data processing agreement

version: 201906

This Data Processing Agreement (“Agreement”) forms part of the General Terms and Conditions (“GTC”) between Cropland and the Member that subscribes to the Cropland Seeds platform (together as the “Parties”).


(A) The Member is the natural person or legal person, public authority, agency or other body that acts as a Data Controller;

(B) The Member wishes to use the Cropland Services, which could imply the processing of personal data, and has agreed to the General Terms and Conditions by subscribing for an account to the Cropland Seeds Services;

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

(D) The Parties wish to lay down their rights and obligations.


Article 1. Definitions

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1. The “Agreement” means this Data Processing Agreement;

1.2. "Confidential Information" means any information disclosed to the other Party in writing or in any other material form in accordance with this Agreement and which is classified as confidential or which may be considered confidential due to the nature of the data or the nature of the circumstances that require disclosure, such as, but not limited to, product information, customer lists, price lists, and financial information;

1.3. "Controller" means the natural or legal person, the government agency, the agency or any other body that, alone or together with others, determines the purposes and means for the processing of Personal Data processed under its authority, within the framework of this Agreement understood as the Controller;

1.4. "Data Subject" means an identified or identifiable natural person;

1.5. "Employee" means a person hired by an employer who has concluded an employment contract or works for the provision of labor services in exchange for a wage or a fixed payment. An Employee does not offer professional services as part of an independent company. Agents, distributors, advisers, consultants, freelancers, (independent) (sub) contractors or other third parties are not considered Employees for the purposes of this Agreement;

1.6. "Personal Data" means all information regarding a Data Subject;

1.7. "Data breach" means a security breach that led to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data that has been sent, stored, or otherwise processed;

1.8. "Processor" means a natural or legal person, a government agency, an agency or other agency that is authorized to process Personal Data on behalf of the Controller, such as Processor;

1.9. "Security measures" are those measures intended to protect Personal Data against accidental or unlawful destruction or loss, as well as against unauthorized access, alteration or transmission;

1.10. "Services" means the services performed by Processor in accordance with the Agreement and as set out in introduction B;

1.11. "Subprocessor" means any processor who is engaged as a subcontractor by the Processor and who agrees to process Personal Data for and on behalf of the Controller in accordance with this Agreement;

1.12. "Supervisory Authority" means an independent public authority established by a Member State in accordance with Article 51 of the Regulation;

1.13. "Third Party" means any party that is not a Data Subject, Controller, Processor or Subprocessor under this Agreement or a person authorized to process Personal Data under the direct authority of the Controller or Processor;

All other used but undefined terms have the same meaning as in the General Terms and Conditions.

Article 2. Subject matter

2.1. The Controller wants to entrust the Processor with the processing of Personal Data. The Processor will process the Personal Data in the name and for the account of the Controller. For the execution of Services, the Controller is responsible for the processing of Personal Data and the Processor is a data processor.

2.2. The Processor performs the Services in accordance with the provisions of this Agreement.

2.3. Both Parties explicitly undertake to comply with the provisions of the relevant applicable data protection legislation and will not do or fail to do anything that could cause the other Party to infringe the relevant and applicable data protection laws.

2.4. Processing activities. The processing performed by the Processor in the name and for the account of the Processing Controller relates to the Services performed by the Processor. The processing activities consist of:

  • Enroll Members on the Services and thereby store Personal Data for onboarding, support and invoicing purposes.

  • Provide a cloud-based data science toolkit in which Members can analyze their proprietary data;

  • Allow the Member to run data science programs and algorithms whereby the data is calculated in-memory and in a persistent Docker container that is hosted by the Processor;

  • Allow the Member to connect to third party data sets (e.g. CRM software, DB software, …) and integrate this data into data science programs.

2.5. Categories of Personal Data. Given the nature of the Services, the Processor does not directly access the Personal Data; it is the end-user working as an Employee for the Controller that will use the Services and control the Personal Data. Only when the Controller grants the Processor access to the Services (for assistance or training purposes), will the Processor have temporary and direct access to the Personal Data. In any case, the Processor only directly processes the Personal Data of the Member itself. Personal Data processed are:

  • First & Last Name

  • Company name

  • Function

  • Email address

  • Telephone number

  • Physical address

As per our licensing agreement with RStudio Inc. (see Article 9 below) for the use of RStudio Connect and RStudio Server Professional, we are obligated to disclose these details to RStudio, Inc. in order to enable RStudio, Inc. to invoice the license fees to Cropland.

2.6. The Data Subjects for which the Processor processes Personal Data are:

  • Employees and subcontractors of the Controller

  • Data Subjects that are part of the Controller data analyses

2.7. Purposes. The Processor will only use the Personal Data to ensure proper performance of the Services as part of the General Terms and Conditions in accordance with the provisions of this Agreement.

2.8. Only the Personal Data referred to in Article 2.5 can and will be processed by the Processor. In addition, Personal Data will only be processed in the light of the Purposes determined by the Parties in this article.

2.9. Both Parties undertake to take appropriate measures to ensure that the Personal Data is not used or obtained in an unauthorized manner by an unauthorized Third Party.

Article 3. Processing duration

3.1. This Agreement applies as long as the Processor processes Personal Data in the name and for the account of the Controller as part of the General Terms and Conditions. If the General Terms and Conditions ends in accordance with Article 3 (Closing your account), this Agreement will also end.

3.2. In the event of a violation of this Agreement or the applicable provisions of the Regulation, the Controller may instruct the Processor to stop further processing of the Personal Data with immediate effect.

3.3. In the event of the end of the Agreement, or in the event that the Personal Data is no longer relevant for the performance of the Services, the Processor will process the Personal Data it has received or obtained under the General Terms and Conditions to the extent of the possible anonymization or pseudonymization and this solely for the internal purposes to improve the services of the Processor.


4.1 The Processor processes the Personal Data only on the documented instructions of the Controller to perform the Services and in any case in accordance with the agreed Processing Activities as set out in Article 2.4 of this Agreement. The Processor will not further process the Personal Data covered by this Agreement in a manner incompatible with these instructions and the provisions laid down in this Agreement.

4.2 The Controller can only unilaterally change the instructions to a limited extent. The Processor must be consulted before major changes are made to the instructions. Changes that impact the core of this Agreement must be agreed upon by both Parties.

4.3 The Processor processes the Personal Data in accordance with Article 4.1 of this Agreement, including with regard to transfers of Personal Data to a third country or international organization, unless required by Union or Member State legislation to which the Processor is subject; in such a case, the Processor will inform the Controller of that legal requirement prior to processing, unless that law prohibits such communication for important reasons of public interest.


5.1 Compliance with legislation. The Processor assists the Controller in ensuring compliance with its obligations under the Regulation, taking into account the nature of the processing and the information available to the Processor.

5.2 Data Breach. In the event of a Data Breach relating to the processing subject of this Agreement, the Processor will notify the Controller without delay after having taken note of the Data Breach.

This notification contains at least the following information:

  1. The nature of the breach of Personal Data;

  2. The affected categories of Personal Data;

  3. The categories and the estimated number of Stakeholders;

  4. The categories and the estimated number of records with Personal Data of Data Subject;

  5. The likely consequences of the Data Breach;

  6. Measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible harmful effects.

5.3 In the event that the Processor uses a Subprocessor, the Processor will oblige the Subprocessor to provide him with the same information when a Data Breach occurs at the Subprocessor’s. The Processor sends the information received from the Subprocessor immediately to the Controller.

5.4 The Processor and its Subprocessor(s) shall designate among their staff members a single point of contact responsible for all communication between the Processor, the Subprocessor(s) and the Controller in the event of an incident that has caused or may cause an accidental or unauthorized destruction or loss or unauthorized access, modification or transfer of the Personal Data processed on behalf of the Controller.

5.5 The Controller will only, at its discretion and in accordance with the relevant and applicable data protection laws, decide whether Data Subjects whose Personal Data are affected by a data breach will be informed. It is the responsibility of the Controller to inform the Supervisory Authority of a data breach.

5.6 The Parties and, if applicable, the Subprocessor(s) shall ensure that they cooperate in good faith in order to limit the possible adverse effects of a Data Breach.

5.7 Data protection impact assessment. In addition, the Processor assists the Controller in executing Data Protection Assessments, as determined under Article 35 of the Regulation. The Processor is entitled to request a reasonable remuneration for the access to its premises and provision of information. In addition, all Data Protection Assessments shall be performed at the Controller’s expense.


6.1 At any time, the Processor will provide the Controller, at the request of the Controller, all information required by the Controller, to the extent that the Controller’s request pertains to the information determined by the provisions of this clause (however, a request must be made to give the Processor a reasonable time to comply with such a request):

  • All relevant details regarding its own corporate structure, as well as accurate and up-to-date identification data about all entities of Processor’s involved in the processing of Personal Data, including the location of their headquarters;

  • Without prejudice to what has been agreed in Article 9, Controller will accept the Agreement regarding the aspects of the processing that are based on or have the intention to be based on the Services of a Subprocessor as well as the identification data of a Subprocessor (including the location of its headquarters). The Agreement, which is transmitted to the controller related to, or is relevant with regard to the processing of Personal Data, except where this agreement with the Subprocessor(s) includes confidential information, in which case such confidential elements from the Agreement may be removed;

  • Geographical data of processing locations, including backup and redundancy facilities;

  • The physical, organizational, technical and logical security measures implemented by the Processor and its Subprocessor(s), as set out in Article 11 of this Agreement.


7.1 The Processor will handle all reasonable requests from the Controller with regard to the processing of Personal Data in connection with this Agreement, immediately or within a reasonable period (depending on the legal obligations defined in the Regulation) in an appropriate manner.

7.2 The Processor guarantees that there are no obligations arising from applicable legislation that make it impossible to comply with the obligations of this Agreement.

7.3 The Processor commits to not processing Personal Data for a purpose other than the performance of the Services and compliance with the responsibilities of this Agreement, in accordance with the documented instructions of the Controller; if the Processor for any reason cannot meet this requirement, he will immediately inform the Controller of this.

7.4 The Processor will notify the Controller if he believes that an instruction of the Controller violates applicable laws concerning data protection.

7.5 The Processor ensures that access to Personal Data, its inspection, processing, and publication will only occur in compliance with the principle of proportionality and the need-to-know principle (i.e., Personal data is only disclosed to those employees who need personal information to provide the Services).

7.6 The Processor commits to not disclosing any Personal Data to persons other than Employees of the Processor who need the Personal Data to fulfill the obligations of this Agreement. The Processor will ensure that the relevant employees respect the confidential nature of the Personal Data or that they are legally required to maintain confidentiality, unless such disclosure is provided for in the General Terms and Conditions.

7.7 From May 25, 2018, the Processor has an obligation to create a register of processing operations relating to this Agreement and to maintain it; the Processor makes the register available on demand of the Controller, designated by the Controller and / or Supervisory Authority auditor.


8.1 The Controller will provide all necessary assistance and will cooperate in good faith with the Processor to ensure that all processing of Personal Data complies with the requirements of the Regulation, in particular with regard to the principles concerning the processing of Personal Data.

8.2 The Controller will agree with the Processor on appropriate communication channels to ensure that instructions, directions, and other communication relating to Personal Data being processed on behalf of the Controller by the Processor, are exchanged between the Parties. The Controller will inform the Processor of the identity of a central contact person at the Controller, who must contact the Processor in application of this article 8.2.

8.3 The Controller guarantees that he will not formulate any instructions or requests to the Processor that do not comply with the provisions of the Regulation.

8.4 Without prejudice to Article 14.2 of this Agreement, the Controller will provide the assistance needed for the Processor and / or Subprocessor(s) to comply with a request, order, demand or summons addressed to the Processor or Subprocessor(s) by a competent national governmental or judicial authority.

8.5 Controller guarantees that he will not give instructions, directions or requests to the Processor and / or its Subprocessor(s) which would require that they violate any obligation imposed by the applicable mandatory national law the Processor and / or its Subprocessor(s) are subject to.

8.6 Controller guarantees that he will work in good faith with the Processor to mitigate the negative impact of a security incident affecting the Personal Data processed by Processor and / or its Subprocessor(s) on behalf of the Controller.


9.1 The Processor will not engage any other Processor without prior specific or general written permission from the Controller. In the case of general written permission, the Processor will inform the Controller of all intended changes with regard to the addition or replacement of other Processors, as a result of which the Controller has the possibility to object to such changes.

9.2 Without prejudice to the foregoing, the Parties agree that the Processor is not required to disclose the identity of each Subprocessor; it suffices to provide the Subprocessor’s category, in addition to the information required by articles 6 and 7 with respect to Subprocessors. Notwithstanding the aforementioned, the Controller may request at any time that the Processor disclose the identity of a Subprocessor and the Processor will be required to do so, provided such disclosure does not breach any confidentiality agreement or trade secret provision entered into by the Processor with the relevant Subprocessor. If the Processor is unable to reveal the identity of a Subprocessor, the Processor is required to provide a formal justification in writing;

9.3 The Processor will ensure that Subprocessors are bound by the obligations in this Agreement regarding Personal Data.

9.4 The Processor will relay the goals and instructions determined by the Controller in an accurate and fast way to the Subprocessor(s) when and where these objectives and instructions relate to the part of the processing in which the Subprocessor(s) is (are) involved.

9.5 As part of this Agreement, the Processor uses the following categories of Subprocessors to ensure the performance of the Services for the Data Subject.

  • Efactive BVBA, headquartered in Aartselaar, Belgium: Supplier of management services for Cropland BVBA

  • Google Ireland Limited, headquartered in Dublin, Ireland: Supplier for secure data storage facilities located in St. Ghislain, Belgium

  • Google Ireland Limited, headquartered in Dublin, Ireland: Supplier for secure servers located in St. Ghislain, Belgium. 

  • Google Ireland Limited, headquartered in Dublin, Ireland: Supplier of e-mail and office productivity software and services

  • RStudio, Inc., headquartered in Delaware, United States: Supplier for the RStudio Server Professional and RStudio Connect programs included in the Cropland Seeds offering

  • Sendgrid, Inc., headquartered in Colorado, United States: Supplier of e-mail relay services

  • Teamleader BVBA, headquartered in Ghent, Belgium: Supplier of software for customer and project management

  • Winbooks NV, headquartered in Louvain-La-Neuve – Ottignies, Belgium: Supplier of software for financial management


10.1 Taking into account the nature of the processing and to the extent that this is possible, the Processor will assist the Controller with appropriate organizational and technical measures in order to enable the Controller to fulfill his obligations to comply with requests by Data Subjects in relation to the execution of their rights, as described in Chapter III of the Regulation.

10.2 With respect to any request of Data Subjects in relation to their rights concerning the processing of personal data that relate to them by the Processor and / or its Subprocessor(s), the following conditions apply:

  • The Processor will make his best effort to notify the Controller of any request from a Data Subject regarding Personal Data processed by the Processor and/or his/her Subprocessor(s) on behalf of the Controller, without complying with any such request, unless explicitly authorized by the Controller to do so;

  • The Processor will comply immediately and require from his Subprocessor(s) immediate compliance with any request of the Controller so that the Controller can meet the request of the Data Subject who wishes to exercise any of his/her rights;

  • The Processor must ensure that both he and the Subprocessor(s) have the technical and organizational capabilities required to block access to Personal Data and physically destroy data without recovery within 90 days, if and when such a request is made by the Controller;

  • The Processor shall provide on request of the Controller and based on the best efforts all necessary assistance and provide all information necessary for the Controller to defend its interests in proceedings and litigations - legal, arbitral or otherwise - against the Controller or its Employee for any violation of fundamental rights to privacy and protection of personal data of Data Subjects.


11.1 During the term of this Agreement, the Processor must take and maintain appropriate technical and organizational measures in such a way that the processing complies with the requirements of the Regulation and guarantees the protection of the Data Subject's rights.

The Processor will, among other things, take technical and organizational measures against unauthorized and unlawful processing, and will periodically evaluate the suitability of the security measures and adjust them where necessary.

11.2 More specifically, the Processor must take appropriate technical and organizational measures to ensure appropriate security levels in accordance with the risk, in accordance with Article 32 of the Regulation.

11.3 In assessing the correct level of security, particular account was taken of the risks involved in processing, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data being sent, stored or otherwise processed.

11.4 The Controller reserves the right to suspend and/or terminate the General Terms and Conditions if the Processor can no longer provide technical and organizational measures that are suitable for the risk of processing.

11.5 The Processor has implemented, among other things, but not limited to, the following general physical, logical, technical and organizational security measures:

  • Personal Data that are processed by users of the Service are stored and processed in a secure cloud-based solution from Google;

  • Personal Data that is processed in the context of financial settlement is stored in a secure infrastructure of TEAMLEADER and WINBOOKS;

  • All Hardware of the Processor and Subprocessors is protected with a strong password that must be renewed monthly; in addition, all hard drives are encrypted;

  • Personal Data that is processed in the context of the Services is encrypted, both at rest (stored in the database) and in transit (during transmission to the end user);

  • The application, which is being developed within the framework of the Services, uses 256-bit SSL encryption for login verification;

  • The passwords for the application are encrypted with SHA3-256 technology prior to storing them in the database;

  • The Hardware of the Processor’s Employees is protected by two-factor authentication; 

  • An established Data Breach Policy that is followed by all Processor Employees;


12.1 The Processor recognizes that the Controller is supervised by one or several Supervisory Authorities. The Processor recognizes that the Controller and all Supervisory Authorities involved have the right to perform audits, at any time during the term of this Agreement and in any case during the Processor’s normal business hours, in order to assess whether the Processor meets the Regulation and the provisions of this Agreement. The Processor ensures the necessary cooperation.

This right to audit may not be executed more than once per calendar year, unless the Controller and/or the Supervisory Authority has reasonable grounds to believe that the Processor is acting in violation of this Agreement and/or the provisions of the Regulation.

12.2 At the written request of the Controller, the Processor will grant access to an independent third party, a certified auditor, appointed by the Controller or the relevant Supervisory Authority, to relevant parts of the Processor’s administration and all sites and information of interest (and those of its agents, subsidiaries, and subcontractors) to determine whether the Processor complies with the Regulation and the provisions of this Agreement. At the request of the Processor, the parties involved will enter a non-disclosure agreement.

12.3 The Controller will take all appropriate measures to minimize any impact caused by the audit on the Processor’s daily operations or the Services performed by the Processor.

12.4 The Controller shall bear all costs related to the audit. The Processor is entitled to request a reasonable remuneration for the access to its premises and provision of information. 

12.5 The Controller shall, free of any cost, provide the Processor with the result of the audit. The Controller shall ensure that its employees or appointed third parties have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Controller shall in no event communicate the result of the audit to the public.

12.6 If there is agreement between the Processor and the Controller about a material shortcoming in compliance with the Regulation and / or the Agreement, as revealed in the audit, the Processor will rectify this error as quickly as possible. The Parties may agree to a plan, including a timetable to implement the plan, to respond to the shortcomings revealed in the audit.


13.1 The transfer of Personal Data to third parties in any possible way is prohibited, unless this is required by law or in the event that the Processor has obtained the express permission of the Controller to do so. If a legal obligation applies to transfers of Personal Data covered by this Agreement to third parties, the Processor will notify the Controller before the transfer.


14.1 The parties agree that the Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data, such as those published in the decision of the European Commission on February 5, 2010 (Decision 2010/87/EC) or other mechanisms provided for by applicable laws and regulations.

14.2 Before any international transfer, the Processor must inform the Controller on the specific measures taken to ensure the protection of the Personal Data of the Data Subject concerned, in accordance with the Regulation.


15.1 The Processor will notify the Controller immediately of any subpoena, order, request or summons issued by a competent national governmental or judicial authority addressed to the Processor or Subprocessor and related to the disclosure of Personal Information being processed by the Processor or Subprocessor on behalf of the Controller or related to any data and/or information concerning such processing.

15.2 Without prejudice to Article 15.1 of this Agreement, the Processor guarantees that there are no obligations under applicable legal legislation that make it impossible for the Processor to fulfill its obligations under this Agreement.


16.1 All intellectual property rights with regard to the Personal Data and with regard to the databases containing this Personal Data are reserved for the Controller, unless otherwise contractually agreed between the Parties. Nothing in this Agreement constitutes a transfer of intellectual property rights from the Controller to the Processor, unless otherwise contractually agreed between the Parties.


17.1 The Processor commits to treating the Personal Data and the processing thereof with the utmost confidentiality. The Processor guarantees confidentiality with measures that are no less restrictive than the measures that he uses to protect his own confidential material, including Personal Data.

17.2 The Processor ensures that employees or Subprocessors who are authorized to process the Personal Data are obliged to maintain confidentiality or have an applicable legal obligation to maintain confidentiality.


18.1 Without prejudice to the General Terms and Conditions, the Processor is only liable for the damage caused by processing if he has not complied with the obligations of the Regulation that are specifically aimed at processors, or if he has acted outside of or has contravened the legal instructions of the Controller.

18.2 The Processor owes administrative fines arising from a breach of the provisions of the Regulation. The Processor cannot be held liable under any circumstances if he proves that he is not responsible for the event that caused the damage.

18.3 If it appears that both the Controller and the Processor are responsible for the damage caused by the processing of Personal Data, both Parties are liable and pay compensation, in accordance with their individual share in the responsibility for the damage caused by the processing.


19.1 Until May 25, 2018, this Agreement must be interpreted in accordance with both the Belgian Privacy Act and the Regulation to comply with the Regulation. The Regulation will be fully applicable to this Agreement from 25 May 2018 onward.

19.2 The Processor agrees that, if a Data Subject appeals to the Agreement to submit a claim, the Processor will accept the decision of the Data Subject concerned, namely:

  • Refer the dispute to mediation by an independent person;

  • Submit the dispute to the courts in Belgium.

19.3 The Parties agree that the choice of a Data Subject does not affect the substantive or procedural rights of the Data Subject to seek redress in accordance with other provisions of applicable national or international law.

19.4 Any dispute between the Parties regarding the terms of this Agreement will be submitted to the competent courts, as stipulated in the General Terms and Conditions.


20.1 This Agreement applies as long as the Processor processes Personal Data on behalf of the Controller.

20.2 In case of violation of this Agreement or the Regulation, the Processor may order that the further processing of the information be stopped with immediate effect.

20.3 The Processor does not store the data any longer than necessary for the performance of the Services for which the data is provided. At the termination of the Agreement, the Processor will remove or return all Personal Data to the Controller. The Processor will remove all existing copies after a maximum of 90 days, and state that this is done, unless laws of the Union or a Member State require the storage of Personal Information. The Personal Data is provided to the Controller, unless otherwise agreed.

Article 21. Applicable law and jurisdiction

21.1 All issues, questions and disputes concerning the validity, interpretation, enforcement, performance or termination of this Agreement shall be governed by and construed in accordance with Belgian law.

21.2 Any dispute concerning the validity, interpretation, enforcement, performance or termination of this Agreement shall be submitted to the exclusive jurisdiction of the Belgian courts in Antwerp.