1. How is personal data processed in the context of the Services?

1.1. General dispositions

As part of their contractual relations, each party shall undertake to comply with the applicable regulations on personal data processing and, in particular, the General Data Protection Regulation (regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016) and the French Data Protection Act of 6 January 1978 (hereinafter referred together as the “Applicable Regulation”).

Each party processes personal data including contact information of the other party involved in the performance of the Terms and Conditions, as data controller within the meaning of the Applicable Regulation for the purpose of managing the contractual relations between the parties and for the duration of the Terms and Conditions. These processing are carried out for the execution of the Terms and Conditions and only identification data (in particular surname, first name, email address, telephone number) are processed by the parties.

Personal data is retained during the duration strictly necessary for the purposes of managing the business relationship between parties. Each of the parties’ employee, their control services (notably auditor) and their data processors may have access to personal data.

The processing may result in the exercise by each party’s contact person of their rights under the Applicable Regulation.

If you would like to know more about the personal data processing carried out by us as data controller, please read our Privacy policy available on our website.

1.2. Processing of personal data by us as a data processor

 Purpose

The purpose of this clause is to define the conditions under which we undertake to carry out, on your behalf, the personal data processing operations defined below.

As part of their contractual relations, we and you shall each undertake to comply with the Applicable Regulation.

 Description of the processing that we carried out

As part of the Services, we process personal data in your name and on your behalf as a data processor, while You act as a data controller within the meaning of the Applicable Regulation. The characteristics of the processing are described in Appendix 1 of these Terms and Conditions.

 Our obligations with respect to you

- Data processing:

We undertake to process personal data only for the purposes listed in Appendix 1 and in accordance with your documented instructions, including with regard to transfers of data outside the European Union. Where we consider that an instruction infringes Applicable Regulation, we shall immediately inform you thereof. Moreover, if we process personal data and transfer them to a third country or an international organization, according to Applicable Regulation, we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

- Security and data confidentiality:

We undertake to implement appropriate technical and organisational measures to ensure security and integrity of personal data, their backup and the restoration of their availability in the event of a physical or technical incident. We ensure that the persons authorized to process personal data hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

- Sub-processors:

We are authorized to use processors (hereinafter "the Sub-Processor") listed in Appendix 1 to carry out specific processing activities. We shall inform you, in writing beforehand, of any intended changes concerning the addition or replacement of Sub-Processors as listed. This information must clearly indicate which processing activities are concerned, the name and contact details of the Sub-Processor. You have a period of 15 calendar days from the date of receipt of this information to submit your legitimate and justifiable objections. In the absence of notification of objections after this period, you shall be deemed to have authorized the use of the relevant Sub-Processor.

The Sub-Processor shall comply with the obligations hereunder on behalf of and in accordance with your instructions. We shall ensure that the Sub-Processor provides the same sufficient warranties regarding the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the Applicable Regulation. If the Sub-Processor fails to fulfil its data protection obligations, we remain fully liable to you for the Sub-Processor’s performance of its obligations.

- Transfer of personal data outside the European Union:

We are authorized to transfer personal data processed as part of these Terms and Conditions to countries located outside the European Union if appropriate safeguards have been implemented as defined under Chapter V of GDPR.

- Assistance and provision of information:

We undertake to assist you and to respond without undue delay to any request for information sent by you, whether in the context of a request for the exercise of their rights by data subjects, a privacy impact assessment, or a request made by a supervisory authority or your data protection officer.

- Notification of personal data breach:

We shall notify you of any personal data breach relating to the processing operations covered by these Terms and Conditions, without undue delay after becoming aware of it and to provide you with all relevant information and documentation relating to such personal data breach.

- Fate of the data:

We undertake at our election to delete or return personal data at the termination of these Terms and Conditions and not to keep a copy unless Union or Member State law requires storage of the personal data.

- Documentation:

We shall make available to you, at your request, all information and documents necessary to demonstrate compliance with its obligations and allow for audits. You may carry out audits once a year, at your own expense to verify our compliance with the obligations set forth in this article. You will inform us of the audit at least 2 weeks before. We may refuse the identity of the auditor if it belongs to a competing company. The audit shall be conducted during working hours and with the least possible disturbance for our activity. The audit shall not threaten (i) technical and organizational security measures implemented by us, (ii) security and confidentiality of data of our other customers, (iii) our proper functioning and organization. When possible, parties will agree beforehand on the scope of the audit. The audit report will be sent to us as so to submit comments, which will be attached to the final version of the audit report. Each audit report will be considered as a confidential information.

- Your obligations with respect to us:

You undertake to:

1. provide us with the personal data mentioned in Appendix 1, except any improper, disproportionate or unnecessary personal data, and except any “particular” personal data within the meaning of the Applicable Regulation, except if the processing activities justify it. In this case, you will have to document these justifications and to take all measures, notably of prior information, to collect appropriate consent and appropriate security measures, appropriate for such particular data;

2. collect under your liability, lawfully, fairly and in a transparent manner the personal data provided by us, for the performance of the Services, and in particular, to ensure the lawfulness of processing and the information due to data subjects;

3. maintain a record of processing activities carried out and more generally, comply with the principles of the Applicable Regulation;

4. ensure, before and throughout the processing, compliance with the obligations set out in the Applicable Regulation.

2. What are our respective obligations regarding confidentiality?

Unless the other party agrees in writing, we undertake respectively to keep confidential, for the duration of our contractual relationship and 3 years thereafter, all information relating to or held by the other party of which we become aware of on the occasion of the conclusion and performance of our contractual relationship.

This obligation does not extend to information:

- of which the receiving party was already aware;

- already public at the time of their communication or which would become public without violation of this clause;

- which has been lawfully received from a third party;

- whose communication would be required by the judicial authorities, in application of laws and regulations or in order to establish the rights of a party in the context of our contractual relationship.

Confidential information may be passed on to our respective employees, collaborators, trainees, agents and contractors, on condition that they are subject to the same obligation of confidentiality.