Acquire

Data Protection Addendum

1. Introduction

The purpose of the Data Protection Annex (hereinafter "DPA" or "Agreement") is to govern the use of personal data of the Client, who acts as the controller (hereinafter the "Client"), by Mantra, who acts as the Processor (hereinafter the "Processor") within the framework of the contract (hereinafter the "Contract").

The DPA is an integral part of the Contract signed between the Client and the Processor. In the event of any inconsistency between the Contract and the DPA, the obligations set forth in the DPA shall prevail with respect to the applicable data protection rules.

All data protection terms used in the DPA (e.g. controller, processor, etc.) are defined in Article 4 of the General Data Protection Regulation ("GDPR").

2. Declaration

The Processor declares that it complies with all applicable data protection rules included in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR") and Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, together referred to as the "applicable data protection rules".

The Processor undertakes that it has all sufficient safeguards to meet the requirements of applicable data protection rules and, in particular, to guarantee the confidentiality and protection of Client's data.

The Processor declares that all of its employees who process the Client's personal data are bound by a confidentiality agreement or by any other legal document (e.g. rules of good conduct, information systems charter, etc.) that guarantees the confidentiality of the Client's personal data.

The Processor declares that it regularly trains and educates its employees on the applicable data protection rules.

3. Instructions

The Processor agrees to use the Client's personal data only upon documented instructions from the Client.

The Client undertakes to inform the Processor of any changes in the instructions that may be carried out regarding the use of its personal data.

The Processor shall promptly notify the Client if the Client's documented instructions constitute a violation of applicable data protection rules.

4. Privacy by default and by design

The Processor shall provide its service as is, in compliance with (i) service compliance by design and (ii) service compliance by default.

The Processor provides a service with all functionalities enabling the Client to meet its obligations as a data controller.

Accordingly, the Processor shall never be liable for Client's non-compliant use of the Service.

5. Security

The Processor undertakes to ensure the security of the Client's personal data and to implement all technical and organizational measures necessary to prevent any risk of data breach.

6. Breach of data

The Subcontractor undertakes to notify the Client, as soon as possible and within 48 working hours of becoming aware of any breach of data which may concern the Client's personal data.

The Processor undertakes to provide the Client, in accordance with the provisions of Article 28 of the GDPR, with all information necessary for the Client to process the data breach.

In the event of a data breach, the Processor agrees to take all necessary steps to remediate and diminish the impact of the breach on Client's personal data.

Unless the Client has given its express prior written consent, the Processor is not authorized to take charge of data breach notifications to the French supervisory authority, the CNIL. Similarly, the Processor is not, as a matter of principle, authorized to inform on behalf of the Client the persons concerned by the processing carried out under the Contract.

7. Help and assistance in matters of security

The Processor shall provide the Client, upon written request, with all necessary and required information on the technical and organizational security measures to be implemented to guarantee the security of its personal data.

The Processor shall provide to the Client, upon written request, all information necessary and required to ensure the completion of an impact analysis ("PIA") directly related to the service provided.

The Processor shall not be obliged to ensure or audit the Client's security or to carry out impact analyses ("PIA") in the place and on behalf of the Client. Any additional request for information may be refused and, if necessary, an additional service may be charged.

8. Help and assistance in matters of rights of data subjects

Upon written request, the Processor shall provide the Client with all information necessary and required for the Client to fulfill its obligation to respond to requests of data subjects.

The Processor shall, upon written request from the Client, perform the technical actions to be undertaken in order for the Client to fulfill its obligation to respond to requests from data subjects.

However, the Processor is not obliged to manage requests for personal rights in the place and on behalf of the Client. Any additional request to ensure such management may be refused and, possibly, an additional service charged.

9. Subprocessors

The Client generally agrees that Processor may engage Subprocessors in the performance of the Service provided that the Client is notified of any changes in such Subprocessors during the performance of the Service.

The Client may issue objections by registered letter with return receipt if (i) the Subprocessor is one of its competitors, (ii) Client and the Subprocessor are in a dispute or litigation situation, and (iii) the Subprocessor has been the subject of a condemnation by a Data Protection Supervisory Authority within one year of its recruitment by the Processor. Each of these situations must be demonstrated.

In the event that the objection is sustained, the Processor shall have 6 months from receipt of the objection to modify the Subprocessor or to ensure compliance with applicable data protection rules by such Subprocessor.

In all cases, the Processor agrees to engage only Subprocessors who have the necessary and sufficient guarantees to ensure the security and confidentiality of Client's personal data.

As such, the Processor agrees to (i) control its subsequent Subprocessors and (ii) that the contract with the subsequent Subprocessors used in the service will contain obligations similar to those in the DPA.

In any event, the Processor shall remain liable for the actions of the Subprocessor under the Agreement.

10. Fate of personal data

The Client shall inform the Processor, in writing prior to the end of the business relationship, of its choice (option 1) to return the personal data to the Processor and then delete the personal data and all existing copies, or (option 2) to delete the personal data and all existing copies directly, or (option 3) to transfer the personal data to a new provider and then delete the personal data and all existing copies. Unless otherwise provided for in the Agreement, option 3 must be quoted by the Client.

If the Client does not inform the Processor of its choice, the Processor will directly delete the Client's data and all copies (option 2) at the end of the business relationship.

The deletion of data is irreversible. The Client is therefore invited to recover its data before the service is stopped. In case of deletion of the Client's data by the Processor, the Customer remains solely responsible for the disappearance of the data and any consequences that may occur.

The Processor shall certify to the Client, upon written request, the effective deletion of the personal data and all existing copies.

11. Audits

The Client has the right to conduct an audit in the form of a written survey once a year to verify compliance with this Agreement. The survey shall have the force of a sworn undertaking binding on the Processor.
The survey may be communicated in any form to the Processor, who undertakes to respond within a maximum of two months of receipt.

The Client also has the right to conduct an on-site audit, at its own expense, once a year only in the event of a data breach or failure to comply with applicable data protection rules and this DPA, including as established by the written survey.

An on-site audit may be conducted either by the Client or by an independent third party designated by the Client and must be notified to the Processor in writing at least thirty (30) days prior to conducting the audit.

The Processor has the right to refuse the selection of the independent third party if the independent third party is (i) a competitor or (ii) in pre-litigation or litigation with the Processor. In such case, the Client agrees to select a new independent third party to perform the audit.

The Processor may refuse access to certain areas for reasons of confidentiality or security. In this case, the Processor will audit these areas at its own expense and report the results to Client.

In the event of any breach found during the audit, the Processor agrees to implement, without delay, the measures necessary to comply with this Agreement.

12. Data transfer outside of European Union

The Processor undertakes to use its best endeavours to not transfer personal data of the Client outside the European Union or to recruit a subsequent Processor located outside the European Union.

Nevertheless, in the event that such transfers prove necessary in the context of the Contract, the Processor undertakes to implement all the mechanisms required to govern such transfers, such as, in particular, entering into the Standard Contractual Clauses ("SCCs") adopted by the European Commission.

13. Cooperation with the supervisory authority

Where this concerns processing carried out within the framework of the Contract, the Processor undertakes to provide, on request, all the information necessary for the Client to cooperate with the relevant Data Protection Supervisory Authority.

14. Contact

The Client and the Processor shall each appoint an interlocutor who shall be in charge of this DPA and who shall be the recipient of the various notifications and communications to be made under the DPA.

The Processor informs the Client that it has appointed Dipeeo as its Data Protection Officer, who can be contacted at the following address:

  • Email address: dpo@mantra.ms
  • Postal address: Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
  • Phone number: +00 33 (0)9 86 23 21 29

15. Review

The Processor reserves the right to modify this Agreement in the event of changes in applicable data protection regulations that would alter any of its provisions.

16. Applicable law

This Agreement shall be governed by French law. Any dispute relating to the execution of this Agreement shall be subject to the exclusive jurisdiction of the courts of the Court of Appeal of the place of residence of the Subcontractor.

Compliance certified by Dipeeo