Subcontract general conditions of personal data processing
These General Conditions involve the contractual provisions related to the subcontracting of personal data, provided by EVALANDGO, a simplified joint-stock company with a share capital of € 75,614 registered at the RCS of MONTPELLIER under the number 528 723 703 00013, and which head office is at Business Plaza, Bat 3, 159 rue de Thor, 34000 Montpellier for the benefit of the Customers and Users of the EVALANDGO Online Survey Solution (hereinafter referred to as "the Services").
The Services are provided via a survey platform accessible through the website https://app.evalandgo.com (hereinafter referred to as "EVALANDGO Platform")
Within the Services, Customers and Users could, through their personal and secured access to the Services (hereinafter referred to as "Account"), create and publish digital questionnaires (hereinafter referred to as "Questionnaires"), to which persons surveyed (hereinafter referred to as "Respondents") could respond. The answers of the Respondents are collected through the Services. These answers may contain Personal Data and are processed for Customers and Users as part of the Services by EVALANDGO.
As a result, among the Services, the Clients and Users may be responsible for processing, and EVALANDGO may be a subcontractor for the processing of the personal data.
These provisions are, in addition to those of the Regulation and the Confidentiality policy of the services, valid for the entire contractual period of the Services.
In this context, EVALANDGO is designated as "the Subcontractor" or "EVALANDGO" and the Customer or the User will be designated "the Manager". Together, they are referred to as "the Parties".
In these Subcontract General Conditions, the terms or expressions mentioned below will have the following meaning if their first letter is capitalised.
Personal data: any information identifying a natural person directly or indirectly (eg name, registration number, phone number, photo, date of birth, city of residence, IP address...).
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
The purpose of these Subcontract General Conditions is to define the conditions under which the Subcontractor undertakes, within the Services, to perform Processing on behalf of the Processing Manager. These Subcontract General Conditions are also meant to define the rights and obligations of the Parties with regard to the subcontracting of Processing.
In their contractual relations, the Parties undertake to respect, in addition to these Subcontract General Conditions, the regulations in force applicable to the personal data processing and, more specifically, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable from 25 May 2018, European General Data Protection Regulation (hereinafter "GDPR").
DESCRIPTION OF THE PROCESSING SUBJECT TO SUBCONTRACT
The Subcontractor is authorised to process on behalf of the Data Manager the Personal Data necessary for the Services.
The nature of the operations performed on the Personal Data is as follows: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
The purpose(s) of the Processing may be as follows: customer surveys, execution of a contract, quality control of products or services, customer or user satisfaction survey, research and development, market, pre-market research for a product or service, management of human resources, consultation of providers or potential providers, search for partners. When creating a Questionnaire, the Data Manager should specify the exact purpose of the Questionnaire. The purpose of the Treatment cannot benefit the Subcontractor.
The personal data that may be processed in the context of the Services are: any type of Personal Data within the meaning of the GDPR, with the exception of (i) sensitive data, and (ii) data relating to offenses, convictions and security measures. The social security number can only be processed in the context of a Treatment whose purpose is the management of human resources.
The categories of respondents can be: major natural and legal persons, customers, service users, prospects, employees, candidates for employment, partners or potential partners, contractors, service providers or potential providers, persons concerned by the object of the research and development activity of the client.
OBLIGATIONS OF THE SUBCONTRACTOR FOR THE TREATMENT
The Subcontractor undertakes:
1) To treat Personal Data only for the sole purpose(s) meant for the subcontract
2) To process the Personal Data in accordance with the instructions of the Data Manager mentioned on the EVALANDGO Platform. If the Subcontractor considers that an instruction constitutes a violation of the GRPD or any other provision of EU law or the data protection law of the Member States, he shall immediately inform the Manager. Moreover, if the Subcontractor is asked to transfer Personal Data to a third country or to an international organisation, dependent from Union law or the law of the Member State to which it is subject, he shall inform the Manager of this legal obligation before the Processing, unless the right in question prohibits such disclosure for important reasons of public interest.
3) To guarantee the confidentiality of the Personal Data processed because of the Services.
4) To ensure that all the persons authorised to process personal data respect this contract:
- that they respect confidentiality or an appropriate legal obligation of confidentiality,
- that they receive the information necessary about the protection of personal data
5) To take into account, for the Services, the principles of protection of Personal Data since the collection, and protection of Personal Data more generally.
6) Subcontracting: The Subcontractor may use another subcontractor (hereinafter referred to as "the subsequent subcontractor") to conduct specific Processing activities. In this case, it informs the Processing Manager in advance of any possible changes about the addition or replacement of other subcontractors. This must indicate the outsourced Processing activities clearly, the subcontractor's identity and contact information, and the dates of the subcontract. The Manager has a minimum delay of SEVEN DAYS since the notification date to present his objections. This subcontract can only be done if the Manager has not objected within the period allowed. The subsequent subcontractor has to respect the obligations of these general conditions of subcontracting. The Subcontractor responsibility is to ensure that subsequent subcontractor provides the same guarantees about technical and organisational measures, so that the Processing meets the requirements of the GRPD. If the subsequent subcontractor does not fulfill obligations about the protection of personal data, the Subcontractor is fully responsible for the control of the execution of the subcontractor’s obligations.
7)Information rights of data subjects: the Data Manager is responsible of informing the persons concerned by the Processing Operations at the time of data collection. The Manager may use the Services to provide this information.
8) Exercise of rights of the persons: whether it is possible, the Subcontractor must support the Data Manager in the fulfillment of his obligation to respond to requests for the exercise the rights of the persons, more specifically : right of access, modification, erasure and opposition, right to limitation of processing, right to portability of data, right not to be choose automated decision (including profiling).
When the persons contact the Subcontractor to exercise their rights, the Subcontractor must send these requests as soon as they are received by e-mail to the Data Manager.
9) Notification of personal data breaches: The Subcontractor notifies the Data Manager of any violation of Personal Data within a maximum of 48 hours via email. This notification will include all relevant documentation to enable the Manager to notify the relevant supervisory authority of the breach if necessary. 10) Aide du sous-traitant dans le cadre du respect par le responsable de traitement de ses obligations : Le Sous-traitant aide le Responsable de traitement pour la réalisation d’analyses d’impact relative à la protection des données.
The Subcontractor supports the Data Manager to prepare the prior consultation of the supervisory authority.
11) Security measures: The Subcontractor undertakes the following security measures:
- A secure access to the EVALANDGO online questionnaire platform through a user account with password.
- Ciphering of Personal Data to ensure confidentiality while transfers are made.
- Not using the data for purposes that do not concern the reason of the collection.
- Keeping personal data for a set amount of time.
- Not transferring this data to third parties, other that EVALANDGO service providers involved in the execution of the contract of EVALANDGO online questionnaires.
- Implementing high security standards in order to provide a high level of security for the Services.
- Applying methods to ensure the ongoing confidentiality, integrity, availability and resilience of Treatment systems and services;
- Ensuring the means to restore the availability of data and access to them quickly in case of physical or technical accident,
- Applying a procedure to test, analyse and evaluate the effectiveness of technical and physical organisational measures properly for security of the treatment
- Using of one or more personal data hosting provider(s) who made reliable commitments about compliance with the GRPD, more specifically:
- Physical security measures for unauthorised persons to prevent access to the infrastructure on which EVALANDGO data are stored,
- Security staff responsible for ensuring the physical security of the data hosting structure, 24/24 hours, 7/7 days
- A system managing authorisations to limit access to data only to those who need to be in contact with data, only because of their professional duties.
- A system of physical and/or logical isolation (per service) of customers.
- Strong authentication processes for users and administrators through a password management policy and, in some cases, a double-authentication measure.
- Processes and devices to keep a trace of actions carried out on the information system in order to report, as established by the regulations, the event of an incident affecting the customer's data
Access to personal information is strictly reserved to the employees, corporate officers and subcontractors of EVALANDGO that need to access on behalf of EVALANDGO. Every access will be made following this obligation and may be subject to disciplinary sanctions, up to and including the end of employment or the service contract in case of breach of these obligations.
12) Extraction of data: At the end of the Services, the Subcontractor undertakes the destruction of all Personal Data after a period of 6 months after the termination of the Services. During the performance of the Services, the Subcontractor undertakes the destruction of Personal Data within a period of 24 months after their collection.
13) Register of Categories of Treatment Activities: The Subcontractor declares write a record of all categories of treatment activities performed on behalf of the Treatment Manager including:
- The name and contact details of the Manager on whose behalf he acts, any subcontractors and, where applicable, the Data Protection Manager;
- Categories of Treatments performed on behalf of the Manager;
- Transfers of data to a third country or to an international organization, when needed, including the identification of that third country or international organisation and, in case of transfers referred to in Article 49 (1), second subparagraph of the European Data Protection Regulation, documents proving the existence of appropriate security measures;
- A general description of the technical and organisational security measures, including, as far as possible, as follows:
Ciphering of Personal Data to ensure confidentiality while transfers are made.
Means to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services of treatments;
Means to ensure the restoring of the availability of data and access to them quickly in case of physical or technical accident,
A procedure to test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the safety of processing regularly.
14)Documentation: The Subcontractor will provide the Data Manager the necessary documentation to demonstrate compliance with all obligations and to enable audits that could be carried out by the Manager or another auditor.
15) OBLIGATIONS OF THE DATA MANAGER WITH THE SUBCONTRACTOR
The Manager is committed to:
Perform Treatments in accordance with these general conditions through the Services.
Not to carry out, through the EVALANDGO platform, regular and systematic monitoring of the surveys,
Comply with the treatment guidelines, mentioned in the EVALANDGO Platform, more specifically for the creation of Questionnaires, specify the questions for which the answers will contain Personal Data,
Ensure, in advance and throughout the duration of the Treatment, compliance with the obligations provided by the GRPD.
Supervise the Processing of Data, including audits and inspections with the Subcontractor.
Not to do personal business like saving Personal Data collected within the framework of the Services, beyond the period referred to in paragraph IV. 12 above.