DPA - Data Processing Agreement
Last update: 24/03/2025
Introductory remarks:
The Service Provider has taken note of Regulation (EU) 2016/679 (hereinafter the Regulation) and in particular Article 28 thereof concerning the obligations placed on any processor acting on behalf of a personal data controller.
The Service Provider declares that it has been informed of its obligation to provide contractual guarantees relating in particular to the security, confidentiality and transfer of personal data. It acknowledges that this Appendix is intended to meet those obligations and is inseparable from the service entrusted to it.
I - Definitions
The terms "Data", "Personal Data", "Processor", "Data Controller", "Processing", "Personal Data Breach", refer to the definitions given in the Regulation.
For the purposes of this Agreement, the following terms are contractually defined below:
"Standard Contractual Clauses": Clauses drawn up by the European Commission in their latest version.
"Adequacy decision": Refers to a decision adopted by the European Commission establishing that a third country ensures an adequate level of protection for personal data on the basis of its domestic legislation or international commitments;
"EEA": Refers to the European Economic Area;
"Third country": Refers to a country that does not belong to the EU or the EEA;
"Beneficiary Company": Refers to the company benefiting from the Service negotiated within the Contract.
"Subsequent Subcontractor(s)" or "Subsequent Subcontractors": Refers to the Subcontractor(s) of the Subcontractor;
"Transfer outside the EU" or "Processing outside the EU" or "Transfer": Refers to the transmission of Data, from an EU or EEA member country, to a third country or access to Data, located within an EU or EEA member country, from a third country (e.g. remote access to a database located in Europe);
"Processing of personal data" or "Processing" or "Process": Refers to any operation or set of operations which may or may not be performed using automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"EU": Refers to the European Union;
II - Principles
- In the event of any contradiction between this Appendix and any other part of the Contract, Appendix 1 shall prevail;
- Each Beneficiary Company is independently responsible for processing its own Personal Data. To this end, each Data Controller shall enter into an Application Agreement with the Subcontractor, including completed Appendices A, B and C;
- The Service Provider shall be considered a Subcontractor within the meaning of the Regulations. Any person called upon by the Service Provider to perform services shall be deemed to be a Subsequent Subcontractor;
- In the event of a change in legislation concerning Personal Data, the Service Provider undertakes to take responsibility for the resources (notably technical, financial, human, etc.) required to comply.
III - Purpose of Data Processing
The purpose of the Processing is defined by the Beneficiary Company in its capacity as Data Controller, and the Subcontractor acts solely on the basis of documented instructions from the Customer. The purpose and nature of the Personal Data Processing carried out under this Agreement, the categories of persons concerned and the Personal Data processed or the categories of Personal Data are set out in the Application Agreement of each Beneficiary Company, based on the model defined in Appendix C of this Agreement.
The Processing carried out by the Service Provider is exclusively that required to perform the services provided for in the Contract, any other use being forbidden without the Customer's express prior consent.
In this context, the Service Provider undertakes to enable the Customer to fulfil its legal obligations in relation to the respect of the rights of the persons concerned, in particular those listed in Article XI "Assistance of the Service Provider", and to keep and present any documentation or register required by law.
Any other use is prohibited and renders the Service Provider liable.
IV - Location of Data Processing
Processing must be carried out exclusively within the EU or the EEA.
If justified by the performance of the Service, Processing outside the EU may be carried out with the Customer's express written authorization. The Service Provider undertakes to fully complete Appendix A with all Processing carried out outside the EU. The Customer's signature on Appendix A constitutes acceptance of the Processing outside the EU. Any subsequent Processing outside the EU shall be subject to the Customer's express prior written authorization, by means of the signature of an amendment to Appendix A.
In any event, the Service Provider acknowledges that authorization may only be granted if the planned Transfer benefits from one or more of the following valid exceptions relating to the Personal Data transferred:
- the Transfer takes place to a third country benefiting from an Adequacy Decision;
- the Transfer is governed by Standard Contractual Clauses;
- the Transfer is governed by processor-type Binding Corporate Rules.
Should the exception(s) used for the Transfer become invalid, the Parties agree to meet without delay to bring the framework of the envisaged Transfer into conformity.
V - Subsequent subcontracting
The Service Provider undertakes not to use any Third-Party Subcontractors in the performance of the services without the Customer's express prior written consent. The Service Provider undertakes to fully complete Appendix A with the identification of its Third-Party Subcontractors. The Customer's signature on Appendix A constitutes acceptance of the Subsequent Subcontractors. Any addition of a Subsequent Subcontractor shall be subject to the Customer's express prior written authorization, by means of an amendment to Appendix A.
The Service Provider undertakes to enter into a written contract with its Third-Party Subcontractors containing the same Data protection obligations as those set out in this Appendix. In this event, the Service Provider shall be responsible for ensuring that its Subcontractors comply with the commitments the Service Provider has itself made, in particular those it may make in the Standard Contractual Clauses.
In this respect, the Service Provider will draw up, for each of its Subsequent Subcontractors, details of the Subcontracted Processing activity, and of the countries in which they operate on behalf of the Subcontractor within the framework of the Contract within 2 weeks of the Customer's first request.
The Sub-Contractor is liable to the Customer for any breach of the Contract caused by itself or any person acting on its behalf or at its initiative. Personal Data are not transmitted to any other recipient.
On first request, the Service Provider will provide the Customer with the main elements of the Standard Contractual Clauses signed with the importers of the Personal Data in question.
VI - Security measures
The Service Provider shall implement organizational and technical measures to ensure the physical and logical security of data, in accordance with the highest of the following standards:
- the state of the art,
- industry standards, in particular ISO and IEC standards,
- recommendations issued by data protection authorities or administrative authorities responsible for IT security.
Security measures must guarantee data integrity, traceability of access, availability of Personal Data at all times, and confidentiality of Personal Data, and must include in particular:
- Identification and security of premises (e.g. locked access, restricted access and access requiring authorization and authentication).
- Logical security (e.g. intrusion probes, firewalls, authentication and archiving of data access, incident simulation).
- Encryption of Personal Data in accordance with state-of-the-art requirements.
- Securing Personal Data exchange flows so that they cannot be used by unauthorized third parties.
- Historicization of activities on the IT system: the items tracked are listed with an indication of their retention period (at least 1 year unless otherwise required by law).
- Protection of IT environments with up-to-date antivirus software (programs and virus signatures).
- The implementation of control procedures to ensure the level of security. The customer may request to receive the results and associated action plans of the various tests carried out, such as intrusion tests, vulnerability scans, security audits, etc.
- The undertaking that all persons accessing Personal Data are subject to an obligation of confidentiality.
- Recurrent training of Subcontractor personnel likely to have access to Personal Data in good information security practices and regulatory compliance.
It is up to the Service Provider to determine the aforementioned measures and to transmit them to the Customer at the latest when the contract is concluded, at any time upon request by the Customer, and whenever its security policy is modified.
The Service Provider, in its capacity as a professional in the field of service provision, retains a general obligation to provide advice and warnings concerning all these measures. Specific security measures may be requested by each of the Beneficiary Companies. In such cases, the recipient Companies concerned will contact the Subcontractor in order to contractualize the said measures in an ad hoc agreement.
VII - Confidentiality measures
In order to ensure a level of confidentiality in line with the Customer's expectations, the Subcontractor undertakes not to:
- use the Personal Data entrusted to it, directly or indirectly, for purposes other than those established by the Customer within the framework of the services, including for the purpose of improving the services, and acknowledges that such data shall remain the property of the Beneficiary Companies;
- communicate or disclose, directly or indirectly, the Personal Data entrusted or made available to it to third parties to this agreement, including the Subcontractor's subsidiaries. This prohibition does not affect any subcontracting authorization that may be granted to the Subcontractor;
- entrust or make Personal Data available to employees/agents other than those involved in the performance of the Service. The Sub-Contractor undertakes to inform the aforementioned employees/agents of the stipulations of the present agreement. More generally, the Sub-Contractor undertakes to take all measures to ensure compliance with the stipulations of the present Appendix by its employees and agents, for whom it acts as guarantor.
Specific confidentiality measures may be requested by each of the Beneficiary Companies. In such a case, the Beneficiary Companies concerned will contact the Subcontractor in order to contractualize the said measures in an ad hoc agreement.
VIII - Personal Data Breach Notification
The Service Provider undertakes to implement and maintain procedures to detect security incidents affecting the Processing. In the event that an incident constituting a Data Breach is detected, the Service Provider undertakes to notify the Customer within 24 (twenty-four) hours of its detection, using the means defined by the Customer. The Service Provider undertakes to provide the Customer with all information required to document the Data Breach.
The Service Provider undertakes to carry out all necessary investigations into the circumstances which may have led to such a Personal Data Breach in order to remedy it without delay and to minimize the consequences for the persons whose Personal Data has been affected.
In accordance with the Regulation, the Service Provider undertakes to cooperate actively and to communicate all necessary information to the Beneficiary Company concerned to enable it to meet its obligation to notify and remedy the situation with the supervisory authority. To this end, the Service Provider will use the form attached in Appendix B.
Subject to applicable legislation, the Service Provider shall refrain from any communication action.
Once the Personal Data Breach has been closed, the Service Provider will present a report to the Customer.
IX - Judicial, governmental or administrative requisition
The Service Provider undertakes to notify the Customer of any request for transmission or consultation of Personal Data issued by a judicial, governmental or administrative authority within 24 hours of said request, before responding thereto. Subject to the application of a legal prohibition, the Service Provider will communicate to the Customer the draft response to be transmitted to the authority concerned so that the Customer can be consulted and assist the Service Provider.
X - Deleting data
The Service Provider undertakes to delete and, at the Customer's request, return all Personal Data under the following conditions:
- at the first request of the Beneficiary Company, or
- at the end of the retention period communicated by the Customer for each type of data, or
- immediately upon expiry of the reversibility period, unless the Customer expressly requests otherwise.
If justified, in the event of a legal prohibition preventing the Service Provider from deleting the Personal Data transferred, the Service Provider guarantees that it will ensure the confidentiality of the Personal Data transferred and that it will no longer actively process such Personal Data.
In the event that the deletion of Personal Data cannot be carried out directly by the Customer, the Service Provider undertakes to carry out any deletion of any data within 2 weeks of the Customer's first request and to justify such deletion immediately.
In general, the Service Provider must inform the Customer in writing within 2 weeks of the deletion of the Personal Data.
XI - Service Provider assistance
The Service Provider undertakes to enable the Customer to fulfil its legal obligations in relation to the respect of the rights of Data Subjects conferred by the Regulation, including in particular:
- The right of access: extraction in a readable format of the information that the Service Provider holds on the data subject in the context of the relationship with the Customer;
- The right of rectification or deletion, for which a certificate of execution may be requested and must be provided by the Service Provider;
- The right to portability of Personal Data: extraction in a structured, commonly used and machine-readable format of the information that the Sub-Contractor has, in the context of the relationship with the Customer, about the data subject;
- The right to limit processing.
In the event that the Service Provider receives, directly or through a Subcontractor, a request relating to the rights referred to above, it undertakes to inform the Customer within 48 (forty-eight) hours of said request.
The Service Provider shall not respond directly to requests from the Persons concerned without the Customer's prior written consent.
The Service Provider also undertakes to assist the Customer in carrying out impact analyses relating to the protection of Personal Data when the nature of the Processing requires such an analysis to be carried out.
The Service Provider undertakes to provide all necessary assistance to the Customer in the event of a requisition or request from an administrative or judicial authority, and to do so as quickly as possible.
XII - Data Restitution
The Customer may at any time request and be assisted in the restitution of the Personal Data transmitted.
In any event, the Service Provider must return the file containing the Personal Data to the Customer within 2 months of the effective end of the services.
The Service Provider undertakes to maintain Personal Data in at least one standard format recognized on the market.
If justified, in the event of a legal prohibition preventing the Service Provider from returning the transferred Personal Data, the Service Provider guarantees that it will ensure the confidentiality of the transferred Personal Data and that it will no longer actively process such Personal Data.
XIII - Audit
The parties agree that the Customer, after having notified the Service Provider in writing with a minimum of thirty (30) days' notice, within the limit of one audit per year and for a maximum duration of five (5) days, may have an audit carried out at its expense relating to the security of the Services entrusted to the Service Provider. In excess of one man-day devoted by the Service Provider to the audit, the Service Provider may invoice the Customer for the time spent in accordance with the rates specified in the commercial terms and conditions. This audit will be carried out by an external firm that is not a direct competitor of the Service Provider. In this context, the Service Provider undertakes to cooperate fully with the Customer's auditors, and to provide them with all the information necessary for the performance of their assignment. In the case of an audit specifically concerning compliance with instructions relating to personal data, the parties refer to the Data Processing Agreement.
The Customer shall inform the Service Provider of the start of the verification with two weeks' notice.
Where applicable, the Service Provider shall bear the cost of the resources required to ensure compliance with this Appendix. Compliance will be achieved within a reasonable timeframe defined with the Customer, and will give rise to the production of a signed document demonstrating compliance.
In the event that the Service Provider does not authorize verification, does not undertake any compliance work or does not devote the necessary resources to its completion, the Customer reserves the right to suspend Data processing. Any such refusal constitutes a termination clause to the sole detriment of the Service Provider, without notice or compensation.
In the event that the Service Provider loses a certification, the Customer shall have the unilateral right to terminate the Agreement ipso jure and without notice, at the Service Provider's expense and without the Customer owing the Service Provider any sum whatsoever for any reason whatsoever.
XIV - Automatic termination for default
The Customer declares that the stipulations relating to the Data constitute essential obligations of its commitment, without which it would not have contracted with the Service Provider.
Consequently, each Beneficiary Company may avail itself of any breach of these stipulations, or Violation, which then constitutes grounds for termination by operation of law, to the exclusive detriment of the Service Provider.
The Service Provider is hereby informed that any breach of its obligations may be demonstrated, in particular by means of specific secret controls and procedures (customer traps, etc.) implemented by the Customer or any third-party company appointed for this purpose. The Service Provider acknowledges that these actions have evidential value for the purposes of characterizing any breach.
The obligations hereunder shall survive termination of the Contract.
XV - Liability under these obligations
The Service Provider guarantees and indemnifies the Customer against any financial consequences (condemnation and/or compensation paid, costs and expenses) resulting from the violation of the rules set forth in this Appendix by the Service Provider and/or its Subcontractors, within the limitations of the Contract.
The Parties acknowledge that breaches of this Appendix constitute direct and compensable damages, for which the Service Provider shall be liable in the event of any breach on its part and/or on the part of its subcontractors (including Subsequent Subcontractors).