Updated May 19, 2023
- Preamble
- Technical and organizational measures
- Subcontracting
- Transfer outside the European Union (EU)
- Information right of concerned persons
- Exercise of the rights of individuals
- Notification of personal data breaches
- Data Protection Officer
- Fate of Personal Data
- Management of client/supplier accounts
Preamble
This agreement applies to the processing of personal data carried out by the Client, as Data Controller, and Nonli, as Sub-processor, in the context of providing the client with a solution for analyzing website audience, trend analysis, and social media publishing. This agreement constitutes an independent document aimed at defining the respective obligations of the Parties to ensure compliance with legislation on personal data processing and privacy.
Personal data is only used so that the client can authenticate with two-factor authentication and use the platform. We undertake to guarantee the confidentiality of personal data, to ensure that persons authorized to process such personal data respect confidentiality or are subject to a legal obligation of confidentiality, and that they receive necessary training on personal data protection.
The Parties undertake to respect the principles of Article 25 of the Regulation concerning "Data protection by design and by default".
The anonymous data collected by the SDK is used only on the order of, and for the benefit of, our client.
We undertake not to use our clients' data for our own purposes.
Technical and organizational measures
We undertake to implement all the security measures specified below:
Subcontracting
We do not subcontract any personal data processing. If this were the case, we would inform our client and ensure data confidentiality with them.
We will ensure that the subcontractor provides sufficient guarantees on the implementation of the technical and organizational measures required by the Regulation.
Transfer outside the European Union (EU)
In case of transfer of personal data outside the EU, we guarantee compliance with the obligations provided for in CHAPTER V "Transfers of personal data to third countries or international organizations" of the Regulation.
We will be able to provide all guarantees that our client is entitled to demand in order to ensure the compliance of data transfers outside the EU.
Information right of concerned persons
It is the client's responsibility to provide information to individuals concerned by processing operations at the time of data collection.
Exercise of the rights of individuals
We undertake to assist our client in fulfilling their obligation to respond to requests to exercise the rights of individuals concerned: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to an individual automated decision (including profiling). When the individuals concerned submit requests to exercise their rights, we forward these requests to our client.
Notification of personal data breaches
We will notify our client by e-mail of any personal data breaches as soon as possible after becoming aware of them, and in any event within timeframes that allow our client to comply with the deadlines imposed by the General Data Protection Regulation. This notification is accompanied by any useful documentation to allow the client to notify this breach to the competent supervisory authority as well as to the individuals concerned where such notifications are required by Personal Data Regulations.
Data Protection Officer
In accordance with Article 37, we are not required to appoint a DPO because we are not a public body and our activity does not consist of personal data processing operations.
Fate of Personal Data
In accordance with Article 28.3.g of the Regulation, at the end of the services related to the processing of this data, we undertake to return the personal data to the client or to any subcontractor designated by them, in the most technically appropriate format, which is non-proprietary, structured and consolidated, and to destroy all existing copies in their information systems.
Management of client/supplier accounts
The purpose of this processing is to manage the client and supplier accounts of each of the Parties, such as the commercial relationship, administrative management, invoicing, technical incident processing, and complaint management. This processing is implemented by each of the Parties as a separate Data Controller. This processing is necessary for the performance of the Contract, and also responds to the legitimate interests of each of the Parties as well as to the legitimate interest of each Party to provide communication means to their personnel.
The individuals concerned by these processing operations are the employees of each Party.
The Personal Data concerned are the identity data of the Interlocutors: Name - First Name - Tel No - e-mail. The retention period for the aforementioned personal data is limited to three (3) years from the end of the commercial relationship between the Parties, and the data may be deleted immediately if the client requests it.