This document is an appendix to the General Conditions between the Customer (hereinafter the “Processing Manager“) and Scrupp (hereinafter the “Subcontractor“). Each party is referred to as a “Party” and together the “Parties“.
For the purposes hereof, capitalized terms and expressions shall have the same meaning as that attributed to them in the General Terms and Conditions.
The purpose of these clauses is to define the conditions under which the Subcontractor undertakes to carry out, on behalf of the Data Controller, the personal data processing operations defined below.
Within the framework of their contractual relations, the parties undertake to comply with the applicable regulations on the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “the General Data Protection Regulation”).
The Subcontractor is authorised to process, on behalf of the Controller, the personal data necessary for the provision of the following services: (i) cleaning, correcting, synchronising, enriching, organising and directing the contact details of the Data Controller’s customers, prospects and suppliers, (ii) automatically detecting and merging duplicates and (iii) updating the contact details of the Data Controller’s customers, prospects and suppliers with regard to erroneous e-mails, in particular by synchronising the mailboxes of the Data Controller’s employees (hereinafter together the “Services“).
The categories of data subjects are the customers, prospects and suppliers of the Data Controller (hereinafter the “Persons“).
The nature of the operations carried out on the data is the collection, processing and storage of the personal data of the Persons for the performance of the Services.
The purpose of the processing is the performance of the Services.
The personal data processed are data identifying the Individuals and data relating to the Individual’s professional situation. Pour In the performance of the Services referred to herein, the Data Controller shall provide the Subcontractor with the following necessary information: information and data identifying the Persons.
In any case, no data transfer be made to any third party.
The Subcontractor undertakes to :
1. process the data solely for the purpose covered by this subcontract;
2. process the data in accordance with the documented instructions of the Data Controller. The parties agree that any use or parameterization of the Subcontractor’s solution by the Data Controller will be recorded and considered as a documented instruction. Where the Subcontractor considers that an instruction infringes the General Data Protection Regulations or any other legal provision of the Union or the Member States relating to data protection, it must immediately inform the Data Controller. In addition, where the Subcontractor is required to transfer personal data to a third country or to an international organisation under the law of the Union or the law of the Member States to which it is subject, the Subcontractor must inform the Controller of this legal obligation before carrying out the processing, unless that law prohibits the disclosure of such information on important public interest grounds. Notwithstanding the foregoing, the Subcontractor is expressly authorised by the Data Controller to process the data in order to improve the Subcontractor’s technology and services and to provide such services as described in Section II.
3. to guarantee the confidentiality of the personal data processed hereunder;
4. ensure that persons authorised to process personal data under this :
- are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality;
- receive the necessary training in the protection of personal data.
5. take into account, with regard to its tools, products, applications or services, the principles of data protection by design and default protection.
6. Subcontracting Contracts: The Data Controller hereby acknowledges and agrees to the engagement by the Subcontractor of the following Further Subcontractors, as defined below, with servers within the EU:
The Subcontractor may engage another Subcontractor (hereinafter “the Subcontractor”) to perform specific processing activities. In such a case, the Subcontractor must inform the Controller in writing in advance of any planned changes concerning the addition or replacement of other Subcontractors. This information must clearly indicate which processing activities are subcontracted, the name and contact details of the Subcontractor and the dates of the Subcontracting Contract. The Data Controller shall have a minimum of 30 (thirty) days from the date on which he receives the said information to object to it. The subsequent subcontracting contract is only possible if the Data Controller has not objected to it within the agreed time limit.
The Subsequent Subcontractor is required to comply with these obligations on behalf of and in accordance with the instructions of the Data Controller. It is the Subcontractor’s responsibility to ensure that the Subcontractor provides the same sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the European Data Protection Regulation. Where the Further Processor fails to fulfil its data protection obligations, the Subcontractor shall remain fully liable to the Controller for the performance of its obligations by the Further Processor.
7. Exercise of data subjects’ rights: the Subcontractor shall assist the Controller, as far as possible, in fulfilling its obligation to respond to requests to exercise the data subject’s rights: right of access, rectification, erasure and objection, right to limit processing, right to data portability, right not to be subject to automated individual decision making (including profiling).
When the data subjects send the Subcontractor requests to exercise their rights, the Subcontractor must forward these requests as soon as they are received by e-mail to the Controller.
8. Notification of personal data breach: the Subcontractor must notify the Controller of any personal data breach no later than 72 (seventy-two) hours after becoming aware of it and by e-mail. This notification must be sent with all the documentation necessary to enable the Controller, where appropriate, to notify the competent supervisory authority of the violation.
9. Assistance provided by the Subcontractor to the Data Controller with regard to compliance with its obligations: the Subcontractor shall assist the Data Controller in carrying out data protection risk analyses and with a view to prior consultation of the supervisory authority.
10. Security measures: the Subcontractor undertakes to implement the following security measures: the Subcontractor shall only use SSL/TLS (Secure Sockets Layer) encrypted channels for all sources from which certain personal data is collected. These protocols automatically encrypt all information before it is sent to the Subcontractor. Data is thus encrypted as it travels.
Sort of the data: at the end of the Services relating to the processing of this data, the Subcontractor undertakes to destroy all personal data, no later than one month after the end of the Services.
11. Register of categories of processing activities: the Subcontractor declares that it keeps a written register of all categories of processing activities carried out on behalf of the Controller.
12. Documentation: the Subcontractor shall make available to the Controller the documentation necessary to demonstrate that it complies with all its obligations and to enable the Controller or any other auditor it has authorised to carry out audits, including inspections, and to contribute to such audits.
During these audits, the Controller or the auditor it has engaged for this purpose is not authorised to have access to business secrets, strategic information or any information that the Subcontractor has undertaken to keep confidential. The Subcontractor shall have the right to object to any inspections and/or verifications by the Controller or its auditor which might allow it to access such information, without the Controller being able to assert any right in this respect. In any event, the Controller shall ensure that the auditor and, more generally, its staff carrying out such audits are subject to appropriate confidentiality obligations.
1. Right to information and consent of the data subjects: it is the responsibility of the Controller to inform the data subjects of the processing operations at the time the data are collected. More specifically, insofar as the Controller is not aware of (i) the data subjects of the processing operation, (ii) the possible contractual relationship between the Controller and the data subjects and the purpose of the data processing and (iii) the settings decided and made by the Controller, it is incumbent on the Controller to define the appropriate legal basis for the processing and, where appropriate, to obtain the consent of the data subjects with regard to the processing.
2. Synchronization of the employees’ mailboxes: it is the responsibility of the Data Controller:
– to inform its employees that the Subcontractor will request access to their mailboxes in order to synchronise the data of the persons concerned (via Google Connect).
– to decide whether or not acceptance of this synchronisation is mandatory.
The subcontractor’s use and transfer of information collected from Google APIs are in accordance with the Google API Services User Data Policy, including the Limited Use requirements.
The Controller furthermore undertakes to :
3.1 provide the Subcontractor with the data mentioned in point II of this document;
3.2 record in writing any instructions relating to the processing of data by the Subcontractor. More specifically, the Subcontractor has developed a solution taking into account the principles of privacy by design and by default the least intrusive. Other settings can be added by the Data Controller: it is up to him to define the intended use and the corresponding settings of the solution. As in the situation previously indicated, any setting made by the Data Controller is considered as an instruction from the Data Controller to the Subcontractor;
3.3 ensure, before and during processing, compliance with the obligations of the Data Controller under the European Data Protection Regulation;
3.4 supervise processing, including conducting audits and inspections with the Subcontractor.