RGPD

ChallengeMe provides a charter to all its clients. We are committed to data privacy and protection.

Use in the GAR / MEN framework

All users registering for a GAR use of ChallengeMe are registered under the GAR processing operation. The applicable RGPD notices can be found at this address: https://gar.education.fr/mentions-informatives-rgpd/vv

RGPD CONTRACT

I. Preamble 

In the context of the application, on 25 May 2018, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, "RGPD"), the purpose of this Annex is to define the conditions under which ServicesYou, which has the status of Processor under the RGPD, undertakes to carry out the personal data processing operations defined in Article VII of this Annex, on behalf of and on the instructions of Organisation et Développement, the data controller, in accordance with the regulations in force, and in particular the RGPD and any national law or regulation applicable to the Data Controller and the Subcontractor (hereinafter the "Applicable Regulations").

II. Obligations of the Processor towards the Controller 

The Contractor undertakes to:

1. process the data only for the sole purpose(s) for which the data is outsourced as described in Article VII. 

2. process the data in accordance with the provisions of this Annex and any subsequent documented instructions from the Controller. If the Processor considers that an instruction constitutes a breach of the Applicable Regulations, it shall immediately inform the Controller. 

3. ensure the confidentiality of the personal data processed under the Contract or the Agreement.

4. ensure that persons authorised to process personal data: 

  • undertake to respect the confidentiality of such data or are subject to an appropriate legal or contractual obligation of confidentiality 
  • receive the necessary training on the protection of personal data 

5. take into account the principles of data protection by design and data protection by default in its tools, products, applications or services.

6. Subsequent subcontracting

In the event that the Processor uses its own subcontractor (hereinafter the "Subcontractor") to process the data entrusted to it, it shall inform the Controller in advance and in writing, indicating in particular the processing activities subcontracted, the identity and contact details of the subcontractor and the duration of the subcontracting. The data controller shall then have a period of 30 days from the date of receipt of this information to present any reasoned objection to the further processing. 

The Subcontractor undertakes to ensure that the subsequent subcontractor presents the same sufficient guarantees as to the implementation of appropriate technical and organisational measures in accordance with the applicable Regulations and to carry over the stipulations of this amendment, including the right of verification and audit, into the contract binding it to any subsequent subcontractor. The Subcontractor shall remain solely and fully liable to the Controller, under the conditions of this appendix, for any failure by the subsequent subcontractor to fulfil its obligations.

The Processor shall keep a list of subsequent subcontracting agreements entered into under this clause which shall be updated regularly and at least once a year. This list shall be made available to the Controller and, if requested, to the CNIL.

In the event that the Processor, having obtained the prior written consent of the Controller, chooses a subsequent processor located outside the European Union, any necessary compliance work shall be borne financially by the Processor. In such a case, the Subcontractor must, as a minimum, demonstrate to the Controller:

a) that it has signed the European Commission's Standard Contractual Clauses with the subsequent subcontractor, or failing that

b) that "Binding Corporate Rules" approved by the competent supervisory authority apply to the subsequent subcontractor, where that subcontractor is one of the Subcontractor's subsidiaries.

7. Duty to inform

The Processor shall keep the Controller informed without delay, and at the latest within 5 working days:

  • of any request for disclosure of personal data from a competent authority, or which is required of the Data Processor by Union law or the law of the Member State to which it is subject, unless a duly justifiable legal exception prohibits such disclosure on grounds of public interest;
  • of any request from a Data Subject to exercise his/her rights with regard to the processing entrusted to the Data Processor. In this case, the Data Processor shall not respond directly to the Data Subject unless it has been authorised to do so in writing by the Data Controller.

8. Exercise of Data Subjects' Claims 

To the extent possible, the Contractor undertakes to assist the Controller in the performance of its legal obligations in relation to the respect of the rights of the Data Subjects, namely the rights:

  • to information: the Subcontractor in charge of collecting the personal data of the Data Subjects undertakes to transmit to them, at the time of collection, the information provided to the Subcontractor by the Data Controller;
  • of access: extraction and transmission to the Data Controller by the Data Processor, in a readable format, of the data entrusted to it about the Data Subject;
  • to rectification, erasure and objection: transmission to the Controller by the Processor of a certificate of performance;
  • to restriction of processing: transmission of a certificate of performance to the Controller by the Processor;
  • to data portability: extraction and transmission to the Controller by the Processor, in a structured, commonly used and machine-readable format, of the data entrusted to it about the Data Subject;
  • not to be subject to an automated individual decision (including profiling): transmission to the Controller by the Processor of a certificate of performance.

The Subcontractor also undertakes to provide the Data Controller with any information necessary for the latter to respect the rights of the Data Subjects, as soon as possible, and at the latest within 10 working days of the Data Controller's request.

9. Notification of Personal Data Breaches 

The Processor shall notify the Data Controller's contact person identified in Article 7 of any personal data Breach without delay, and at the latest within 48 hours, after becoming aware of it. 

This notification shall be accompanied by all relevant documentation to enable the Controller, if necessary, to notify the competent supervisory authority of the Breach and at least the following information:

  • a description of the nature of the personal data breach including, if possible, the categories and approximate number of persons affected by the breach and the categories and approximate number of personal data records affected;
  • a description of the likely consequences of the personal data breach; 
  • a description of the measures taken or proposed to be taken by the Contractor to remedy the Personal Data Breach, including, where appropriate, measures to mitigate any negative consequences. 

The Contractor shall coordinate its external communication actions with the Data Controller and shall refrain from any unilateral and/or spontaneous communication, whether public or private, in particular to the competent supervisory authority and to the data subjects, without the prior consent of the Data Controller.

Upon completion of the incident that led to the Data Breach, the Processor shall submit a detailed report to the Data Controller including:

  • the causes of the Data Breach;
  • the breaches of personal data, including breaches of data confidentiality and integrity;
  • the response and intervention time of the Subcontractor;
  • the measures taken to stop the violation and to ensure that it does not happen again.

In the event of recurring incidents and/or given the seriousness of a single incident attributable to the Data Processor leading to the Breach of personal data in a production environment, the Data Controller shall be entitled to proceed with the early termination of the Contract or the Agreement by registered letter with acknowledgement of receipt to the sole detriment of the Data Processor without compensation and without prejudice to any damages that may be claimed by the Data Controller. 

10. Impact assessments (DPIA)

Taking into account the nature of the processing concerned and the information at its disposal, the Subcontractor will advise and assist the Controller diligently in providing the information necessary to carry out any Data Protection Impact Assessment (DPIA).

11. Security measures 

The Subcontractor undertakes to implement the technical and organisational security measures necessary to ensure that the data entrusted to it is not distorted, damaged or communicated to unauthorised persons, as listed in Article VII. 

The Subcontractor undertakes to implement technical and organisational security measures at least equivalent to those developed by the CNIL or ANSSI in the guides listed below, or to the ISO 27001 standard.

The guides published by the CNIL and ANSSI are available at the following addresses:

In any event, the Subcontractor undertakes, in the event of a change in the means of ensuring the security of the data and documents transmitted, to replace them with equivalent or superior means and to inform the Data Controller in good time.

12. Ownership and fate of data 

The data entrusted to the Processor by the Controller under the Contract or the Agreement shall remain the Controller's property. Under no circumstances may the Subcontractor claim a right to this data, nor may it directly or indirectly use, modify or destroy it without the express instruction of the Controller.

At the end of the Contract or the Agreement, the Processor shall, as soon as possible, spontaneously and on its own responsibility, and shall provide evidence of having done so at the Data Controller's first request:

  • return to the controller any data not in the controller's possession;
  • destroy other data.

In any event, the Contractor shall destroy all existing copies of the data entrusted to it in its information systems and those of its subsequent subcontractors and provide the Controller with a certificate of completion, unless Union law or the law of the Member State requires the retention of personal data.

13. Location

The Contractor shall communicate to the Controller the physical location of its servers via Article VII, as well as any change in said location. This information shall apply as soon as the Processor takes the decision to change the location of the servers, without waiting for them to be actually moved.

Any location of the servers in a country outside the European Union that is not recognised by the national authorities as having an adequate level of protection shall be subject to the prior written agreement of the Data Controller. In the event of disagreement, the Data Controller shall be entitled to terminate the Contract or the Agreement in accordance with the terms of the Contract or the Agreement.

Any transfer authorised by the Controller may only take place after the Parties have signed the European Commission's standard clauses as defined in the "Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council", or in a more recent Commission Decision.

In such a case, the Controller will be considered as the Exporter and the Processor as the Importer.

14. Register of categories of processing activities 

Where applicable, the Processor undertakes to keep a written Register of all categories of processing activities carried out on behalf of the Controller including:

  • the name and contact details of the controller on whose behalf it is acting, of any subcontractors and, where appropriate, of the data protection officer;
  • the categories of processing carried out on behalf of the Controller;
  • where appropriate, transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European Data Protection Regulation, the documents attesting to the existence of appropriate safeguards;
  • to the extent possible, a general description of the technical and organisational security measures, including inter alia, as appropriate:
      • pseudonymisation and encryption of personal data;
      • means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
      • means to restore the availability of and access to personal data within an appropriate timeframe in the event of a physical or technical incident;
      • a procedure to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the security of processing.

15. Documentation, verifications and audits

15.1 The Data Processor shall provide the Data Controller with the documentation necessary to demonstrate compliance with all its obligations and undertakes to carry out regular audits of all its information systems, internal procedures and premises in order to verify, in particular, compliance with all of its obligations under this Annex and the applicable Regulations and, in particular, to ensure that the security measures provided for in these clauses have been put in place and cannot be circumvented without this being detected and notified. 

In this respect, the Subcontractor shall communicate to the Controller, on request, the conclusions of the audit report carried out by itself or any service provider of its choice subject to an obligation of confidentiality in accordance with the conditions set out in this Contract or in this Agreement and not competing with the Controller and/or its subcontractors, the identity of which shall be communicated to the Controller at least ten (10) days prior to the audit.

In the event of a finding of non-compliance, the Subcontractor shall bear the cost of the resources required to bring the data into compliance within a reasonable timeframe agreed between the Parties. Upon completion of its compliance, the Subcontractor shall provide the Controller with a certificate of completion demonstrating its compliance. 

In the event of failure to comply with the provisions of this article, the Controller shall be entitled to terminate the Contract or the Agreement to the exclusive detriment of the Subcontractor without prior notice or compensation and without prejudice to any claim by the Controller in the event of prejudice to him as a result.

15.2 The Contractor acknowledges that the Supervisory Authority (CNIL) and the agents of the DGCCRF have the right to carry out checks on the Contractor and any subsequent subcontractor to the same extent and under the same conditions as in the case of checks carried out on the Controller in accordance with the applicable Regulations.

The Processor shall inform the Controller, as soon as possible, of the existence of legislation concerning it or any subsequent processor that prevents checks from being carried out on it or any subsequent processor in accordance with the preceding paragraph. In this case, the Data Controller reserves the right to suspend the processing of data and/or to terminate the Contract or the Agreement immediately and without charge.

III. Obligations of the Controller towards the Processor 

The data controller undertakes to:

1. provide the Subcontractor with the information set out in Article VII of this Annex.

2. document in writing any instructions regarding the processing of personal data by the Processor.

3. ensure, beforehand and throughout the processing, that the obligations laid down in the RGPD are complied with by the Processor.

4. supervise the processing, including carrying out the checks and audits provided for in Article II of this Annex on the Contractor.

IV. Responsibility

Notwithstanding anything to the contrary contained in the Contract or the Agreement, the Parties acknowledge that any breach of this Annex shall constitute direct and compensable damage for which the Subcontractor shall be liable in the event of a breach by it and/or any subsequent subcontractor.

Accordingly, the Contractor shall indemnify and hold harmless the Controller from any financial consequences (judgement or compensation paid, costs and expenses) arising from the breach of the rules set out in this Annex by the Contractor or its subsequent subcontractors, without limitation.

V. General provisions

1. This Annex forms an integral part of the Contract or Agreement and is binding on the Parties. 

2. Capitalised terms not defined in this Annex are defined in the RGPD.

3. The failure of either Party at any time to require strict compliance by the other Party with any provision of this Annex shall not be deemed to constitute a waiver of such compliance.

4. In the event of changes in legislation concerning personal data, the Parties shall negotiate in good faith any amendments to this Annex necessary to comply with such changes, within a mutually agreed reasonable timeframe.

VI. Description of the personal data processing operation(s) to be outsourced

1. The nature of the operations carried out on the data in this context is defined below:
  • X Accommodation
  • Customer relationship management and after-sales service operations
  • Management operations for promotional operations and competitions
  • Marketing operations
  • Human resources management operations
  • Payroll operations
  • Enrichment of databases
  • X Provision of a service in SaaS mode
  • Development and testing of applications & software
  • X Data archiving
  • Destruction of documents
  • X Production of statistics
  • Other(s):


2. The purpose(s) of the processing are as follows:
  • Electronic document management
  • Customer / prospect management
  • Management of promotional operations and competitions
  • Management of an e-commerce site
  • Complaints and after-sales service management
  • Measuring satisfaction
  • Mail management and processing
  • Human resources management
  • X Production of statistics
  • Archiving for evidential purposes
  • Other(s):


3. The personal data processed are defined below:
  • X Identification data (civil status, address, telephone number, email ...)
  • Professional life
  • Family & social situation
  • Banking or payment data
  • Personal life, lifestyle habits, preferences
  • Social security number
  • IP address
  • Geolocation
  • X Connection data
  • Biometric data
  • Sensitive data (health, racial, political opinions, religion, judicial conviction)
  • Other(s)

4. The categories of persons concerned are defined below:
  • X Employees
  • Customers
  • Suppliers
  • Business partners
  • Service providers
  • Others: Students


5. For the performance of the service covered by the Contract or the Agreement, the Contractor shall implement the following technical and organisational security measures:
  • pseudonymisation and encryption of personal data;
  • X the means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
  • X the means of restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  • X a procedure to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the security of processing;
  • Other:


6. Personal data are hosted by:

OVH Roubaix, OVH Gravelines, OVH Strasbourg