DATA PROCESSING AGREEMENT (DPA)
Personal data: any information relating to an identified or identifiable natural person (hereinafter referred to as «data subject»); an «identifiable natural person» is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, a location data, an online identifier, or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity
Processing: Any operation or set of operations that may or may not be performed upon personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
File: Any structured set of personal data accessible according to determined criteria, whether this set is centralized, decentralized or distributed in a functional or geographical manner.
Data controller: The natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of the processing.
Processor: The natural or legal person, public authority, department or other body which processes personal data on behalf of the controller.
Recipient: The natural or legal person, public authority, department or other body that receives personal data, whether or not it is a third party.
ARTICLE 1. PROCESSING OF DATA COLLECTED BY SEMIOLOGIC
- The data controller
The person in charge of the treatment is SEMIOLOGIC, 67 cours Mirabeau - 13100 Aix en Provence represented by Mr. David DJIAN.
- The data collected
In accordance with its obligation of security, SEMIOLOGIC is committed to ensure the confidentiality of the personal data. SEMIOLOGIC implements the technical means to ensure this security and to avoid any destruction, any detour, any theft or any consultation by a third party of the personal data.
The Editor is informed that SEMIOLOGIC, as the person in charge of processing, implements personal data processing concerning the interlocutors, physical persons within the Editor.
The Editor is informed, on any form of collection of personal data, of the obligatory or optional character of the answers by the presence of an asterisk (*). If you do not provide the required information, your request will not be processed.
The data collected are the names and surnames, contact details of the interlocutors - contacts within the Editor. The legal basis of the treatment is the contract.
In order to ensure the payment of our services, the banking data relating to the means of payment used by the Editor are collected. The legal basis of the processing is the contract.
The email address is collected in order to send you newsletters and promotional offers.
The personal data are hosted in France.
The recipients of the personal data are SEMIOLOGIC, and its subcontractors: host, accountant, banking provider, lawyer, auditor.
The natural persons who are interlocutors or users within the Editor whose personal data are treated by SEMIOLOGIC have a right of access to the data concerning them, the right to see their data rectified, completed, updated, locked or erased, on request and in the respect of the legal conditions.
They also have the right to limit their personal data, to portability as well as the right to define their directives as to the fate of their personal data in case of death (conservation, deletion, communication of their personal data).
They also have the right to object on legitimate grounds and/or to withdraw their consent at any time without affecting the lawfulness of the processing based on the consent given prior to the withdrawal of consent.
To exercise any of these rights, the individuals concerned may send their request to:
- Or by mail : 67 cours Mirabeau - 13100 Aix-en-Provence
- Or by e-mail : firstname.lastname@example.org
SEMIOLOGIC will send an answer within ONE (1) month from the date of receipt of the request. This period may be extended by TWO (2) months due to the complexity and number of requests. SEMIOLOGIC will inform the concerned person within ONE (1) month after receipt of the request.
In case of unsatisfactory answer, the concerned person has the right to introduce a complaint to the CNIL, competent control authority (www.cnil.fr).
Concerning the commercial mails/newsletters, the unsubscription is possible at any time by clicking on the hypertext link available in each of the mails sent by SEMIOLOGIC.
The data concerning the sending of promotional mails are kept for a duration of THREE (3) years as from your last activity on the web site of SEMIOLOGIC including the sending of an e-mail.
The data are kept during the duration of the contract and are then, the object of an intermediate filing between 5 and 10 years in order to answer the accounting and tax obligations (article L.123-22 paragraph 2 of the commercial code) or legal such as the 5 years deadline which is the limitation period applicable to the personal or movable actions (article 2224 of the civil code) of
In case of legal proceedings, the personal data concerning SEMIOLOGIC will be kept in order to allow SEMIOLOGIC to ensure its defense or to allow it to establish facts if SEMIOLOGIC is in demand.
ARTICLE 2. PROCESSING OF PERSONAL DATA BY SEMIOLOGIC AS A SUBCONTRACTOR
2.1. Quality of subcontractor of SEMIOLOGIC
Within the framework of these general conditions of sale, SEMIOLOGIC, the subcontractor (defined as data processing subcontractor in the sense of the legislation/regulation referred to below), carries out, on behalf of the Editor (defined as data controller in the sense of the legislation/regulation referred to below), the operations of personal data processing defined hereafter
In accordance with article 35 of the law n° 78-17 of January 6, 1978 known as «Data-processing and Freedoms» law, SEMIOLOGIC is a subcontractor of the Editor and can intervene on the data only on instructions of the Editor, responsible for the treatment.
In the sense of this Appendix, the Editor is the «Data controller» and SEMIOLOGIC is the «Data processor».
2.2. Description of the processing being outsourced
SEMIOLOGIC is authorized to process the personal data of the Editor and the Users within the framework of this contract.
Type of data
Email addresses, usernames, avatar image, company titles and other specific data entered by the controller into the processor platform
Group of people involved
Subscribers to the chat solution, customers and clients, and the controller’s staff and business partners
Extent, type and purpose of collection, processing or use of data
Service contract for the discussion system solution and associated services
2.3. Obligations of the subcontractor (SEMIOLOGIC)
2.3.1. SEMIOLOGIC is committed to:
- Process the data only for the purpose or purposes for which it is outsourced and not to use the data on its own behalf or on behalf of a third party;
- To process the data in accordance with the Editor’s instructions and these clauses;
- To inform the Editor immediately if, in its opinion, an instruction constitutes a violation of the above-mentioned texts or of other provisions of the Union law or of positive national law relating to data protection;
- Ensure that persons authorized to process personal data under the contract are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality.
- Not to make any copies of documents and data carriers entrusted to it, except those necessary for the performance of the Contract.
- Not to use the documents and information processed for any purpose other than those specified in this Agreement;
- Not to disclose such documents or information to other persons, whether private or public, natural or legal;
- Take all measures to avoid any misuse or fraudulent use of computer files during the performance of the Contract;
- Take all security measures, particularly physical measures, to ensure the preservation and integrity of the documents and information processed during the term of this Contract;
- Take into account, with respect to tools, products, applications or services, the principles of data protection by design and data protection by default;
- Implement and maintain appropriate technical and organizational measures so that the processing guarantees the protection of the rights of the persons concerned and complies with the aforementioned texts by taking, in particular, all the security measures required under Article 32 of the aforementioned regulation throughout the performance of the contract.
The Editor is informed that SEMIOLOGIC uses subcontractors to offer its Solution. The subcontractors concerned are:
SEMIOLOGIC may use another subcontractor to carry out specific processing activities. In this case, SEMIOLOGIC will inform the Editor in advance and in writing of any contemplated changes regarding the addition or replacement of other subcontractors. This information must clearly indicate the subcontracted processing activities, the identity and contact information of the subcontractor and the dates of the subcontract. Editor shall have FIFTEEN (15) days from the date of receipt of such information to submit its objections. Such subcontracting may only be performed if the Contractor has not objected within such period.
In any event, any subsequent subcontractor is obligated to fulfill the obligations of the contract and this schedule on behalf of the Editor. It is the responsibility of SEMIOLOGIC to ensure that the subsequent subcontractor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the European Data Protection Regulation. If the subsequent processor does not fulfill its data protection obligations, SEMIOLOGIC remains fully responsible for the other processor’s performance of its obligations.
2.3.3. Support from SEMIOLOGIC
SEMIOLOGIC will assist the Editor, to the extent practicable, in fulfilling its obligation to respond to any requests received from data subjects to exercise their rights or from the competent supervisory authority within a reasonable time. It is specified that it is the responsibility of the Editor to provide information to the data subjects at the time of collection of the data.
In the event that SEMIOLOGIC receives a request to exercise its rights, SEMIOLOGIC undertakes to communicate this request to the Customer within a maximum of 48 hours.
SEMIOLOGIC will assist the Editor to guarantee the respect of:
- Its security and confidentiality obligations
- Its obligations with regard to the carrying out of an impact analysis of the processing operations concerned by the subcontracting, where applicable.
2.3.4. Personal data breach notification (security breach)
SEMIOLOGIC notifies the Editor of any personal data violation within a maximum of 72 hours after having become aware of it and by the following means: electronic mail.
This notification is accompanied by any useful documentation in order to allow the Editor, if necessary, to notify this violation to the CNIL.
2.3.5. Security measures implemented by SEMIOLOGIC
SEMIOLOGIC implements the following measures:
Basic security actions are carried out such as:
- Training and awareness-raising of operational teams in basic computer security practices,
- The implementation of means to restrict access to information (management of authorizations and user authentication),
- Traceability and protection of access and actions carried out by users (developers, operators, administrators, maintainers, etc.)
- The use of strong passwords that comply with the requirements of the CNIL,
- The protection of certificates and passwords used in storage and transport,
- Encryption in transport of stored and processed data,
- The activation and configuration of firewalls,
- Deployment and activation of antiviral mechanisms,
- Logical and physical partitioning of networks according to their exposure and security needs,
- Updating and applying security patches on the information system environments,
- The prohibition of vulnerable solutions such as SMB v1 or V2, http, MD5, SHA1 or non-maintained solutions, in the case where applicable, the implementation of security measures to mitigate the risk of exploitation of vulnerabilities carried by these solutions,
- Consideration of information security when selecting subcontractors,
- Taking security into account in developments,
- The realization of awareness exercises on the risks related to phishing.
2.3.6. Data Fate
At the end of the service, SEMIOLOGIC commits itself to anonymize the personal data without delay at the end of the contract, except for legal provisions imposing SEMIOLOGIC to keep the data.
2.3.7. Keeping a record of activities
SEMIOLOGIC has an updated activity register concerning its subcontracting activity.
2.3.8. Obligations of the data controller (the Editor)
The Editor undertakes to:
- To document in writing any instruction concerning the data processing by SEMIOLOGIC;
- To see to the respect of the obligations provided by the European regulation on the protection of data on the part of SEMIOLOGIC before and during the whole processing;
- To supervise the processing, including by carrying out an audit.
- At the Editor’s request, SEMIOLOGIC will provide all the documents, data and information concerning the processing subject to the subcontracting and its compliance with the legislation on personal data.
- If the communicated elements prove to be insufficient to allow the Editor to ensure that the obligations envisaged by the RGPD as well as the French legislation on the personal data are fulfilled, SEMIOLOGIC and the Editor will meet to agree:
- Technical conditions,
- Security conditions.
For the purpose of conducting an audit. It is expressly provided that the audit may be carried out once per contractual year.
This audit may be carried out by the Editor or a third party of its choice provided that this third party is not in competition with the activities carried out by SEMIOLOGIC.
The third party will have to sign, beforehand, a confidentiality agreement which will be written and transmitted by SEMIOLOGIC.
The costs related to this audit will be taken in charge by the Editor. These expenses include the provision of the necessary personnel of SEMIOLOGIC to carry out the audit. An invoice
The Editor must inform SEMIOLOGIC of his intention to carry out an audit at least FIFTEEN (15) days before the desired audit date. The audit will take place during normal business hours.