DATA PROTECTION
In the context of the Agreement, the Client may transfer personal data to the Provider, in particular to allow learners to access the Modules.
The present appendix completes the Agreement and aims to bring the Agreement into compliance with the Applicable Regulations (as defined below) and in particular to define the conditions under which the Service Provider undertakes to carry out on behalf of the Client the personal data processing operations (the “Data”) inherent and/or necessary to be able to benefit from the Services.
The Client is, within the meaning of the data protection regulations, responsible for the processing of personal data on the Data.
In the context of their contractual relationship, the Parties undertake to comply with the regulations in force applicable to the processing of personal data, and, in particular, Law No. 78-17 of 6 January 1978 on information technology, files and freedoms and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Applicable Regulations”).
1. Description of the processing subject to outsourcing
The Provider is authorised to process on behalf of the Client the Personal Data necessary to provide the Services.
The details of the processing operations, and in particular the categories of Data and the purposes of the processing for which the Data are processed are specified below.
The purpose of the processing is to enable the Service Provider to provide the Services. The purposes of the processing are therefore mainly the following:
– Creation and management of learner accounts;
– Feedback of learners’ scores.
The nature of the operations carried out on the data is the transmission, processing and storage of the Data.
The Data is kept for as long as the Client or Learner has an account that has not been closed and for a maximum period of three months following the date of closure. The Service Provider reserves the right to archive the Data it may have collected in the performance of this Agreement, for the duration of the limitation period for liability claims.
The types of personal data processed are :
– the email addresses of the learners, as well as that of the Client’s contact person,
– the score and number of tests taken by the learners,
– connection data (for security purposes).
The categories of persons concerned are the following: the Client’s learners and/or the Service Provider’s contact person within the Client.
2. Obligations of the Provider towards the Customer
The Provider undertakes to:
1. process the Data only for the purposes for which it is outsourced
2. process the Data in accordance with the Client’s instructions.
a. If the Service Provider considers that an instruction constitutes a breach of the Applicable Regulations or any other provision of EU or Member State law relating to data protection, it shall immediately inform the Client.
b. In addition, if the Service Provider is obliged to transfer data to a third country or to an international organisation under the law of the Union or the law of the Member State to which it is subject, it shall inform the Client of this legal obligation prior to processing, unless the law concerned prohibits such information on important public interest grounds;
3. to implement the appropriate means to ensure the confidentiality and security of the Data processed in the context of the services;
4. ensure that the persons authorised to process the Data :
a. undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality
b. receive the necessary training in the protection of personal data;
5. take into account, with respect to its tools, products, applications or services, the principles of data protection by design and data protection by default.
3. Subcontracting
The Service Provider may use a subcontractor (hereinafter the “subcontractor”) to carry out specific processing activities. In this case, the Service Provider shall inform the Customer of any changes envisaged regarding the addition or replacement of further processors, thereby giving the Customer the opportunity to object to such changes.
The subsequent subcontractor shall be obliged to fulfil the obligations hereunder on behalf of and in accordance with the instructions of the Client. The Service Provider is responsible for ensuring that the sub-processor provides the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the Applicable Regulations.
If the sub-processor does not fulfil its data protection obligations, the Service Provider, the original sub-processor, is and remains fully responsible to the Client for the performance by its sub-processor of its obligations.
4. Right to information of data subjects
It is the Client’s responsibility to provide information to the persons concerned by the processing operations.
5. Exercise of the rights of data subjects
Wherever possible, the Service Provider shall assist the Client in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restrict processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
Where data subjects make requests to the Service Provider to exercise their rights, the Service Provider shall address such requests to the Client.
6. Notification of Data breaches
The Service Provider shall notify the Client of any Data breach as soon as possible after becoming aware of it. Such notification shall be accompanied by all relevant documentation to enable the Client, if necessary, to notify the relevant supervisory authority of the Data breach.
7. Location of the servers
The servers used by the Service Provider are located in the European Economic Area or in a country recognised as providing an adequate level of protection.
8. Assistance of the Service Provider in the fulfilment of the Customer’s obligations
The Service Provider shall assist the Customer in conducting data protection impact assessments.
The Service Provider shall assist the Customer in carrying out the prior consultation with the supervisory authority.
The Service Provider shall make available to the Customer the documentation necessary to demonstrate compliance with all its obligations and to enable and assist in audits, including inspections, by the Customer or another auditor appointed by the Customer.
The various actions and services performed by the Service Provider hereunder shall be invoiced on a time basis, by application of the Service Provider’s hourly or daily rate on the day of performance of said actions and services.
9. Register of processing activities
The Service Provider declares that it keeps a written record of all categories of processing activities carried out on behalf of the Client, including
– the name and contact details of the Client, any subcontractors and, if applicable, the data protection officer
– the categories of processing carried out on behalf of the Client, as far as possible;
– where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the Regulation, the documents attesting to the existence of appropriate safeguards;
– to the extent possible, a general description of the technical and organisational security measures.
10. Fate of the data
The Service Provider undertakes to destroy the Data in accordance with the stipulations concerning the duration set out in Article 1 hereof.
11. Obligations of the Client towards the Service Provider
The Client undertakes to :
– to document in writing all instructions concerning the processing of the Data by the Service Provider;
– ensure, beforehand and throughout the processing, that the Service Provider complies with the obligations set out in the Applicable Regulations;
– supervise the processing.