DPA - Data Processing Agreement

Data processing agreement

This Data Processing Agreement (DPA) defines the conditions under which Magileads, acting as a processor, processes personal data on the instructions of the Client. In this DPA, Magileads relies on the standard contractual clauses of the European Commission (accessible at the following address: https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX:32021D0915).

It supplements the contract between Magileads and the Client and is incorporated into the Contract formed by the Client's acceptance of the General Conditions of Use (accessible at the following address: https://www.magileads.com/cgu-conditions-generales-d-usage/), including the Magileads Confidentiality Policy (accessible at the following address: https://www.magileads.com/accord-de-confidentialite/).

In the event of a contradiction with the Contract, the DPA prevails.

Since Magileads acts as a processor, the Client is presumed to act as Data Controller for all processing operations other than those carried out by Magileads for its own purposes, which are detailed in the Magileads Privacy Policy.

If the Client itself acts as a processor handling data on the instructions of a third-party Data Controller, the Client undertakes to:

  • Obtain from the Data Controller all authorizations required to conclude this DPA;
  • Declare Magileads to the Data Controller as a sub-processor;
  • Have concluded with the Data Controller a contract in accordance with Article 28 of the GDPR and consistent with this DPA and the Contract concluded between Magileads and the Client;
  • Give Magileads instructions consistent with those it has received from the Data Controller, Magileads receiving no instructions directly from the Data Controller, except where the Client has transferred its rights and obligations to the Data Controller, who provides proof;
  • Make this DPA available to the Data Controller.

The Client remains fully responsible towards Magileads for the application of this DPA by the Data Controller. The Client releases Magileads from any liability for any failure by the Data Controller to comply with applicable law, as well as for any action, claim or complaint by the Data Controller relating to this DPA, to the Contract concluded between Magileads and the Client, or to the instructions given by the Client to Magileads.

SECTION I

Clause 1
Purpose and scope
  1. These standard contractual clauses (hereinafter the “clauses”) are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. Controllers and processors have accepted these clauses in order to ensure compliance with the provisions of Article 28(3) and (4) of Regulation (EU) 2016/679.
  3. These clauses apply to the processing of personal data as described in Annex I.
  4. Annexes I to III form an integral part of the clauses.
  5. These clauses are without prejudice to the obligations to which the data controller is subject under Regulation (EU) 2016/679.
  6. The clauses alone are not sufficient to ensure compliance with the obligations relating to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.

Clause 2

Invariability of clauses
  1. The parties undertake not to modify the clauses, except with regard to adding information to the annexes or updating the information contained therein.
  2. The parties are not, however, prevented from including the standard contractual clauses set out in these clauses in a broader contract, nor from adding other clauses or additional safeguards, provided that these do not directly or indirectly contradict the clauses and do not infringe the fundamental rights and freedoms of the data subjects.

Clause 3

Interpretation
  1. Where terms defined in Regulation (EU) 2016/679 are used in these clauses, they have the same meaning as in that Regulation.
  2. These clauses must be read and interpreted in light of the provisions of Regulation (EU) 2016/679.
  3. These clauses must not be interpreted in a manner contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or in a manner which adversely affects the fundamental rights or freedoms of the data subjects.

Clause 4

Hierarchy

In the event of any contradiction between these clauses and the provisions of related agreements which exist between the parties at the time these clauses are agreed or which are subsequently entered into, these clauses shall prevail.

Clause 5

Docking clause
  (a) Any entity that is not a party to these clauses may, with the agreement of all the parties, accede to them at any time, as either controller or processor, by completing the annexes.
  (b) Once the annexes referred to in point (a) are completed and signed, the acceding entity is considered a party to these clauses and has the rights and obligations of a controller or a processor.
  (c) These clauses do not create for the acceding party any rights or obligations for the period preceding its accession.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 6

Description of the processing

The details of the processing operations, and in particular the categories of personal data and the purposes of the processing for which the personal data are processed on behalf of the controller, are specified in Annex I.

Clause 7

Obligations of the parties
7.1. Instructions
  (a) The processor shall process personal data only on the documented instructions of the controller, unless it is required to do so under Union law or the law of the Member State to which it is subject. In that case, the processor shall inform the controller of this legal requirement before processing, unless the law prohibits it on important grounds of public interest. Instructions may also be given subsequently by the controller for the duration of the processing of personal data. These instructions must always be documented.
  (b) The processor shall immediately inform the controller if, in its opinion, an instruction given by the controller infringes Regulation (EU) 2016/679 or other Union or Member State data protection provisions.
7.2. Limitation of purpose

The processor processes personal data only for the specific purpose(s) of the processing, as defined in Annex I, unless otherwise instructed by the controller.

7.3. Duration of processing of personal data

Processing by the processor only takes place for the duration specified in Annex I.

7.4. Security of processing
  1. The processor shall implement at least the technical and organizational measures specified in Annex II to ensure the security of the personal data. This includes protecting the data against a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, the personal data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the data subjects.
  2. The processor shall grant members of its staff access to the personal data undergoing processing only to the extent strictly necessary for the performance, management and monitoring of the contract. The processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.5. Sensitive data

If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data or biometric data for the purposes of identifying a natural person uniquely, data concerning health or data concerning the sex life or sexual orientation of a natural person, or data relating to criminal convictions and offenses ("sensitive data"), the processor applies specific limitations and/or additional warranties.

7.6 Documentation and compliance
  1. The parties must be able to demonstrate compliance with these clauses.
  2. The processor shall promptly and adequately handle the controller's requests regarding the data processing in accordance with these clauses.
  3. The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations set out in these clauses and stemming directly from Regulation (EU) 2016/679. At the controller's request, the processor shall also allow for and contribute to audits of the processing activities covered by these clauses, at reasonable intervals or where there are indications of non-compliance. In deciding on a review or audit, the controller may take into account relevant certifications held by the processor.
  4. The controller may choose to carry out the audit itself or to mandate an independent auditor. Audits may also include inspections at the processor's premises or physical facilities and shall, where appropriate, be carried out with reasonable notice.
  5. The Parties shall make available to the competent supervisory authority(ies), upon request, the information set out in this clause, including the results of any audit.
7.7. Use of subcontractors
  1. The processor has the controller's general authorization for the engagement of sub-processors from an agreed list. The processor shall specifically inform the controller in writing of any intended change to that list through the addition or replacement of sub-processors at least 30 (thirty) days in advance, thereby giving the controller sufficient time to object to such changes before the sub-processor(s) concerned are engaged. The processor shall provide the controller with the information necessary to enable it to exercise its right to object.
  2. Where the processor engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as those imposed on the processor under these clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is itself subject under these clauses and Regulation (EU) 2016/679.
  3. At the controller's request, the processor shall provide the controller with a copy of the contract concluded with the sub-processor and any subsequent amendments to it. To the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the contract before sharing a copy.
  4. The processor remains fully responsible to the controller for the performance of the sub-processor's obligations under the contract concluded with the sub-processor. The processor shall notify the controller of any failure by the sub-processor to fulfill its contractual obligations.
  5. The processor shall agree a third-party beneficiary clause with the sub-processor whereby, in the event that the processor has factually disappeared, ceased to exist in law or has become insolvent, the controller has the right to terminate the contract concluded with the sub-processor and to instruct the sub-processor to erase or return the personal data.
7.8. International transfers
  1. Any transfer of data to a third country or an international organization by the processor shall be carried out only on the basis of documented instructions from the controller or in order to fulfill a specific requirement under Union law or the law of the Member State to which the processor is subject, and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
  2. The controller agrees that where the processor engages a sub-processor in accordance with clause 7.7 to carry out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using the standard contractual clauses adopted by the Commission on the basis of Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the use of those standard contractual clauses are met.

Clause 8

Assistance to the controller
  (a) The processor shall promptly inform the controller of any request it has received from a data subject. It shall not respond to that request itself, unless the controller has authorized it to do so.
  (b) The processor shall assist the controller in fulfilling its obligation to respond to data subjects' requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations under points (a) and (b), the processor shall comply with the controller's instructions.
  (c) In addition to the processor's obligation to assist the controller under point (b), the processor shall further assist the controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to the processor:
    1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (“data protection impact assessment”) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
    2. the obligation to consult the competent supervisory authority(ies) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk if the controller did not take appropriate measures to mitigate the risk;
    3. the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become obsolete;
    4. the obligations provided for in Article 32 of Regulation (EU) 2016/679.
  (d) The Parties shall set out in Annex II the appropriate technical and organizational measures by which the processor is required to assist the controller in the application of this clause, as well as the scope and extent of the assistance required.

Clause 9

Notification of personal data breaches

In the event of a personal data breach, the processor shall cooperate with and assist the controller in complying with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, taking into account the nature of the processing and the information available to the processor.

9.1 Data breach in relation to data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

  (a) in notifying the personal data breach to the competent supervisory authority(ies) as soon as possible after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
  (b) in obtaining the following information which, in accordance with Article 33(3) of Regulation (EU) 2016/679, must be included in the controller's notification and must at least include:
    1. the nature of the personal data, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. the likely consequences of the personal data breach;
    3. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information available at that time, and further information shall be provided as soon as possible once it becomes available;

  (c) in complying, in accordance with Article 34 of Regulation (EU) 2016/679, with the obligation to communicate the personal data breach to the data subject as soon as possible, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach in relation to data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller as soon as possible after becoming aware of it. The notification shall contain at least:

  1. a description of the nature of the breach found (including, where possible, the categories and approximate number of individuals affected by the breach and personal data records affected);
  2. contact details of a contact point from which further information can be obtained regarding the personal data breach;
  3. its likely consequences and the measures taken or proposed to be taken to remedy the breach, including to mitigate possible negative consequences.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information available at that time, and further information shall be provided as soon as possible once it becomes available.

The Parties shall set out in Annex III all other elements that the processor must provide when assisting the controller in complying with the controller's obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

SECTION III – FINAL PROVISIONS

Clause 10 

Non-compliance with the clauses and termination
  (a) Without prejudice to the provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these clauses, the controller may instruct the processor to suspend the processing of personal data until the processor complies with these clauses or the contract is terminated. The processor shall promptly inform the controller if it is unable to comply with these clauses, for whatever reason.
  (b) The controller is entitled to terminate the contract insofar as it concerns the processing of personal data in accordance with these clauses if:
    1. the processing of personal data by the processor has been suspended by the controller in accordance with point (a) and compliance with these clauses is not restored within a reasonable period and, in any event, within one month of the suspension;
    2. the processor is in serious or persistent breach of these clauses or of its obligations under Regulation (EU) 2016/679;
    3. the processor fails to comply with a binding decision of a competent court or of the competent supervisory authority(ies) regarding its obligations under these clauses or Regulation (EU) 2016/679.
  (c) The processor is entitled to terminate the contract insofar as it concerns the processing of personal data under these clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with clause 7.1(b), the controller insists on compliance with those instructions.
  (d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all personal data to the controller and destroy existing copies, unless Union or national law requires the data to be retained for a longer period. The processor shall continue to ensure compliance with these clauses until the data is deleted or returned.

ANNEX I

Description of processing

Categories of personal data processed and data subjects

The type of Personal Data and the categories of persons concerned are determined and controlled by the Client, at its sole discretion, through its use of the Magileads Platform.

In order to ensure the security of the Platform, error management and access logging, Magileads will be required to process the following personal data on behalf of the Client: IP address and User Agent of connections to the Platform (including access to applications hosted on the Platform by the Client), the addresses of the resources accessed (URLs).

Nature of processing

The processing operations carried out by Magileads on Personal Data may include the calculation, classification and organization of data, storage, security and/or any other processing carried out by the Client in the context of its use of the Magileads platform.

Duration of processing

The processing covered by this DPA is carried out for the duration of the contract, or for any shorter duration under the exclusive control of the Client.

ANNEX II

Technical and organizational measures, including technical and organizational measures to ensure data security

Magileads implements organizational and technical measures to guarantee the security and confidentiality of the data processed on behalf of the Client. These measures include the use of:

  1. Data encryption measures in transit and during storage;
  2. Physical security measures (including identity verification) and logical control of access rights to Magileads servers and the data center rooms housing said servers;
  3. Strengthened authentication processes for all access to Magileads and its customers' data;
  4. Physical and/or logical isolation of personal and non-personal data from different Magileads clients;
  5. Procedures for systematically applying security patches documented by CERT-FR within the shortest possible timeframes;
  6. Confidentiality commitments required of all employees and service providers acting on behalf of Magileads;
  7. Logging of actions carried out on Magileads information systems.

Hereinafter designated the data controller.
Francois KOLLI DPO – dpo@magileads.eu
Company KA-Groupe – MAGILEADS
40 Rue de Plaisance, 75014 Paris

RC / SIRET number: 848746632
APE code: 7022Z