Data Processing Agreement

Preamble

The purpose of these clauses is to define the conditions under which the Subcontractor ("Veesual") undertakes to carry out, on behalf of the Data Controller ("the Client"), the personal data processing operations defined below.

Within the framework of their contractual relations, the parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, applicable as of May 25, 2018 (hereinafter, "the European Data Protection Regulation"). It does not include any commercial provisions agreed elsewhere between the Parties in the context of their commercial agreements.

ARTICLE 1 - PURPOSE OF THE AGREEMENT

1.1. Definitions of terms used

For the purposes of this Agreement, words and expressions with an initial capital letter shall have the meanings given: (i) in this document, including the preamble; (ii) or, failing that, in the Commercial Agreement otherwise concluded between the Parties; (iii) or, failing that, in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"). These words shall have the same meaning in the singular and plural.

1.2. Purpose

The purpose of this Agreement is to define the conditions under which the Subcontractor undertakes to perform, on behalf of the Data Controller, the Personal Data Processing operations defined below for technical development support.

1.3. Duration

This Agreement shall enter into force upon signature and shall remain in force for the duration of the Commercial Agreement concluded between the Parties for technical support, with the exception of the provisions of the articles whose effects shall remain in force for their respective durations, if specified.

1.4. Compliance with Regulations

Within the framework of their contractual relations, the Parties undertake to comply with the regulations in force applicable to the Processing of Personal Data and, in particular: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, applicable as of May 25, 2018, known as the "European Data Protection Regulation" or "GDPR"; (ii) Law No. 78-17 of January 6, 1978, as amended, relating to information technology, files, and civil liberties, known as the "Data Protection Act" (hereinafter collectively referred to as the "Regulations").

1.5. Amendments

The Parties agree that this Agreement, entered into pursuant to the provisions of Article 28 of the GDPR, may be amended as a result of the adoption by the competent supervisory authority of standard contractual clauses within the meaning of Article 28.8 of the same text. The Parties therefore undertake to negotiate in good faith and adopt, when the time comes and by way of an amendment, any contractual amendments that may be necessary as a result of the adoption of the said standard contractual clauses.

ARTICLE 2 - DESCRIPTION OF THE PROCESSING SUBJECT TO SUBCONTRACTING

2.1. Authorization

The Subcontractor is authorized to process, on behalf of the Data Controller, the Personal Data necessary for the processing specified in Appendix 1.

2.2. Processing concerned

In accordance with the provisions of the GDPR, the specific appendix ("Specific Appendix") to this Agreement specifies in detail: (i) the purpose of the Processing; (ii) the duration of the Processing; (iii) the nature of the Processing; (iv) the Purposes of the Processing; (v) the types of Personal Data concerned; (vi) the categories of Data Subjects; (vii) the necessary information made available to the Sub-Processor by the Data Controller for the performance of the service covered by this Agreement.

ARTICLE 3 - OBLIGATIONS OF THE DATA CONTROLLER

The Data Controller undertakes to:

  • provide the Data Processor with the Personal Data referred to in the Special Annex to this Agreement;
  • document in writing any instructions concerning the Processing of Personal Data by the Data Processor;
  • ensure, in advance and throughout the duration of the Processing, that the Processor complies with the obligations set out in the GDPR;
  • supervise the Processing, including conducting audits and inspections of the Processor.

ARTICLE 4 - OBLIGATIONS OF THE PROCESSOR

4.1. Commitments

The Subcontractor undertakes to:

  • Process Personal Data solely for the purposes that are the subject of the subcontracting;
  • Process Personal Data in accordance with the documented instructions of the Data Controller set out in the Appendix to this Agreement. If the Subcontractor considers that an instruction constitutes a violation of the GDPR or any other provision of Union law or Member State law relating to the protection of Personal Data, it shall immediately inform the Data Controller. Furthermore, if the Sub-Processor is required to transfer Personal Data to a third country or to an international organization under Union law or the law of the Member State to which it is subject, it shall inform the Controller of this legal obligation prior to the Processing, unless the relevant law prohibits such information on important grounds of public interest;
  • ensure the confidentiality of Personal Data processed under this Agreement;
  • ensure that persons authorized to process Personal Data under this Agreement: (i) undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality; (ii) receive the necessary training in the protection of Personal Data;
  • take into account, with regard to its tools, products, applications, or services, the principles of Privacy by Design and Privacy by Default;
  • assist the Data Controller in carrying out impact assessments relating to the protection of Personal Data;
  • assist the Data Controller in carrying out prior consultation with the supervisory authority;
  • provide the Data Controller with the documentation necessary to demonstrate compliance with all its obligations and to enable audits, including inspections, to be carried out by the Data Controller or another auditor mandated by it, and contribute to these audits;
  • implement the security measures listed in the Special Annex.

4.2. Subprocessing

4.2.1.

The Sub-Processor is authorized to engage one or more other Sub-Processors (hereinafter, "Second-Tier Sub-Processors") to carry out specific Processing activities. In this case, it shall inform the Data Controller in advance and in writing of any changes planned concerning the addition or replacement of other Subcontractors. This information must clearly indicate the Processing activities subcontracted, the identity and contact details of the second-tier Subcontractor, and the dates of the subcontracting agreement. The Data Controller has a minimum period of THIRTY (30) calendar days from the date of receipt of this information to raise any objections. This second-tier subcontracting may only be carried out if the Data Controller has not raised any objections within the agreed period.

4.2.2.

The Sub-Processor is required to comply with the obligations of this Agreement on behalf of and in accordance with the instructions of the Data Controller. It is the responsibility of the Processor to ensure that the Sub-Processor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the GDPR. If the second-tier Subcontractor fails to fulfill its data protection obligations, the Subcontractor remains fully liable to the Data Controller for the performance by the other second-tier Subcontractor of its obligations.

ARTICLE 5 - RIGHT TO INFORMATION FOR DATA SUBJECTS

It is the responsibility of the Data Controller to provide information to Data Subjects at the time of collection of Personal Data; Processors assist in the implementation.

ARTICLE 6 - EXERCISE OF RIGHTS FOR DATA SUBJECTS

6.1. Assistance

Where possible, the Subcontractor and the second-tier Subcontractor must assist the Data Controller in fulfilling its obligation to respond to requests from Data Subjects to exercise their rights: the right of access, rectification, erasure, and objection, the right to restriction of processing, the right to data portability, and the right not to be subject to automated individual decision-making (including profiling).

6.2. Transmission of requests

When Data Subjects submit requests to the Subcontractor to exercise their rights, the Subcontractor must forward these requests by email to the Data Controller as soon as they are received.

ARTICLE 7 - DATA BREACH NOTIFICATION

7.1. Time limit

The Subcontractor shall notify the Data Controller by email of any Personal Data breach within a maximum of SEVENTY-TWO (72) working hours after becoming aware of it. This notification shall be accompanied by any useful documentation to enable the Data Controller, if necessary, to notify the competent supervisory authority of the breach.

7.2. Content of the notification to the supervisory authority

It is recalled that the notification to the supervisory authority shall contain at least: (i) a description of the nature of the Personal Data breach, including, where possible, the categories and approximate number of data subjects concerned by the breach and the categories and approximate number of Personal Data records concerned; (ii) the name and contact details of the Data Protection Officer or another contact point from which further information can be obtained; (iii) a description of the likely consequences of the Personal Data breach; (iv) a description of the measures taken or proposed to be taken by the Data Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects. If, and to the extent that it is not possible to provide all this information at the same time, the information may be provided in a phased manner without undue delay.

ARTICLE 8 - FATE OF PERSONAL DATA

Termination of the Agreement. Upon expiration of the Agreement between the Parties, the Subcontractor undertakes to destroy all Personal Data.

APPENDIX

Purpose of processing

The Data Controller has signed a Contract for the provision of a Service by Vidcap.

As part of its activities, the Data Controller will transmit to the Sub-Processor a certain amount of Data that may be classified as Personal Data.

Data Retention

The Subcontractor shall Process the Personal Data of the Data Controller during the Term of the Agreement and for the period necessary to perform the Data return operations.

Nature of Data Processing

The Processing of Personal Data is necessary for the performance of the Contract with the Data Controller. The Data Controller ensures that it obtains the consent of consumers before offering them a personalized experience.

This Data is Processed by the Sub-Processor to ensure:

  • The provision of an AI-powered image animation service.
  • The provision of usage reports.
  • The improvement of the quality of the Service.

Type of Personal Data

Users: professional email, IP address

Input: images

Security measures

  1. Daily backup
  2. Access via personal password
  3. Monitoring of application login access
  4. HTTPS protocol for application access
  5. Antivirus management and updates

List of Subcontractors

The list of second-tier Subcontractors is available at any time upon request to the Subcontractor.

© Veesual 2025 | All Rights Reserved