as but not limited to last name, first name, email, data via contact forms on the website, email addresses for subscribing to newsletters, IP address.

- Financial data

- Invoice data

- Wage data

- Personal characteristics, such as but not limited to age, gender, date of birth, marital status

- Living habits

- Composition of the family, such as but not limited to details of marriage, name of partner and children.

- Interests

- Memberships

- Education and training, such as academic curriculum, professional competence and teaching experience

- Profession

- State registration number

- Image captures

- Other specific categories that Processor has Processed by Processor:

 .............................................................................................................................................................

Which special categories of personal data, as defined in Art 9 GDPR, are processed:

- Genetic data for the purpose of unique identification of an individual

- Health data

- Data on racial or ethnic origin

- Data on political views

- Details of religious or philosophical beliefs

- Data on union membership

- Data on sexual behavior or sexual orientation

- Processing of Personal Data on criminal offences, as provided for in Art 10 GDPR.

Categories of data subjects to which the Personal Data relates:

Customers, prospects, employees, business partners, website surfers, all related to the Processing Controller. (Supplement if necessary)

ANNEX 2: Technical and organizational measures

Provisions of Article 32 GDPR

Taking into account the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of individuals that vary in terms of probability and severity, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

The processor is required to take measures that may include the following:

• Pseudonymization and encryption of personal data

• Ability to ensure, on an ongoing basis, the confidentiality, integrity, availability and resilience of processing systems and services

• The ability to restore availability of and access to personal data in a timely manner in the event of a physical or technical incident

• A procedure for periodically testing, assessing and evaluating the effectiveness of the technical and organizational measures to secure processing

Technical and organizational measures

The list below can be thought of as a checklist.

It is requested that the processor indicate in the second column whether or not these measures are taken.

This list contains a division into main headings.
