Data Processing Agreement

This data processing agreement (hereinafter referred to as “DPA”) applies between a client of TraceX (hereinafter referred to as the “Client”) and TraceX, a simplified joint stock company (société par actions simplifiée) with its registered office at 44 rue de Neuilly - 92110 Clichy, France (hereinafter referred to as “Service Provider” or “TraceX”). This DPA sets forth the respective obligations of Client and TraceX regarding the processing of personal data in the context of the Services.

The Client and Service Provider shall be individually referred to as a “Party” or collectively as the “Parties”.

Whereas:

This DPA is automatically annexed to the agreement governing the provision of the Services (as defined below).

Under this DPA, the Parties agree that the terms “Personal Data Breach”, “Data Subject”, “Personal Data”, “Data Controller”, “Controller”, “Data Processor”, “Processor”, “Subprocessor(s)”, “Processing(s)”, “Supervisory Authority” and any other relevant terms related to personal data shall have the meaning assigned to them in the GDPR.

In addition, the following terms shall have the meaning set out below:

Agreement: means the agreement governing the provision of the Services, and in particular the Software licence agreement, and order form signed between the Parties.

GDPR: means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as well as any of its amendments and replacement laws and regulations.

Personal Data Laws: means any applicable laws, rules and regulations regarding personal data protection.

Services: means the services provided by Service Provider to the Client within the framework of the Agreement regardless how they are named in the Agreement.

Unless defined otherwise in the DPA, capitalized terms have the meaning attributed to them under the Agreement.

Therefore, it is agreed as follows:

1. Scope of the DPA and status of the Parties

This DPA applies to the Services. Service Provider, who acts as Data Processor, will process the Personal Data on behalf of and in accordance with the lawful documented instructions it receives from the Client, who acts as Data Controller, and exclusively for the purpose of providing the Services to the Client.

In any case, each Party shall comply with its obligations under GDPR and the Personal Data Laws.

2. Personal data processing

Service Provider is authorised to process, on behalf of the Client, the Personal Data required to provide the Services.

Service Provider undertakes to:

  • process the Personal Data solely for the purposes of providing the Services covered by the Agreement and for the duration defined in the Agreement;

  • process the Personal Data in accordance with the Client’s written documented lawful instructions, which may be specific instructions or general instructions as set out in this DPA and its appendixes or as otherwise notified in writing (including by email) by the Client to Service Provider;

  • comply with any lawful request from the Client requiring Service Provider to rectify or delete Personal Data.

If Service Provider cannot comply with an instruction of the Client and/or considers that an instruction constitutes a breach of the Personal Data Laws, Service Provider shall promptly inform the Client and wait for the Client to provide lawful written instructions.

In addition, if Service Provider is required by any law to which it is subject to process Personal Data for any other purpose, Service Provider will inform the Client of this legal obligation prior to processing, unless the law concerned prohibits such information on important grounds of public interest.

Service Provider undertakes also to:

  • ensure that its personnel and authorized Subprocessors (as defined below) that will Process Personal Data under the Agreement:

    • undertake to respect confidentiality or are subject to appropriate obligations of confidentiality;

    • are contractually bound to comply with similar obligations as Service Provider’s obligations set out in this DPA.

  • take into account, with regard to its tools, products, applications or services, the principles of data protection by design and data protection by default;

  • co-operate fully with the Client in the implementation of any measures or provisions that may be required in relation to the protection of Personal Data in accordance with the obligations of the Personal Data Laws, or of any court order, or of any competent supervisory authority that the Client may reasonably require.

Service Provider shall maintain a record of all categories of Processing activities carried out for the conduct of the Services for the duration stated in the DPA.

Moreover, the Parties will regularly train their personnel having access to Personal Data on applicable Personal Data Laws, including in particular data security and data privacy measures.

3. Assistance

Service Provider shall, at the Client’s reasonable written request, cooperate and assist the Client as required by the Client to comply with the Client’s obligations under Personal Data Laws.

Service Provider undertakes to provide the Client with the necessary information to demonstrate Service Provider’s compliance with the obligations set out in Personal Data Laws and in this DPA.

4. Termination of the processing and deletion of Personal Data

The duration of the Processing shall not exceed the term of the Services for the project concerned.

Upon termination of the Services for the project concerned, for whatever reason, Service Provider shall cease processing any Personal Data on behalf of the Client.

At the Client’s written request at any time and, nevertheless thirty (30) days after the end of the Services for the project concerned, Service Provider shall destroy all Personal Data collected and processed for the Services, and keep no evidence of them, except limited to the Personal Data that have to be kept for a longer duration for Service Provider to fulfil its obligations under any applicable law. The Personal Data shall be entirely deleted when such obligations have been fulfilled.

A certificate of destruction may be provided to the Client upon its written request.

5. Security measures

Service Provider undertakes to implement and maintain appropriate technical and organisational measures to ensure the security and confidentiality of Personal Data and to prevent any unlawful or unauthorised processing, accidental or unlawful destruction, damage, accidental loss, alteration, disclosure or unauthorised access to Personal Data, in accordance with the Personal Data Laws.

Additionally, Service Provider undertakes to comply with good practice and the state of the art in this area.

6. Violation of personal data

If Service Provider becomes aware of a Personal Data Breach, it undertakes to:

  • notify the Client within forty-eight (48) hours of becoming aware of it, providing a detailed description of the Personal Data Breach, including the type of Personal Data that is the subject of the Personal Data Breach and the categories of Data Subjects affected. If this information is not available within forty-eight (48) hours, it will be provided to the Client in a staggered manner, without undue delay;

  • take immediate action to promptly investigate such a Personal Data Breach and identify the effects of the Personal Data Breach;

  • take steps to prevent and mitigate further effects and take any other actions to remedy the Personal Data Breach;

  • continue to promptly provide the Client with all reasonable assistance required to investigate the causes and implement mitigating and remedial measures with respect to the personal data breach.

7. Subprocessing

In the event that the Service Provider wishes to use Subprocessors to perform the Services, Service Provider will send a written request to the Client for the Services concerned. The Client shall provide its prior written approval within three (3) business days after the receipt of such written request by Service Provider. In case this approval is provided after such time period or the proposed Subprocessor is refused by the Client, Service Provider will not be liable for any delay regarding the conduct of the Services that is due to such delay or refusal.

Service Provider remains responsible for the Subprocessors’ performance of the Services under the Agreement and this DPA to the same extent Service Provider is responsible for its own performance.

Service Provider commits that such Subprocessors will be bound by at least similar obligations as those to which Service Provider is bound under this DPA.

8. Data transfer

The Client acknowledges and agrees that, for some Services, Service Provider may transfer and process Personal Data processed for the Services anywhere in the world where Service Provider and/or its affiliates and/or its Subprocessors maintain data processing operations, provided that i) Service Provider will at all times provide an adequate level of protection of Personal Data processed, and ii) provided that the Client prior approved such transfer in accordance with the requirements of GDPR, the Agreement and this DPA.

If, for the performance of the Services, Personal Data are transferred outside of the European Economic Area (hereinafter referred to as “EEA”), the UK or Switzerland, to a country without an equivalent data protection standard and without appropriate safeguards, or where such country does not ensure an adequate level of data protection within the meaning of GDPR, the Parties will comply with the provisions of the EU Standard Contractual Clauses between Data Controllers and Data Processors as adopted by the European Commission under GDPR as amended or replaced at any time, including when applicable, the UK’s International Data Transfer Addendum to the Standard Contractual Clauses or the Switzerland Addendum to the Standard Contractual Clauses (hereinafter referred to as “SCC”).

The SCC shall apply to the transfers of Personal Data outside of the EEA where Service Provider is data exporter and the Client data importer, and where Service Provider is data importer and the Client data exporter.

By exception to the above, when the UK’s International Data Transfer Addendum or the Switzerland Addendum applies, the governing law and competent courts shall be respectively the law of the UK and the courts of the UK, or the law of Switzerland and the courts of Switzerland.

The Parties warrant that the SCC will remain in full force and effect for the duration of the DPA.

9. Liability

9.1. Service Provider undertakes to perform the Services with the due diligence and care specific to a professional specializing in the Services offered. Service Provider shall be responsible for direct damages that may be caused to the Client and/or its Affiliates arising from or in connection with the performance of Services either by Service Provider and/or its subcontractors and that are found admissible by a competent court.

9.2. In the event that Service Provider’s liability is incurred regarding data it deals with in the conduct of the market research concerned, Service Provider’s maximum aggregate liability towards Client for all claims shall be limited to the amount of the budget paid for the Services under the Agreement concerned and shall not exceed the amount provided for in the Service Provider’s cyber insurance.

9.3. Under no circumstances will either Party be liable for: (a) any loss of business, revenue, profits, anticipated savings, opportunity, goodwill, use, data, whether arising directly or indirectly, or (b) for any indirect, punitive, special, incidental or consequential damages.

10. Applicable law and jurisdiction

This DPA is governed by and construed in accordance with French Laws.

In the event of any disputes, misunderstandings and/or differences arising out of or in connection with this DPA, the Parties shall make their best efforts to settle amicably any such disputes, misunderstandings and/or differences. However, if such settlement cannot be reached on an amicable basis within a period of sixty (60) days, such disputes, misunderstandings and/or differences shall be definitively settled by the competent Court of Paris, France.
