Data Protection Agreement
This document is an appendix to the General Conditions between the Customer (hereinafter the “Processing
Manager”) and Scrupp (hereinafter the “Subcontractor”). Each party is referred to as a “Party” and
together the “Parties”.
For the purposes hereof, capitalized terms and expressions shall have the same meaning as that attributed
to them in the General Terms and Conditions.
The purpose of these clauses is to define the conditions under which the Subcontractor undertakes to
carry out, on behalf of the Data Controller, the personal data processing operations defined below.
Within the framework of their contractual relations, the parties undertake to comply with the applicable
regulations on the processing of personal data and, in particular, Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 (hereinafter “the General Data Protection
II. Description of the outsourced processing
The Subcontractor is authorised to process, on behalf of the Controller, the personal data necessary for
the provision of the following services: (i) cleaning, correcting, synchronising, enriching, organising
and directing the contact details of the Data Controller’s customers, prospects and suppliers, (ii)
automatically detecting and merging duplicates and (iii) updating the contact details of the Data
Controller’s customers, prospects and suppliers with regard to erroneous e-mails, in particular by
synchronising the mailboxes of the Data Controller’s employees (hereinafter together the
The categories of data subjects are the customers, prospects and suppliers of the Data
Controller (hereinafter the “Persons”).
The nature of the operations carried out on the data is the collection, processing and storage
of the personal data of the Persons for the performance of the Services.
The purpose of the processing is the performance of the Services.
The personal data processed are data identifying the Individuals and data relating to the
Individual’s professional situation.
In the performance of the Services referred to herein, the
Data Controller shall provide the Subcontractor with the following necessary information: information
and data identifying the Persons.
In any case, no data transfer shall be made to any third party.
III. The Subcontractor’s obligations towards the Controller
The Subcontractor undertakes to:
1. process the data solely for the purpose covered by this subcontract;
2. process the data in accordance with the documented instructions of the Data Controller.
The parties agree that any use or parameterization of the Subcontractor’s solution by the Data
Controller will be recorded and considered as a documented instruction. Where the Subcontractor
considers that an instruction infringes the General Data Protection Regulation or any other legal
provision of the Union or the Member States relating to data protection, it must immediately inform the
Data Controller. In addition, where the Subcontractor is required to transfer personal data to a third
country or to an international organisation under the law of the Union or the law of the Member States
to which it is subject, the Subcontractor must inform the Controller of this legal obligation before
carrying out the processing, unless that law prohibits the disclosure of such information on important
public interest grounds. Notwithstanding the foregoing, the Subcontractor is expressly authorised by the
Data Controller to process the data in order to improve the Subcontractor’s technology and services and
to provide such services as described in Section II.
3. guarantee the confidentiality of the personal data processed hereunder;
4. ensure that persons authorised to process personal data under this :
- are committed to confidentiality or are subject to an appropriate legal obligation of
- receive the necessary training in the protection of personal data.
5. take into account, with regard to its tools, products, applications or services, the principles of data
protection by design and by default.
6. Subcontracting Contracts: The Data Controller hereby acknowledges and agrees to the engagement by
the Subcontractor of the following Further Subcontractors, as defined below, with servers within the
The Subcontractor may engage another Subcontractor (hereinafter “the Subcontractor”) to perform specific
processing activities. In such a case, the Subcontractor must inform the Controller in writing in
advance of any planned changes concerning the addition or replacement of other Subcontractors. This
information must clearly indicate which processing activities are subcontracted, the name and contact
details of the Subcontractor and the dates of the Subcontracting Contract. The Data Controller shall
have a minimum of 30 (thirty) days from the date on which he receives the said information to object to
it. The subsequent subcontracting contract is only possible if the Data Controller has not objected to
it within the agreed time limit.
The Subsequent Subcontractor is required to comply with these obligations on behalf of and in accordance
with the instructions of the Data Controller. It is the Subcontractor’s responsibility to ensure that
the Subcontractor provides the same sufficient guarantees for the implementation of appropriate
technical and organisational measures so that the processing meets the requirements of the European Data
Protection Regulation. Where the Further Processor fails to fulfil its data protection obligations, the
Subcontractor shall remain fully liable to the Controller for the performance of its obligations by the
7. Exercise of data subjects’ rights: the Subcontractor shall assist the Controller, as far as possible,
in fulfilling its obligation to respond to requests to exercise the data subject’s rights: right of
access, rectification, erasure and objection, right to limit processing, right to data portability,
right not to be subject to automated individual decision making (including profiling).
When the data subjects send the Subcontractor requests to exercise their rights, the Subcontractor must
forward these requests as soon as they are received by e-mail to the Controller.
8. Notification of personal data breach: the Subcontractor must notify the Controller of any
personal data breach no later than 72 (seventy-two) hours after becoming aware of it and by e-mail. This
notification must be sent with all the documentation necessary to enable the Controller, where
appropriate, to notify the competent supervisory authority of the violation.
9. Assistance provided by the Subcontractor to the Data Controller with regard to compliance
with its obligations: the Subcontractor shall assist the Data Controller in carrying out data
protection risk analyses and with a view to prior consultation of the supervisory authority.
10. Security measures: the Subcontractor undertakes to implement the following security measures:
the Subcontractor shall only use SSL/TLS (Secure Sockets Layer) encrypted channels for all sources from
which certain personal data is collected. These protocols automatically encrypt all information before
it is sent to the Subcontractor. Data is thus encrypted as it travels.
Fate of the data: at the end of the Services relating to the processing of this data, the
Subcontractor undertakes to destroy all personal data, no later than one month after the end of the
11. Register of categories of processing activities: the Subcontractor declares that it keeps a
written register of all categories of processing activities carried out on behalf of the Controller.
12. Documentation: the Subcontractor shall make available to the Controller the documentation
necessary to demonstrate that it complies with all its obligations and to enable the Controller or any
other auditor it has authorised to carry out audits, including inspections, and to contribute to such
During these audits, the Controller or the auditor it has engaged for this purpose is not authorised to
have access to business secrets, strategic information or any information that the Subcontractor has
undertaken to keep confidential. The Subcontractor shall have the right to object to any inspections
and/or verifications by the Controller or its auditor which might allow it to access such information,
without the Controller being able to assert any right in this respect. In any event, the Controller
shall ensure that the auditor and, more generally, its staff carrying out such audits are subject to
appropriate confidentiality obligations.
IV. Obligations of the Controller
1. Right to information and consent of the data subjects: it is the responsibility of the
Controller to inform the data subjects of the processing operations at the time the data are collected.
More specifically, insofar as the Controller is not aware of (i) the data subjects of the processing
operation, (ii) the possible contractual relationship between the Controller and the data subjects and
the purpose of the data processing and (iii) the settings decided and made by the Controller, it is
incumbent on the Controller to define the appropriate legal basis for the processing and, where
appropriate, to obtain the consent of the data subjects with regard to the processing.
2. Synchronization of the employees’ mailboxes: it is the responsibility of the Data
– to inform its employees that the Subcontractor will request access to their mailboxes in order to
synchronise the data of the persons concerned (via Google Connect).
– to decide whether or not acceptance of this synchronisation is mandatory.
The Subcontractor’s use and transfer of information collected from Google APIs are in accordance with the Google
API Services User Data Policy, including the Limited Use requirements.
The Controller furthermore undertakes to:
3.1 provide the Subcontractor with the data mentioned in point II of this document;
3.2 record in writing any instructions relating to the processing of data by the Subcontractor. More
specifically, the Subcontractor has developed a solution taking into account the principles of privacy
by design and by default the least intrusive. Other settings can be added by the Data Controller: it is
up to him to define the intended use and the corresponding settings of the solution. As in the situation
previously indicated, any setting made by the Data Controller is considered as an instruction from the
Data Controller to the Subcontractor;
3.3 ensure, before and during processing, compliance with the obligations of the Data Controller
under the European Data Protection Regulation;
3.4 supervise processing, including conducting audits and inspections with the Subcontractor.