Data processing agreement
Last update: Nov 20, 2025
1. Introduction
The purpose of the Data Protection Agreement (hereinafter the "Agreement") is to govern the use of the Personal Data of customers (hereinafter the "Customer") of Flatchr International (hereinafter the "Subcontractor" or "Flatchr International") when using the Flatchr service (hereinafter the "Service").
2. Definitions
The terms "adequacy decision", "technical and organizational measures", "data subjects", "protection by design", "protection by default", "register", "joint controller(s)", "controller of processing activities", "processor", "processing", "personal data breach" present in the Agreement have the meanings described in Articles 4 et seq. of the GDPR.
Other terms are defined below:
- "Agreement": means the appendix to the Contract governing the use of the Customer's Personal Data in accordance with the provisions of Article 28 of the GDPR, also entitled "Data Processing Addendum" ("DPA").
- "DPIA": means an impact analysis that verifies the proportionality of the processing of Personal Data and prevents the risks associated with a processing of Personal Data.
- "Anonymization": refers to processing designed to make it impossible to identify the persons concerned by the processing carried out within the framework of the Service, in an irreversible manner.
- "Supervisory Authority": means the supervisory authority in GDPR matters competent for the Service provided by the Subcontractor.
- "Customer": refers to the entity having subscribed to the Service provided by the Subcontractor.
- "Contract": means the contract entered into between the Subcontractor and the Customer in order to use the Service to which this Agreement is annexed.
- "Right Request(s)": refers to the fundamental right(s) created by the GDPR in Articles 15 et seq. (e.g. right of access, right of erasure, etc.).
- "Customer's Personal Data": means any data relating to an identified or identifiable natural person transmitted to and processed by the Subcontractor on behalf of the Customer as part of the Service, the detailed list of which is set out in the Appendix.
- "Party(ies)": refers jointly to the Customer and the Subcontractor.
- "GDPR": refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, also known as the "General Data Protection Regulation".
- "Applicable regulations on the protection of personal data": means together the French Law no. 78-17 of January 6, 1978 relating to information technology, files and freedoms and the GDPR.
- "Reversibility": means the operation aimed at enabling the transfer and integration, in a usable and recognized format, of the Customer's Personal Data from the Subcontractor's Service to an equivalent service offered by another provider.
- "SaaS Service": refers to software hosted by the Subcontractor that can be used simultaneously by an infinite number of customers.
- "Subsequent Subcontractor": refers to subcontractors hired by the Subcontractor to process the Customer's Personal Data for the exclusive purpose of the Service.
- "End Users": refers to the persons whose Personal Data are processed by the Subcontractor on behalf of the Customer.
3. Contractual relations and duration
The Agreement is an indivisible annex to the Contract signed between the Customer and the Subcontractor for the use of the Service.
In the event of any contradiction between the Contract concluded for the use of the Service and the Agreement, the obligations set out in the Agreement shall prevail over the Contract as regards the GDPR as a whole.
The Agreement shall apply for the duration of the Contract entered into for the use of the Service and may continue beyond the duration of the Contract as long as all the obligations set forth herein remain applicable.
4. Role of the Parties and scope of application
The Customer acts, under the Agreement, as the controller of the processing activities and Flatchr International acts as a processor within the meaning of Article 28 of the GDPR.
Under no circumstances may the Parties be considered to be jointly responsible under the Service. However, the Parties agree that in the event of an error or a change in their qualification, the Parties shall meet, as soon as possible, to amend the Agreement and take all measures relating to such a situation to comply with the requirements of the applicable Regulations on the protection of personal data.
The Agreement exclusively governs the processing of the Customer's Personal Data carried out in the context of the Service as a Subcontractor within the meaning of Article 28 of the GDPR, to the exclusion of the processing carried out as a data controller by Flatchr International, which is framed in the Contract.
5. Instructions and commitments
The Subcontractor undertakes to use the Customer's Personal Data in connection with the use of the Service only in accordance with the instructions documented in the appendix to the Agreement. The Subcontractor shall immediately inform the Customer if it considers that an instruction given by the latter is illegal with regard to the Regulations applicable to the protection of personal data. The Subcontractor shall not be held liable in the event that, despite the Subcontractor's notification concerning the illegality of the instruction, the Customer maintains and applies this instruction via the Service.
The Subcontractor undertakes to comply with the provisions of the GDPR and, in particular, to keep a register of processing activities specific to the Service and to develop its Service in compliance with the rules of "Protection by Design" and "Protection by Default".
The Subcontractor undertakes never to transfer the Customer's Personal Data for any purpose other than the provision of the Service, and undertakes never to use the Customer's Personal Data for its own purposes as data controller.
The Subcontractor declares that all internal and external personnel involved in the processing of the Customer's Personal Data are bound by one or more binding legal documents and regularly receive training and awareness-raising.
The Subcontractor undertakes to guarantee the security of the Customer's Personal Data and to implement all the technical and organizational measures necessary for its Service, details of which are given in the appendix to the Agreement.
On the other hand, the Subcontractor is never liable for the Customer's failure to comply with applicable regulations on the protection of personal data when using the Service as data controller.
Restricted data access
Only recipients duly authorized by Flatchr may access data, in accordance with a security policy that ensures that access is restricted to information required for business purposes. Access rights are granted on a "least privilege" and "need-to-know" basis. Access rights are granted in accordance with the user's function, and are updated in the event of a change of function. Flatchr's personal data protection policy is organized around logical, physical and organizational measures.
Rights to your personal data
6. Assistance with DPIA
DPIAs must be carried out by the Customer, in accordance with the provisions of the GDPR. Nevertheless, the Subcontractor undertakes to provide, at the Customer's written request, all information necessary and required for the Customer to ensure that a DPIA is carried out.
On the other hand, the Subcontractor is not obliged to carry out DPIAs for and on behalf of the Customer. Any additional request for information may be refused.
7. Assistance with claims
Right Requests sent by End Users are transferred to the Customer as soon as possible. The Subcontractor is not required to maintain an inventory of Right Requests on behalf of the Customer, and is not liable for any failure by the Customer to manage Right Requests.
Upon the Customer's written request, the Subcontractor shall carry out the technical actions required for the Customer to fulfil its obligation to comply with the requests of the persons concerned.
The Customer accepts and understands that the Subcontractor is not obliged to manage Right Requests made by individuals within the framework of the Service in place of and on behalf of the Customer. Any additional request for such management will be refused.
Right Requests sent to the Subcontractor as data controller are processed exclusively by the Subcontractor and are not transferred to the Customer.
8. Assistance with safety measures
The Subcontractor undertakes to provide all necessary and required information on the technical and organizational security measures to be implemented to guarantee the security of the Customer's Personal Data in connection with the provision of the Service.
9. Violations of Personal Data
The Subcontractor undertakes to notify the Customer, as soon as possible and, at the latest, within 48 working hours of becoming aware of any personal data breach in connection with the Service likely to affect the Customer's Personal Data, together with all necessary and required information in its possession to mitigate the effects of the personal data breach. The Customer accepts and acknowledges that the 72-hour period applying to it only starts from the time it becomes aware of the personal data breach and, as such, the 48-hour working period complies with the GDPR.
The Subcontractor is not authorized to take charge of notifications of personal data breaches to the Supervisory Authority and to inform, on behalf of the Customer, End Users. Any such request from the Customer will be refused.
10. Subsequent subcontractors
The Customer grants the Subcontractor general authorization to recruit subsequent Subcontractors on condition that the Subcontractor is informed of any changes to such subsequent Subcontractors as soon as possible to enable the Customer to raise objections. The Customer accepts and acknowledges that a specific authorization, for a SaaS tool, is not applicable and could lead to a blocking of the Service.
In the absence of objections raised by the Customer within eight (8) days of notification, the subsequent new Subcontractor is definitively recruited without the Customer being able to object, claim damages or request termination of the Contract. If the timely objection is deemed admissible by the Subcontractor, the latter may offer the Customer one of the following solutions: i) withdrawal of the subsequent Subcontractor, ii) implementation of additional measures to guarantee the security of the Customer's Personal Data, iii) termination of the Service without the Customer being able to claim damages.
To be considered admissible by the Subcontractor, objections must be objective and serious, and must be duly demonstrated. The Parties accept that the following situations will, by default, be considered admissible: i) the proposed subsequent Subcontractor is a direct competitor of the Customer, ii) the subsequent Subcontractor is in a contentious situation with the Customer, iii) the subsequent Subcontractor has been the subject of a conviction by a Supervisory Authority in the 12 months preceding its recruitment and iv) the subsequent Subcontractor does not comply, if applicable, with the applicable rules provided for transfers outside the European Union.
The Subcontractor undertakes to recruit only Subcontractors who, after inspection, offer the necessary and sufficient guarantees to ensure the security and confidentiality of the Customer's Personal Data. The relationship between the Subcontractor and the subsequent Subcontractor must be set out in an agreement containing obligations similar to the present Agreement.
The Subcontractor remains responsible, within the limits of liability set out in the Agreement, for any breaches of the GDPR that its subsequent Subcontractors may carry out in connection with the Service.
11. Hosting and transfers outside the European Union
a) Data hosting
The Subcontractor undertakes to do everything necessary to host the Customer's Personal Data exclusively within a member state of the European Union. The Customer authorizes the Subcontractor to choose the European Union member state of its choice. In the event that Personal Data is hosted in a country outside the European Union, the Subcontractor undertakes to obtain the Customer's prior authorization and to implement all the mechanisms required to govern this transfer, such as concluding Standard Contractual Clauses and, where applicable, implementing additional technical measures to reinforce the security of the Customer's Personal Data.
b) Data transfers
The Customer grants the Subcontractor a general authorization for transfers outside the European Union if, cumulatively, (i) the transfers are made exclusively to subsequent Subcontractors that comply with the GDPR and (ii) the transfers are made exclusively to a country benefiting from an adequacy decision or are framed by appropriate safeguards such as, in particular, Standard Contractual Clauses. If these conditions are not met, transfers outside the European Union are only authorized with the Customer's prior consent. Additional technical security measures aimed at reinforcing the security of the Customer's Personal Data must be implemented if the Personal Data is transferred to a non-democratic country.
12. Retention periods and fate of Customer Personal Data
The Subcontractor undertakes to retain the Customer's Personal Data only for the duration of the use of the Service, in accordance with the instructions detailed in the appendix, and to delete it at the end of the Contract. Upon written request, the Subcontractor will certify that the Personal Data and all existing copies have been deleted.
The Customer is informed that it must recover its Personal Data before the end of the Agreement. Failing this, the Customer may no longer recover its Personal Data, the deletion of Personal Data being irreversible and definitive. The Subcontractor cannot be held responsible for any loss of Personal Data after deletion, as the Customer assumes full responsibility. The Customer agrees that the total, irreversible and definitive anonymization of the Customer's Personal Data may be used as a means of deletion, and that the Subcontractor shall retain the anonymized data for the improvement of the Service, as accepted by the Supervisory Authorities.
The Subcontractor informs the Customer that the return of Personal Data provided for in the GDPR does not constitute Reversibility of the data to a new subcontractor and that any request to this effect will always be refused by the Subcontractor.
13. Audits
The Customer has the right to carry out an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire has the force of a sworn undertaking binding on the Subcontractor. The questionnaire may be sent in any form to the Subcontractor, who undertakes to reply as soon as possible after receipt.
The Customer also has the right, once a year and at its own expense, to carry out an on-site audit, if necessary on the Subcontractor's premises, in the event of a data breach due to a proven and demonstrated breach by the Subcontractor which has resulted in duly justified prejudice to the Customer. An audit at the Subcontractor's premises may be carried out either by the Customer or by an independent third party appointed by the Customer, and must be notified to the Subcontractor in writing at least thirty (30) days prior to the audit. The Subcontractor has the right to refuse the choice of the independent third party if the latter is i) a direct or indirect competitor of the Subcontractor, ii) in a situation of conflict of interest with the Subcontractor (e.g. counsel to a competitor of the Subcontractor) or iii) in pre-litigation or litigation with the Subcontractor. In this case, the Customer undertakes to select a new independent third party to carry out the audit. The Subcontractor may refuse access to certain areas for reasons of confidentiality or security. In this case, the Subcontractor will carry out the audit in these areas and communicate the results to the Customer.
In the event of any discrepancies identified during the audit, the Subcontractor undertakes to implement, without delay and at its own expense, the measures required to comply with this Agreement. Deviations may only concern the Regulations applicable to the Customer's Personal Data and may not concern internal procedures or measures implemented by the Customer on a specific basis. Deviations must be duly demonstrated, justified and documented.
Should the Subcontractor dispute the discrepancies identified, the Subcontractor may, at the Customer's option and subject to prior written acceptance, propose to i) meet to find an amicable solution and compromise, ii) refer the dispute to the Supervisory Authority for arbitration, and iii) refer the dispute to an independent expert for arbitration.
14. Cooperation with the authorities
The Subcontractor undertakes to cooperate with the CNIL, the competent supervisory authority, in the event of an inspection concerning the processing carried out as part of the Service and undertakes to notify the Customer as soon as possible in the event of requests concerning his Personal Data made by the supervisory authority or by an administrative, judicial or police authority.
15. Contact
The Customer and the Subcontractor each appoint a contact person to be responsible for this Agreement, who will be the recipient of the various notifications and communications to be made under the Agreement.
The Subcontractor hereby informs the Customer that it has appointed Dipeeo SAS as its Data Protection Officer, who may be contacted at the following addresses:
- Email address: dpo@flatchr.io
- Postal address: Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
- Telephone number: 01 59 06 81 85
16. Revisions
The Subcontractor reserves the right to modify this Agreement in the event of changes to the rules applicable to the protection of Personal Data or in the event of changes to the Service which would have the effect of modifying any of its provisions.
Certified by Dipeeo ®