Data Protection Agreement

DPA dated April 22, 2026

1. Purpose

This Data Protection Agreement (hereinafter “DPA”) governs the terms under which the personal data of the client, acting as the data controller (hereinafter “the Client”), is processed by the service provider Nemorius, acting as a data processor (hereinafter “the Processor”), within the framework of the service agreement (hereinafter the “Agreement”).

This DPA forms an integral part of the Agreement. In the event of any conflict between the documents, the provisions of this DPA shall prevail for all matters relating to data protection.

The data protection terms used in this document are to be understood within the meaning of Regulation (EU) 2016/679 (“GDPR”).

2. Obligations of the Processor

The Processor undertakes to comply with all applicable legal and regulatory provisions regarding data protection, in particular the GDPR and the French Data Protection Act.

The Processor guarantees that it has appropriate measures in place to ensure the security, integrity, and confidentiality of the data processed on behalf of the Client.

The Processor ensures that persons authorized to access the data are subject to a confidentiality obligation, whether contractual or statutory.

Furthermore, the Processor implements regular awareness-raising and training initiatives for its teams regarding data protection requirements.

3. Client’s Instructions

The Processor processes personal data solely on the basis of documented instructions from the Client.

The Client undertakes to notify the Processor of any changes to these instructions as soon as possible.

If an instruction given appears to be contrary to applicable regulations, the Processor shall inform the Client without delay. The Client must determine the personal data collected and the purpose thereof in order to meet the legal requirements of the GDPR.

4. Data Protection by Design

The service provided is designed in accordance with the principles of data protection by design and by default.

The Processor provides features that enable the Client to fulfill its obligations as a data controller.

The Client remains solely responsible for its use of the service and for its compliance with applicable rules.

5. Security Measures

The Processor implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, loss, or disclosure.

6. Management of Data Breaches

In the event of a personal data breach, the Processor shall notify the Client as soon as possible and, in any event, within a maximum of 72 business hours after becoming aware of it.

It shall provide the Client with the necessary information to enable the Client to meet its regulatory obligations.

The Processor shall also take all necessary measures to mitigate the consequences of the incident.

Unless the Client has given prior consent, the Processor is not authorized to notify the supervisory authority (CNIL) or to inform the data subjects on behalf of the Client.

7. Assistance with Security and Impact Analysis

Upon written request, the Processor shall provide the Client with the necessary information regarding the security measures implemented as well as the solution’s certifications.

However, the Processor is not required to perform these analyses or to ensure the security of the Client’s system. Additional services may be offered as needed.

8. Assistance regarding data subjects’ rights

The Processor supports the Client by providing the necessary information to respond to requests from data subjects.

It may also, upon written instruction, perform the required technical actions.

The direct management of requests remains the responsibility of the Client, unless a specific service has been agreed upon between the parties.

9. Use of Sub-processors

The Client authorizes the Processor to use third-party service providers in connection with the performance of the Agreement, provided the Client is informed thereof.

The Client may raise a reasoned objection in certain cases (competition, litigation, recent data-related conviction).

In the event of a valid objection, the Processor has six months to propose a compliant solution. Failing that, the Client may terminate the Agreement under the terms provided.

The Processor ensures that its own sub-processors comply with obligations equivalent to those of this DPA and remains liable for their actions.

10. Disposition of Data at the End of the Agreement

Upon termination of the Agreement, the Client shall indicate its choice from among the following options:

  • return and subsequent deletion of the data,
  • immediate deletion,
  • transfer to another service provider followed by deletion.

In the absence of instructions, the Processor will delete the data 48 hours after the termination of the Agreement.

The Client is encouraged to retrieve any necessary data before the end of the service. Since deletion is irreversible, the Client assumes all consequences thereof.

Upon request, the Processor may provide a certificate of deletion.

11. Transfers Outside the European Union

The Processor shall endeavor not to transfer data outside the European Union.

If such a transfer is necessary, the Processor undertakes to implement appropriate safeguards (standard contractual clauses, BCRs, etc.).

12. Cooperation with Authorities

The Processor shall provide the Client with the information necessary to respond to requests from the competent supervisory authorities.

13. Point of Contact

Each party shall designate a contact person responsible for matters relating to this DPA.

The Processor shall provide the contact details of its Data Protection Officer or its GDPR contact person.

The Processor informs the Client that the Data Protection Officer is Mr. Esteban MATHIEU, whose contact information is: gdpr@nemorius.com

14. Amendments to the Agreement

This DPA may be amended to reflect applicable legal or regulatory changes. The Client will be notified in the event of any such amendment. 

15. Governing Law and Jurisdiction

This agreement is governed by French law.

Any dispute relating to its performance falls within the jurisdiction of the competent courts in the jurisdiction where the Processor’s headquarters are located.