Annex C – Data Processing Agreement (DPA)
For the purpose of this Data Processing Agreement (hereinafter referred to as the “DPA”), terms starting with a capital letter are defined in accordance with the Contract or this Annex.
1. Context and Purpose
The Client, the data controller (hereinafter referred to as “Data Controller”), has subscribed to one or more Services from Partoo, under the General Terms and Conditions of Partoo (or “T&C”) or a specific contract (hereinafter collectively referred to as the “Contract”, whether it is the T&C or a specific contract).
The Data Controller makes available to Partoo personal data required for the performance of the Agreement (hereinafter referred to collectively as “Personal Data”). In this regard, Partoo is given the status of data processor (hereinafter referred to as the “Data Processor”) in accordance with the guidance of the supervisory authorities. Therefore, the purpose of these clauses is to determine the conditions under which the Data Processor undertakes to carry out the Personal Data processing operations defined below on behalf of the Data Controller.
2. Applicable regulations
As part of their contractual relationship, the parties undertake to comply with the regulations in force under the legislation applicable to the Contract regarding the processing of Personal Data (hereinafter referred to as the “Data Protection Regulations”) and in particular, when applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable from 25 May 2018 (hereinafter referred to as the “GDPR”).
3. Description of the processing
3.1. Nature and object of the processing
The processing consists, on the one hand, in identifying the individuals who log into the platform and, on the other hand, in hosting and transmitting the data uploaded by Users and third parties, including the Data Controller’s customers, who interact with the Services.
The purpose of the processing is the implementation by the Data Processor of collection, recording, conservation, etc., on behalf of the Customer, within the framework of the Contract and when necessary for the execution of the Services.
It is reminded that, in the context of its commercial relationship with the Data Controller, the Data Processor mainly provides access to the Partoo Applications and Services. Except for the Users whose Personal Data is processed for the purpose of providing the services, the Data Processor has no general obligation to monitor the content hosted on its Partoo Applications. Therefore, the Data Processor does not have knowledge of whether the Client hosts Personal Data within the Services: in this regard, it is expressly specified that, in connection with the use of the Messages product, the Data Controller remains solely responsible for providing the required information to data subjects, selecting the appropriate legal basis for processing, and obtaining any necessary consent. The Data Processor indeed acts exclusively as a technical service provider, ensuring the transmission and temporary hosting of messages.
3.2. Purpose of the processing
The Data Processor is authorized to process Users’ Personal Data in order to provide the Services subscribed by the Data Controller, and especially:
- Provide access to Users;
- Host and transmit, on behalf of the Data Controller, the Personal Data that the Data Controller chooses to upload as part of the Services:
  - Management of the hosting of the application in SaaS mode
  - Management of backups and updates of the Partoo Applications
- Ensure problem resolution on the Partoo Applications:
  - Support on the Partoo Applications
  - Response to online chat requests
  - Access to Users’ online accounts for problem resolution
  - Taking into account Users’ feedback
  - Resolution of incident tickets
  - Conservation of logs for incident traceability
- Continuous development of the Partoo Applications.
Apart from processing the Personal Data of employees for the purpose of providing the services, as defined hereinabove, the Data Processor is limited to hosting and transmitting the data that may be communicated by the Data Controller or their contact person, if applicable, on the Partoo Applications.
3.3. Categories of Personal Data
The categories of Personal Data that are processed are the following:
- Users identification data: surname, name;
- Professional data: job title, professional email address;
- Login details: logs (time-stamp information, access information such as IP and browser), browsing data on the Partoo Applications.
3.4. Categories of data subjects
The categories of data subjects are:
- Users (employees of the Data Controller)
- Persons who interact with the Data Controller via the Publisher Site.
4. Term
This DPA comes into effect upon the signing of the Contract by the Parties and remains in effect for the entire term of the Contract. Therefore, Personal Data shall be processed for the duration of the Contract and then shall be archived for a duration of ninety days after the termination date of the Contract.
5. Obligations of the Data Processor towards the Data Controller
The Data Processor undertakes to:
- Process the data solely for the purpose of the subcontracting, as defined hereinabove.
- Process the data in accordance with the services subscribed by the Client. If the Data Processor considers that an instruction constitutes a violation of the GDPR or any other provision of the Data Protection Regulation, it shall immediately inform the Data Controller. Furthermore, if the Data Processor is required to transfer data to a third country or an international organization, it must inform the Data Controller of this legal obligation before processing, unless the law in question prohibits such information on important grounds of public interest.
- Guarantee the confidentiality of Personal Data processed under this contract (insofar as the Data Controller does not make its hosting accessible to unauthorized third parties and ensures that security measures allowing confidentiality are taken, since the Data Controller has full access to the Personal Data hosted by the Data Processor).
- Ensure that persons authorized to process Personal Data under this contract:
- Commit to maintaining confidentiality or are subject to an appropriate legal obligation of confidentiality.
- Receive the necessary training in the protection of Personal Data.
- Consider, with regard to its tools, products, applications, or services, the principles of data protection by design and by default.
6. Sub-processing Activities
6.4. Use of a Sub-processor
The Data Processor has appointed sub-processors (hereinafter referred to as the “Sub-processor”) to carry out specific processing activities in the provision of its Services, which the Data Controller hereby authorizes. The list of Sub-processors approved by the Data Controller, on the day of the conclusion of the DPA, is available on the Data Processor’s dedicated web page. The Data Processor undertakes to regularly update this list and to communicate, on simple request from the Data Controller, the extracted updated list of all its Sub-processors.
In the event of any modification to the list of Sub-processors, the Data Processor will inform the Data Controller. This information must clearly indicate the outsourced processing activities and the identity and contact information of the Sub-processor. The Data Controller has a maximum of fifteen (15) days from the date of receipt of this information to submit any objections, in any case on reasonable data protection grounds. In the event the Data Controller objects to a new Sub-processor, the Data Processor shall, at its sole discretion, elect to: (i) provide the Services without using the objected Sub-processor; (ii) appoint an alternative Sub-processor; or (iii) terminate the specific Service or feature affected by such objection. This termination right is the Data Controller’s sole and exclusive remedy if the Data Controller objects to any new Sub-processor.
6.5. Guarantees submitted by the Sub-processor
The Sub-processor must comply with the obligations of this DPA on behalf of and in accordance with the instructions of the Data Controller. It is the responsibility of the Data Processor to ensure that the Sub-processor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and any other legislation applicable to the Contract.
If the Sub-processor fails to meet its obligations regarding data protection, the Data Processor remains fully responsible to the Data Controller for the performance by the Sub-processor of its obligations.
7. Right of information of data subjects
It is the responsibility of the Data Controller to provide information to data subjects concerned by processing operations at the time of the collection of data. The Data Processor cannot be held liable in this regard.
8. Exercise of data subject rights
To the extent possible, the Data Processor must assist the Data Controller in fulfilling its obligation to respond to requests for the exercise of data subject rights: right of access, rectification, deletion, and objection, right to restrict the processing, right to data portability, and right not to be subject to an automated individual decision (including profiling).
When data subjects submit requests to exercise their rights to the Data Processor, the Data Processor must forward these requests upon receipt by email to the address provided by the Client at the time of the subscription to the services.
9. Notification of Personal Data breaches
The Data Processor shall notify the Data Controller without undue delay upon Data Processor becoming aware of a Personal Data breach and by email to the address provided by the Data Controller at the time of the subscription to the Services.
This notification shall be accompanied by all relevant documentation to allow the Data Controller, if necessary, to report this breach to the relevant control authority.
The notification shall contain at least:
- The description of the nature of the Personal Data breach, including, if possible, the category and approximate number of data subjects concerned by the data breach and the categories and the approximate number of Personal Data records concerned;
- The name and contact information of the Data Protection Officer or any other contact person who can provide additional information;
- The description of the likely consequences of the Personal Data breach;
- The description of the measures adopted or suggested by the Data Controller to remedy the Personal Data breach, including, if applicable, the measures to mitigate any potential negative consequences.
If, and to the extent that it is not possible to provide all this information at once, the information may be communicated in stages without undue delay.
The Data Controller handles communication with data subjects concerned by the Personal Data breach. It is reminded that the Data Processor does not have visibility over the nature of the data hosted on behalf of the Data Controller, and is therefore not in a position to assess the level of risk to the rights and freedoms of natural persons in case of a Personal Data breach.
10. Assistance by the Data Processor in helping the Data Controller meet its obligations
The Data Processor will provide the Data Controller the relevant documentation in order to carry out data protection impact assessments by the latter, only with regard to the aspects for which the Data Processor is responsible, that is, for the Data Processor, data hosting.
The Data Processor shall help where possible and reasonable the Data Controller with the preliminary consultation with the control authority by providing the required documentation.
It is expressly understood that any intervention of the Data Processor on behalf of the Data Controller within the scope of the present DPA, and in particular the assistance in the performance of impact analysis, will be invoiced to the Data Controller according to the tariff subject to the Data Controller’s prior consent if such intervention exceeds one (1) day.
11. Security measures
The Data Processor carries out the processing with technical and organizational measures that ensure an adequate level of security for the associated processing risk, in accordance with the provisions of Art. 32 of the GDPR.
These measures include data encryption, robust access control, regular security audits, and any other necessary measure to ensure the confidentiality, integrity and availability of the data. The Data Processor reserves the right to update and improve these security measures according to the regulatory requirements and the industry good practices.
To assess the appropriate level of security, the Data Processor considers the state of the art, the costs of implementation, as well as the nature, scope, context, and purpose of the processing, along with the risks to the data subjects.
In particular, the Data Processor has a written security process and policies that meet at least the requirements imposed by the Data Protection Regulations and are in line with established industry practices. During the term of the Contract, the Data Processor will provide the Data Controller with the security documentation at its first request.
12. Data reversibility at the end of the Contract
Data reversibility at the end of the contractual relationship between the Data Processor and the Client is stipulated in the Contract.
13. Data Protection Officer
The contact details of the Data Processor’s DPO are as follows:
Clément Comoglio – personaldata@partoo.fr
14. Register of processing activity categories
The Data Processor declares to keep a written record of all categories of processing activities carried out on behalf of the Data Controller including:
- The name and contact details of the Data Controller on whose behalf it is acting, of any Sub-processors and, if applicable, of the data protection officer;
- The categories of processing carried out on behalf of the Data Controller;
- Where applicable, transfers of Personal Data to a third country or to an international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documents attesting to the existence of appropriate guarantees.
15. Transfers of Personal Data outside the European Union
The Data Processor may indirectly transfer, through its Sub-processors mentioned in article 6 herein, the Personal Data outside the European Union. In such a case, the Data Processor is committed to obtain the prior written consent of the Data Controller.
Any transfer of Personal Data outside the European Union shall be carried out in strict accordance with Chapter V of the GDPR, specifically by relying on an adequacy decision or by implementing appropriate safeguards. Therefore, when such transfer is carried out, the Data Processor commits to ensure that it is covered by:
- Standard contractual clauses issued by the European Commission or a Supervisory Authority in accordance with Article 46 of the GDPR; and/or
- Any binding corporate rules approved by a competent Supervisory Authority under Article 47 of the GDPR; and/or
- An approved code of conduct in accordance with Article 46 of the GDPR; and/or
- An approved certification mechanism in accordance with Article 46 of the GDPR; and/or
- An adequacy decision of the European Commission in accordance with Article 45 of the GDPR.
In any case, the Data Processor will inform the Data Controller within a reasonable period of time of any planned transfer and will at the same time provide the Data Controller with all relevant information allowing the Data Controller to comply with its obligations in the event of a Personal Data transfer.
16. Data Protection Impact Assessment
The Data Controller is responsible for determining whether the processing operations carried out through the Services are likely to result in a high risk to the rights and freedoms of natural persons, in accordance with Article 35 of the GDPR. Where such risk is identified, the Data Controller shall carry out a Data Protection Impact Assessment (hereinafter referred to as “DPIA”) prior to the processing.
The Data Processor shall provide the Data Controller with all reasonable assistance, upon request, to enable the completion of the DPIA, including by providing documentation relating to the technical and organizational security measures implemented, as well as any other relevant information concerning the processing operations performed on behalf of the Data Controller.
17. Audits
17.1. Framework
The Data Processor shall make available to the Data Controller the necessary information to demonstrate compliance with all its obligations and to enable audits, including inspections, by the Data Controller or another auditor appointed by the Data Controller, and contribute to these audits. The audits provided for in this article can only be conducted under the following conditions:
- The audit must be requested by registered letter with acknowledgment of receipt, at least thirty (30) calendar days before the desired date for the audit, and must state the reasons justifying the audit. If the audit can be conducted through the provision of documents, the Parties will prioritize an audit based on the presentation of documents;
- There can only be one (1) audit per year;
- The audit shall not last more than one (1) day. Beyond that, the Data Processor may charge for the time spent by its teams on the audit at the rates that will be communicated to the Client at the time of the audit request or at any moment upon the Client’s request.
17.2. Purposes
The audit must not disturb the Data Processor’s activities beyond what is strictly necessary, therefore it may only focus on the Data Processor’s compliance with the provisions of this DPA.
If the Client decides to entrust the audit to a third party, the latter must (i) not be a direct or indirect competitor of the Data Processor; (ii) be strictly bound by professional confidentiality that will be submitted by the Data Processor before the audit is conducted; (iii) in any event, the Data Processor can object to the choice of auditor, provided that reasonable justification is given; and (iv) comply with all of the Data Processor’s internal procedures. The Client remains in any case fully responsible for the auditor, without being able to assert any limitation of liability against the Data Processor in the event of a breach by the said auditor.
17.3. Results
It is understood between the Parties that the results of the audit cannot be made public and will remain strictly confidential. The Data Processor may present its observations before the definitive version of the audit report and will have thirty (30) days to do so, except if this timeframe is deemed insufficient, in which case it may request an additional thirty (30) days by notifying via email.
18. Obligations of the Data Controller towards the Data Processor
The Data Controller undertakes to:
- Document in writing all instructions regarding the processing of data by the Data Processor.
- Ensure, prior to and throughout the duration of the processing, that the Data Processor complies with the obligations set out by the applicable legislation.
- Supervise the processing carried out by the Data Processor in accordance with the Contract.
19. Scope of the general data exchange terms
This DPA forms a single document with the Contract.
In this regard, all provisions of the Contract that are not amended or are not contradictory to the terms of this DPA remain fully applicable between the Parties. Particularly, the limitation of liability clause provided in the Contract (and particularly in article 10 of the T&Cs when applicable) is fully applicable in the event of a breach of this DPA. In the event of any conflict between the provisions of the Contract and this DPA, this DPA shall prevail.
If any provision of this DPA is found to be null and void under an applicable legal rule or a final court decision, it shall be deemed unwritten, without affecting the validity of this DPA or altering the validity of its other provisions.
