Data Protection Agreement (“DPA”)

1. Introduction

The Data Protection Agreement (hereinafter”APD”) aims to govern the use of the personal data of the Customer, who acts as data controller (hereinafter the”Customer”), by anaba, who acts as a subcontractor (hereinafter the”Subcontractor”) under the contract (hereinafter the”contract”).

The ADP is an integral part of the Contract signed between the Customer and the Subcontractor. In the event of a contradiction between the Contract and the ADP, the obligations provided for in the ADP prevail with respect to the applicable data protection rules.

All data protection terms used in the ADP (e.g. data controller, subcontractor, etc.) are defined in article 4 of the General Data Protection Regulation (“RGPD”).

2. Declaration

The Subcontractor declares to respect all applicable data protection rules, including the RGPD and the Data Protection Act.

The Subcontractor declares to present all the sufficient guarantees to meet the requirements of the applicable data protection rules and, in particular, for Ensuring confidentiality And the Customer data protection.

The Subcontractor declares that all of its employees who are required to process the Customer's personal data are engaged by a confidentiality clause or by any other legal act (e.g. rules of good conduct, information systems charter, etc.) to guarantee the confidentiality of the Customer's personal data.

The Subcontractor regularly declares train and raise awareness its employees on the applicable data protection rules.

3. Instructions

The Subcontractor undertakes to use the Customer's personal data only on documented instructions of the latter.

The Customer undertakes to inform the Subcontractor of any modifying instructions that could be carried out regarding the use of his personal data.

The Subcontractor must notify the Customer, as soon as possible, if the latter's documented instructions constitute a violation of applicable data protection rules.

4. Compliance by default and by design

The Subcontractor provides its service as is, in compliance with i) service compliance by design and ii) of the default service compliance.

The Subcontractor provides a service accompanied by all the functionalities allowing the Customer to comply with its obligations as the person responsible for the treatment.

Consequently, the Subcontractor is not never responsible for the use that does not comply with the applicable data protection rules of the service by the Customer.

5. security

The Subcontractor undertakes to guarantee the security of the Customer's personal data and to implement all the technical measures and Organizational necessary to prevent the risk of a data breach.

6. Data breach

The Subcontractor undertakes to notify to the Customer, in the as soon as possible and, within 72 working hours, after reading it, all violation of data that would be likely to concern the Customer's personal data.

The Subcontractor undertakes to provide the Customer, in accordance with the provisions of article 28 of the RGPD, with all the information necessary for the treatment of the data breach by the Customer.

In the event of a data breach, the Subcontractor undertakes to take all necessary measures to remedy and lessen the impact of the breach on the Customer's personal data.

Except with the express, prior and written consent of the Customer, the Subcontractor is not allowed to handle data breach notifications to the French supervisory authority, the CNIL. Likewise, the Subcontractor is not, in principle, authorized to inform on behalf of the Customer the persons concerned by the treatments carried out under the Contract.

7. Security help and support

The Subcontractor communicates to the Customer, upon written request, all required information and required On the technical and organizational security measures to be implemented under the Contract to guarantee the security of its personal data.

The Subcontractor communicates to the Customer, upon written request, all necessary and required information to ensure the realization of a impact assessment (“AIPD”) in direct connection with the service provided.

However, the Subcontractor is not required to ensure or audit the Customer's security or to carry out impact analyses (“IAPD”) in place and on behalf of the Customer. Any request additional to the provision of information may be refused and, possibly, an additional service at a price.

8. Help and assistance with the rights of the persons concerned

The Subcontractor communicates to the Customer, upon written request, all necessary and required information in order for the Customer to be able to fulfill its obligation to comply with requests of the persons concerned.

The Subcontractor executes, at the Customer's written request, the technical actions to be undertaken so that the Customer can fulfill its obligation to comply with requests of the persons concerned.

However, the Subcontractor is not required to manage individual rights requests in place of and on behalf of the Customer. Any additional request aimed at ensuring such management may be refused and, possibly, a chargeable additional service.

9. Subsequent subcontractors

In general, the Customer accepts that the Subcontractor recruits Subsequent subcontractors as part of the execution of the Contract provided that the Customer is informed of any change concerning these subsequent Subcontractors occurring during the execution of the Contract.

The Customer may issue objections by registered letter with acknowledgement of receipt i) if the Subcontractor is one of its contestants, ii) if the customer and the Subcontractor are in a situation of pre-litigation Or of litigation, and (iii) if the Subcontractor has been the subject of a conviction by a data protection supervisory authority within the year of its recruitment by the Subcontractor. Each of its situations must be demonstrated.

In the event that the objection is admissible, the Subcontractor has a period of 6 months from the receipt of the objection to modify the Subcontractor or to ensure compliance with the GDPR by this Subcontractor.

Otherwise, the Customer has the option of terminating the Contract subject to a notice of six (6) months, without the Customer being able to request compensation of any kind whatsoever.

In all cases, the Subcontractor undertakes to recruit only subsequent Subcontractors who present the necessary and sufficient guarantees to ensure the security and confidentiality of the Customer's data.

As such, the Subcontractor undertakes i) to regularly check its subsequent Subcontractors and ii) that the contract concluded with the Subcontractor used in the context of the service contains similar obligations to those provided for in ODA.

In any event, the Subcontractor remains responsible for the actions of the Subcontractor under the Contract.

10. Fate of personal data

The Customer informs the Subcontractor, in writing and as soon as possible, of his choice (option 1) to return the personal data to him and then to delete them and all existing copies or, (option 2) to directly delete the personal data as well as all existing copies, or (option 3) to transfer the personal data to a new service provider and then to delete them and all existing copies. Unless otherwise provided in the Contract, option 3 must be the subject of a quotation from the Subcontractor.

In the absence of information by the Customer of his choice, the Subcontractor reserves the right to directly delete the data as well as all copies (option 2).

Deleting data is irreversible. The Customer is therefore invited to recover his data before the service is stopped. In the event of deletion of the Customer's data by the Subcontractor, the Customer remains solely responsible for the disappearance of the data and for any consequences that may occur.

The Subcontractor certifies to the Customer, upon written request, that the personal data and all existing copies have been effectively deleted.

11. Audits

The Customer has the right to carry out an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire has the strength of a commitment on honor that engages the Subcontractor.

The questionnaire may be communicated in any form to the Subcontractor who undertakes to respond to it within a maximum of two months from its receipt.

The Customer also has the right to carry out an on-site audit, at its own expense, once a year only in the event of a data breach or breach of applicable data protection rules and this Agreement, in particular established by the written questionnaire.

An on-site audit may be conducted either by the Customer or by an independent third party designated by the Customer and must be notified in writing to the Subcontractor at least thirty (30) days before the audit is carried out.

The Subcontractor has the right to refuse the choice of the independent third party if the latter is i) a competitor or ii) in pre-litigation or litigation with him. In this case, the Customer undertakes to choose a new independent third party to carry out the audit.

The Subcontractor may refuse access to certain areas for reasons of confidentiality or security. In this case, the Subcontractor carries out the audit in these areas at its own expense and communicates the results to the Customer.

In the event of a discrepancy found during the audit, the Subcontractor undertakes to implement, speedily, the measures necessary to be in compliance with this Agreement.

12. Data transfers outside the European Union

The Subcontractor undertakes to do what is necessary to not to transfer the Customer's personal data outside the European Union or not to recruit a subsequent Subcontractor located outside the European Union.

However, in the event that such transfers are necessary under the Contract, the Subcontractor undertakes to implement all the mechanisms required to supervise these transfers, such as, in particular, concluding binding corporate rules (“BCR”) or standard data protection clauses (“CCT”) adopted by the European Commission.

13. Cooperation with the supervisory authority

When it concerns the treatments implemented under the Contract, the Subcontractor undertakes to provide, on request, all the information necessary for the Customer so that he can cooperate with thecompetent supervisory authority.

14. Contact

The Customer and the Subcontractor each designate a interlocutor who is in charge of this ADP and who is the recipient of the various notifications and communications that should take place under the ADP.

The Subcontractor informs the Customer that he has appointed Dipeeo as Data Protection Officer who can be contacted at the following contact details:

  • Email: dpo@anaba.fr
  • Postal address: Société Dipeeo SAS, 104 Avenue de la Résistance, 93100 Montreuil
  • Phone number: 09 86 23 21 29

15. Revision

The Customer reserves the right to modify this Agreement in the event of changes in the applicable data protection rules which would have the effect of modifying one of its provisions.

16. Applicable law

Notwithstanding anything to the contrary in the Contract, this Agreement is subject to French law. Any dispute relating to the execution of this Agreement shall be subject to the exclusive jurisdiction of the courts under Court of Appeal for the Subcontractor's place of residence.

Posted on 25/11/2022

Certified compliant by Dipeeo®

Your contacts are your greatest treasure

Book a demo