# Contractual clause of subcontracting
The Parties are bound by the General Terms and Conditions of Use under which the subcontractor, namely the Service Provider, provides Services to the person in charge of processing, namely the Customer, allowing access to APIs (hereinafter the “Services”).
The General Data Protection Regulation (GDPR No. 2016/679 of 27 April 2016, applicable on 25 May 2018) imposes specific obligations on subcontractors whose liability may be incurred in the event of a breach. It also provides for additional provisions to be included in contracts with subcontractors.
These provisions prevail over all other stipulations contained in any other document signed between the parties; they may be amended, in particular as soon as standard contractual clauses are adopted within the meaning of Article 28.8 of the European Regulation.
# I. Purpose
The purpose of these clauses is to define the conditions in which the processor undertakes to carry out, on the controller's behalf, the personal data processing operations defined below.
As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018 (hereinafter “the General Data Protection Regulation”).
# II. Description of the processing being subcontracted out
The processor is authorized to process, on behalf of the controller, the necessary personal data for providing Services described in the General Terms and Condition of Use (GTCU).
The nature of the operations carried out on the data includes the hosting, the recording, the conservation, the calculation, the provision, the extraction, the collection, the consultation, the erasure, as well as any other operation mentioned in the Contract.
The purposes of the treatment are:
- Creating and managing an account
- Provision of Services
- Taking orders into account
- The management and processing of orders
- Billing
- Information about the Company, the Services and the activities of the Company
- The answer to any questions / complaints from Users
- The development of commercial statistics and use of the Services
- Management of requests for rights of access, portability, erasure, rectification and opposition
- Unpaid and litigation management
The personal data processed are determined by the Customer and depend on the Customers' activities. They may include, but are not limited to, the last name, first name, email address, telephone number, postal address or other data that the Client may require in the course of his business.
The categories of data subjects are: the Customers and partners of the data controller who accesses the Services, the data controller's users all the people who have access to the Services and record data, whether the Client or the users.
# III. Processor's obligations with respect to the controller
# A. The processor shall undertake to:
Process the data solely for the purpose(s) subject to the sub-contracting
Process the data in accordance with the documented instructions from the controller appended hereto. Where the processor considers that an instruction infringes the General Data Protection Regulation or of any other legal provision of the Union or of Member States bearing on data protection, it shall immediately inform the controller thereof. Moreover, where the processor is obliged to transfer personal data to a third country or an international organisation, under Union law or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Guarantee the confidentiality of personal data processed hereunder.
Ensure that the persons authorized to process the personal data hereunder:
- have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- receive the appropriate personal data protection training.
Take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default.
# B. Sub-contracting
The processor may engage another processor (hereinafter “the sub-processor”) to conduct specific processing activities. In this case, the processor shall inform the controller, in writing beforehand, of any intended changes concerning the addition or replacement of other processors. This information must clearly indicate which processing activities are being subcontracted out, the name and contact details of the sub-processor and the dates of the subcontract. The controller has a minimum timeframe of ten (10) days from the date on which it receives said information to object thereto. Such sub-contracting is only possible where the controller has not objected thereto within the agreed timeframe.
Where the processor recruits other sub-processors, it must obtain the prior, specific, written authorization of the controller.
The sub-processor is obliged to comply with the obligations hereunder on behalf of and on instructions from the controller. It is the initial processor's responsibility to ensure that the sub-processor provides the same sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing meets the requirements of the General Data Protection Regulation. Where the sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable with regard to the controller for the subprocessor's performance of its obligations.
# C. Data subjects' right to information
It is the controller's responsibility to inform the data subjects concerned by the processing operations at the time data are being collected.
# D. Exercise of data subjects' rights
The processor shall assist the controller, insofar as this is possible, for the fulfillment of its obligation to respond to requests for exercising the data subject's rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
Where the data subjects submit requests to the processor to exercise their rights, the processor must forward these requests as soon as they are received by email to the address indicated when subscribing to the services.
# E. Notification of personal data breaches
The processor shall notify the controller of any personal data breach not later than forty-height (48) hours after having become aware of it. Said notification shall be sent along with any necessary documentation to enable the controller, where necessary, to notify this breach to the competent supervisory authority.
Once the controller has agreed, the processor shall notify the competent supervisory authority (the CNIL), in the name and on behalf of the controller, of the personal data breaches without undue delay and, where feasible, not later than 72 hours after having become aware of them, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons. The notification shall at least:
describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
Once the controller has agreed, the processor shall communicate, in the name and on behalf of the controller, the personal data breach to the data subject without undue delay where said breach is likely to result in a high risk to the rights and freedoms of natural persons.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and at least:
describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
# F. Assistance lent by the processor to the controller regarding compliance with its obligations
The processor assists the controller in carrying out data protection impact assessments.
The processor assists the controller with regard to prior consultation of the supervisory authority.
# G. Security measures
The processor undertakes to implement the following security measures:
identity and access checks using an authentication system and a password policy;
encryption of passwords;
protection of data by default: (privacy by design) limitation of access to certain personal data to authorized persons;
limit access rights to tools and administration interfaces to only authorized persons;
install critical updates without delay;
implement the TLS / HTTPS protocol;
protect the Services by firewalls;
a system that physically and / or logically isolates customers from each other;
regular backups of data;
processes and devices to trace all the actions performed on its information system and to carry out, in accordance with the regulations in force, reports in the event of an incident affecting the customer's data;
the means to ensure the ongoing confidentiality, integrity, availability and resilience of treatment systems and services;
the means to restore the availability of personal data and access to it within appropriate deadlines in the event of a physical or technical incident;
a procedure to test, analyze and regularly evaluate the effectiveness of technical and organizational measures to ensure the safety of treatment.
# H. Fate of data
At the end of the service bearing on the processing of such data, the processor undertakes to destroy all personal data.
# I. Record of categories of processing activities
The processor states that it maintains a written record of all categories of processing activities carried out on behalf of the controller, containing:
the name and contact details of the controller on behalf of which the processor is acting, any other processors and, where applicable, the data protection officer;
the categories of processing carried out on behalf of the controller;
where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
where possible, a general description of the technical and organisational security measures, including inter alia: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
# J. Documentation
The processor provides the controller with the necessary documentation for demonstrating compliance with all of its obligations and for allowing the controller or any other auditor it has authorized to conduct audits, including inspections, and for contributing to such audits.
# IV. Controller's obligations with respect to the processor
# A. The controller undertakes to:
Provide the processor with: the nature of the transactions carried out on the data, the purpose (s) of the processing, the personal data processed, the categories of persons concerned.
Document, in writing, any instruction bearing on the processing of data by the processor.
Ensure, before and throughout the processing, compliance with the obligations set out in the General Data Protection Regulation on the processor's part.
Supervise the processing, including by conducting audits and inspections with the processor.