Plusmo is an IT service provider which has developed a range of services enabling a company to verify or confirm the identity of one of its customers or prospective customers who are natural persons, in the event of transactions carried out online with the company by this customer or prospective customer.
This verification or confirmation of identity, which contributes to the fight against fraud for the company having subscribed to this service, is carried out by querying mobile telephone operators with regard to the data in their possession concerning the company's customer or prospect.
The Customer has subscribed to one or more of the identity verification or confirmation services offered by Plusmo (hereinafter the "Service(s)"), which are detailed in one or more order form(s) countersigned by Plusmo (hereinafter the "Order Form(s)") and to which the general sales conditions of Plusmo (hereinafter the "General Conditions") apply.
The present agreement (hereinafter the "Agreement") is intended, within the meaning and on the basis of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the Florida Information Protection Act (FIPA – 2014) and the Argentinian law Ley n° 25 326 – “Ley de Protección de los Datos Personales” (2000) and its decree 1558/2001 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, to provide a framework for the execution and organization of the processing of personal data carried out by Plusmo, in its capacity as processor in the context of the execution of the Services, on behalf of the Customer in its capacity as data controller.
Upon validation of an Order Form by Plusmo, which includes an Appendix specific to the personal data processing(s) implemented within the framework of the Services subscribed to by the Customer (hereinafter the "Appendix"), the present Agreement and the said Appendix shall bind Plusmo and the Customer alongside the General Conditions and any specific conditions agreed between Plusmo and the Customer in relation to the Services referred to in the Order Form (hereinafter the "Contract").
In the event of any contradiction between certain stipulations contained in the present Agreement and certain stipulations contained in the General Conditions or specific conditions applicable to the processing of personal data, the present Agreement shall prevail. This Agreement supersedes all oral and/or written agreements, contracts, understandings and deeds that may have been previously entered into between the Parties in relation to the same subject matter.
1. DEFINITIONS
Capitalized terms used in this Agreement which are not specifically defined in this Agreement are defined in the General Terms and Conditions.
"Personal Data": any information relating to an identified or identifiable natural person.
"Instruction": any written instruction and/or any written document issued by the Data Controller which determines the conditions of the Processing implemented by the Subcontractor on behalf of the Data Controller in the context of the performance of the Services.
"Personal Data Regulations": Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data as well as any legislation or regulations relating to the protection of Personal Data applicable on US territory or Argentinian territory to the Processing carried out in application of this Agreement, including Ley n° 25 326 – “Ley de Protección de los Datos Personales” (2000) and its decree 1558/2001.
"Data Subject": an identified or identifiable natural person, i.e. a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
"Data Controller": the natural or legal person, department or other body which, alone or jointly with others, determines the purposes and means of the Processing. For the purposes of this Agreement, the Data Controller is the Customer.
"RGPD": the Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Florida Information Protection Act (FIPA – 2014).
"Processor": the natural or legal person, department or other organization that processes Personal Data on behalf of the Data Controller. For the purposes of this Agreement, the Subcontractor is Plusmo.
"Subsequent Processor": the natural or legal person, service or other organization recruited by the Processor to carry out specific Processing activities on behalf of the Data Controller.
"Processing": any operation or set of operations which may or may not be performed using automated processes and applied to data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction. In the context of this Agreement, the Processing carried out by the Subcontractor on behalf of the Controller for the performance of the Services is specifically determined in the Annex to the Order Form relating to the said Services.
"Personal Data Breach": a breach of security, resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed.
2. PURPOSE OF THE AGREEMENT
AUTHORIZATION TO PROCESS
By this Agreement, the Data Controller authorizes the Subcontractor to process Personal Data on its behalf for the sole purpose of performing the Services and in accordance with the Data Controller's Instructions and the Appendix to the Order Form concerned by the Services.
DATA CONTROLLER'S INSTRUCTIONS
The Customer acknowledges that, on the date of validation of an Order Form by Plusmo, this Agreement and the Appendix to the relevant Order Form constitute the entirety of its Instructions given to Subcontractor by virtue of which the Subcontractor carries out the Processing on behalf of the Data Controller as part of the performance of the Services referred to in the Order Form. Any modification of the Instructions or addition of new Instructions during the performance of the Services must be the subject of a written document from the Data Controller, which is subject to the written agreement of the Subcontractor.
DETERMINATION OF PROCESSING
The object, purpose, duration and nature of the Processing carried out by the Subcontractor on behalf of the Data Controller for the performance of the Services are determined in the Appendix to the Order Form concerned by the Services.
The Customer acknowledges that the object, purpose, duration and nature of the Processing determined in the said Appendix are in accordance with its needs and Instructions for the performance of the Services.
CATEGORIES OF PERSONAL DATA AND PERSONS CONCERNED
The categories of Persons concerned by the Processing and the categories of Personal Data involved in the Processing are described in the Appendix to the Order Form concerned by the Service(s) under which the Processing is implemented. Personal Data are controlled and supplied to the Subcontractor exclusively by the Customer. The Customer acknowledges that the categories of Data Subjects and the categories of Personal Data determined in the Appendix to the Order Form for the Service(s) under which Processing is implemented comply with the Customer's Instructions for the performance of the Service(s).
TECHNICAL AND ORGANIZATIONAL MEASURES
The technical and organizational measures implemented by the Subcontractor as part of the Processing are set out in the Appendix to the Order Form for the Service(s) under which the Processing is implemented. The Customer acknowledges that the technical and organizational measures set out in the aforementioned Appendix comply with the Customer's requirements for the performance of the Services.
SPECIFIC OBLIGATIONS OF THE PROCESSOR
INSTRUCTIONS FROM THE CONTROLLER
The Subcontractor undertakes to process Personal Data as part of the Processing only on the documented instruction of the Data Controller, unless it is required to do so under Union law or the law applicable in France. In such a case, the Subcontractor shall inform the Data Controller of this legal obligation prior to Processing, unless prohibited by law for important reasons of public interest.
The Data Controller expressly acknowledges that the Subcontractor is not bound by Instructions that would violate the Personal Data Regulations. If, in the opinion of the Subcontractor, an Instruction given by the Data Controller constitutes a breach of the Personal Data Regulations, the Subcontractor shall immediately inform the Data Controller.
The Subcontractor shall in no way be held liable for any loss or damage resulting from the Subcontractor's compliance with the Instructions.
REGISTER OF CATEGORIES OF PROCESSING ACTIVITY
The Subcontractor undertakes to keep a register of the categories of processing activities carried out on behalf of the Data Controller that complies with the obligations set out in Article 30.2 of the RGPD.
SECURITY MEASURES
The Subcontractor undertakes to take, for the duration of the Processing, technical and organizational measures to ensure the security of Personal Data as listed in the Appendix to the relevant Order Form. These measures are intended in particular to prevent any deformation, alteration, deterioration, accidental or unlawful destruction, loss, disclosure and/or access by unauthorized third parties to Personal Data.
The Subcontractor is responsible for the security of the Personal Data for the aspects under its control and, where applicable, those of its subsequent Subcontractors. The Subcontractor may update the security measures in place according to changes in the Personal Data Regulations, as well as approved codes of conduct and/or approved certifications that may be published by the CNIL or by the competent European authorities.
The Subcontractor will inform the Data Controller of such security updates.
SUBCONTRACTOR'S PERSONNEL
The Subcontractor undertakes to authorize access to the Personal Data implemented in the Processing only to those of its employees and any subsequent Subcontractors who require access in order to perform their duties in connection with the execution of the Processing or the execution, management and monitoring of the Agreement.
The Subcontractor will ensure that the persons authorized to process the Personal Data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
3. ASSISTANCE
IMPACT ANALYSIS FOR THE PROTECTION OF PERSONAL DATA
The Data Controller remains solely responsible for carrying out the impact analyses provided for in Article 35 of the RGPD with regard to the protection of Personal Data implemented as part of the Processing.
However, the Subcontractor undertakes to provide the Data Controller, at the latter's request, with the information required to conduct an impact analysis relating to the protection of Personal Data implemented as part of the Processing.
In the event that an impact analysis relating to the protection of Personal Data implemented as part of the Processing indicates that the Processing would present a high risk if the Data Controller did not take measures to mitigate the risk, the Subcontractor undertakes to assist the Data Controller in fulfilling the latter's obligation to consult the competent supervisory authority prior to the Processing.
REQUESTS MADE BY DATA SUBJECTS
The Data Controller remains solely responsible for complying with any request made by a Data Subject concerning the exercise of his/her rights.
However, the Subcontractor shall assist the Data Controller, at the latter's request, in fulfilling the said obligation to comply with the Data Subject's requests, taking into account the nature of the Processing.
In the event that the Subcontractor receives a request from a Data Subject to exercise his or her rights, the Subcontractor shall inform the Data Controller without delay, without itself acting on such a request, and shall refer the Data Subject to the Data Controller.
UPDATED DATA
The Data Controller remains solely responsible for ensuring that the Personal Data implemented in the Processing is accurate and up to date.
However, the Subcontractor shall inform the Data Controller without delay in the event that the Subcontractor learns that the Personal Data implemented in the Processing is inaccurate or has become obsolete.
COOPERATION WITH SUPERVISORY AUTHORITIES
In accordance with the Personal Data Regulations, the Data Controller and the Subcontractor shall cooperate with any competent supervisory authority, at the latter's request, in the performance of that supervisory authority's task and shall make available to that competent supervisory authority, as soon as such authority so requests, any information that may be requested, including the results of any audit.
CONTACT
The Subcontractor undertakes to maintain dedicated personnel for the processing of requests from the Data Controller occurring during the Processing Period, who will be contactable at the coordinates specified in the Appendix to the Purchase Order.
NOTIFICATION OF VIOLATION OF PERSONAL DATA
NOTIFICATION
In the event of a Personal Data Breach in relation to Personal Data processed by the Subcontractor, the Subcontractor shall notify the Data Processor as soon as possible after becoming aware of it.
This notification shall contain at least:
- a description of the nature of the breach observed (including, if possible, the categories and approximate number of Data Subjects affected by the breach and of Personal Data records concerned);
- details of a contact point from which further information can be obtained about the Personal Data breach;
- its probable consequences and the measures taken or proposed to be taken to remedy the breach, including mitigation of any negative consequences.
Where, and to the extent that, it is not possible to provide all the information at the same time, the initial notification shall contain the information available at that time and, as it becomes available, additional information shall subsequently be communicated as soon as possible.
The initial notification, as well as the sending of any additional information, where applicable, will be made to the Data Controller at the e-mail address mentioned in the Appendix to the relevant Order Form.
OBLIGATIONS OF THE DATA CONTROLLER
The Data Controller shall remain solely responsible for determining the appropriateness of notifying a Personal Data Breach in relation to Personal Data processed by the Subcontractor to any competent supervisory authority, as well as for determining the appropriateness of notifying such a breach to the Data Subjects who would be impacted thereby.
The Data Controller remains solely responsible for making such notifications.
CONTROL POWERS OF THE DATA PROCESSOR
SUB-CONTRACTOR'S GENERAL OBLIGATION TO PROVIDE INFORMATION
The Subcontractor shall provide the Data Controller with all the information required to demonstrate compliance with the obligations set out in this Agreement and arising directly from the Personal Data Regulations.
AUDIT
Once per year of performance of the Agreement or in the presence of indications of non-compliance, the Data Controller may request an audit of the Processing activities covered by this Agreement, in which the Subcontractor undertakes to cooperate.
The Data Controller shall notify the Subcontractor of its intention to hold an audit on site or at the Subcontractor's business premises at least 15 days prior to the actual holding of such an audit.
The Data Controller may itself carry out an audit or appoint an independent auditor to carry out an audit. If an independent auditor is appointed, this auditor must be subject to specific confidentiality obligations subscribed directly with the Subcontractor.
In the event of an audit on the Subcontractor's business premises, the Data Controller, or any independent auditor appointed by him, must comply with any internal regulations and respect the Subcontractor's operational organization.
RESULTS OF AN AUDIT
On completion of an audit, the Data Controller will notify the Subcontractor of an audit report, to which the Subcontractor may make any observations it considers useful within one month of notification of the audit report.
AUDIT FEES
All expenses incurred by the Data Controller in connection with an audit shall be borne exclusively by the Data Controller.
PROVISION OF INFORMATION TO THE COMPETENT AUTHORITIES
The Parties undertake to make available to the competent supervisory authorities, as soon as they so request, the information set out in this article, including any audit report and any observations made by the Processor under article 7.3 of this Agreement.
SUBSEQUENT SUBCONTRACTORS
USE OF SUBCONTRACTORS
The Subcontractor is not authorized to subcontract to a subsequent Subcontractor, other than those mentioned in the Appendix to the relevant Purchase Order, the Processing it carries out on behalf of the Data Controller under this Agreement without the prior specific written authorization of the Data Controller.
The Subcontractor shall submit the request for specific authorization at least one month prior to the recruitment of the Subsequent Subcontractor in question, together with the information necessary to enable the Controller to make a decision regarding authorization, namely the following: (i) indication of the identity of the Subsequent Subcontractor, (ii) the Personal Data Processing activities concerned and (iii) the duration of the contractual relationship between the Subcontractor and the Subsequent Subcontractor. The list of subsequent Subcontractors authorized by the Data Controller appears in the Appendix to the relevant Purchase Order, which the Parties keep up to date.
Where the Processor recruits a Subsequent Processor to carry out specific processing activities on behalf of the Data Controller, it does so by means of a contract which imposes on the Subsequent Processor, in substance, the same obligations with regard to the protection of Personal Data as those imposed on the Processor under this Agreement. The Subcontractor shall ensure that the Subsequent Subcontractor complies with the obligations to which it is itself subject under this Agreement and the Personal Data Regulations.
At the request of the Data Controller, the Subcontractor shall provide the latter with a copy of the contract entered into with the Subcontractor and of any subsequent amendments thereto. To the extent necessary to protect business secrets or other confidential information, including Personal Data, the Subcontractor may redact the text of the contract before distributing a copy.
AUTHORIZATION OF THE DATA CONTROLLER
The Data Controller has a period of 7 days following receipt of the request for specific authorization referred to in article 8.1. above to authorize or not the use of a subsequent Subcontractor by the Subcontractor.
In the absence of a response from the Data Controller within the aforementioned 7-day period, the Data Controller will be deemed to have rejected the Subcontractor's use of a subsequent Subcontractor.
In the event of the Data Controller's express or tacit refusal to use a subsequent Subcontractor, the Subcontractor may, at its sole discretion, either propose an alternative subsequent Subcontractor to the Data Controller, or terminate the Contract, ipso jure and without the Data Controller being entitled to claim any compensation.
LIABILITY
The Subcontractor shall remain fully responsible to the Controller for the performance of the obligations of the Subsequent Subcontractor under this Agreement.
The Subcontractor shall inform the Data Controller without delay of any breach by the Subsequent Subcontractor which may result in a breach by the Subcontractor of the provisions of this Agreement.
INTERNATIONAL DATA TRANSFERS
Personal Data implemented in the Processing is processed by the Subcontractor and any possible subsequent Subcontractor exclusively on the territory of a Member State of the European Union, without any transfer to the territory of a State outside the European Union.
Any transfer by the Subcontractor of Personal Data implemented in the Processing to the territory of a State outside the European Union i) is carried out only on the basis of Instructions from the Data Controller or in order to satisfy a specific requirement of the Personal Data Regulations to which the Subcontractor is subject ii) and is carried out in accordance with Chapter V of the RGPD.
DURATION OF THE AGREEMENT AND FATE OF PERSONAL DATA
DURATION
This Agreement shall come into force with respect to a Processing on the day on which the Contract concerning the Service associated with that Processing comes into force, and shall thereafter remain in force for the duration of the performance of that Contract.
This Agreement shall automatically terminate in respect of a Processing operation when the Contract concerning the Service associated with that Processing operation comes to an end, for any reason whatsoever.
FATE OF PERSONAL DATA
At the end of this Agreement, for any reason whatsoever, the Subcontractor will, at the option of the Controller, either i) delete all Personal Data processed on behalf of the Controller and certify to the Controller that it has done so, or ii) return all Personal Data to the Controller and destroy existing copies, unless the Personal Data Regulations require them to be retained for longer.
The Data Controller will inform the Subcontractor of its choice in writing at least 15 days before the end of this Agreement, for any reason whatsoever.
Provided that the Data Processor complies with the aforementioned 15-day period, the Subcontractor will delete or return the personal data on the date of expiry of the Agreement and will ensure until then that the Processing remains compliant with this Agreement.
SUSPENSION OF PROCESSING
SUSPENSION BY THE CONTROLLER
In the event that the Subcontractor fails to comply with its obligations under this Agreement, the Data Controller may instruct the Subcontractor to suspend Processing until the Subcontractor has complied with its obligations under this Agreement.
In such a case, the Data Controller shall notify the Subcontractor in writing, giving reasons, of the existence, in its opinion, of a breach of one or more of the obligations incumbent on the Subcontractor under this Agreement.
Without this constituting recognition of the validity or otherwise of the Data Controller's notification, the Data Processor shall suspend the Processing concerned by the notification as soon as it is received.
If the Subcontractor considers that the notification is well-founded and that it is unable to comply with it, it shall promptly inform the Data Controller after receiving the notification.
Any request for suspension of Processing by the Data Controller which appears to be unfounded will render the Data Controller liable to the Subcontractor.
SUSPENSION BY THE PROCESSOR
In the event of a breach by the Controller of its obligations under this Agreement, the Subcontractor may suspend Processing until the Controller has complied with its obligations under this Agreement.
In such a case, the Subcontractor shall notify the Controller in writing, giving reasons, of the existence, in its opinion, of a breach of one or more of the obligations incumbent on the Subcontractor under this Agreement.
The Subcontractor may suspend Processing immediately upon receipt by the Data Controller of such notification, in particular in the event that it considers that the breach of this Agreement is constituted by an Instruction that does not comply with the Personal Data Regulations.
Any suspension of Processing by the Subcontractor which appears to be unfounded shall render the Subcontractor liable to the Data Controller.
TERMINATION
TERMINATION BY THE DATA CONTROLLER
12.1.1. The Controller is entitled to terminate this Agreement before its term if the Processing has been the subject of a request for suspension by the Controller pursuant to article 11.1 of this Agreement and if, within a reasonable period and in any event within one month of notification of suspension, either compliance with this Agreement is not restored, or no agreement is reached between the Parties for the continuation of Processing in compliance with the Personal Data Regulations.
12.1.2. The Controller is also entitled to terminate this Agreement before its term if:
- the Data Processor is in serious or persistent breach of its obligations with regard to Processing under the Agreement or the Personal Data Regulations;
- the Subcontractor fails to comply with a binding decision of a court or competent authority concerning its obligations with regard to Processing under this Agreement or the Personal Data Regulations.
Termination shall be effective ipso jure if, at the end of a period of one month following receipt or first presentation of a letter of formal notice stating the reasons, either this letter has not been followed by action, or the Parties have not reached an agreement concerning the continuation of the Agreement in compliance with the Personal Data Regulations.
TERMINATION BY THE SUBCONTRACTOR
12.2.1. The Subcontractor is entitled to terminate this Agreement before its term if the Processing has been suspended by the Subcontractor pursuant to article 11.2 of this Agreement and if, within a reasonable period and in any event within one month of notification of the suspension, either compliance with this Agreement is not restored, or no agreement is reached between the Parties for the continuation of the Processing in compliance with the Personal Data Regulations.
12.2.2. The Subcontractor is also entitled to terminate this Agreement before its term if:
- after having informed the Processor that its Instructions infringe the requirements of the Personal Data Regulations, the Processor insists that its instructions be followed;
- the Data Controller is in serious or persistent breach of its obligations with regard to Processing under the Agreement or the Personal Data Regulations;
- the Data Controller fails to comply with a binding decision of a court or competent authority concerning its obligations with regard to Processing under this Agreement or the Personal Data Regulations.
Termination will be effective ipso jure if, at the end of a period of one month following receipt or first presentation of a letter of formal notice stating the reasons, either this letter has not been followed up, or the Parties have not reached an agreement concerning the continuation of the Agreement in compliance with the Personal Data Regulations.
CONSEQUENCES OF TERMINATION
Termination pursuant to this Article 12 of the Agreement shall automatically terminate the Agreement and the Processing concerned by the Agreement on the same date.
MISCELLANEOUS
SEPARABILITY
If any provision of this Agreement is annulled or otherwise invalidated, the remainder of the Agreement shall remain in force and the provision in question shall be replaced by a valid provision which reflects as closely as possible the original intention of the Parties.
TRANSFERABILITY
This Agreement and the rights and obligations of the Parties hereunder are not transferable to any third party, directly or indirectly, without the prior written consent of the Parties.
APPLICABLE LAW AND JURISDICTION
This Agreement is governed by French law. In the event of any dispute concerning its formation, performance, interpretation and/or termination, the Parties will make every effort to find an amicable solution to the dispute within one month of the first notification by either Party of such a dispute by registered letter with acknowledgement of receipt. In the event that the Parties are unable to resolve the dispute amicably within the said one-month period, the competent courts of Paris shall have exclusive jurisdiction.