Data Processing Agreement
In the context of their contractual relations, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as from 25 May 2018 (hereinafter referred to as the "GDPR"), as well as Law No 78-17 of 6 January 1978 on data processing, files and freedoms (hereinafter referred to as the amended "Data Protection Act"). The purpose of this Annex is to define the conditions under which the processor undertakes to carry out on behalf of the controller the processing operations of personal data defined below.
1. Definitions of the terms
For the purposes of this Agreement, the following terms shall have the following meaning:
- "Personal Data" means any information relating to an identified or identifiable natural person; an "identifiable natural person" is defined as a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more elements unique to him/her. In order to determine whether a person is identifiable, all means of identification available or accessible to the Data Controller or any other person must be considered.
- "Data Subject" refers to a natural person whose Personal Data are processed.
- "Data Controller" means the CLIENT, who determines the purposes and means of the Personal Data Processing.
- "Data Processor" refers to the PROVIDER who processes Personal Data under the authority, on instructions and on behalf of the Data Controller.
- "Processing" means any operation or set of operations involving Personal Data by the Data Processor on behalf of the Data Controller, regardless of the process used, and in particular the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as limitation, deletion or destruction.
- "Personal Data Breach" means a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed.
2. Obligations of the Data Controller
The Data Controller acknowledges and guarantees:
- that the Processing is carried out in accordance with the provisions of the GDPR and the Data Protection Act, in particular, that the Data Subject has been informed of the purpose of the Processing, his rights, the recipients of the Personal Data and the policy on the protection of privacy and personal data;
- only in the event that the Data Controller processes "sensitive" data as defined in Article 9 of the GDPR (i.e. the Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person), the Data Controller has collected them and requires the Data Processor to carry out their Processing, in full compliance with the provisions of the said Article 9;
- that it will respond as soon as possible to any Data Protection Authority requests for information, if any;
- that it will respond, as soon as possible, to requests from any Data Subject concerned by the Processing to communicate information on his/her Personal Data, and that it will give appropriate instructions to the Data Processor in due course.
The Data Controller also undertakes to:
- document in writing any instructions concerning the Processing of Personal Data by the Data Processor;
- ensure, in advance and throughout the duration of the Processing, that the Data Processor complies with the obligations provided for in the European Data Protection Regulation;
- supervise the Processing, including carrying out audits and inspections of the Data Processor.
3. Obligations of the Data Processor
The Data Processor undertakes to:
- process the data only for the purposes indicated by the Data Controller;
- if the Data Processor considers that an instruction constitutes a violation of the European Data Protection Regulation or any other provision of Union law or of the law of the Member States relating to data protection, it shall immediately inform the Data Controller. In addition, if the Data Processor is required to transfer data to a third country or international organization under the law of the Union or the law of the Member State to which it is subject, it must inform the Data Controller of this legal obligation before the Processing, unless the law concerned prohibits such information for important reasons of public interest;
- guarantee the confidentiality of the personal data processed under this Agreement;
- ensure that the persons authorized to process personal data under this Agreement:
  - undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
  - receive the necessary training in the protection of personal data;
- consider, with regard to its tools, products, applications or services, the principles of privacy by design and data protection by default;
- inform its employees of their responsibility regarding the protection of Personal Data, in particular as regards the confidentiality of such data;
- in the event of a possible legal, administrative or judicial prohibition that could prevent it from carrying out the Processing, the Data Processor shall inform the Data Controller and may then terminate the Agreement, without the Data Controller being able to hold the Data Processor liable or claim damages from him;
- cooperate with the CNIL in the event of a request for information from the latter, and comply with any recommendation of the CNIL relating to the Processing.
3.1. Subcontracting
The Data Processor may use another subcontractor (hereinafter, the "Subprocessor") to carry out specific Processing activities. In this case, it shall inform the Data Controller in advance and in writing of any planned change concerning the addition or replacement of Subprocessors. This information must clearly indicate the subcontracted Processing activities, the identity and contact details of the Subprocessor and the dates of the subcontract. The Data Controller has a minimum period of one (1) month from the date of receipt of this information to present its objections. This subcontracting may only be carried out if the Data Controller has not raised any objection within the agreed period.
The Subprocessor is required to comply with the obligations of this Agreement on behalf of and in accordance with the instructions of the Data Controller. It is the initial Data Processor's responsibility to ensure that the Subprocessor provides the same sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the Processing operation complies with the requirements of the European Data Protection Regulation. If the Subprocessor does not fulfill its data protection obligations, the initial Data Processor remains fully liable to the Data Controller for the performance by the Subprocessor of its obligations.
3.2. Right of data subjects to be informed
It is the responsibility of the Data Controller to provide the information to the Data Subjects on the Processing operations at the time of data collection.
3.3. Exercise of data subject’s rights
The Data Controller grants requests to exercise the rights of the Data Subjects (right of access, rectification, deletion and opposition, right to limit the Processing, right to data portability, right not to be the subject of an automated individual decision, including profiling) and will give appropriate instructions to the Data Processor in due course. As far as possible, the Data Processor shall assist the Data Controller in fulfilling his obligation to comply with requests to exercise the rights of the Data Subjects.
3.4. Notification of Personal Data Breaches
The Data Processor shall notify the Data Controller of any Personal Data Breach as soon as possible and, at the latest, 72 hours after becoming aware of it. This notification shall be accompanied by all relevant documentation in order to enable the Data Controller, if necessary, to notify this Breach to the competent supervisory authority. The Data Processor must take all necessary steps to identify the causes of such Personal Data Breach and take all measures that it deems necessary and reasonable to remedy the origin of such Breach when such remedy is under the control of the Data Processor.
3.5. Security measures
The Data Processor must at all times have technical and organizational measures in place to prevent unauthorized access to the Personal Data and the use of the Personal Data for purposes other than those agreed for their transmission to the Data Processor. The Data Processor represents and warrants that the security measures taken are in no event less than those required by applicable law or those that a person performing the same activity as the Data Processor would reasonably have taken for the protection of Personal Data against unauthorized access or use.
In cases where the Data Processor has obtained the prior consent of the Data Controller for the transmission of Personal Data to a third party, the Data Processor must also take appropriate security measures to ensure the secure transmission of the Personal Data. The Data Processor must protect and maintain the Personal Data as confidential information. The confidentiality requirements set out in each of the commercial documents and/or confidentiality agreements signed between the Data Controller and the Data Processor must apply to the Personal Data.