ResultX – Data Processing Policy
Last update: November 2024
Pursuant to the Agreement, ResultX provides the Platform and the Services (both as defined below) to the Customer (as defined below). The provision of the Platform and the Service leads to the collection and processing of Personal Data (as defined below) by ResultX, in its capacity as a data processor, on behalf of the Customer. Therefore, ResultX provides the Customer with this Data Processing Policy (“DPP”) which sets out (i) how ResultX shall manage, process and secure the Personal Data; as well as (ii) all parties’ obligations to comply with the Privacy Legislation (as defined below).
By concluding an Agreement with ResultX, the Customer has indicated that it has read, understands and accepts the terms and conditions of this DPP, which forms an integral part of said Agreement. Capitalised terms in this DPP shall have the same meaning as in the Agreement.
This DPP may be updated from time to time by ResultX, in which case ResultX shall notify the Customer through its Website (as defined below) or the ResultX Platform. In any event, the latest version of this DPP can always be accessed on the Website, as well as on the ResultX Platform.
1 DEFINITIONS
1.1 Capitalised terms shall have the meaning as set out below.
Assignment: All activities performed by ResultX for the Customer, and any other form of cooperation whereby ResultX Processes Personal Data for the Customer, regardless of the legal nature of the agreement under which this Processing takes place;
Controller: The entity which determines the purposes and means of the Processing of Personal Data, meaning the Client as defined in the Agreement;
Customer: The party with whom ResultX has concluded the Agreement, including its Affiliate(s);
CSRD: Directive nr. 2022/2464 of the European Parliament and of the Council of 14 December 2022 amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC and Directive 2013/34/EU, as regards corporate sustainability reporting;
Data Subject: An identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal Data: Any information relating to an identified or identifiable natural person (i.e. a Data Subject);
Personal Data Breach: Unauthorised disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data which is processed by ResultX on behalf of the Customer;
Privacy Legislation: The (supra)national privacy legislation applicable to the processing of personal data by the Customer or ResultX within the scope of the Agreement, such as, but not limited to: (i) the General Data Protection Regulation 2016/679 of April 27, 2016 (“GDPR”); (ii) the United Kingdom (UK) Data Protection Act 2018; (iii) the Belgian Privacy Law of 30 July 2018; (iv) the ePrivacy Directive 2002/58/EC of 12 July 2002, including future amendments and revisions thereof; and/or (v) (future) national legislation regarding the implementation of the GDPR;
Processor: The entity which Processes Personal Data on behalf of the Controller;
Process/Processing: Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, including but not limited to: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
Platform: The ESG reporting platform developed by ResultX, for which the Customer can purchase a Subscription;
ResultX: The company ResultX BV, incorporated and existing under the laws of Belgium, with registered office at BE Heikantstraat 27, 3670 Oudsbergen, with VAT/company number BE-1005.682.043;
Services: All services provided by ResultX to the Customer with respect to the Platform (such as, but not limited to, support and maintenance);
Sub-processor: Any Processor engaged by ResultX.
1.2 The Policy includes the following annexes:
Annex I: Overview of (i) the Personal Data which the Parties expect to be subject to the Processing, (ii) the use (i.e. the way(s) of Processing) of the Personal Data, (iii) the goals and means of such Processing and (iv) the term(s) during which the (different types of) Personal Data shall be stored;
Annex II: Overview and description of the security measures taken by ResultX; and,
Annex III: List of Sub-processors engaged by ResultX.
1.3 The (uncapitalised) terms “(data) controller”; “personal data”; “personal data breach”; “process”; “processing”; “(data) processor” shall have the meaning attributed to them in the Privacy Legislation.
2 ROLES OF THE PARTIES
2.1 Parties acknowledge and agree that with regard to the Processing of Personal Data as instructed by the Customer, the Customer shall be considered ‘Controller’ and ResultX ‘Processor’. Further, ResultX is allowed to engage Sub-processor(s) pursuant to the requirements set forth in Article 7.
2.2 Each party shall comply with its respective obligations under the Privacy Legislation with respect to the processing of the Personal Data.
3 USE OF THE PLATFORM AND/OR THE SERVICES
3.1 The Customer acknowledges explicitly that:
❑ ResultX purely acts as a facilitator of the Platform and/or the Services. Hence, the Customer shall be solely responsible for how and to what extent it makes use of the Platform and/or the Services, as well as for all Personal Data collected through the Platform;
❑ It is responsible for all acts and omissions of Authorised Users (e.g. where an Authorised User does not take sufficient measures to protect its account on the Platform);
❑ As a result of the use of the Platform, a number of connections between the Customer’s technological infrastructure and the Platform shall be made. Documents shall however only be uploaded upon approval of the Customer;
❑ It is responsible for the material and/or data provided by the Data Subject. The Customer is, as Controller, thus responsible for complying with the Privacy Legislation and/or any other regulations with regard to the aforementioned material and/or data; and,
❑ It shall comply with all laws and regulations (such as, but not limited to, those regarding the retention period or the rights of the Data Subject) imposed on it by making use of the Service.
3.2 The Customer shall avoid any misuse of the Services. In case of misuse by the Customer of the Platform and/or the Services, the Customer agrees that ResultX can never be held liable in this respect nor for any damage that would occur from such misuse.
3.3 The Customer therefore undertakes to safeguard ResultX when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.
4 OBJECT
4.1 Customer acknowledges that as a consequence of making use of the Platform and/or the Services of ResultX, the latter shall Process Personal Data as collected by the Customer. The nature and purpose of said processing, as well as a description of the Personal Data and categories of Data Subjects processed under the Agreement are further specified in Annex I.
4.2 ResultX shall always Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.
4.3 More specifically, ResultX shall:
❑ during the performance of the Assignment, provide all its know-how in order to perform the Assignment according to the rules of art, as befits a specialised and ‘good’ processor; and,
❑ adopt, to the best of its abilities, the necessary security measures (cfr. Annex II) and provide all its know-how in order to perform the Service in accordance with the rules of art.
4.4 The Customer keeps full control concerning the following: (i) how the Personal Data must be processed by ResultX; (ii) the types of Personal Data processed; (iii) the categories of Data Subjects whose Personal Data is subjected to the processing; (iv) the purpose of the processing; and (v) the fact whether such processing is proportionate.
4.5 This DPP is without prejudice to the provisions of the Agreement with regard to ‘Data Protection’.
5 INSTRUCTIONS FROM / RESPONSIBILITY OF THE CUSTOMER
5.1 Instructions: ResultX shall only process the Personal Data upon the Customer’s request and in accordance with the Customer’s lawful instructions in Annex I, unless any legal obligation states otherwise. ResultX shall inform the Customer if, in its opinion, the instructions infringe the Privacy Legislation. If the Customer subsequently cannot guarantee the validity or legality of the instruction, or fails or refuses to change the unlawful instruction so that it no longer violates the Privacy Legislation, ResultX shall be entitled to (i) suspend/refuse the performance of said instruction and (ii) at its discretion, either continue to process the Personal Data in accordance with previously provided instructions or stop the processing altogether, until the Customer has revised its instruction so that it no longer violates the Privacy Legislation.
5.2 Responsibilities: Furthermore, the Customer acknowledges that it is responsible for:
❑ the accuracy, quality and legality of (the collection and transfer of) the Personal Data;
❑ compliance with all transparency and lawfulness requirements under the Privacy Legislation for the collection and processing of the Personal Data and the transfer thereof to ResultX; and,
❑ ensuring compliance of its instructions (cfr. Annex I) with the Privacy Legislation.
5.3 Customer shall inform ResultX without undue delay if it is not able to comply with its responsibilities under this Section or the Privacy Legislation.
6 SECURITY OF PROCESSING
6.1 ResultX takes the security of the Processing activities very seriously. ResultX shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (Personal Data Breach). In assessing the appropriate level of security, ResultX and the Customer shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the Data Subjects.
7 SUB-PROCESSORS
7.1 Approval of Sub-processor list:
7.1.1 The Customer acknowledges and agrees that ResultX may engage Sub-processors in connection with the provision of the Service (and the performance of the Agreement). In such case, ResultX shall ensure that the Sub-processors are at least bound by the same obligations by which ResultX is bound under this DPP.
7.1.2 ResultX has currently appointed as Sub-processors its Affiliates and other third parties as listed in Annex III.
7.1.3 ResultX shall be liable for the acts and omissions of its Sub-processors to the same extent as if it were performing the Service/processing of the Personal Data itself, directly under the terms of this DPP.
7.2 Update of the Sub-processor list:
7.2.1 ResultX shall:
❑ update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.);
❑ clearly indicate the changes in the list; and,
❑ add a timestamp (i) when the list was updated, and (ii) when the change of the Sub-processor went or will go into effect.
7.2.2 ResultX shall notify the Customer (e.g. on the Website or through the Platform) when changes to the list are made.
7.3 Objection
7.3.1 If the Customer wishes to exercise its right to object to a new Sub-processor, it shall notify ResultX in writing (cfr. Article 10) and on reasonable grounds, at the latest within thirty (30) days after the notification. If the Customer fails to object within the aforementioned timeframe, it shall be deemed to have waived its right to object and to have authorised ResultX to engage the new Sub-processor.
7.3.2 In the event the aforementioned objection is not found unreasonable by ResultX, the parties will discuss the Customer’s concerns with a view to achieving a reasonable solution. Such solution may include, at ResultX’s discretion, (i) making available to the Customer a change in the Service; or (ii) recommending a commercially reasonable change to the Customer’s use of the Service to avoid the processing of the Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.
7.3.3 If the parties are, however, unable to come to a solution within a reasonable period of time (which shall not exceed thirty (30) days following the objection of the Customer), the Customer may terminate the Service (in whole or partly) if:
❑ the Service/Platform cannot be used by the Customer without appealing to the objected new Sub-processor; or,
❑ such termination solely concerns that part of the Service which cannot be provided by ResultX without appealing to the objected new Sub-processor;
and this by providing written notice thereof to ResultX (cfr. Article 15) within a reasonable time.
7.3.4 Termination of the Service within the meaning of Article 7.3.3 shall be without liability to either party (but without prejudice to any Fees incurred by the Customer prior to suspension or termination of the Service).
8 TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
8.1 The Personal Data shall be processed within the European Economic Area (“EEA”).
8.2 However, the Customer recognises that ResultX is entitled to transfer the Personal Data to, and store it in, countries outside the EEA for the purpose of providing the Service and fulfilling its obligations under the Agreement, provided that such transfer/storage is done in accordance with the Privacy Legislation regarding additional safeguards. In particular, any transfer of Personal Data outside the EEA by ResultX to a third party whose domicile or registered office is in a country which does not fall under an adequacy decision enacted by the European Commission shall be additionally subject to one or more of the following EU-approved safeguards:
❑ a European Commission adequacy decision;
❑ closing a data transfer agreement with the third-country recipient, which shall contain the standard contractual clauses as referred to in the ‘European Commission implementing decision of 4 June 2021 (Decision (EU) 2021/914) on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council’, including the performance of a transfer impact assessment. Before the transfer takes place, the recipient of the Personal Data/Sub-processor of ResultX in the third country has to guarantee ResultX that an adequate level of privacy compliance is ensured in that third country;
❑ binding corporate rules: as is the case for standard contractual clauses, the recipient of the Personal Data/Sub-processor of ResultX in the third country has to guarantee ResultX that an adequate level of privacy compliance is ensured in that third country; and/or,
❑ certification mechanisms.
8.3 In the event the transfer (or disclosure) of the Personal Data to a third country is required by EU law, EU member state law or the law of the United Kingdom to which ResultX is subject, ResultX shall inform the Customer of that legal requirement before the transfer/disclosure, unless that law prohibits such information on important grounds of public interest.
9 CONFIDENTIALITY
9.1 ResultX shall keep the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties without the prior permission of the Customer, unless such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case ResultX shall, prior to any disclosure and/or announcement, inform the Customer in full transparency of the scope and manner thereof.
9.2 ResultX shall ensure that its personnel engaged in the performance of the Agreement are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. ResultX shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
9.3 ResultX shall ensure that access to the Personal Data is limited to those of its personnel performing the Assignment in accordance with the Policy.
9.4 The Customer acknowledges the login information to be strictly personal and ensures not to share this information with any third parties.
10 NOTIFICATION
10.1 Notification. ResultX shall use its best efforts to inform the Customer as soon as reasonably possible when it:
❑ receives a request for information, a subpoena or a request for inspection or audit from a competent public authority (incl. supervisory authority) in relation to the processing of the Personal Data;
❑ receives a request from a Data Subject invoking its privacy rights under the Privacy Legislation (cfr. Article 10.3);
❑ has the intention to disclose Personal Data to a competent public authority (incl. supervisory authority); or,
❑ determines or reasonably suspects a personal data breach has occurred in relation to the Personal Data.
10.2 Personal data breach. In case of a personal data breach, ResultX:
❑ shall notify the Customer without undue delay after becoming aware of this personal data breach and, to the extent possible, provide the information as required by Privacy Legislation (e.g. Article 33.3 GDPR). Upon request of the Customer, ResultX shall provide – to the extent possible – assistance with respect to the Customer’s reporting obligation under the Privacy Legislation;
❑ undertakes, as soon as reasonably possible, to take appropriate remedial actions to put an end to the personal data breach (if such has occurred under its responsibility) and to prevent and/or limit any future personal data breaches.
10.3 Rights of Data Subjects
10.3.1 ResultX shall promptly notify the Customer if it receives a request from a Data Subject invoking its privacy rights under the Privacy Legislation. ResultX shall not respond to any such Data Subject request without the Customer’s prior written consent, except to confirm that the request relates to the Customer, to which the Customer hereby agrees.
10.3.2 If a Data Subject requests to exercise his/her/their rights, it is the Customer’s responsibility to assist the Data Subject in its request. Only if the Customer does not have the ability to correct, amend, block or delete the Personal Data (as required by Privacy Legislation), ResultX shall assist the Customer (as long as commercially reasonable).
10.3.3 Notwithstanding the foregoing, the Customer remains responsible for compliance of such Data Subject requests.
10.4 Data Protection Impact Assessment. Taking into account the nature of the processing and to the extent that (i) a data protection impact assessment is required under the Privacy Legislation and (ii) the required information is reasonably available to ResultX and the Customer does not otherwise have access to said information, ResultX shall, upon request of the Customer, provide reasonable assistance to the Customer with the execution of a data protection impact assessment and possible prior consultation with the competent supervisory authorities. To the extent permitted by the Privacy Legislation, the Customer shall be responsible for any costs arising from ResultX’s provision of such assistance.
11 LIABILITY
11.1 Both parties are solely liable for all damage, claims and/or fines of third parties, competent supervisory authorities or Data Subjects that are the result of their own breach of or non-compliance with (i) the provisions of this DPP, and (ii) the Privacy Legislation or other applicable rules concerning Personal Data. Each party shall indemnify the other party in this regard.
11.2 In case of breach/non-compliance as described in Article 9.1, the infringing party is liable to the other party and must reimburse the latter for all damages and costs, including reasonable attorney’s fees, (legal) expenses and damage resulting from such breach/non-compliance.
11.3 In case of a proven breach by ResultX of its obligations under this DPP or under the Privacy Legislation, ResultX shall:
❑ be liable for the proven direct damages incurred by the Customer;
❑ not be liable for indirect, immaterial and/or consequential damages, including (but not limited to) loss of profit, loss of opportunities, loss of and/or damage to data, loss of reputation, sanctions and/or fines, and unforeseeable damages.
11.4 ResultX’s liability towards the Customer shall in any case be limited to the total amount paid by the Customer to ResultX during the last twelve (12) months under the Agreement.
11.5 The provisions in this Section shall be without prejudice to any other liabilities as agreed upon in the Agreement.
12 TERM
12.1 The total term of this DPP shall be the term of the Agreement. If no term is determined, this DPP shall remain in force as long as the Service has not come to an end.
13 RETURN AND DELETION OF PERSONAL DATA
13.1 ResultX shall only retain the Personal Data as long as needed to provide the Service or for the term of the Agreement (cfr. Article 12). The Customer accepts that ResultX may create back-ups of the Personal Data stored on the ResultX Platform.
13.2 Upon termination of the Service or the Agreement, the following shall apply:
❑ the Service and ResultX Platform shall be deactivated. Any Personal Data stored on the ResultX Platform shall as from that moment no longer be available to the Customer;
❑ the Customer may request the Personal Data to be returned (‘export’) within thirty (30) days following the end of the Agreement or the Service, upon which ResultX shall assess whether such export is possible from a technical perspective. In any event, ResultX may, at its sole discretion, determine the format of the export. ResultX reserves the right to charge any costs relating to such exports to the Customer;
❑ after said thirty (30) day period, the Personal Data on the ResultX Platform shall be deleted within one (1) month, unless it is required by applicable law to retain the Personal Data; and,
❑ the Personal Data may be present on back-ups. The Personal Data shall be deleted once the last back-up containing the Personal Data is rotated.
13.3 Please note that data or material provided to or submitted to ResultX by the Customer during the use of the Service that does not contain Personal Data may be further stored by ResultX following the termination of the Agreement or the Service.
14 COMPLIANCE / INSPECTIONS
14.1 Compliance. Upon the Customer’s request, ResultX shall make available to the Customer all information necessary, and to the extent required by law, to demonstrate its compliance with its obligations under this DPP.
14.2 Inspections
14.2.1 ResultX shall allow the Customer (or a third party on its behalf) to carry out inspections, such as, but not limited to, an audit, and shall provide the necessary assistance thereto.
14.2.2 However, the Customer shall limit its initiatives to perform an inspection to a maximum of once a year. The Customer must notify ResultX at least thirty (30) working days in advance. The performance of inspections may in any case not cause any delay in the performance of the Service by ResultX.
14.2.3 The Customer shall impose sufficient confidentiality obligations on its (internal/external) auditors. In order to ensure the confidentiality of other ResultX customers, ResultX has the right to require the Customer and its auditors to sign a non-disclosure agreement before the start of the inspection, and to limit the scope of the inspection or the Customer’s access to certain premises.
14.2.4 All inspection costs are exclusively borne by the Customer, except if (and to the extent that) a severe security incident/personal data breach (at ResultX/under ResultX’s responsibility) or a violation of this DPP is determined during the inspection.
15 NOTIFICATION / CONTACT RESULTX
15.1 Notifications by the Customer under this DPP and/or any questions or concerns with regard to the provisions of this DPP must be directed at [email protected].
16 MISCELLANEOUS
16.1 If one or more provisions of this agreement are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this agreement shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such event, the Parties shall negotiate to replace the invalid provision by an equivalent provision in accordance with the spirit of this agreement. If the Parties do not reach an agreement, then the competent court may mitigate the invalid provision to what is (legally) permitted.
16.2 Deviations, alterations and/or additions to this Policy shall only be valid and binding to the extent that they have been accepted in writing by both parties.
16.3 This Policy and the corresponding rights and obligations that exist in respect of the Parties cannot be transferred, directly or indirectly, without the prior written consent of the other party.
16.4 (Repeated) non-enforcement by a party or by both parties of any right or provision of this Policy can only be regarded as toleration of a certain state of affairs, and does not lead to forfeiture.
16.5 This Policy prevails over any other agreement between the parties.
17 GOVERNING LAW & JURISDICTION
This DPP, including its Annexes, shall be governed by the law and subject to the jurisdiction clause as provided in the Agreement.
Annex I – Data Processing
1 OVERVIEW OF THE PERSONAL DATA
Data Subjects – Category 1
❑ Name
❑ Phone Number
❑ Age
❑ Residence address
❑ Gender
❑ Salary
❑ E-mail address (personal and business e-mail address)
❑ Degree(s)/certificates obtained by employee
❑ License plate number
❑ National registry number
❑ Bank account
❑ Overview of investment portfolio
❑ Data typically processed in the context of ESG reporting
Data Subjects – Category 2
❑ Name
❑ E-mail address (business e-mail address)
❑ Phone Number
❑ Function
❑ Company name
❑ Data typically processed in the context of ESG reporting
2 OVERVIEW OF THE DATA SUBJECTS
Category 1
❑ Employees
❑ Freelancers
❑ Directors
Category 2
❑ Suppliers
❑ Clients
❑ Service providers
3 NATURE OF THE PROCESSING
❑ Collecting
❑ Consulting
❑ Sorting
❑ Comparing
❑ Structuring
❑ Interconnecting
❑ Modifying
❑ Communicating
❑ Saving
❑ Matching
❑ Transferring
❑ Deleting
❑ Analysis by AI algorithms
4 MEANS OF PROCESSING
❑ Through the ESG platform developed by ResultX
5 PURPOSE OF THE PROCESSING
Making an analysis of the Customer’s CSRD-compliance, including the possibility to generate compliance reports.
6 DURATION
For the term of the Agreement (cfr. ResultX’s Terms of Use applicable to the Customer). Upon termination of the Agreement (for whatsoever reason), access to the Platform shall be deactivated and the Personal Data shall either be deleted or returned to the Customer as provided in Article 13.
Annex II – Security
This Annex sets out the technical and organisational security measures implemented by ResultX in support of its (Processing) activities, as required by the Privacy Legislation.
1 DATA PROTECTION
Sensitive data which may be used to gain access to the platform, customer data or third parties (e.g. passwords, API tokens, access tokens) is protected by encryption both in transit and at rest.
All data in transit, whether over internal or external transport, is encrypted over the network.
2 ACCESS PROTECTION
Access to data processed by the platform is protected through user and role based access control. The customer is responsible for granting and revoking access to users (employees, consultants, contractors, suppliers, clients…) and assigning relevant access roles to these users.
3 DATA STORAGE AND BACK-UP (HOW AND WHEN)
Backups are made on a daily basis with a retention period of 7 days. Backups are stored in a physically different location than the live data stored by the platform.
4 SYSTEM RELIABILITY AND RESILIENCE
A minimum uptime availability cannot be guaranteed.
Annex III – Sub-processors
Last updated: November 2024
ResultX engages the following Sub-processors to assist in providing the Service as described in the Agreement:
1 SUBPROCESSORS
Name | Nature of processing | Territory
Microsoft Azure | Provides cloud infrastructure | EEA
Supabase | Web app development program | EEA
OVH Cloud | Provides cloud infrastructure | EEA