Convention de Traitement des Données
1. Le client qui accepte les présentes conditions (le « Client ») et Revevol France SAS (le « Prestataire ») ont conclu un contrat aux termes duquel le Prestataire s’est engagé à fournir certains Services, contrat pouvant être le cas échéant modifié (le « Contrat »).
2. Cette Convention de Traitement des Données et ses annexes (la « CTD »), qui est conclue entre le Prestataire et le Client (chacun, une « Partie » et ensemble les « Parties »), fait partie intégrante du Contrat et constitue l’accord des Parties quant au traitement par le Prestataire des Données à Caractère Personnel du Client. La présente CTD peut être mise à jour périodiquement et elle prendra effet et remplacera toute convention de traitement des données précédemment applicable à compter de la Date d’Effet (tel que définie ci-dessous). En cas de contradiction ou d’incohérence entre les termes de la présente CTD et les autres stipulations du Contrat, les termes de la présente CTD prévaudront. Certains termes sont définis dans la Section 27.
3. Les Parties reconnaissent et conviennent que (a) en vertu de la Législation sur la Protection des Données, le Prestataire est un Sous-Traitant des Données à Caractère Personnel du Client énumérées dans l’Annexe 1, (b) le Client qui souscrit aux services du Prestataire peut être un Responsable du Traitement ou un Sous-Traitant, selon le cas, des Données à Caractère Personnel du Client et (c) chaque Partie se conformera aux obligations qui lui incombent en vertu de la Législation sur la Protection des Données en ce qui concerne le Traitement de ces Données à Caractère Personnel du Client.
4. Des informations détaillées sur les catégories de données traitées et les personnes concernées, les opérations de Traitement ainsi que la finalité et la durée du Traitement figurent à l'Annexe 1.
5. Durée. La présente CTD prendra effet à la Date d’Effet du Contrat et, nonobstant l’expiration de la Durée, restera en vigueur jusqu’à la suppression par le Prestataire de toutes les Données à Caractère Personnel du Client, comme cela est décrit dans la présente CTD, et elle expirera de plein droit à la date de cette suppression.
6. Objet. Les Parties reconnaissent et conviennent que la Législation sur la Protection des Données s’appliquera au Traitement des Données à Caractère Personnel du Client si : (a) le Traitement est effectué dans le cadre des activités d’un établissement du Client situé sur le territoire de l’EEE/ de la Suisse/du Royaume-Uni ; et/ou (b) les Données à Caractère Personnel du Client portent sur des Personnes Concernées qui se trouvent dans l’EEE/ en Suisse/au Royaume-Uni et le Traitement concerne l’offre de biens ou de services dans l’EEE/la Suisse/le Royaume-Uni ou la surveillance de leur comportement dans l’EEE/en Suisse/au Royaume-Uni.
7. Législation Non-Européenne sur la Protection des Données. Les Parties reconnaissent et conviennent que la Législation Non-Européenne sur la Protection des Données peut également s’appliquer au Traitement des Données à Caractère Personnel du Client. Sauf stipulation contraire de la présente CTD, les termes de la présente CTD s’appliqueront, que ce soit la Législation sur la Protection des Données ou la Législation Non-Européenne sur la Protection des Données qui s’applique au Traitement par le Prestataire des Données à Caractère Personnel du Client. Les Parties reconnaissent et conviennent que, si la Législation Non-Européenne sur la Protection des Données s’applique au Traitement des Données à Caractère Personnel du Client par l’une ou l’autre Partie, la Partie concernée se conformera à toutes obligations lui incombant aux termes de cette législation en ce qui concerne le Traitement de ces Données à Caractère Personnel du Client.
8. Responsable du Traitement tiers. Le Client garantit au Prestataire que, si la Législation sur la Protection des Données s’applique au Traitement des Données à Caractère Personnel du Client et que le Client est un Sous-Traitant agissant sur les instructions d’un Responsable du Traitement tiers, les instructions et les actes du Client en ce qui concerne ces Données à Caractère Personnel du Client, notamment sa désignation en qualité de Sous-Traitant, ont été autorisées par le Responsable du Traitement tiers et qu’il en apportera la preuve si le Prestataire lui en fait la demande.
9. Instructions du Client. En concluant la présente CTD, le Client donne instruction au Prestataire de ne traiter les Données à Caractère Personnel du Client que conformément à la Législation sur la Protection des Données et/ou la Législation Non-Européenne sur la Protection des Données, selon le cas : (a) pour fournir les Services et l’assistance technique y afférente ; (b) comme indiqué par le Client ou comme l’exige l’utilisation que fait le Client des Services et de l’assistance technique y afférente ; (c) comme précisé sous la forme du Contrat, en ce compris la présente CTD ; et (d) comme documenté dans toutes autres instructions légitimes et écrites données par le Client et que le Prestataire reconnaît constituer des instructions aux fins de la présente CTD. À compter de la Date d’Effet, le Prestataire se conformera aux instructions du Client indiquées dans la présente Section, notamment en ce qui concerne les transferts de Données à Caractère Personnel, conformément à la Section 21. Le Prestataire s’interdit de traiter, transférer, modifier, changer ou altérer les Données à Caractère Personnel du Client ou de divulguer ou permettre la divulgation des Données à Caractère Personnel du Client à un tiers autrement qu'en conformité avec les instructions du Client (que ce soit dans le Contrat ou autrement), à moins que le droit de l'UE ou le droit de l'État membre de l'UE auquel le Sous-Traitant est soumis n'exige un autre Traitement des Données à Caractère Personnel du Client par le Prestataire, auquel cas le Prestataire informera le Client avant de mettre en œuvre le Traitement (à moins que cette loi n’interdise au Sous-Traitant de le faire pour des motifs importants d'intérêt public), par le biais de l'Adresse Électronique de Notification. Le Prestataire s'engage à informer immédiatement le Client si, à son avis, une instruction contrevient à la Législation sur la Protection des Données applicable.
10. Suppression pendant la Durée. Le Prestataire permettra au Client de supprimer les Données à Caractère Personnel du Client pendant la Durée d'une manière compatible avec la fonctionnalité des Services. Si le Client ou un Utilisateur Final utilise les Services pour supprimer des Données à Caractère Personnel du Client pendant la Durée et que les Données à Caractère Personnel du Client ne peuvent être récupérées par le Client ou un Utilisateur Final, cette utilisation constituera une instruction du Client au Prestataire de supprimer les Données à Caractère Personnel du Client concernées des Systèmes du Prestataire conformément à la Législation sur la Protection des Données applicable. Le Prestataire se conformera à cette instruction dès que raisonnablement possible et dans un délai maximal de quatre vingt dix (90) jours, à moins que le droit de l'UE ou d'un État membre de l'UE n'exige ou ne justifie que ces Données à Caractère Personnel soient conservées par le Prestataire pendant une période plus longue.
11. uppression à l'expiration de la Durée. e supprimer, à l'expiration de la Durée, toutes les Données à Caractère Personnel du Client (en ce compris les copies existantes) des Systèmes du Prestataire conformément à la Législation sur la Protection des Données applicable. Le Sous-Traitant se conformera à cette instruction dès que raisonnablement possible et dans un délai maximal de quatre vingt dix (90) jours, à moins que le droit de l'UE ou d'un État membre de l'UE n'exige ou ne justifie que ces Données à Caractère Personnel du Client soient conservées par le Sous-Traitant pendant une période plus longue. Sans préjudice de la Section 20 (Droits et demandes des Personnes Concernées), le Client reconnaît et convient qu'il sera responsable de l'exportation, avant l'expiration de la Durée, de toutes Données du Client qu'il souhaite conserver par la suite.
12. Instruction de suppression différée. Dans la mesure où des Données à Caractère Personnel du Client couvertes par l'instruction de suppression décrite dans la Section 11 (Suppression à l'expiration de la Durée) sont également traitées, lorsque la Durée prévue à la Section 11 expirera, dans le cadre d’un contrat entre le Client et le Prestataire ayant une Durée indéterminée, cette instruction de suppression ne prendra effet à l'égard desdites Données à Caractère Personnel du Client qu'à l'expiration de la Durée indéterminée. Il est précisé, par souci de clarté, que, dans le cas d'une instruction de suppression différée, la présente CTD continuera à s'appliquer auxdites Données à Caractère Personnel du Client jusqu'à leur suppression par le Prestataire.
13. Mesures de Sécurité du Prestataire. Le Prestataire mettra en place et maintiendra des mesures techniques et organisationnelles pour protéger les Données à Caractère Personnel du Client contre toute destruction, perte, altération ou divulgation non autorisée ou tout accès, de manière accidentelle ou illicite ; tel que décrit dans l’Annexe 2 (les « Mesures de Sécurité »). Les Mesures de Sécurité décrites dans l’Annexe 2 comprennent des mesures destinées à contribuer à garantir la confidentialité, l’intégrité, la disponibilité et la résilience constantes des Systèmes du Prestataire et à rétablir l’accès dans des délais appropriés aux Données à Caractère Personnel du Client après un Incident Affectant les Données, ainsi que des tests réguliers de leur efficacité. Le Prestataire pourra mettre à jour ou modifier périodiquement les Mesures de Sécurité décrites dans l’Annexe 2, à condition que ces mises à jour et modifications n’entraînent pas la dégradation de la sécurité globale des Services ou des Systèmes du Prestataire. Le Client reconnaît que les Données du Client seront hébergées dans les centres de données d’un Prestataire de Services Tiers, par un Prestataire de Services Tiers et/ou une ou plusieurs de ses entités affiliées (ensemble, les « Prestataires de Services Tiers ») (et non par le Prestataire) et que, en conséquence, la plupart des mesures de sécurité techniques et organisationnelles liées aux Données à Caractère Personnel du Client (qui sont visées notamment dans l’Annexe 2) seront appliquées par le Prestataire de Services Tiers concerné sous sa propre responsabilité. Par conséquent, et nonobstant toute autre stipulation du Contrat, le Prestataire décline toute responsabilité au titre de tous actes et/ou omissions du Prestataire de Services Tiers, en ce compris, notamment, au titre de toutes mesures techniques et organisationnelles du Prestataire de Services Tiers, qui sont énumérées dans l’Annexe 2 uniquement à titre d’information et sans aucune déclaration. Le Client s’engage à ne pas engager la responsabilité du Prestataire en cas de manquement par le Prestataire de Services Tiers au contrat applicable.
14. Respect de la sécurité par le Sous-Traitant. Le Prestataire prendra les mesures appropriées pour assurer le respect des Mesures de Sécurité par ses salariés, prestataires, mandataires et Sous-Traitants Ultérieurs dans la mesure où elles s’appliquent à leur champ d'activités, notamment en s'assurant que toutes les personnes autorisées à traiter les Données à Caractère Personnel du Client se sont engagées à respecter leur caractère confidentiel ou sont soumises à une obligation légale de confidentialité appropriée, et que ce personnel a suivi une formation appropriée conformément à la Législation sur la Protection des Données.
15. Assistance par le Sous-Traitant en matière de sécurité. Le Client accepte que le Prestataire (compte tenu de la nature du Traitement des Données à Caractère Personnel du Client et des informations dont le Prestataire dispose) aide le Client à veiller au respect de ses obligations en ce qui concerne la sécurité des Données à Caractère Personnel du Client et les violations des Données à Caractère Personnel du Client, en particulier en cas d'Incident Affectant les Données, en ce compris, le cas échéant, les obligations du Client aux termes des articles 32 à 34 (inclus) du RGPD, en : (a) mettant en place et en maintenant les Mesures de Sécurité conformément à la Section 13 (Mesures de Sécurité du Prestataire) ; (b) se conformant aux termes de la Section 16 (Incidents Affectant les Données).
16. Incidents Affectant les Données. Si le Prestataire vient à avoir connaissance d'un Incident Affectant les Données, il : (a) notifiera au Client l'Incident Affectant les Données dans les meilleurs délais et sans retard injustifié ; et (b) prendra dans les meilleurs délais des mesures raisonnables pour réduire au minimum le préjudice et sécuriser les Données à Caractère Personnel du Client. La notification contiendra, dans la mesure du possible, une description détaillée de l'Incident Affectant les Données, notamment les mesures prises pour atténuer les risques potentiels et les mesures que le Prestataire recommande au Client de prendre pour faire face à l'Incident Affectant les Données. La ou les notification(s) de tout (tous) Incident(s) Affectant les Données sera(ont) envoyée(s) à l'Adresse Électronique de Notification ou, à la discrétion du Prestataire, par communication directe (par exemple, au moyen d’un appel téléphonique ou d’une réunion en personne). Il appartient au Client et à lui seul de s'assurer que l'Adresse Électronique de Notification est à jour et valable à quelque moment que ce soit. Le Prestataire n'évaluera pas le contenu des Données du Client afin d'identifier les informations soumises à des exigences juridiques spécifiques. Le Client est entièrement responsable du respect des obligations de notification prévues par la Législation sur la Protection des Données ou la Législation Non-Européenne sur la Protection des Données, selon celle qui s’applique au Client, et du respect de toutes obligations de notification à des tiers liées à tout (tous) Incident(s) Affectant les Données. La notification ou la réponse du Prestataire à un Incident Affectant les Données en application de la présente Section 16 (Incidents Affectant les Données) ne saurait être interprétée comme une reconnaissance par le Prestataire d’une quelconque faute ou responsabilité en ce qui concerne l'Incident Affectant les Données.
17. Responsabilités du Client en matière de sécurité et évaluation. Le Client convient que, sans préjudice des obligations du Prestataire aux termes des Sections 13 à 15 (Mesures de Sécurité du Prestataire, Respect de la sécurité par le Sous-Traitant et Assistance par le Sous-Traitant en matière de sécurité) et de l'article 16 (Incidents Affectant les Données) : (a) le Client est entièrement responsable de l’utilisation qu’il fait des Services, notamment de : (i) l'utilisation appropriée des Services afin d'assurer un niveau de sécurité approprié au risque lié aux Données du Client ; (ii) la sécurisation des données d'authentification pour l’accès au compte, des systèmes et des dispositifs utilisés par le Client pour accéder aux Services ; et (iii) la sauvegarde des Données du Client ; et (b) le Prestataire n'a aucune obligation de protéger les Données du Client que le Client choisit de conserver ou de transférer en dehors des systèmes du Sous-Traitant et de ses Sous-Traitants Ultérieurs (par exemple, conservation hors ligne ou sur site, ou Prestataire de Services Tiers du Client). Il appartient au Client et à lui seul de déterminer si les Services, les Mesures de Sécurité et les engagements du Prestataire aux termes des Sections 13 à 17 répondent aux besoins du Client, notamment en ce qui concerne toutes obligations de sécurité du Client en vertu de la Législation sur la Protection des Données et/ou de la Législation Non-Européenne sur la Protection des Données, selon le cas. Le Client reconnaît et convient que (compte tenu de l'état de la technique, des coûts de mise en œuvre et de la nature, de la portée, du contexte et des finalités du Traitement des Données à Caractère Personnel du Client ainsi que des risques pour les personnes physiques) les Mesures de Sécurité mises en place et maintenues par le Prestataire, telles qu’elles sont définies à la Section 13 (Mesures de Sécurité du Prestataire) et dans l'Annexe 2, offrent un niveau de sécurité approprié au risque lié aux Données du Client.
18. Audits de conformité. Si la Législation sur la Protection des Données s’applique au Traitement des Données à Caractère Personnel du Client, le Prestataire autorisera le Client ou un auditeur indépendant désigné par celui-ci à effectuer des audits (en ce compris des inspections) afin de vérifier si le Prestataire se conforme à ses obligations concernant les Données à Caractère Personnel du Client aux termes de la présente CTD. Le Prestataire contribuera à ces audits comme indiqué dans la présente Section 18 (Audits de conformité). Si le Client décide de procéder à un audit comme indiqué ci-dessus, il devra alors prendre à sa charge l’ensemble des coûts et dépenses qui y sont liés, y compris mais sans s’y limiter les honoraires des auditeurs, les frais de transport, les honoraires d’avocat. Si le Client a conclu des Clauses Contractuelles Types telles qu’elles sont décrites dans la Section 21 (Transfert de Données à Caractère Personnel), le Prestataire, sans préjudice des droits d'audit d'une Autorité de Contrôle en vertu de ces Clauses Contractuelles Types, autorisera le Client ou un auditeur indépendant désigné par celui-ci à effectuer des audits comme indiqué dans les Clauses Contractuelles Types. En tout état de cause, tout audit imposé par le Client en application de la présente Section 18 ne doit pas entraver ni perturber de quelque manière que ce soit le cours normal des affaires du Prestataire.
19. Analyses d'impact et consultations. Le Client accepte que le Prestataire (compte tenu de la nature du Traitement et des informations dont dispose le Sous-Traitant) apporte au Client une assistance raisonnable pour assurer le respect par celui-ci de toutes ses obligations concernant les Données à Caractère Personnel du Client en matière d’analyses d'impact relatives à la protection des données et de consultations préalables, en ce compris, le cas échéant, les obligations du Client aux termes des articles 35 et 36 du RGPD, dans la mesure où le Prestataire dispose des informations nécessaires.
20. Droits et demandes des Personnes Concernées. Pendant la Durée, le Prestataire permettra au Client, d'une manière compatible avec la fonctionnalité des Services, d'accéder aux Données à Caractère Personnel du Client, de les rectifier ou de les effacer ou d’en limiter le Traitement, selon le cas, notamment par le biais de la possibilité de suppression proposée par le Prestataire comme indiqué dans la Section 10 (Suppression pendant la Durée), et d'exporter les Données à Caractère Personnel du Client, conformément aux exigences de la Législation sur la Protection des Données et/ou de la Législation Non-Européenne sur la Protection des Données, selon le cas. Pendant la Durée, si le Prestataire reçoit une demande de la part d'une Personne Concernée portant sur des Données à Caractère Personnel du Client, le Prestataire conseillera à la Personne Concernée de soumettre sa demande au Client ou de présenter directement cette demande au Client en utilisant l'Adresse Électronique de Notification ou tout autre moyen de communication, et il appartiendra au Client de répondre à une telle demande, notamment, si nécessaire, en utilisant la fonctionnalité des Services. Le Client accepte que (compte tenu de la nature du Traitement des Données à Caractère Personnel du Client) le Prestataire lui apporte une assistance raisonnable afin de se conformer à toute obligation de répondre aux demandes de Personnes Concernées, en ce compris, le cas échéant, l'obligation du Client de répondre aux demandes d'exercice des droits de la Personne Concernée prévus au Chapitre III du RGPD, en respectant les engagements énoncés dans la présente Section 20, dans la mesure où le Prestataire est en mesure de répondre à de telles demandes. Le Client est responsable, dans la mesure où la loi le permet, de tous les coûts et dépenses résultant d'une telle assistance par le Prestataire.
21. Transfert de Données à Caractère Personnel. Le Client reconnaît et convient que le Prestataire peut, sous réserve de la présente Section 21 (Transfert de Données à Caractère Personnel), conserver et traiter les Données du Client aux États-Unis et dans tout autre pays situé en dehors de l'EEE dans lequel le Prestataire ou les Sous-Traitants Ultérieurs disposent d'installations. Si la conservation et/ou le Traitement des Données à Caractère Personnel du Client implique(nt) un Transfert Restreint, le Prestataire et le Client s’engagent par les présentes à conclure les Clauses Contractuelles Types applicables jointes en Annexe 4 ou en Annexe 5, selon le cas, et incorporées par référence dans la présente CTD. En cas de conflit entre une disposition des Clauses Contractuelles Types et toute autre partie de la présente CTD ou du Contrat, la disposition des Clauses Contractuelles Types prévaudra. Tout Transfert Restreint doit être effectué conformément auxdites Clauses Contractuelles Types. Le Prestataire imposera aux Sous-Traitants Ultérieurs, s’il en existe, au moyen d’un contrat écrit, les mêmes obligations que celles imposées au Sous-Traitant aux termes de la présente CTD et des Clauses Contractuelles Types. Dans le cas où le Sous-Traitant Ultérieur ne respecte pas ses obligations en matière de protection des données au titre de ce contrat écrit, le Prestataire demeurera entièrement responsable à l’égard du Client de l'exécution par le Sous-Traitant Ultérieur de ses obligations au titre dudit contrat. En outre, dans le cas où la prestation des Services implique un Transfert Restreint du Prestataire vers un Sous-Traitant Ultérieur situé en dehors de l'UE, le Client (pour son propre compte et pour le compte de ses Affiliées concernées) donne mandat au Prestataire, qui l’accepte par les présentes, de conclure dans les meilleurs délais, au nom et pour le compte du Client en qualité d’'Exportateur de Données (le Sous-Traitant Ultérieur étant l'Importateur de Données), une convention de traitement des Données avec tout Sous-Traitant Ultérieur impliqué par le Prestataire dans un tel Transfert Restreint, avant que ce Sous-Traitant Ultérieur ne commence à traiter les Données à Caractère Personnel du Client, afin de s'assurer qu’un tel Transfert Restreint est conforme à la Législation sur la Protection des Données. Cette convention de traitement des Données à Caractère Personnel devra (a) respecter les conditions énoncées à l'article 28 du RGPD et offrir au moins le même niveau de protection des Données à Caractère Personnel du Client que celles énoncées dans la présente CTD et (b) inclure des Clauses Contractuelles Types. Lorsque le Prestataire utilise la Plate-forme en Nuage d’un Prestataire de Services Tiers pour héberger et/ou fournir les Services, des informations sur les lieux où se trouvent les centres de données des Prestataires de Services Tiers du Prestataire sont disponibles sur les pages des Prestataires de Services Tiers, qui précisent les emplacements des serveurs, et peuvent être mises à jour périodiquement par le Prestataire de Services Tiers. Si le Client a convenu des Clauses Contractuelles Types comme indiqué dans la présente Section 21 (Transfert de Données à Caractère Personnel), le Prestataire s'assurera, nonobstant toute clause contraire du Contrat, que toute divulgation de Données à Caractère Personnel du Client, et toutes notifications relatives à de telles divulgations, soient effectuées conformément à ces Clauses Contractuelles Types. Si, en tout temps, une Autorité de Contrôle, ou un tribunal compétent à l'égard d'une Partie, prescrit que les transferts de responsables de traitement et/ou de sous-traitants dans l'UE ou au Royaume-Uni vers des sous-traitants établis en dehors de l'UE ou du Royaume-Uni doivent être soumis à des garanties supplémentaires spécifiques (y compris, mais sans s'y limiter, des mesures techniques et organisationnelles spécifiques), les Parties collaboreront de bonne foi pour mettre en œuvre ces garanties et s'assurer que tout transfert de Données à Caractère Personnel du Client est effectué sous le bénéfice de ces garanties supplémentaires. De la même manière, si une Autorité de Contrôle adopte des clauses contractuelles types révisées pour les questions traitées dans la présente CTD et que le Client notifie au Prestataire qu'il souhaite incorporer tout élément de ces clauses contractuelles types dans la présente CTD, le Prestataire et le Client pourront convenir de modifier la présente CTD afin d'y incorporer toute modification proposée comme l'exigent raisonnablement les clauses contractuelles types nouvellement adoptées. Dans le cas où les Clauses Contractuelles Types jointes à l'Annexe 4 et l’Annexe 5 seraient considérées comme ne constituant plus un mécanisme de transfert valide pour légitimer les Transferts Restreints, le Prestataire et le Client pourront convenir de modifier la présente CTD afin d'établir un transfert légitime de Données à Caractère Personnel du Client en dehors de l'EEE.
22. Sous-Traitants Ultérieurs. Par les présentes, le Client autorise expressément le recours à des Affiliées du Prestataire en tant que Sous-Traitants Ultérieurs conformément au Contrat et pendant la Durée. En outre, le Client, par les présentes, autorise de manière générale le recours à tous autres tiers en tant que Sous-Traitants Ultérieurs (les « Sous-Traitants Ultérieurs »), sous réserve du respect par le Prestataire de la présente Section 22. Le Client autorise par les présentes tous les « Sous-Traitants Ultérieurs » énumérés à l'Annexe 3. Si le Client a conclu des Clauses Contractuelles Types comme indiqué dans la Section 21 (Transfert de Données à Caractère Personnel), les autorisations ci-dessus constitueront le consentement écrit préalable du Client à la sous-traitance par le Prestataire du Traitement des Données à Caractère Personnel du Client si ce consentement est exigé par les Clauses Contractuelles Types et la Législation sur la Protection des Données et/ou la Législation Non-Européenne sur la Protection des Données, selon le cas. Des informations sur les Sous-Traitants Ultérieurs figurent dans l'Annexe 3 et peuvent être mises à jour par le Prestataire périodiquement conformément à la présente CTD. Lorsqu'il fera appel à un Sous-Traitant Ultérieur, le Prestataire (a) s'assurera, au moyen d'un instrument juridique ou d'un contrat écrit, que (i) le Sous-Traitant Ultérieur n'accède aux Données à Caractère Personnel du Client et ne les traite que dans la mesure nécessaire à l'exécution des obligations qui lui sont sous-traitées, et le fait conformément au Contrat (en ce compris la présente CTD) et à toutes Clauses Contractuelles Types conclues comme indiqué dans la Section 21 (Transfert de Données à Caractère Personnel), le cas échéant ; et (ii) si le RGPD s'applique au Traitement des Données à Caractère Personnel du Client, les obligations de protection des données énoncées à l'article 28(3) du RGPD, telles qu’elles sont décrites dans la présente CTD, sont imposées au Sous-Traitant Ultérieur par ledit instrument juridique ou le contrat ; et (b) demeurera entièrement responsable de toutes les obligations sous-traitées au Sous-Traitant Ultérieur, ainsi que de tous les actes et omissions de celui-ci. Lorsqu'il sera recouru pendant la Durée aux services d’un Sous-Traitant Ultérieur Tiers ne figurant pas dans l'Annexe 3 à la Date d'Effet du Contrat, le Prestataire informera le Client de ce recours (notamment du nom et de la localisation du Sous-Traitant Ultérieur Tiers concerné et des activités qu'il exercera) en envoyant un courrier électronique à l'Adresse Électronique de Notification, au moins trente (30) jours avant que le nouveau Sous-Traitant Ultérieur Tiers ne commence à traiter des Données à Caractère Personnel du Client quelles qu’elles soient. Le Client pourra s'opposer à tout nouveau Sous-Traitant Ultérieur Tiers en résiliant le Contrat avec effet immédiat moyennant une notification écrite adressée au Prestataire, à condition d’envoyer cette notification dans les trente (30) jours suivant la date à laquelle il aura été informé du recours aux services du Sous-Traitant Ultérieur Tiers. Ce droit de résiliation constitue le seul et unique recours du Client si celui-ci s'oppose à un quelconque nouveau Sous-Traitant Ultérieur Tiers.
23. Registres des activités de Traitement. Le Client reconnaît que le RGPD impose au Prestataire de : (a) collecter certaines informations et de tenir des registres contenant ces informations, notamment le nom et les coordonnées de tout Sous-Traitant et/ou Responsable du Traitement pour le compte duquel le Sous-Traitant agit et, le cas échéant, du représentant local et du délégué à la protection des données dudit Sous-Traitant ou Responsable du Traitement, ainsi que les catégories de Traitements effectués pour le compte de chaque Responsable du Traitement et, dans la mesure du possible, une description générale des mesures de sécurité techniques et organisationnelles ; et (b) mettre ces informations à la disposition des Autorités de Contrôle.
24. California Consumer Privacy Act (CCPA). Si et dans la mesure où le CCPA s'applique à la collecte, la conservation, l'utilisation et la divulgation des données personnelles du Client (telles que définies dans le CCPA) pour fournir les Services au Client conformément au Contrat, les Parties reconnaissent et acceptent que le Prestataire ne reçoit aucune donnée personnelle du Client (« Données Personnelles du Client ») en contrepartie des Services ou d'autres éléments fournis par le Prestataire au Client. À l'exception de ce qui est expressément stipulé dans le Contrat, le Fournisseur ne doit pas (a) avoir, obtenir ou exercer des droits ou des avantages concernant les Données Personnelles du Client, (b) vendre des Données Personnelles du Client ou (c) recueillir, conserver, partager ou utiliser des Données Personnelles du Client, sauf si cela est nécessaire à la seule fin d'exécuter les Services et les services professionnels qui y sont liés, le cas échéant, ou si cela est autrement permis en vertu du CCPA. Le Prestataire s'abstiendra de prendre toute mesure qui impliquerait un transfert des Données Personnelles du Client, que ce soit au Prestataire ou par le Prestataire, qui soit considéré comme une vente de données personnelles en vertu du CCPA. Le Prestataire comprend et respectera les restrictions énoncées dans la présente section et les exigences applicables du CCPA. Aux fins de cette Section 24 (« California Consumer Privacy Act (CCPA) » ), le Prestataire est un Prestataire de Services et les termes « Données Personnelles » (Personal Information), « Vendre » (Sell), « Vente » (Sale) et « Prestataire de services » (ServiceProvider) ont la même signification que dans le CCPA. Si une autorité américaine adopte des dispositions révisées du CCPA pour les questions traitées dans la présente CTD et que le Client notifie au Prestataire qu'il souhaite incorporer un élément de ces dispositions révisées dans la présente CTD, le Prestataire et le Client peuvent convenir de modifier la présente CTD afin d'incorporer les changements proposés, comme l'exigent raisonnablement les dispositions nouvellement adoptées.
25. Plafond de Responsabilité Convenu. Le plafond de responsabilité fixé dans le Contrat régissant la prestation des Services, dont la présente CTD fait partie intégrante, s'applique à tout manquement aux stipulations de la présente CTD ou à tout préjudice susceptible de résulter du non-respect par le Prestataire ou son Affiliée de la Législation sur la Protection des Données. Rien dans la présente Section 25 (Plafond de Responsabilité Convenu) n'affectera les autres termes du Contrat relatifs à la responsabilité (notamment toutes exclusions spécifiques d’une quelconque limitation de responsabilité).
26. Stipulations diverses
- Ni les droits ni les obligations d'une Partie ne peuvent être cédés en totalité ou en partie sans le consentement écrit préalable de l'autre Partie, étant toutefois entendu que la présente CTD pourra être transférée ou cédée en cas de restructuration ou de changement de contrôle affectant une Partie aux présentes.
- En cas de différend entre les Parties lié à la présente CTD, celles-ci négocieront de bonne foi afin de résoudre leur différend. Si le différend ne peut être résolu par des négociations de bonne foi entre les Parties, les Parties soumettent irrévocablement par la présente tout litige en vertu de la présente CTD à la juridiction des tribunaux français compétents.
- La présente CTD est soumise au droit français, sans référence à ses règles de conflits de lois.
- Dans le cas où une stipulation de la présente CTD serait jugée nulle ou inopposable par un tribunal compétent, les autres stipulations de la présente CTD resteront valables et en vigueur. La stipulation nulle ou inopposable devra soit (i) être modifiée dans la mesure du nécessaire pour assurer sa validité et son opposabilité, tout en préservant au mieux l’intention des Parties, soit, si cela n'est pas possible, (ii) être interprétée comme si la partie nulle ou inopposable n’avait jamais figuré dans cette stipulation.
- Toute modification de la présente CTD devra faire l’objet d’un avenant écrit, à défaut duquel elle sera nulle et de nul effet.
27. Définitions. Les termes commençant par une majuscule qui sont utilisés sans être définis dans la présente CTD ont la signification qui leur est attribuée dans le Contrat. Dans la présente CTD, sauf indication contraire :
“Adresse(s) Électronique(s) de Notification” désigne l’ (les) adresse(s) électronique(s) indiquée(s) par le Client pour recevoir certaines notifications de la part du Prestataire.
“Affiliée” désigne toute entité qui contrôle, est contrôlée par, ou est sous contrôle commun avec, une Partie, le terme « contrôle » étant défini comme : (a) la propriété d’au moins cinquante pour cent (50 %) des capitaux propres ou des droits conférant la propriété effective de l’entité ; (b) le droit de voter en faveur ou de désigner une majorité des membres du conseil d’administration ou d’un autre organe de direction de l’entité ; ou (c) le pouvoir d’exercer une influence déterminante sur la gestion ou les orientations de l’entité.
“Clauses Contractuelles Types » ou « CCT” désigne les clauses types relatives à la protection des données pour le transfert de données à caractère personnel vers des pays tiers situés en dehors de l'Espace Économique Européen qui n’assurent pas un niveau adéquat de protection des données, telles que (i) approuvées par la Commission européenne, dans la Décision d'Exécution (UE) 2021/914 du 4 juin 2021 “relative aux clauses contractuelles types pour le transfert de données à caractère personnel vers des pays tiers en vertu du RGPD” pour les Transferts Restreints relatifs aux personnes concernées de l'Union Européenne, le cas échéant modifiées, remplacées ou abrogées par tout ensemble de clauses approuvées par la Commission européenne, et (ii) publiées par l'Information Commissioner's Office conformément à la S119A(1) du Data Protection Act 2018 pour les transferts restreints liés aux personnes concernées du Royaume-Uni et approuvées par le Parlement britannique. Les Clauses Contractuelles Types sont jointes en Annexe 4 pour les Transferts Restreints relatifs aux personnes concernées de l'Union Européenne et en Annexe 5 pour Transferts Restreints relatifs aux personnes concernées du Royaume-Uni et font partie de la CTD lorsqu’elles sont applicables.
“Contrat” désigne le Contrat de Prestation de Services conclu entre le Prestataire et le Client pour la prestation de Services par le Prestataire au Client.
“Date d’Effet” désigne la date à laquelle le Client et le Prestataire sont convenus de la présente CTD, et elle correspond à la Date d’Effet du Contrat.
“Données du Client »” désigne les données soumises, conservées, envoyées ou reçues par le biais des Services par le Client, ses Affiliées ou Utilisateurs Finaux. Les Données du Client peuvent également comprendre les Données à Caractère Personnel envoyées ou mises de toute autre manière par le Client à la disposition du Prestataire et/ou des Affiliées du Prestataire lorsque le Client utilise les Solutions d’Affiliées du Prestataire.
“Données à Caractère Personnel du Client” désigne les Données à Caractère Personnel contenues dans les Données du Client, telles qu’elles sont décrites dans l’Annexe 1.
“Durée” ésigne la période s’étendant de la Date d’Effet du Contrat jusqu’à la fin de la prestation par le Prestataire des Services au Client dans le cadre du Contrat, en ce compris, le cas échéant, toute période au cours de laquelle la prestation des Services peut être suspendue et toute période postérieure à la cessation du Contrat au cours de laquelle le Prestataire peut continuer à fournir les Services au Client de manière transitoire.
“EEE” désigne l’Espace Économique Européen ainsi que, aux fins de la présente CTD, la Suisse et le Royaume-Uni.
“Incident Affectant les Donnée” désigne une violation des mesures de sécurité du Prestataire entraînant, de manière accidentelle ou illicite, la destruction, la perte, l’altération, la divulgation non autorisée de Données à Caractère Personnel du Client sur des systèmes gérés par le Prestataire ou contrôlés de toute autre manière par lui, ou l’accès non autorisé à de telles Données à Caractère Personnel du Client. « Incidents Affectant les Données » ne comprend pas les tentatives infructueuses ou les activités qui ne compromettent pas la sécurité des Données à Caractère Personnel du Client, notamment les tentatives de connexion, les pings, les scans de port, les attaques par déni de service et autres attaques de réseau sur les pare-feu ou les systèmes en réseau qui échouent.
“Législation sur la Protection des Données” désigne, selon le cas : (a) le RGPD ; et/ou (b) la Loi fédérale sur la protection des données du 25 septembre 2020 (Suisse) ; et/ou (c) les lois applicables au Royaume-Uni en matière de protection des données, ainsi que toutes lois sur la protection des données qui modifient de manière substantielle, remplacent ou se substituent au RGPD, à la Loi fédérale sur la protection des données de Suisse, aux lois applicables au Royaume-Uni en matière de protection des données, et/ou toute autre législation interne applicable en matière de protection des données ou respect de la vie privée en vigueur dans tout État membre de l’Union européenne, que ce soit au niveau national/ fédéral ou des états fédérés / provinces, en ce compris, selon le cas, les lois, décisions, lignes directrices, notes d’orientation, codes de pratique, codes de conduite et mécanismes de certification en matière de protection des données périodiquement délivrés par un tribunal compétent ou une Autorité de Contrôle, concernant le Traitement de données à caractère personnel et le respect de la vie privée.
“Législation Non-Européenne sur la Protection des Données” désigne toute législation sur la protection des données ou le respect de la vie privée au niveau national/ fédéral ou au niveau des états fédérés / provinces / émirats, autre que la Législation sur la Protection des Données.
“Standard Contractual Clauses” or “SCCs” means the standard data protection clauses for the transfer of personal data to third countries located outside EEA which do not ensure an adequate level of data protection, as (i) approved by the European Commission in the Implementing Decision (EU) 2021/914 of 4 June 2021 “on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR” for Restricted Transfers related to EU data subjects, as amended, replaced or superseded by any set of clauses approved by the European Commission, and as (ii) issued by the Information Commissioner's Office in accordance with S119A(1) of the Data Protection Act 2018 for Restricted Transfers related to UK data subjects and approved by the UK Parliament. The SCCs are enclosed as Appendix 4 for Restricted Transfers related to EU data subjects and enclosed in Appendix 5 for Restricted Transfers related to UK data subjects. Both appendices are part of this DPA when applicable.
“Mesures de Sécurité” means the computing and storage infrastructure contracted by Supplier to run the Services and to store the Customer Data. For the avoidance of doubt, Supplier’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third Party Offerings.
“Subprocessor(s)” a la signification attribuée à ce terme dans la Section 13 (Mesures de Sécurité du Prestataire).
“Plafond de Responsabilité Convenu” désigne le montant maximal financier ou basé sur les paiements, auquel la responsabilité d’une Partie est plafonnée au titre du Contrat, soit par période annuelle, soit par événement donnant lieu à responsabilité, selon le cas.
“RGPD” désigne le Règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE.
“Systèmes du Prestataire” désigne l’infrastructure informatique et de conservation utilisée par le Prestataire en vertu d’un contrat pour exécuter les Services et pour conserver les Données du Client. Il est précisé, afin d’écarter toute ambiguïté, que le terme « Systèmes du Prestataire » n’englobe pas les Solutions de Prestataires de Services Tiers utilisées par le Client en vertu d’un contrat, ni aucune des Offres de Tiers.
“Sous-Traitants Ultérieurs” désigne les tiers autorisés par le Sous-Traitant en vertu de la présente CTD à avoir un accès logique aux Données du Client et à les traiter pour le compte du Client afin de fournir certaines parties des Services et l’assistance technique y afférente, notamment les Affiliées du Prestataire.
“Services” désigne les services qui ont été achetés par le Client dans le cadre du Contrat et de tout Bon de Commande ou Cahier des Charges applicable, qui peuvent inclure toute mise à jour ou tout remplacement de ceux-ci ainsi que l’assistance technique fournie par le Prestataire au Client conformément aux termes du Contrat. Le terme « Services » ne comprend pas (i) les Solutions d’Affiliées du Prestataire que le Client a pu se faire concéder en vertu d’une licence distincte, (ii) toutes Offres de Tiers que le Client a pu se faire concéder en vertu d’une licence distincte, ni (iii) les Solutions de Prestataires de Services Tiers utilisées par le Client.
“Solution d’Affiliées du Prestataire“ désigne toute solution ou tout logiciel fourni(e) par une ou plusieurs Affiliée(s) du Prestataire, qui complète et/ou est nécessaire pour fournir les Services exécutés par le Prestataire, que soit (i) le Client s’est fait concéder sous licence par une Affiliée du Prestataire, soit (ii) le Client s’est fait concéder sous licence par le Prestataire.
“Solution de Prestataire de Services Tiers“ désigne toute solution ou tout logiciel sur laquelle (lequel) l’ensemble ou une partie des Services sont exécutés par le Prestataire, que le Client s’est fait concéder en vertu d’une licence distincte, le cas échéant, par un Prestataire de Services Tiers non affilié. Les Solutions de Prestataires de Services Tiers peuvent inclure notamment les solutions ou les logiciels Google, Microsoft et/ou Facebook.
“Transfert Restreint“ désigne (a) un transfert des Données à Caractère Personnel du Client vers le Prestataire ou le Sous-Traitant Ultérieur, ou (b) un transfert ultérieur des Données à Caractère Personnel du Client du Prestataire ou du Sous-Traitant Ultérieur vers le (ou entre deux établissements du) Prestataire ou le Sous-Traitant Ultérieur, dans chaque cas, vers un pays hors de l'EEE, où un tel transfert serait interdit par la Législation Européenne sur la Protection des Données en l'absence de Clauses Contractuelles Types ou d'autres instruments juridiques exigés par la Législation Européenne sur la Protection des Données.
“Utilisateur Final“ désigne les personnes physiques autorisées par le Client à accéder aux Services ou à les utiliser, en ce compris le personnel, les salariés, les mandataires ou les prestataires du Client et des Affiliées de celui-ci.
Les termes “Données à Caractère Personnel“, “Personne Concernée“, “Traitement“, “Responsable du Traitement“, “Sous-Traitant“ et “Autorité de Contrôle“, tels qu’ils sont utilisés dans la présente CTD, ont la signification qui leur est attribuée dans le RGPD, et les termes “Importateur de Données“ et “Exportateur de Données“ ont la signification qui leur est attribuée dans les Clauses Contractuelles Types, dans chaque cas, que ce soit la Législation Européenne sur la Protection des Données ou la Législation Non-Européenne sur la Protection des Données qui s’applique.
Annexe 1 - Informations sur le Traitement des Données à Caractère Personnel du Client
Catégories de Personnes Concernées dont les Données à Caractère Personnel seront Traitées par le Prestataire de Services
Données à Caractère Personnel qui seront Traitées par le Prestataire
Finalités pour lesquelles les Données à Caractère Personnel seront Traitées par le Prestataire
Durée pendant laquelle le Prestataire exercera ses activités de Traitement
Categories of Data Subjects • Categories of Data Subjects whose Personal Data will be Processed by Service Provider
Data Subjects whose Personal Data is provided to Supplier via the Services, by (or at the direction of) Customer or by End Users, including (a) End Users (including Customer’s employees and contractors); (b) Customer’s own customers, suppliers and subcontractors (and each of their personnel); and (c) any other person whose Personal Data is transmitted via the Services, including individuals collaborating and communicating with End Users.
Categories of data • Personal Data that will be Processed by Supplier
Personal Data that will be Processed by Supplier includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via Services, including third party services to which Customer grants access to Supplier, and may include the following categories of data: user IDs, first and last names, work contact details, location data, gender or title, age or date of birth, event attendance, email, textual information used in documents and document titles, description and other metadata, text and images to be displayed by the Services, audit log information, system log information and other data.
As the case may be, subject to the relevant Agreement, special categories of personal data may be submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services.
Purposes • Purposes for which the Personal Data will be Processed by Supplier
Supplier will process Customer Personal Data identified above for the purposes of providing the Services and related technical support to Customer, for the defense of its rights and to comply with any legally binding request for disclosure of Customer Data by a law enforcement authority, in accordance with this DPA.
Duration of Processing • The length of time for which Processing activities will be carried out Supplier
The applicable Term plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with this DPA.
Annexe 2 - Mesures de Sécurité
1. A compter de la Date d’Effet, le Prestataire mettra en œuvre et maintiendra les Mesures de Sécurité énoncées dans la présente Annexe 2 de la CTD. Le Prestataire pourra de temps à autre être amené à mettre à jour ou modifier lesdites Mesures de Sécurité, à condition toutefois que ces mises à jour et modifications n’entraînent pas une dégradation de la sécurité globale du Système du Prestataire et des Services.
2. Sécurité de l'infrastructure. Le Prestataire utilise Google Workspace et Google Cloud Platform (GCP) pour héberger les Systèmes du Prestataire. Tous les Systèmes du Prestataire sont entièrement gérés par Google Inc. (Google), qui est responsable de la sécurité physique et de la sécurité du réseau des Systèmes du Prestataire. Les mesures de sécurité de Google concernant les infrastructures Google Workspace et GCP sont décrites sur cette page (Google Workspace) https://workspace.google.com/security/?secure-by-design_activeEl=data-centers et sur cette page (Google Cloud Platform) : https://cloud.google.com/security/.
3. Sécurité du personnel. Le personnel du Prestataire qui accède aux Systèmes du Prestataire est authentifié via son compte Google Workspace, protégé par les mêmes mesures physiques, de réseau et d'organisation que celles décrites ci-dessus. Le personnel du Prestataire est tenu de se comporter d'une manière conforme aux directives de l'entreprise en matière de confidentialité, d'éthique commerciale, d'utilisation appropriée et de normes professionnelles. Le Prestataire procède à des vérifications raisonnablement appropriées des antécédents dans la mesure où la loi l'autorise et conformément au droit du travail local et aux réglementations statutaires applicables. Le personnel est tenu de signer un accord de confidentialité et doit accuser réception des politiques de confidentialité et de protection de la vie privée du Prestataire et s'y conformer. Le personnel est également tenu de suivre une formation appropriée sur les principes de protection de la vie privée et des données, conformément à la Législation sur la Protection des Données.
4. Sécurité des Sous-Traitants Ultérieurs. Avant d'engager des Sous-Traitants Ultérieurs, le Prestataire effectue un audit des pratiques de sécurité et de confidentialité des Sous-Traitants Ultérieurs afin de s'assurer que les Sous-Traitants Ultérieurs fournissent un niveau de sécurité et de confidentialité adapté à leur accès aux Données à Caractère Personnel du Client et à la portée des services qu'ils sont engagés à fournir. Une fois que le Prestataire a évalué les risques présentés par le Sous-Traitant Ultérieurs, sous réserve des exigences énoncées à l'article 22 (Sous-Traitants Ultérieurs) de la présente Convention de Traitement des Données, le Sous-Traitant Ultérieurs est tenu de conclure des conditions contractuelles appropriées en matière de sécurité, de confidentialité et de respect de la vie privée.
Annexe 3 - Sous-Traitants Ultérieurs
Le Prestataire fait appel aux Sous-Traitants Ultérieurs suivants pour l’exécution des Services :
Annexe 4 -
European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
This Appendix 4 applies to Restricted Transfers related to EU data subjects and includes 2 Modules:
- Module 2 of the SCCs is applicable to Restricted Transfers of Customer Personal Data, whereby Customer acts as data controller and Supplier acts as data processor; and
- Module 3 of the SCCs is applicable to Restricted Transfers of Customer Personal Data, whereby Customer acts as a data processor and Supplier also acts as data processor.
MODULE 2
Controller to Processor
This Module 2 of the SCCs is applicable to the Restricted Transfers of Customer Personal Data whereby Customer acts as a controller and Supplier acts as a processor.
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e)
(iii) Clause 9(a), (c), (d) and (e)
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union4(in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non
compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub
processors at least thirty (30) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Luxembourg.
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Luxembourg.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
MODULE 3
Processor to processor
This Module 3 of the SCCs is applicable to the Restricted Transfers of Customer Personal Data whereby Customer acts as a processor and Supplier also acts as a processor.
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II - OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a) The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of subprocessors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. The data exporter shall forward the notification to the controller.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. The data exporter shall make the assessment available to the controller.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Luxembourg.
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Luxembourg.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I (applicable to MODULE 2 and MODULE 3)
A. LIST OF PARTIES
Data exporter:
1. Customer as data exporter (MODULE 2)
Name: Customer, as defined in the Agreement
Address: Customer’s address, as defined in the Agreement
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Controller
2. Customer as data exporter (MODULE 3)
Name: Customer, as defined in the Agreement
Address: Customer’s address, as defined in the Agreement
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Processor
Data importer (MODULE 2 and MODULE 3):
Name: Revevol France SAS or Revevol Italia Srl, as the case may be
Address: 6, rue Beaubourg, 75004 Paris, FRANCE (Revevol France SAS) ; Via Giosue’ Carducci 125/A, 20099 Sesto San Giovanni, Milan, Italy (Revevol Italia Srl)
Contact person’s name, position and contact details: Emeline Cuchot, DPO, legal@revevol.eu
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Categories of personal data transferred
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfer is made on a continuous basis.
Nature of the processing
All kind of processings as defined in article 4(2) of the GDPR, meaning any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose(s) of the data transfer and further processing
Transfer and processing of Customer Personal Data by importer for the provision of Services in accordance with Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Purpose(s) for which the personal data is processed on behalf of the controller
Processing of Customer Personal Data by importer for the provision of Services in accordance with Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Appendix 3 (“Subprocessors”) of the DPA and ANNEX III of the SCCs (“LIST OF SUB-PROCESSORS”)
Processing will take place during the applicable Term, as defined in the Data Processing Agreement, plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with the Data Processing Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
CNPD (Luxembourg)
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA (applicable to MODULE 2 and MODULE 3)
Technical and organisational measures including technical and organisational measures to ensure the security of the data are detailed in Appendix 2 (Security Measures) of the Data Processing Agreement.
ANNEX III – LIST OF SUB-PROCESSORS (applicable to MODULE 2 and MODULE 3)
The controller has authorised the use of the sub-processors detailed in Appendix 3 (Subprocessors) of the Data Processing Agreement.
Appendix 5 - Transfers from the United-Kingdom (UK Addendum)
This appendix is applicable when personal data is transferred from the United Kingdom to a third country which does not ensure an adequate level of data protection pursuant to UK GDPR.
Part 1: Tables
Table 1: Parties
|
| |
|
|
|
|
|
Trading name (if different): Main address (if a company registered address): 6, rue Beaubourg, 75004 Paris, FRANCE (Revevol France SAS) ; Via Italia 44, 20900 MONZA (MB), Italy (Revevol Italia Srl)
|
|
|
|
Table 2: Selected SCCs, Modules and Selected Clauses
| ☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
☒ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
|
|
|
|
|
|
|
| ||||||
|
|
|
|
|
| |
|
|
|
|
|
| |
|
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
|
|
|
Annex III: List of Sub processors (Modules 2 and 3 only): See Appendix 4, Annex III of the DPA |
Table 4: Ending this Addendum when the Approved Addendum Changes
|
|
Part 2: Mandatory Clauses
Entering into this Addendum
- Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
- Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
- If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
- If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
- If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
- Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
- Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
- Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
- This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
- this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
- Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
- No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
- The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
- References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
- In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- References to Regulation (EU) 2018/1725 are removed;
- References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
- Clause 13(a) and Part C of Annex I are not used;
- The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
- The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
- If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
- From time to time, the ICO may issue a revised Approved Addendum which:
- makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
- reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
- If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
- its direct costs of performing its obligations under the Addendum; and/or
- its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum a
Nos services
Élément juridiques
Contactez nos équipes
dès que possible.
