Next Gate Tech
Current as of February 16th 2024
Data Processing Addendum

PROCESSING OF PERSONAL DATA

PART 1: PROCESSING OF PERSONAL DATA BY NEXT GATE TECH AS A CONTROLLER

Preamble

In relation to these specific data protection requirements, unless the context otherwise requires:
Agreement means any agreement entered into between the Client and Next Gate Tech enabling the Client to benefit from certain product(s) developed by Next Gate Tech. Terms in capital letters used herein shall have the meaning ascribed to them under the relevant Agreement unless otherwise specifically defined hereunder.
Data Protection Laws means the General Data Protection Regulation 2016/679 (GDPR) and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated, and the terms “controller”, “process”, “data subject”, and “personal data” shall have the meanings given to those terms in the GDPR.

The Client (or Client’s Affiliates and/or Client Data Providers or Third Party Data Providers as the case may be) will provide Next Gate Tech, or Next Gate Tech will have access to personal information of, inter alia, and as the case may be, their governing bodies, authorised representatives, Authorised Users, directors, employees, officers, individuals related to their service providers (including Client Data Providers or Third Party Data Providers as relevant) (the “Data Subjects”), that constitutes personal data (“Personal Data”), and that Next Gate Tech will collect, store and process, by electronic or other means i) for the purpose of execution of the Agreement (including any and all services provided thereunder) and all ancillary technical and commercial services as the case may be, and/or, ii) where any individual referred there above uses certain features of Next Gate Tech’s Website (such as the dashboard or forms) or any other relevant application (including mobile application).

The Client can contact Next Gate Tech, acting as controller, at the following coordinates:
Next Gate Tech S.A
26A, boulevard Royal
L-2449 Luxembourg
Email: privacy@nextgatetech.com

A. Collected and processed Personal Data

The Personal Data to be processed by Next Gate Tech as a controller are:

  • Name, job title, professional phone number, professional email address, country, company
  • Initial set of credentials to access the Product;
  • Log-activity;
  • Operating system type and version number;
  • Browser type and language;
  • Screen resolution;
  • IP address;
  • Billing and mailing addresses;
  • Areas of interest;
  • Event attendance;
  • Event information, including dietary preferences.

B. Cookies-related information

When a Data Subject visits the dashboard, some information is collected automatically. For example the name of the Data Subject’s internet service provider, the Website the Data Subject visited the dashboard from, the parts of the site the Data Subject visits, the date and duration of the Data Subject’s visit, and information from the device, as more fully explained under Next Gate Tech’s Cookie Policy.

C. Purposes and legal basis

i) Data Subjects are hereby informed that Next Gate Tech processes (including without limitation collects, uses, stores, transfers as the case may be) the Personal Data for the purposes of:

  1. performing the Agreement and providing its correlated services;
  2. managing communications following the use of the contact form or the “request a demo” form via Next Gate Tech’s Website or the dashboard messaging app functionality;
  3. issuance of initial set of login credentials in order to access the Product(s);
  4. control of log-activity on the relevant Product(s) for the purpose of incident management, including Data Subject’s type and version of browser, browser language, operating system type and version number, manufacturer and model and and URL;
  5. providing application support services related to the use of the Product(s) including managing queries and incident received from the Client;
  6. providing maintenance operations on the hosting infrastructure of the Product(s);
  7. performing “Customer Relationship Management” (CRM) and correlated management of services;
  8. offering similar products and services with respect to the services already provided to the Data Subjects in the context of direct marketing solicitation, notably via post, email, being understood that any Data Subject can object at any time, on request and free of charge, to the processing of his/her Personal Data relating to him/her which Next Gate Tech anticipates being processed for the purposes of direct marketing;
  9. inviting clients and client-related contacts to Next Gate Tech events (either physical or online events) or events endorsed or sponsored by Next Gate Tech, or events where Next Gate Tech is affiliated or subscribed to the event;
  10. management of disputes, litigations and complaints;

(together the “Purposes”).

ii) The Personal Data are processed (including without limitation collected, used, stored, transferred) by Next Gate Tech:
With respect to Purposes 1 to 6:
- for the performance of pre-contractual steps when entering into discussions with the Client based on Next Gate Tech’s offer of services,
- for the necessary execution of the Agreement and the services provided thereunder, including inter alia, the use of any dashboard feature or (mobile) application.
With respect to Purposes 7 to 10:
- for satisfying Next Gate Tech’s (or a third party’s) legitimate interests such as seeking maximum efficiency (including administrative, organisational and IT efficiency) of the services and their correlated maintenance.

D. Recipients

The Personal Data, are, or may be transmitted, or made available to the following recipients, by Next Gate Tech, when such disclosure or transmission is necessary for satisfying the Purposes:

  • The authorized staff of Next Gate Tech,
  • Telkea ICT SA (as local infrastructure operator),
  • Proximus Luxembourg S.A./ Google Cloud as hosting provider for the Purposes referred to above
  • Next Gate Tech’s legal advisors and auditors,
  • External legal advisors, auditors and other parties in relation to any due diligence process (e.g. in case of merger and/or acquisition) subject to entering into a non-disclosure agreement (where relevant),
  • Public, governmental, administrative or judicial entities.

E. Retention

The Personal Data shall not be retained longer than the time required for satisfying the Purposes, subject to the legal periods of limitation and to the situations where the applicable laws authorize or require that Personal Data be retained for a certain period of time after the termination of a contract (such as the legal obligation to keep accounting documents for a period of 10 years).
Without prejudice to the foregoing, the Client is in particular informed that:

  • The Personal Data processed for the purpose of performance of the Agreement and correlated services will be retained during the whole duration of the Agreement and subject to prescription periods after termination of a contract notably in regard of articles 16 and 189 of Commercial Code (i.e. archiving of the Agreement for a 10-year period in this respect);
  • The Personal Data processed for the purpose of issuance of the initial set of login credentials will be retained for the whole duration of the Agreement without prejudice to further archiving after termination of the Agreement based on applicable legal limitation periods;
  • Invoices will be retained for a minimum period of 10 years after their issuance according to the foregoing;
  • The Personal Data used as contact details for email and CRM will be retained during the whole duration of the Agreement and any subsequent commercial relation which may still exist between the Data Subject and Next Gate Tech;
  • The log activity is retained for the whole duration of the Agreement without prejudice to further archiving after termination of the Agreement based on applicable legal limitation periods;
  • The Personal Data processed for the purpose of provision of support services and/or maintenance will be retained during the whole duration of the Agreement;
  • The Personal Data processed for the purpose of direct marketing communication will be retained during the whole duration of the Agreement, and up to a period of three years after termination of this Agreement, being understood that each concerned Data Subject benefits from an opt-out right at any time.

F. Rights

Subject to the conditions of the Data Protection Laws, a Data Subject may request from Next Gate Tech any of the following:

  • right to access his/her Personal Data...
  • rectification of his/her Personal Data...
  • erasure of his/her Personal Data,
  • restriction of the processing of his/her Personal Data...
  • right to object to the processing of the Personal Data...
  • where relevant, the right to request the portability of his/her Personal Data...

The concerned Data Subject may exercise such rights by written instruction to be sent to:
Email: privacy@nextgatetech.com
The concerned Data Subject is also entitled to address any claim relating to the processing of his/her Personal Data carried out by Next Gate Tech to the relevant data protection supervisory authority (i.e. in Luxembourg, the “Commission Nationale pour la Protection des Données”).

PART 2: PROCESSING OF PERSONAL DATA BY NEXT GATE TECH AS A PROCESSOR

1. Definitions and interpretation

In relation to these specific data protection requirements, unless the context otherwise requires:

Agreement means any agreement entered into between the Client and Next Gate Tech enabling the Client to benefit from certain product(s) developed by Next Gate Tech. Terms in capital letters used herein shall have the meaning ascribed to them under the relevant Agreement unless otherwise specifically defined hereunder.

Data Protection Laws means the General Data Protection Regulation 2016/679 (GDPR) and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated, and the terms “controller”, “processor”, “process”, “data subjects”, and “personal data” shall have the meanings given to those terms in the GDPR.

Personal Data Breach means any breach of Next Gate Tech’s security leading to the accidental or unauthorised destruction, loss, alteration, disclosure of, or access to, Relevant Personal Data on systems managed or controlled by Next Gate Tech. Personal Data Breach do not include unsuccessful attempts or activities that do not compromise the security of Relevant Personal Data; and

Relevant Personal Data means the categories of personal data that are set out herein and that are processed by Next Gate Tech for or on behalf of the Client (or as the case may be Client’s Affiliates) under, or in connection with the provision of the services related to the relevant Product(s).

2. Data Protection Requirements

The Parties have described the processing of Relevant Personal Data being undertaken by Next Gate Tech as processor in Part 3 below. The Parties understand and agree that depending on the circumstances, the Client, or the Client’s Affiliates having recourse to the services subject to the provisions of the Agreement, may act as controller or processor while Next Gate Tech may subsequently act as processor or as sub-processor.

Next Gate Tech shall in relation to Relevant Personal Data that it processes on behalf of the Client, or Client’s Affiliates as the case may be (subject to the provisions of the Agreement), and in connection with the performance of the Agreement:

  • act only in accordance with the Agreement (and this Appendix) and with the instructions of the Client or Client’s Affiliates in relation to the processing of Relevant Personal Data (including instructions in relation to the return or destruction) and as needed to comply with law. In the event that Next Gate Tech is required to process Relevant Personal Data to comply with EU laws, Next Gate Tech shall, unless such legal requirement prohibits it from doing so, inform the Client or Client’s Affiliates of the relevant legal requirement before carrying out the relevant processing activities ;
  • take reasonable steps to ensure that all persons (legal or natural) to whom it discloses Relevant Personal Data have committed themselves to appropriate obligations of confidentiality (or are under an appropriate statutory obligation of confidentiality);
  • implement appropriate technical and organisational measures, in accordance with Data Protection Laws, to ensure a level of security appropriate to the risk. Next Gate Tech shall maintain such security measures for as long as it is processing the Relevant Personal Data;
  • transfer Relevant Personal Data to or access it from various locations, which may include locations both inside and outside of the European Economic Area (“EEA”) by taking into account the EU Standard Contractual Clauses published by the European Commission and/or any other suitable safeguards as appropriate;
  • taking into account the nature of the processing and the information available to Next Gate Tech, Next Gate Tech will:
    • afford to the Client (or Client’s Affiliates as the case may be) all information necessary to demonstrate compliance with Next Gate Tech’s obligations as processor, and, allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client, subject to an access in normal working hours on reasonable notice and at reasonable intervals to the premises used to process the Relevant Personal Data (which may also depends on Authorized Sub-Processors’ own visitation rules);
    • assist the Client (or Client’s Affiliates as the case may be), by appropriate technical and organisational measures, with the Client’s (or Client’s Affiliates as the case may be) obligation to respond to requests by individuals to exercise their rights under the GDPR; if Next Gate Tech receives any request from an individual in relation to personal data rights, Next Gate Tech will advise the individual to submit their request to the Client (or Client’s Affiliates as the case may be) and the Client (or Client Affiliate) will be responsible for responding to such request;
  • assist the Client in meeting its compliance obligations regarding carrying out data protection impact assessments and related consultations with supervisory authorities;
  • as soon as reasonably practical, and in any event without undue delay, notify the Client upon becoming aware of any Personal Data Breach. Next Gate Tech shall provide the Client with reasonable assistance in the Client’s compliance with the Data Protection Laws in relation to the Personal Data Breach; and
  • return and/or erase the Relevant Personal Data on termination of the Agreement as provided under the Agreement or as otherwise agreed between the Parties subject always to circumstances where Next Gate Tech shall be entitled to retain personal data to the extent required by applicable EU laws.

The Client specifically authorizes the engagement of Next Gate Tech’s affiliated entities as sub-processors (if any) and generally authorises the engagement of any other third parties as sub-processors. Next Gate Tech shall maintain a list of all sub-processors authorized hereunder (either affiliates or non-affiliates) (“Authorized Sub-Processors”) on an ongoing basis (the “List”). A version of the List indicating the actual Authorized Sub-Processors as hired by Next Gate Tech at the date of signature of this Agreement (also indicating their location) is set out under Part 4 below. To the extent Next Gate Tech engages additional sub-processors from time to time, Next Gate Tech shall update the List accordingly. Next Gate Tech will communicate such updated List to the Client, and, unless the Client reasonably objects to a sub-processor being added (or replaced) to the List within 15 business days following reception of such notice of changes, the Client shall be deemed to have given its authorisation to the said change(s) or replacement(s) of Authorized Sub-Processors.

PART 3: DETAILS OF THE PROCESSING ACTIVITIES CONDUCTED BY NEXT GATE TECH AS A PROCESSOR

1. Details of Data Processing

Description of subject matter

Next Gate Tech’s provision of Product(s) to the Client under the Agreement.

Description of categories of data subjects whose personal data is being processed

  • Private individuals appearing in any documentation to be processed via the Product(s)
  • Private individuals granted access to the Product(s)

Types of Relevant Personal Data

  • Contact details – name, professional address, professional telephone number, corporate email, country of domicile
  • Authentication data - user ID, activity logs including user’s type and version of browser, browser language, operating system type and version number, manufacturer and model and IP address.

Purpose of the data processing

  • Performance of the Agreement, including inter alia the provision of certain software’s features.
  • Managing security incidents / requests upon specific instructions received from the Client.

Duration of data processing

The term of the Agreement and thereafter to the extent necessary to enable Next Gate Tech to comply with its own legal obligations following expiry or termination of the Agreement.

PART 4: DETAILS OF AUTHORIZED SUB-PROCESSORS

Sub-ProcessorPurpose of processingLocation
Next Gate Tech ltdWholly owned subsidiary performing the same processing activities as Next Gate Tech SAUK
Auth0Identity management, authentication and authorization services.Ireland and Germany
Google CloudCloud hostingGermany and Belgium
Google WorkspaceCloud-based email communications, document storage, and collaboration functionalities.Europe
HubspotCustomer Relationship ManagementGermany
ZohoInvoicing systemLuxembourg