Data Processing Agreement (DPA)


1. Introduction

The purpose of the Data Processing Agreement (hereinafter the “DPA”) is to govern the use of the personal data of the Client, which acts as a controller (hereinafter the “Client”), by BrainTale, which acts as a processor (hereinafter the “Processor”), within the framework of the Agreement (hereinafter the “Agreement”).

The DPA is part of the Agreement signed between the Client and the Processor. In the event of any inconsistency between the Agreement and the DPA, the obligations set forth in the DPA shall prevail with respect to the applicable data protection rules.

All data protection terms used in the DPA (e.g. controller, processor, etc.) are defined in Article 4 of the General Data Protection Regulation (“GDPR”).

The Processor is a French company. The standard version of the DPA is therefore the French version. In case of misinterpretation due to translation of the documents, the French version always prevails.


2. Statement

The Processor declares that it complies with all applicable data protection rules that include the GDPR and the Data Protection Act.

The Processor declares that it has sufficient safeguards in place to meet the requirements of the applicable data protection rules and, in particular, to ensure the confidentiality and protection of the Client’s data.

The Processor declares that all of its employees who process the Client’s personal data are bound by a confidentiality clause or by any other legal act (e.g. rules of good conduct, information systems charter, etc.) to guarantee the confidentiality of the Client’s personal data.

The Processor declares that it regularly trains and educates its employees on the applicable data protection rules.

3. Instructions

Processor agrees to use Client’s personal data only on documented instructions from Client.

The Client undertakes to inform the Processor of any changes in the instructions that may be carried out regarding the use of its personal data.

Processor shall promptly notify Client if Client’s documented instructions constitute a violation of applicable data protection rules.

4. Compliance by default and by design

Processor shall provide its service “as is”, in compliance with (i) service compliance by design and (ii) service compliance by default.

The Processor provides a service with all functionalities enabling the Client to meet its obligations as a data controller.

Accordingly, Processor shall never be liable for Client’s non-compliant use of the Service with data protection rules.

5. Security

The Processor certifies and undertakes to ensure the security of the Client’s personal data and to implement all technical and organizational measures necessary to prevent any risk of data breach.

6. Breach of data

The Processor undertakes to notify the Client, as soon as possible after becoming aware of it, of any data breach that may affect the Client’s personal data.

The notification shall specify all information necessary for the Client to handle the data breach as described in Article 28 of the GDPR.

In the event of a data breach, the Processor agrees to take all necessary steps to remedy the breach and to reduce its impact on the Client’s personal data.

Except with the express, prior and written consent of the Client, the Processor is not authorized to make notifications of data breaches to the supervisory authority and to the persons concerned by the processing carried out under the Contract.

7. Help and assistance in matters of security

The Processor shall provide Customer with all necessary and required information on the technical and organizational security measures to be implemented under the Contract to ensure the security of its personal data.

Processor shall provide to Customer, upon written request, all information necessary and required to ensure the completion of an impact analysis (“PIA”).

The Processor shall not be obliged to ensure or audit the Customer’s security or to carry out impact analyses (“PIA”) in the place and on behalf of the Customer. Any additional request to provide information may be refused and, if necessary, an additional service charged.


8. Help and assistance in matters of rights of data subjects

Upon written request, Processor shall provide Customer with all information necessary and required for Customer to fulfill its obligation to respond to requests from data subjects.

Processor shall, upon written request from Customer, perform such technical actions as may be necessary to fulfill Customer’s obligation to respond to requests from affected persons.

However, the Processor is not obliged to manage requests for personal rights in the place and on behalf of the Client. Any additional request to ensure such management may be refused and, possibly, an additional service charged.


9. Sub-processor

Client agrees that Processor may engage Sub-processors solely in connection with the performance of the Contract, provided that Processor notifies Client of any changes regarding such Sub-processors so that Client may object thereto.

Customer may issue objections by registered letter with return receipt if (i) the Subsequent Subcontractor is one of its competitors, (ii) Customer and the Subsequent Subcontractor are in a dispute or litigation situation, and (iii) the Subsequent Subcontractor has been the subject of a condemnation by a data protection supervisory authority within one year of its recruitment by the Subcontractor. Each of these situations must be demonstrated.

In the event the objection is sustained, Subcontractor shall have 6 months from receipt of the objection to modify the Subsequent Subcontractor or to ensure compliance with the GDPR by such Subsequent Subcontractor.

Failing this, Customer may terminate the Agreement subject to six (6) months notice, without Customer being entitled to claim compensation of any kind.

In all cases, Subcontractor agrees to engage only subsequent Subcontractors that have the necessary and sufficient guarantees to ensure the security and confidentiality of Customer’s personal data.

As such, Subcontractor agrees to (i) regularly monitor its subsequent Subcontractors and (ii) that the contract with the subsequent Subcontractor used in the service will contain obligations similar to those in the DPA.

In any event, the Subcontractor shall remain liable for the actions of the subsequent Subcontractor under the Contract.

10. Fate of personal data

Customer shall promptly notify Subcontractor in writing of its choice (option 1) to return the personal data to Subcontractor and then delete the personal data and all existing copies, or (option 2) to directly delete the personal data and all existing copies, or (option 3) to transfer the personal data to a new provider and then delete the personal data and all existing copies. Unless otherwise provided for in the Agreement, option 3 must be quoted by Contractor.

If the Customer does not inform the Subcontractor of its choice, the Subcontractor reserves the right to directly delete the data and all copies (option 2).

The deletion of data is irreversible. The Customer is therefore invited to recover its data before the service is stopped. In case of deletion of the Customer’s data by the Subcontractor, the Customer remains solely responsible for the disappearance of the data and any consequences that may occur.

The Contractor shall certify to the Customer, upon written request, that the personal data and all existing copies have been effectively deleted.

11. Audits

The Client has the right to conduct an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire shall have the force of a sworn undertaking binding on the Contractor.

The questionnaire may be communicated in any form to the Subcontractor, who undertakes to respond within a maximum of two months of receipt.

Customer also has the right to conduct an on-site audit, at its own expense, once a year only in the event of a data breach or violation of applicable data protection rules and this Agreement, including as established by the written questionnaire.

An on-site audit may be conducted either by Customer or by an independent third party designated by Customer and must be notified to Contractor in writing at least thirty (30) days prior to conducting the audit.

Subcontractor has the right to refuse the selection of the independent third party if the independent third party is (i) a competitor or (ii) in pre-litigation or litigation with Subcontractor. In such case, Client agrees to select a new independent third party to perform the audit.

Contractor may refuse access to certain areas for reasons of confidentiality or security. In this case, Contractor will audit these areas at its own expense and report the results to Customer.

In the event of any deviation found during the audit, Contractor agrees to implement, without delay, the measures necessary to comply with this Agreement.

12. Transfers of data outside the European Union

The Subcontractor undertakes to use its best endeavours not to transfer the Customer’s personal data outside the European Union or to recruit a subsequent Subcontractor located outside the European Union.

Nevertheless, in the event that such transfers prove necessary within the framework of the Contract, the Subcontractor undertakes to implement all the mechanisms required to supervise such transfers, such as, in particular, entering into binding corporate rules (“BCR”) or standard data protection clauses (“STC”) adopted by the European Commission.

13. Cooperation with the supervisory authority

Where this concerns processing carried out within the framework of the Contract, the Subcontractor undertakes to provide, on request, all the information necessary for the Client to cooperate with the relevant control authority.

14. Contact

Client and Processor shall each designate an interlocutor who shall be in charge of this DPA and who shall be the recipient of the various notifications and communications to be made under the DPA.

The Contractor informs the Client that it has appointed Dipeeo as its Data Protection Officer, who can be contacted at the following address:

  • Email address: dpo@braintale.eu
  • Postal address: Dipeeo SAS, 104 avenue de la Résistance, 93100 Montreuil
  • Phone number: +33 09 86 23 21 29

15. Review

Customer reserves the right to modify this Agreement in the event of changes in applicable data protection regulations that would alter any of its provisions.

16. Applicable law

Notwithstanding any provision to the contrary in the Contract, this Agreement shall be governed by French law. Any dispute relating to the performance of this Agreement shall be subject to the exclusive jurisdiction of the courts of the jurisdiction of the Court of Appeal of the place of residence of the Subcontractor.

Certified compliant by Dipeeo ®