This document is an appendix to the Terms and Conditions between the Client (hereinafter the “Controller”) and Dropcontact (hereinafter the “Processor”). Each party is designated as a “Party” and together the “Parties”.
For the purposes hereof, the terms and expressions used with capital letters have the same meaning as the one attributed in the Terms and Conditions.
The purpose of these clauses is to define the conditions in which the Processor undertakes to carry out, on the Controller's behalf, the personal data processing operations defined below.
As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "the General Data Protection Regulation").
II. Description of the processing being subcontracted out
The Processor is authorized to process, on behalf of the Controller, the personal data necessary for providing the following services: (i) clean, correct, synchronize, enrich, organize and lead the contact details of the Controller’s clients, prospects and providers, (ii) detect and automatically merge duplicates and (iii) update the contact details of the Controller’s clients, prospects and providers with regard to incorrect emails (hereinafter together the “Services”).
The categories of data subjects are the Controller’s clients, prospects and providers (hereinafter the “Persons”).
The nature of the operations carried out on the data is the collection, processing and storage of the Persons’ personal data for the performance of the Services.
The purpose of the processing is the performance of the Services.
The personal data processed are the Persons’ identification data.
To perform the Services covered herein, the Controller shall provide the Processor with the following necessary information: the information and identification data of the Persons.
In any case, there is no transfer of data to any third parties.
III. Processor's obligations with respect to the Controller
The Processor shall undertake to:
1. process the data solely for the purpose subject to the sub-contracting;
2. process the data in accordance with the documented instructions from the Controller. The parties agree that any use or setting up of the Processor’s solution by the Controller shall be logged and considered as a documented instruction. Where the Processor considers that an instruction infringes the General Data Protection Regulation or any other legal provision of the Union or of Member States bearing on data protection, it shall immediately inform the Controller thereof. Moreover, where the Processor is obliged to transfer personal data to a third country or an international organization, under Union law or Member State law to which the Processor is subject, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
3. guarantee the confidentiality of personal data processed hereunder;
4. ensure that the persons authorized to process the personal data hereunder:
• have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• receive the appropriate personal data protection training.
5. take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default;
6. Sub-contracting: the Controller hereby acknowledges and agrees to the engagement of the following sub-Processors as defined below, with servers in the EU:
- Amazon Web Services P.O. Box 81226, a company incorporated under the laws of the United States, headquartered at Seattle, WA, United States 98108-1226 (servers in Ireland);
- ONLINE (who operates under the tradename Scaleway), a French simplified stock corporation, headquartered at 8 rue de la ville l’Evêque - 75008 Paris, FRANCE (servers in France).
The Processor may engage another Processor (hereinafter "the sub-Processor") to conduct specific processing activities. In this case, the Processor shall inform the Controller, in writing beforehand, of any intended changes concerning the addition or replacement of other Processors. This information must clearly indicate which processing activities are being subcontracted out, the name and contact details of the sub-Processor and the dates of the subcontract. The Controller has a minimum timeframe of 30 (thirty) days from the date on which it receives said information to object thereto. Such sub-contracting is only possible where the Controller has not objected thereto within the agreed timeframe.
The sub-Processor is obliged to comply with the obligations hereunder on behalf of and on instructions from the Controller. It is the initial Processor's responsibility to ensure that the sub-Processor provides the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the General Data Protection Regulation. Where the sub-Processor fails to fulfil its data protection obligations, the initial Processor remains fully liable with regard to the Controller for the sub-Processor's performance of its obligations.
7. Exercise of data subjects' rights: the Processor shall assist the Controller, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject's rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
Where the data subjects submit requests to the Processor to exercise their rights, the Processor must forward these requests as soon as they are received by email to the Controller.
8. Notification of personal data breach: the Processor shall notify the Controller by email of any personal data breach not later than 72 (seventy-two) hours after having become aware of it. Said notification shall be sent along with any necessary documentation to enable the Controller, where necessary, to notify this breach to the competent supervisory authority.
9. Assistance lent by the Processor to the Controller regarding compliance with its obligations: the Processor assists the Controller in carrying out data protection impact assessments and with regard to prior consultation of the supervisory authority.
10. Security measures: the Processor undertakes to implement the following security measures: Dropcontact only uses SSL/TLS (Secure Sockets Layer) encrypted channels for all sources from which certain personal data is collected. These protocols automatically encrypt all information before it is sent to Dropcontact. The data is thus encrypted as it circulates.
11. Fate of the data: at the end of the Service bearing on the processing of such data, the Processor undertakes to destroy all personal data.
12. Record of categories of processing activities: the Processor states that it maintains a written record of all categories of processing activities carried out on behalf of the Controller, containing:
• the name and contact details of the Controller on behalf of which the Processor is acting, any other Processors and, where applicable, the data protection officer;
• the categories of processing carried out on behalf of the Controller;
• where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
• where possible, a general description of the technical and organizational security measures.
13. Documentation: the Processor provides the Controller with the necessary documentation for demonstrating compliance with all of its obligations and for allowing the Controller or any other auditor it has authorized to conduct audits, including inspections, and for contributing to such audits.
During such audits, the Controller or the auditor it has entrusted for this purpose shall not be authorized to access the Processor’s trade secrets, its strategic information or any information that the Provider has undertaken to keep confidential. The Processor shall have the right to oppose all inspections and/or checks by the Controller or its auditor that may enable them to access such information, without the Controller being able to make any claim in this regard. In any event, the Controller shall ensure that the auditor and, more generally, its personnel carrying out said audits are subject to appropriate confidentiality obligations.
V. Controller's obligations
1. Data subjects' right to information and consent: it is the Controller's responsibility to inform the data subjects concerned by the processing operations at the time the data are being collected. More specifically, to the extent that the Processor does not have any knowledge of (i) the persons concerned by the processing, (ii) any contractual link between the Controller and the persons concerned and the purpose of the data processing and (iii) the settings decided and made by the Controller, it is the Controller's responsibility to define the appropriate legal basis for the processing and, if need be, to obtain the consent of the Persons with regard to the processing.
2. Controller’s other obligations: moreover, the Controller undertakes to:
2.1 provide the Processor with the data mentioned in II hereof;
2.2 document, in writing, any instruction bearing on the processing of data by the Processor. More specifically, the Processor has developed a privacy by default and privacy by design solution, which is by default the least intrusive. Other settings can be added by the Controller: it is the responsibility of the Controller to define the intended use and related settings of the solution. As provided above, any settings made by the Controller shall be considered as an instruction of the Controller to the Processor;
2.3 ensure, before and throughout the processing, compliance with the obligations set out in the General Data Protection Regulation on the Processor's part;
2.4 supervise the processing, including by conducting audits and inspections with the Processor.