- Description of processing - The Service Provider (hereinafter, the " Processor ") is authorized́ to process on behalf of the Customer (hereinafter, the " Controller ") the personal data necessary for the use of the Product and the provision of the Services.
The nature of operations carried out on data is limited to collection, structuring, storage, modification, consultation, use, communication by transmission, dissemination or deletion.
The purpose of the processing is to enable the Product to function properly (e.g. creation of rights to access the Product) and/or to provide the data controller with the benefit of all the Product's functionalities (e.g. storage of the data of contact persons of the data controller's business partners).
The categories of data subjects and the personal data processed are :
| CATEGORIES OF PERSONS CONCERNED | PERSONAL DATA PROCESSED |
| The users | - Name
- First name - Email address - Telephone/facsimile number - Language |
| The data controller's business partners or contact persons within its business partners | - Name
- First name - Identification number - Function - GSM - Telephone/facsimile number - Address |
- Duration of processing - Personal data will be processed by the subcontractor for the duration of the Orders and until the expiry of the thirty (30) day period provided for data reversibility as stipulated in article XII. c of the general terms and conditions.
- Subcontractor's obligations - The subcontractor undertakes to :
- Process data solely for the purpose(s) for which it is outsourced;
- Process data in accordance with the documented instructions of the controller. If the processor considers that an instruction constitutes a breach of the European Data Protection Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the controller. In addition, if the processor is required to transfer data to a third country or an international organization under Union law or the law of the Member State to which it is subject, it must inform the controller of this legal obligation prior to processing, unless the law concerned prohibits such information on important grounds of public interest;
- Ensure that persons authorized to process personal data under this contract undertake to respect confidentialitý or are subject to an appropriate legal obligation of confidentiality.
- Subcontracting - The processor may call upon another processor (hereinafter " the further processor ") to carry out specific processing activities. In this case, it shall inform the data controller in advance and in writing of any planned changes concerning the addition or replacement of other subcontractors. The data controller has a period of thirty (30) days from the date of receipt of this information to present its objections. Such subcontracting may only be carried out if the data controller has not raised any objections within the agreed period.
The subcontractor hereby informs the data controller that it uses the services of Microsoft AZURE to host the data covered by the Order and to host the applications and security protocols.
The subsequent processor is required to comply with the obligations of this contract on behalf of and in accordance with the instructions of the controller. It is the responsibility of the original processor to ensure that the subsequent processor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the European Data Protection Regulation. If the subsequent processor fails to meet its data protection obligations, the original processor remains fully liable to the controller for the other processor's performance of its obligations.
- Data subjects' right to information - The data controller is responsible for providing information to data subjects at the time of data collection.
- Exercise of personal rights - Wherever possible, the processor must assist the controller in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restrict processing, right to data portabilitý, right not to be subject to an automated individual decision (including profiling).
- Notification of personal data breaches - The processor shall notify the controller of any personal data breach within a maximum of twenty-four (24) hours of becoming aware of it and by email to its contact person within the controller. This notification shall be accompanied by any useful documentation to enable the data controller, if necessary, to notify this breach to the competent supervisory authoritý and, where appropriate, to communicate it to the data subject.
- Assisting the data processor in complying with the data controller's obligations - The processor assists the data controller in carrying out impact analyses relating to data protection. The processor assists the data controller in carrying out prior consultation with the supervisory authoritý.
- Security measures - The processor undertakes to implement appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, including among others, as required: a) pseudonymization and encryption of personal data; b) means to ensure the constant confidentiality, integrity, availability and resilience of the processing services' systems; c) means to restore the availability of and access to personal data within the appropriate timeframes in the event of a physical or technical incident; and d) a procedure to regularly test, analyze and evaluate the effectiveness of the technical and organizational measures to ensure the security of the processing.
- Documentation - The processor shall make available to the controller the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the controller or another auditor appointed by it, and to contribute to such audits.
