The aim of the Data Protection Agreement (hereinafter "DPA") is to regulate the use of personal data of the client, which acts as a data controller (hereinafter "Client"), by Leadjet, which acts as a processor (hereinafter "Processor") within the framework of the Agreement (hereinafter "Agreement").
The Processor undertakes and certifies that it complies with all provisions of the applicable data protection rules, which include the General Data Protection Regulation (hereinafter the "GDPR") and the French Data Protection Act.
The Processor declares to offer all the sufficient safeguards to meet the requirements of the applicable data protection rules and, more particularly, to guarantee the confidentiality and protection of the Client's data.
The Processor declares and undertakes to only use the Client's data on its documented instructions described in the Agreement.
The Client undertakes to inform the Processor of any modification of the instructions that may be made regarding the use of its personal data.
The Processor must notify the Client, in writing and without delay, if the latter's documented instructions constitute a breach of the applicable data protection rules.
The Processor declares and certifies that all of its employees who process the Client's personal data are bound by a confidentiality clause or by any other legal act that guarantees the confidentiality of the Client's personal data.
The Processor undertakes to regularly train its collaborators on the applicable data protection rules.
The Processor certifies and undertakes to guarantee the security of the Client's personal data and to implement all technical and organisational measures required to prevent any risk of data breach.
The Processor undertakes to notify the Client, without delay and at the latest after having acknowledged it, of any data breach that may affect the Client's personal data.
The notification must specify all information necessary for the Client to process the data breach described in Article 28 of the GDPR.
In the event of a data breach, the Processor undertakes to take all required measures to remedy the impact of the data breach.
Unless the Client has given its express, prior and written consent, the Processor is not authorised to notify data breaches to the supervisory authority and to the persons concerned by the processing carried out under the Agreement.
The Processor shall provide the Client with all necessary and required information on the technical and organisational security measures to be implemented under the Agreement to guarantee its personal data security.
The Processor shall provide the Client, upon written request, with all the necessary and required information to ensure that a privacy impact assessment ("PIA") is carried out.
The Processor does not have to ensure or monitor the Client’s security or to carry out a PIA on behalf of the Client. Any additional request to provide information may be refused, and if necessary, an additional service can be charged.
The Processor shall provide the Client, upon written request, with all necessary and required information to enable the Client to fulfil its obligation to comply with the requests of the concerned persons.
The Processor executes, upon written request from the Client, the technical actions to undertake in order for the Client to fulfil its obligation to comply with the requests of the persons concerned.
However, the Processor does not have to handle requests for the rights of individuals in place of and on behalf of the Client. Any additional request to ensure such management may be refused and, if necessary, an additional service could be charged.
The Client agrees that the Processor may recruit Sub Processors solely for the purpose of performing the Agreement provided that the Processor informs the Client of any modification to its Sub Processors so that the Client may object to those.
The Processor undertakes to only recruit Sub Processors with necessary and sufficient safeguards to ensure the security and confidentiality of the Client's personal data.
The Agreement between the Processor and the Sub Processor shall contain similar obligations to those set out in this Agreement.
The Client may object by registered letter with acknowledgement of receipt if (i) the Sub Processor is a competitor of the Client, (ii) the Client and the Sub Processor are in a pre-litigation or litigation situation, and (iii) the Sub Processor has been convicted by a data protection supervisory authority within one year of its recruitment by the Processor. Each of these situations must be demonstrated.
In the absence of an undertaking by the Processor to modify the Sub Processor within three months from receiving the objection, the Client may terminate the Agreement subject to prior notice of six (6) months and without compensation.
In any event, the Processor shall remain liable for the actions of the Sub Processor under the Agreement.
The Client shall inform the Processor, in writing and at the latest one month before the end of the Agreement, of its choice (option 1) to return the personal data to the Processor and then to erase the personal data and all existing copies, or (option 2) to erase the personal data and all existing copies directly, or (option 3) to transfer the personal data to a new provider and then to delete the personal data and all existing copies. Unless otherwise provided in the Agreement, option 3 must be subject to an estimate by the Processor.
If the Client fails to inform the Processor of its choice within the specified period, the Processor reserves the right to erase the data and all copies directly (option 2).
The Processor shall attest in writing to the Client that the personal data and all copies thereof have been effectively erased.
The Client shall have the right to carry out an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire shall have the force of a sworn statement binding on the Processor.
The questionnaire may be transmitted in any form to the Processor, who undertakes to reply to it within a maximum of two months of its receipt.
The Client shall also have the right to carry out an on-site audit, at its own expense, once a year only in the event of a data breach or non-compliance with the applicable data protection rules and this Agreement, including as established by the written questionnaire.
An on-site audit may be conducted either by the Client or by an independent third party appointed by the Client and must be notified to the Processor in writing at least thirty (30) days prior to the audit.
The Processor shall have the right to refuse the choice of the independent third party if the latter is (i) a competitor or (ii) in pre-litigation or litigation with it.
In this case, the Client undertakes to select a new independent third party to carry out the audit.
The Processor may refuse access to certain areas for confidentiality or security reasons. In this case, the Processor shall carry out the audit in these areas at its own expense and report the results to the Client.
In the event of any discrepancy during the audit, the Processor undertakes to implement, without delay, the necessary measures to comply with this Agreement.
The Processor certifies and undertakes to do everything necessary not to transfer the Client's personal data outside the European Union or recruit any Sub Processor located outside the European Union.
Nevertheless, if such transfers appear necessary regarding the Agreement, the Processor certifies and declares that it will implement all the required mechanisms to govern those transfers, in particular by entering into binding corporate rules ("BCR") or standard data protection clauses adopted by the European Commission.
Regarding processing implemented under the Agreement, the Processor undertakes to provide, on request, all the necessary information for the Client to cooperate with the competent supervisory authority.
The Client and the Processor each appoint an interlocutor who is in charge of this Agreement and who is the recipient of the various notifications and communications to be made under the Agreement.
If a Data Protection Officer ("DPO") has been appointed by the Client and/or the Processor, the interlocutor will necessarily be the Data Protection Officer.
In case of the nullity of the Agreement, regardless of the cause, the Client has to communicate to the Processor, in writing, within a period of one month from the pronouncement of the nullity, its decision regarding the fate of its data, in accordance with Article 10 of this Agreement.
The Client reserves the right to amend this Agreement in the event of modifications in the applicable data protection rules which would have the effect of modifying one of its provisions.
Notwithstanding anything to the contrary contained in the Agreement, this Agreement is subject to French law. Any dispute relating to the performance of this Agreement shall be subject to the exclusive jurisdiction of the courts within the jurisdiction of the Court of Appeal of the Client’s place of residence.
End of the Agreement