GDPR information

Preamble

The client user is responsible for processing personal data governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). This regulation is hereinafter referred to as the GDPR.

The processing of personal data is also governed by French law no. 78-17 of January 6, 1978 on information technology, files and freedoms (as amended).

The controller wishes to entrust the processor with processing personal data, in accordance with Article 28 of the GDPR. The parties undertake to comply strictly with the GDPR, which shall apply in all circumstances, notwithstanding any possible contrary stipulation.

Processor’s declaration

The processor declares that it provides the necessary guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject.

Characteristics of the personal data processing

The controller defines the characteristics as follows.

  • Purpose of the processing – The processing aims to track the on-website behavior of visitors who have given their consent (cookie acceptance) and to collect demographic information.
  • Duration of the processing – The processing is carried out from the day the account is opened (see contract) until its expiration (see contract).
  • Nature and purpose of the processing – The processing of relevant data is intended to ensure proper sales follow-up, their automated segmentation, and the sending of information tailored to their profile and needs.
  • Type of personal data – Specific to the use and configuration of the controller. The controller will ensure compliance with the principles of Privacy by Design and Privacy by Default required by Article 25 of the GDPR.
  • Categories of data subjects – Prospects, customers and partners.

The controller ensures that, to justify and detail the 5 aforementioned elements, it has established the record of processing activities provided for by Article 30 of the GDPR.

The Processor declares that it keeps in writing a record of all categories of processing activities carried out on behalf of the Controller, including:

  • the name and contact details of the Controller on whose behalf it is acting, any processors, and, where applicable, the data protection officer;
  • the categories of processing carried out on behalf of the Controller;
  • where applicable, the transfers of Personal Data to a third country or to an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1) second subparagraph of the European data protection regulation, documents attesting to the existence of appropriate safeguards;
  • where possible, a general description of the technical and organizational security measures as needed.

Obligations and rights of the controller

The controller determines the purposes and means of the processing of personal data.

The controller guarantees that the processing is lawful and that personal data are collected and processed by it in accordance with the GDPR and French law. The controller in particular guarantees that it provides the required information to data subjects concerning the processing operations, at the time of collection when personal data are collected from the data subject, or within the required time limits when personal data have not been collected from the data subject, in accordance with Articles 12 to 14 of the GDPR. The controller shall indemnify the processor against the consequences of any possible breach by the controller of its obligations under the GDPR.

The controller shall provide the processor with all necessary information to enable it to perform its services in compliance with the GDPR and French law.

Processor’s obligations

The processor shall in no case determine the purposes and means of the processing. If it does, it shall be considered a controller with regard to the processing concerned.

The processor and any person acting under its authority who has access to personal data may not process those data except on instructions from the controller, unless required to do so by European Union law or the law of a Member State.

The processor shall process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country outside the European Union or to an international organization, unless it is required to do so under European Union law or the law of the EU Member State to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless the relevant law prohibits such information on important grounds of public interest.

The processor ensures that persons authorized to process personal data commit to confidentiality or are subject to an appropriate legal obligation of confidentiality.

The processor takes all measures required under Article 32 of the GDPR.

Taking into account the nature of the processing, the processor assists the controller, by appropriate technical and organizational measures, insofar as possible, in fulfilling its obligation to respond to requests from data subjects to exercise their rights under Chapter III of the GDPR.

The processor assists the controller in ensuring compliance with the obligations provided for in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the processor.

The processor shall immediately inform the controller if, in its opinion, an instruction constitutes a violation of the GDPR or other Union or Member State data protection provisions.

In the event of a personal data breach

The Processor shall notify the Controller of any Data Breach as soon as possible after becoming aware of it. This notification shall be accompanied by any useful documentation to enable the Controller, if necessary, to notify this breach to the competent supervisory authority.

It is the sole responsibility of the Client, in its capacity as Controller, to notify this Data Breach to the competent supervisory authority and, where applicable, to the data subject. The Processor shall refrain from communicating about the incident unless otherwise requested by the Controller.

The Processor shall communicate, in the name and on behalf of the Controller, the Data Breach to the Data Subject as soon as possible, where this breach is likely to result in a high risk to the rights and freedoms of a natural person.

The communication to the Data Subject shall describe, in clear and plain language, the nature of the Data Breach and shall contain at least:

  • a description of the nature of the Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of records of Personal Data concerned;
  • the name and contact details of the data protection officer or another contact point where more information can be obtained;
  • a description of the likely consequences of the Data Breach;
  • a description of the measures taken or proposed by the Controller to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

In addition, the Service Provider undertakes to take all necessary measures to remedy any Data Breach as soon as possible. In this respect, the Service Provider keeps the Controller informed as actions are taken.

Data retention and destruction

At the controller’s choice, the processor shall delete all personal data or return them to the controller at the end of the provision of services relating to processing, and destroy existing copies, unless European Union law or applicable law of a Member State requires the retention of personal data.

Audit

The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this contract and to allow for audits, including inspections, by the controller or another auditor it has mandated, and contribute to such audits.

Sub-processor

The processor complies with the following conditions for engaging another processor.

The processor shall not engage another processor without the prior written authorization, specific or general, of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Where a processor engages another processor to carry out specific processing activities on behalf of the controller, the same data protection obligations as set out in this contract shall be imposed on that other processor by contract or, where applicable, by another legal act under European Union law or the law of a Member State, in particular with regard to providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. Where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance by the other processor of its obligations.

Term

This contract shall be in force for as long as the processor holds the personal data. It shall govern the processing of the personal data referred to herein at all times, including after its termination.

Governing law and jurisdiction clause

This contract is subject to French law and the exclusive jurisdiction of the courts territorially competent for the city of Annecy, France.

Access to your personal data

In accordance with the French Data Protection Act, Webmecanik SAS allows any person to exercise their right of access to data concerning them and to have it rectified or deleted.