1. Introduction
The Data Processing Agreement (hereinafter the « Agreement ») aims to govern the use of Personal Data belonging to clients (hereinafter the « Client ») of Revealead (hereinafter the « Processor » or « Revealead ») when they use the Revealead service (hereinafter the « Service »).
2. Definitions
The terms "adequacy decision", "technical and organisational measures", "data subjects", "data protection by design", "data protection by default", "register", "joint controller(s)", "controller", "processor", "processing", "personal data breach" in the Agreement have the meanings described in Articles 4 et seq. of the GDPR. Other terms are defined below:
"Agreement" means the appendix to the Contract governing the use of the Client's Personal Data in accordance with the provisions of Article 28 of the GDPR, also referred to as the "Data Processing Addendum" ("DPA").
"DPIA" means a data protection impact assessment that allows the proportionality of Personal Data processing to be verified and the risks associated with Personal Data processing to be prevented.
"Anonymisation": means processing aimed at making it impossible to identify the persons concerned by the processing carried out in the context of the Service, in an irreversible manner.
"Supervisory Authority": refers to the supervisory authority responsible for GDPR compliance for the Service provided by the Processor.
"Client" means the entity that has subscribed to the Service provided by the Processor.
"Client's Employees": refers to natural persons (e.g. employees) working on behalf of the Client and using the Service in this capacity.
"Contract" means the contract concluded between the Processor and the Client for the use of the Service, to which this Agreement is attached.
"Right(s) request(s)": refers to the fundamental rights created by the GDPR in Articles 15 et seq. (e.g. right of access, right to erasure, etc.).
"Client's Personal Data": refers to any data relating to an identified or identifiable natural person transmitted to the Processor and processed by the latter on behalf of the Client in connection with the Service, a detailed list of which is provided in the appendix.
"White label": refers to the unbranded Service provided by the Processor that allows the Client to customise and market the Service under its own brand.
"Party(ies)" means jointly the Client and the Processor.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the "General Data Protection Regulation".
"Applicable regulations on the protection of personal data" means French Law No. 78-17 of 6 January 1978 on information technology, files and civil liberties and the GDPR.
"Reversibility": refers to the operation of enabling the transfer and integration, in a usable and recognised format, of the Client's Personal Data from the Processor’s Service to an equivalent service offered by another service provider.
"SaaS Service": refers to software hosted by the Processor that can be used simultaneously by an unlimited number of Clients.
"Sub-processor": refers to sub-processors recruited by the Processor to process the Client's Personal Data exclusively within the scope of the Service.
"End Users" means the Client's Clients who use the Service on a white label basis.
3. Contractual relations and terms
The Agreement is an integral part of the Contract signed between the Client and the Processor for the use of the Service.
In the event of any conflict between the Contract entered into for the use of the Service and the Agreement, the obligations set out in the Agreement shall prevail over the Contract with regard to the GDPR as a whole.
The Agreement shall remain in force for the entire duration of the Contract concluded for the use of the Service and may continue beyond that date as long as all obligations set out herein remain applicable.
4. Role of the Parties and scope of application
The Client acts, within the framework of the Agreement, as the data controller and Revealead acts as a data processor within the meaning of Article 28 of the GDPR.
Under no circumstances shall the Parties be considered jointly responsible in connection with the Service. However, the Parties agree that in the event of an error or change in their status, the Parties shall meet as soon as possible to amend the Agreement and take all measures relating to such a situation to comply with the requirements of the applicable regulations on the protection of personal data.
The Agreement exclusively governs the processing of the Client's Personal Data carried out within the framework of the Service as a Processor within the meaning of Article 28 of the GDPR, to the exclusion of processing carried out as a data controller by Revealead, which is governed by the Contract.
5. Instructions and commitments
The Processor undertakes to use the Client's Personal Data in connection with the use of the Service only in accordance with the instructions documented in the appendix to the Agreement. The Processor shall immediately inform the Client if it considers that an instruction given by the Client is unlawful under the applicable regulations on the protection of personal data. The Processor shall not be held liable if, despite the Processor's notification of the illegality of the instruction, the Client maintains and applies this instruction through the Service.
The Processor undertakes to comply with the provisions of the GDPR and, in particular, to keep a record of processing activities specific to the Service and to develop its Service in accordance with the rules of "Data Protection by Design" and "Data Protection by Default".
The Processor undertakes never to transfer the Client's Personal Data for reasons other than the provision of the Service and undertakes never to use the Client's Personal Data for its own interests, as data controller.
The Processor declares that all internal or external personnel required to process the Client's Personal Data are bound by one or more binding legal acts and regularly undergo training and awareness-raising.
The Processor undertakes to guarantee the security of the Client's Personal Data and to implement all technical and organisational measures necessary for its Service, details of which are set out in the appendix to the Agreement.
However, the Processor shall never be liable for any breaches by the Client of the applicable regulations on personal data protection when using the Service as data controller.
6. Assistance with the implementation of DPIA
DPIAs must be carried out by the Client in accordance with the provisions of the GDPR. However, the Processor undertakes to provide, upon written request from the Client, all information necessary and required for the Client to carry out a DPIA.
However, the Processor is not required to carry out DPIAs on behalf of the Client. Any additional requests for information may be refused.
7. Assistance with data subject requests
Rights requests sent by End Users shall be forwarded to the Client as soon as possible. The Processor is not required to keep an inventory of Rights requests on behalf of the Client and is not responsible for any failure by the Client to manage Rights requests.
The Processor shall, upon written request from the Client, take the technical measures necessary to enable the Client to fulfil its obligation to respond to requests from data subjects.
The Client accepts and understands that the Processor is not required to manage Data Subject Requests made in connection with the Service on behalf of and for the account of the Client. Any additional request to ensure such management will be refused.
Rights requests sent to the Processor as data controller shall be processed exclusively by the Processor and shall not be transferred to the Client.
8. Assistance with security measures
The Processor undertakes to communicate all necessary and required information on the technical and organisational security measures to be implemented to ensure the security of the Client's Personal Data in connection with the provision of the Service.
9. Personal Data Breaches
The Processor undertakes to notify the Client, as soon as possible and no later than 48 working hours after becoming aware of it, of any personal data breach in connection with the Service that may concern the Client's Personal Data, as well as all necessary and required information in its possession to mitigate the effects of the personal data breach. The Client accepts and acknowledges that the 72-hour period applicable to it shall only start from the moment it becomes aware of the personal data breach and that, as such, the 48-working-hour period complies with the GDPR.
The Processor is not authorised to handle notifications of personal data breaches to the Supervisory Authority or to inform End Users on behalf of the Client. Any request to this effect from the Client will be refused.
10. Sub-processors
The Client grants the Processor general authorisation to recruit Sub-processors, provided that it is informed of any changes to these Sub-processors as soon as possible so that the Client can raise any objections. The Client accepts and acknowledges that specific authorisation for a SaaS tool is not applicable and could lead to the Service being blocked.
If no objections are raised by the Client within eight (8) days of notification, the new Sub-processor shall be definitively recruited without the Client being able to object, claim damages or request termination of the Contract. If the objection raised within the time limit is considered admissible by the Processor, the latter may offer the Client one of the following solutions:
i) withdrawal of the Sub-processor,
ii) implementation of additional measures to guarantee the security of the Client's Personal Data,
iii) termination of the Service without the Client being entitled to claim damages.
To be considered admissible by the Processor, objections must be objective and serious and be duly substantiated. The Parties agree that the following situations shall, by default, be considered admissible:
i) the proposed Sub-processor is a direct competitor of the Client,
ii) the Sub-processor is in a dispute with the Client,
iii) the Sub-processor has been convicted by a Supervisory Authority within the 12 months prior to its recruitment,
iv) the Sub-processor does not comply, where applicable, with the applicable rules on transfers outside the European Union.
The Processor undertakes to recruit only Sub-processors who, after verification, provide the necessary and sufficient guarantees to ensure the security and confidentiality of the Client's Personal Data. The relationship between the Processor and the Sub-processor must be governed by an agreement containing obligations similar to those in this Agreement.
The Processor shall remain liable, within the limits of liability provided for in the Contract, for any breaches of the GDPR that may be committed by its Sub-processors in connection with the Service.
11. Hosting and transfers outside the European Union
a) Data hosting
The Processor undertakes to take all necessary measures to host the Client's Personal Data exclusively within a Member State of the European Union. The Client grants the Processor authorisation to choose the Member State of the European Union of its choice. In the event that Personal Data is hosted in a country outside the European Union, the Processor undertakes to obtain the Client's prior authorisation and to implement all the mechanisms required to regulate this transfer, such as concluding standard contractual clauses and, where necessary, implementing additional technical measures to enhance the security of the Client's Personal Data.
b) Data transfers
The Client grants the Processor general authorisation to transfer data outside the European Union if, cumulatively:
i) the transfers are made exclusively to Sub-processors that comply with the GDPR, and
ii) the transfers are made exclusively to a country that has received an adequacy decision or are governed by appropriate safeguards, such as, in particular, Standard Contractual Clauses.
If these conditions are not met, transfers outside the European Union are only permitted with the prior consent of the Client. Additional technical security measures to enhance the security of the Client's Personal Data must be implemented if the Personal Data is transferred to a non-democratic country.
12. Retention periods and fate of the Client's Personal Data
The Processor undertakes to retain the Client's Personal Data only for the duration of the use of the Service, in accordance with the detailed instructions in the appendix, and to delete it at the end of the Contract. The Processor shall, upon written request, certify the deletion of the Personal Data and all existing copies.
The Client is informed that they must retrieve their Personal Data before the end of the Agreement. Failing this, the Client will no longer be able to retrieve their Personal Data, as the deletion of personal data is irreversible and final. The Processor cannot be held liable for any loss of Personal Data after its deletion, with the Client assuming full responsibility. The Client agrees that the total, irreversible and definitive anonymisation of the Client's Personal Data shall be used as a means of deletion and that the Processor shall retain the anonymised data for the improvement of the Service, as accepted by the Supervisory Authorities.
The Processor informs the Client that the return of Personal Data provided for in the GDPR does not constitute Reversibility of data to a new processor and that any request to this effect will always be refused by the Processor.
13. Audits
The Client has the right to conduct an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire shall have the force of a sworn undertaking binding on the Processor. The questionnaire may be communicated in any form to the Processor, who undertakes to respond as soon as possible after receipt.
The Client also has the right to carry out, once a year and at its own expense, an on-site audit, if necessary at the Processor's premises in the event of a data breach due to a proven and demonstrated breach by the Processor resulting in duly justified damage to the Client. An audit at the Processor's premises may be carried out either by the Client or by an independent third party appointed by the Client and must be notified in writing to the Processor at least thirty (30) days before the audit is carried out. The Processor has the right to refuse the choice of the independent third party if the latter is:
i) a direct or indirect competitor of the Processor,
ii) in a situation of conflict of interest with the Processor (e.g. advisor to a competitor of the Processor), or
iii) in pre-litigation or litigation with the Processor.
In this case, the Client undertakes to choose a new independent third party to carry out the audit. The Processor may refuse access to certain areas for reasons of confidentiality or security. In this case, the Processor shall carry out the audit in these areas and communicate the results to the Client.
In the event of any discrepancies identified during the audit, the Processor undertakes to implement, without delay and at its own expense, the measures necessary to comply with this Agreement. Discrepancies may only relate to the applicable Regulations on the Client's Personal Data and may not relate to internal procedures or measures implemented by the Client on a specific basis. Discrepancies must be duly demonstrated, justified and documented.
In the event of a dispute by the Processor regarding the identified discrepancies, the Processor may, at its discretion and with the prior written consent of the Client, propose to:
i) meet to find an amicable solution and a compromise,
ii) refer the matter to the Supervisory Authority for arbitration, and
iii) refer the matter to an independent expert for arbitration.
14. Cooperation with the authorities
The Processor undertakes to cooperate with the CNIL, the competent Supervisory Authority, in the event of an inspection concerning the processing carried out in connection with the Service and undertakes to notify the Client as soon as possible in the event of requests concerning its Personal Data made by the Supervisory Authority or by an administrative, judicial or police authority.
15. Contact
The Client and the Processor shall each appoint a contact person responsible for this Agreement, who shall be the recipient of the various notifications and communications to be made under the Agreement.
The Processor informs the Client that it has appointed Dipeeo SAS as its Data Protection Officer, who can be contacted at the following address:
Email address: privacy@revealead.com
Postal address: Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
Telephone number: 01 59 06 81 85
16. Revisions
The Processor reserves the right to modify this Agreement in the event of changes to the applicable rules on the protection of Personal Data or in the event of changes to the Service that would have the effect of modifying any of its provisions.
Certified compliant by Dipeeo ®