Data Processing Agreement

This Data Processing Agreement (“DPA”) reflects the agreement between the Parties (“You” and “Stelace”) with the terms governing the processing of Personal Data under the Stelace General Terms and Conditions of Use. This Data Processing Agreement is part of the General Terms and Conditions of Use and is effective upon its publication. This DPA forms an integral and inseparable part of the Agreement of Stelace General Terms and Conditions of Use, also refered to as “Agreement”. This DPA shall become effective when electronically agreed to by the Customer (You). In all cases Stelace (“Processor”), or a third party acting on behalf of Processor, acts as the processor of Personal Data and You (“Controller”) remain controller of Personal Data. The term of this DPA shall follow the term of the General Terms and Conditions of Use. Terms not otherwise defined herein shall have the meaning as set forth in the General Terms and Conditions of Use.

A. Definitions

Unless otherwise defined in this DPA terms shall be understood as mentioned by Art. 4 GDPR.

“GDPR” means the General Data Protection Regulation (EU) 2016/679. “Data Protection Regulation” means all applicable laws relating to data protection, including without limitation the laws implementing EU Directive 95/46/EC and EU Directive 2002/58/EC and the GDPR (when applicable) and any amendments to or replacements for such laws and regulations. “Personal Data” means any individual element of information concerning the personal or material circumstances of an identified or identifiable individual. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. “Personal Data Processing” means processing of Personal Data on behalf, encompassing the storage, collection, recording, organization, preservation, adaptation, modification, extraction, consultation, use, communication by transmission broadcast or any other form of provision, reconciliation or interconnection, locking, deletion or destruction of personal data by the processor acting on behalf of the Controller.

B. Scope and Responsibility

The Customer, hereafter refered to as “Controller”, certifies that the person agreeing has the legal authority to agree to and enter into this DPA. Processor shall process Personal Data on behalf of Controller. Processing shall include actions specified in the General Terms and Conditions of Use in order to provide the Services to the Customer. Within the scope of the General Terms and Conditions of Use, Controller shall be solely responsible for complying with the statutory requirements relating to data protection, in particular regarding the transfer of Personal Data to the Processor and the Processing of Personal Data. Based on this responsibility, Controller shall be entitled to demand the rectification, deletion, blocking and making available of Personal Data during and after the term of the General Terms and Conditions of Use in accordance with the further specifications of such Agreement on return and deletion of personal data. Processing of Personal Data under this DPA is for the purpose of providing the Service to the Customer. Processing of Personal Data in this context refers mainly to maintenance, storage, technical support and other equivalent processing activities. The categories of Data Subjects processed for the purposes of the Service include Customer's representatives and end-users. Type of Personal Data processed contains information, including Personal Data, uploaded to the Service by the Customer or its end-users, for example contact details and purchase data. Personal Data may be processed as long as the Service is provided under the Agreement and after that if required by applicable law or contractual obligations or rights of either Party.

C. Stelace obligations as Processor

Stelace shall collect, process and use Personal Data only within the scope of the Service defined in General Terms and Conditions of Use and in compliance with Data Protection Regulation. Within Processor’s area of responsibility, Stelace shall structure Processor’s internal corporate organisation to ensure compliance with the specific requirements of the protection of Personal Data. Stelace shall take the appropriate technical and organisational measures to adequately protect Controller’s Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure for the purposes of the Service. In the event of a Personal Data Breach, Stelace shall notify the Customer without undue delay after becoming aware of the Personal Data Breach and take reasonable steps to mitigate any damage resulting from such breach. The notification shall contain information Stelace is reasonably able to disclose to the Customer, including following information: a description of the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned; the name and contact details of contact point where more information can be obtained; a description of likely consequences of the Personal Data Breach; a description of the measures taken or proposed to be taken to address the Personal Data Breach. The information may be provided in phases if it is not possible to provide the information at the same time. Stelace shall ensure that its staff with access to Personal Data has committed to appropriate confidentiality. Stelace shall, at the Customer's written request, provide reasonable assistance to the Customer by providing such readily available information, or creating such information, as the Customer may reasonably require and which the Customer does not have, in complying with the requests of the Data Subject or supervisory authority or any other law enforcement or regulatory authority. Stelace shall provide reasonable assistance to the Customer in ensuring compliance with its obligations set out in Data Protection Regulation. Stelace is entitled to charge the Customer for costs and expenses that were incurred as a result of such assistance. Stelace shall inform the Customer, as soon as reasonably practicable, if it receives a request from a Data Subject seeking to exercise his or her rights under the Data Protection Regulation. Stelace shall maintain records of processing activities under its responsibility to ensure Stelace's own compliance as a Data Processor, to the extent necessary to demonstrate compliance with Stelace’s obligations set out in this DPA and in the Data Protection Regulation. Stelace shall appoint a Data Protection Official, if this is legally required and, upon request of Controller, Stelace shall notify to Controller the contact details of the data protection official. Stelace shall inform Controller in case of a serious interruption of operations or violations by Stelace or persons employed by it of provisions to protect Personal Data or of terms specified in this DPA. In such an event, Stelace shall implement the measures necessary to secure the Personal Data and to mitigate potential adverse effects on the Data Subjects and shall agree upon the same with Controller without undue delay.

D. Your Obligations as Controller

Controller shall, upon termination or expiration of the General Terms and Conditions of Use and by way of issuing an Instruction, ask, within a period of thirty (30) days, for its Data return or deletion. Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the General Terms and Conditions of Use shall be borne by Controller.

E. Transfer of Personal Data

Where Controller, based upon applicable data protection law, is obliged to provide information to an individual about the collection, processing or use or its Personal Data, Stelace shall assist Controller in making this information available, provided that: (i) Controller has instructed Processor in writing to do so, and (ii) Controller reimburses Stelace for the costs arising from this assistance. Where a Data Subject requests the Processor to correct, delete or block Personal Data, Stelace shall refer such Data Subject to the Controller. Personal Data may be processed outside of the European Economic Area by Stelace or its subcontractors.

F. Third Parties

Stelace is entitled to use Third Parties and subcontractors for the purposes of providing the Service under the Agreement. Stelace provides a list of all used Third Parties at its Web Site. The Customer hereby consents to Stelace's use of Third Parties as described in this section and mentioned in the General Terms and Conditions of Use. Stelace shall update list at least 14 days before it authorizes new Third Parties. If the Customer objects, the Customer shall have the right to terminate the Agreement by written notice before the effective date of the change. Stelace shall use its commercially reasonable efforts to reasonably ensure that its Third Parties are subject to equivalent requirements regarding confidentiality and data protection, as set out in this DPA. Stelace remains responsible for its Third Parties and their compliance with the obligations of this DPA.

G. Audit

At the Customer's written request, Stelace shall provide the Customer with an audit report, which is not older than 12 months so that the Customer can reasonably verify Stelace's compliance with its obligations under this DPA. The report shall at all times be deemed as Stelace's confidential information. If Stelace hasn't been audited at the time of the request, the Customer may conduct an audit at its own expenses.

H. Terms and termination

The DPA shall continue in force until the termination of the Agreement. Upon termination of the Agreement or upon the Customer’s written request, Stelace shall either destroy or return to the Customer or a third party designated by the Customer in writing the Personal Data processed. If not instructed otherwise in writing by the Customer, Stelace shall have the right to delete and destroy the Personal Data processed hereunder within three (3) months of the termination of the Agreement. In case the Customer demands that the Personal Data are returned to the Customer or to a third party in a specific format, the Customer will pay Stelace for reasonable costs and expenses arising out such return of the Personal Data.

Contacting Us

If there are any questions regarding this Data Processing Agreement, our Privacy Policy, GTCU or Third Parties Services, you may contact us using the information below.

privacy@stelace.com
or
Sharinplace 12 rue Dumas, BAL 68 93800 Epinay-sur-Seine France