Exsion Reporting for Microsoft Dynamics 365 Business Central Privacy Statement

With respect to processing of personal data, the Processor (hereinafter referred to as HB Software) is qualified as a processor as defined in Article 4(8) of the GDPR (see the definition below), and the Controller as a controller as defined in Article 4(7) of the GDPR.
This privacy statement was drawn up for Exsion Reporting, which is (partially) provided through Microsoft AppSource.

Article 1. Terms and Definitions

1.1 In this statement, the terms listed below (starting with a capital letter, either in singular or

plural form) shall have the following meanings:

a. GDPR:
The General Data Protection Regulation (2016/679/EU);

b. Personal data:
Data either directly or indirectly tracible to a natural person, as defined in Article 4(1) of the GDPR;

c. Processing:
Any act related to Personal Data, as defined in Article 4(2) of the GDPR. Exsion Reporting is powered by Microsoft Dynamics Business Central, which is operated by Microsoft. Microsoft can also be qualified as a processor. Microsoft has its own privacy policy, that is herewith assumed as known.

d. Controller:
The organisation responsible for the processing of personal data and/or purchasing Exsion Reporting.

Article 2 The Controller and Processor of Personal Data

2.1 The Processor undertakes to process Personal Data with regard to this Privacy Statement, on behalf of the Controller.

2.2 The Controller guarantees that the assignment to process Personal Data complies with all relevant and applicable law and legislation. The Controller shall indemnify the Processor against all damages and costs arising from and/or related to third-party claims with respect to not complying with this guarantee.

2.3 The Controller is responsible for the processing of Personal Data as defined in this Privacy Statement.

Article 3 Confidentiality

3.1 The Processor shall treat all Personal Data as strictly confidential, and ensure that all persons who are authorised to process Personal Data are bound to confidentiality. These obligations shall not restrain a Party from sharing information with third parties, insofar that disclosure is mandatory pursuant to applicable law.

Article 4 Technical and Organisational Measures

4.1 The Processor shall take appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, or accidental loss, modification, unauthorised disclosure or access, as well as all other unlawful forms of Processing. Taking into account the state of the art and implementation costs, these measures should ensure an appropriate security level, given the risks presented by the processing and nature of the data to be protected.

Article 5 Third Parties and Subcontractors

5.1 The Processor may engage third parties and/or subcontractors for the Processing of Personal Data pursuant to this Processor Agreement.

5.2 The Processor is responsible for these third parties and/or subcontractors and shall impose the same conditions, obligations and responsibilities defined in this Processor Agreement on third parties and/or subcontractors.

5.3 The Processor shall notify the Controller of all intended amendments regarding the addition or replacement of these third parties and/or subcontractors, granting the Controller the opportunity to object to suchlike amendments within a week.

Article 6 International Data Transfers

6.1 The Processor shall only transfer Personal Data to a country outside the European Economic Area without an adequate level of data protection if suchlike transfers are permitted by applicable law.

Article 7 Information and Audits

7.1 If the Processor believes that an instruction of the Controller is an infringement of the GDPR or any other applicable law, he/she shall immediately notify the Controller. Together, the Parties shall try to find an appropriate solution, in case external developments endanger the lawfulness of processing Personal Data.

7.2 Upon written request of the Controller, the Processor shall provide all information reasonably deemed necessary to demonstrate compliance with this Processor Agreement.

7.3 The Controller shall have the right to conduct an audit at the Processor, in order to determine to what extent the Processor complies with the provisions of this Processor Agreement. This audit shall be conducted by an independent third party and take place at a time mutually agreed upon by both Parties. The audit costs shall be borne by the Controller.

Article 8 Cooperation of the Processor

8.1 The Processor shall notify the Controller within 36 hours upon becoming aware of a (possible) incident related to the Processing of Personal Data. In case of an incident, the Processor shall endeavour to provide reasonable assistance.

8.2 Upon becoming aware of an incident, as referred to in Article 8.3 below, the Processor shall take reasonable measures to limit the consequences of the incident as much as possible.

8.3 The term ‘incident’, as referred to in this article, includes, but is not limited to:

a) Any non-authorised or unlawful Processing, erasure or loss of Personal Data;

b) Any infringement of the security and/or confidentiality resulting from unlawful Processing, erasure or loss of Personal Data, or any indication that a suchlike infringement may occur or already has occurred.

8.4 In the event that a Processor receives a complaint or a request from a natural person regarding Personal Data (such as access, rectification or erasure requests), the Processor shall notify the Controller within a week upon receipt of the complaint or request, and provide reasonable assistance to the Controller.

8.5 All notifications made pursuant to this article shall be addressed to the contact details of the Controller’s liaison, as listed below. The Controller is responsible for keeping these contact details up-to-date and guarantees that he/she will notify any changes as soon as possible.

Article 9 Liability

9.1 The Processor is responsible for the implementation of the measures laid down in this Privacy Statement. The Processor shall not be liable if these measures prove to be insufficient. The Controller shall indemnify the Processor against claims made by third parties, including data protection authorities, which, for whatever reason, arise from the Processing of Personal Data as set out in this Privacy Statement.

9.2 Any liability on behalf of HB Software arising from the use of Exsion Reporting is excluded.

Article 10

10.4 The Processor shall store Personal Data no longer than is necessary for the purpose(s) for which the data were collected.

Article 11

Customers may ask questions about their data to our DPO:
Alfred van Duren
HB Software
vanduren@hbsoftware.nl