RGPD

ChallengeMe provides all its customers with a charter. We are committed to data confidentiality and protection.

GAR / MEN use

All users who register for GAR use of ChallengeMe are registered for GAR processing. The applicable RGPD notices can be found at this address: https://gar.education.fr/mentions-informatives-rgpd/vv

RGPD CONTRACT

I. Preamble 

In the context of the entry into application, on May 25, 2018, of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter, "RGPD"), the purpose of this appendix is to define the conditions under which ServicesYou, which has the status of Processor under the RGPD, undertakes to carry out the personal data processing operations defined in Article VII of this appendix, on behalf of and on the instructions of Organisation et Développement, the Data Controller, in compliance with the regulations in force, and in particular the RGPD and any national laws or regulations applicable to the Data Controller and the Subcontractor (hereinafter the "Applicable Regulations").

II. Subcontractor's obligations to the Controller 

The Subcontractor undertakes to: 

1. process the data solely for the purpose(s) for which it is outsourced, as described in Article VII. 

2. process the data in accordance with the provisions of this appendix and any subsequent documented instructions from the Data Controller. If the Subcontractor considers that an instruction constitutes a breach of the applicable Regulations, it shall immediately inform the Data Controller. 

3. guarantee the confidentiality of personal data processed under the Contract or Agreement. 

4. ensure that persons authorized to process personal data: 

  • undertake to respect the confidentiality of said data or are subject to an appropriate legal or contractual obligation of confidentiality 
  • receive the necessary training in the protection of personal data 

5. take into account, with regard to its tools, products, applications or services, the principles of data protection by design and data protection by default.

6. Subsequent subcontracting

In the event that the Subcontractor resorts to its own subcontractor (hereinafter the "Subsequent Subcontractor") for the processing of the data entrusted to it, it shall inform the Data Controller in advance and in writing, indicating in particular the subcontracted processing activities, the identity and contact details of the subcontractor and the duration of the Subsequent Subcontracting. The Data Controller will then have a period of 30 days from the date of receipt of this information to present any reasoned objection to the further subcontracting. 

The Subcontractor undertakes to ensure that the subsequent subcontractor presents the same sufficient guarantees as to the implementation of appropriate technical and organizational measures in compliance with the applicable Regulations, and to carry forward the stipulations of this amendment, including the right of verification and audit, in the contract binding it to any subsequent subcontractor. The Subcontractor remains solely and fully liable to the Data Controller, under the conditions of this appendix, for any failure by the subsequent subcontractor to meet its obligations.

The Subcontractor shall keep a list of subsequent subcontracting agreements entered into pursuant to this clause, which shall be updated regularly and at least once a year. This list shall be made available to the Data Controller and, if requested, to the CNIL.

In the event that the Subcontractor, having obtained the prior written agreement of the Data Controller, chooses a subsequent subcontractor located outside the European Union, any necessary compliance work will be borne financially by the Subcontractor. In such a case, the Subcontractor must, at the very least, demonstrate to the Data Controller:

a) that it has signed the European Commission's Standard Contractual Clauses with the subsequent subcontractor, or, failing that,

b) that "Binding Corporate Rules" approved by the competent supervisory authority apply to the subsequent subcontractor, when the subsequent subcontractor is one of the Subcontractor's subsidiaries.

7. Duty to inform

The Subcontractor will keep the Data Controller informed, without delay and within a maximum of 5 working days:

  • of any request for communication of personal data from a competent authority, or any such communication imposed on the Subcontractor by virtue of Union law or the law of the Member State to which it is subject, unless a duly justified legal exception prohibits such information for reasons of public interest;
  • of any request from a Data Subject to exercise his/her rights with regard to the processing entrusted to the Subcontractor. In this event, the Subcontractor will not reply directly to the Data Subject unless it has been authorized to do so in writing by the Data Controller.

8. Exercise of Data Subjects' rights 

Insofar as possible, the Subcontractor undertakes to assist the Data Controller in the performance of its legal obligations in connection with respect for the rights of Data Subjects, namely: 

  • the right to information: the Subcontractor in charge of collecting the personal data of Data Subjects undertakes to transmit to the latter, at the time of collection, the information provided to the Subcontractor by the Data Controller;
  • the right of access: extraction and transmission to the Data Controller by the Subcontractor, in a readable format, of the data entrusted to it concerning the Data Subject;
  • the rights to rectification, deletion and objection: the Subcontractor must send a certificate of performance to the Data Controller; 
  • the right to restriction of processing: transmission of a certificate of performance to the Data Controller by the Subcontractor; 
  • the right to data portability: extraction and transmission to the Data Controller by the Subcontractor, in a structured, commonly used and machine-readable format, of the data entrusted to it about the Data Subject; 
  • the right not to be subject to an automated individual decision (including profiling): transmission to the Data Controller by the Subcontractor of a certificate of performance. 

The Subcontractor also undertakes to provide the Data Controller with any information necessary for the latter to respect the rights of the Data Subjects, as soon as possible, and at the latest within 10 working days of the Data Controller's request.

9. Notification of Personal Data Breaches 

The Subcontractor shall notify the Data Controller's contact person identified in article 7 of any personal data Breach without delay, and at the latest within 48 hours, after becoming aware of it. 

This notification shall be accompanied by any useful documentation to enable the Data Controller, if necessary, to notify this Breach to the competent Supervisory Authority, and at least the following information:

  • a description of the nature of the personal data Breach including, if possible, the categories and approximate number of persons affected by the Breach and the categories and approximate number of personal data records affected;
  • a description of the likely consequences of the Personal Data Breach; 
  • a description of the measures taken or proposed to be taken by the Subcontractor to remedy the Personal Data Breach, including, where appropriate, measures to mitigate any negative consequences. 

The Subcontractor will coordinate its external communication activities with the Data Controller and will refrain from any unilateral and/or spontaneous public or private communication, in particular to the competent supervisory authority and the data subjects, without the prior consent of the Data Controller.

Once the incident that led to the Data Breach has been closed, the Subcontractor will submit a detailed report to the Data Controller showing, in particular:

  • the causes of the Data Breach;
  • the breaches of personal data, in particular of data confidentiality and integrity;
  • the Subcontractor's response and intervention time;
  • the measures taken to put a stop to the Breach and to ensure that it does not happen again.

In the event of recurring incidents, and/or given the seriousness of a single incident attributable to the Subcontractor leading to a personal data Breach in a production environment, the Data Controller shall be entitled to terminate the Contract or the Agreement early, by registered letter with acknowledgement of receipt, to the exclusive detriment of the Subcontractor, without compensation and without prejudice to any damages that may be claimed by the Data Controller. 

10. Impact assessments (PIA) 

Taking into account the nature of the processing concerned and the information at its disposal, the Subcontractor will advise and diligently assist the Data Controller by providing it with the information necessary to carry out any Data Protection Impact Assessment (PIA).

11. Security measures 

The Subcontractor undertakes to implement the technical and organizational security measures necessary to ensure that the data entrusted to it is not distorted, damaged or communicated to unauthorized persons, as listed in Article VII. 

The Subcontractor undertakes to implement technical and organizational security measures at least equivalent to those developed by the CNIL or ANSSI in the guides listed below, or to the ISO 27001 standard.

The guides published by CNIL and ANSSI are available at the following addresses:

In any event, the Subcontractor undertakes, in the event of a change in the means used to ensure the security of the data and documents transmitted, to replace them with equivalent or superior means and to inform the Data Controller in good time.

12. Ownership and fate of data 

The data entrusted to the Subcontractor by the Data Controller under the terms of the Contract or the Agreement remain its property. Under no circumstances may the Subcontractor claim a right to this data, nor may it directly or indirectly use, modify or destroy it without the express instruction of the Data Controller.

At the end of the Contract or the Agreement, the Subcontractor must, as soon as possible, spontaneously and at its own expense, and must be able to demonstrate this at the first request of the Data Controller:

  • return to the Data Controller any data not in the latter's possession;
  • destroy all other data.

In any event, the Subcontractor will destroy all existing copies of the data entrusted to it in its information systems and those of its subsequent subcontractors and provide the Controller with a certificate of completion, unless Union law or the law of the Member State requires the retention of personal data.

13. Location

The Subcontractor shall notify the Data Controller of the physical location of its servers via Article VII, as well as any change in said location. This information applies as soon as the Subcontractor takes the decision to change the location of its servers, without waiting for their actual move.

Any location of servers in a country outside the European Union which is not recognized by national authorities as offering an adequate level of protection must be subject to the prior written agreement of the Data Controller. In the event of disagreement, the Data Controller shall be entitled to terminate the Contract or the Agreement under the conditions set out in the Contract or in the Agreement.

Any transfer authorized by the Controller may only take place once the Parties have signed the European Commission's standard clauses as defined in the "Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council", or in a more recent Commission Decision.

In such a case, the Data Controller will be considered as the Exporter and the Subcontractor as the Importer.

14. Register of categories of processing activities 

Where applicable, the Subcontractor undertakes to keep a written Register of all categories of processing activities carried out on behalf of the Controller including: 

  • the name and contact details of the data controller on whose behalf it is acting, of any subcontractors and, where applicable, of the data protection officer; 
  • the categories of processing carried out on behalf of the Data Controller; 
  • where applicable, transfers of personal data to a third country or to an international organization, including identification of the third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European Data Protection Regulation, documents attesting to the existence of appropriate safeguards; 
  • as far as possible, a general description of the technical and organizational security measures, including, among others and as appropriate: 
    • pseudonymization and encryption of personal data; 
    • means to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 
    • the means to restore availability and access to personal data within an appropriate timeframe in the event of a physical or technical incident; 
    • a procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing. 

15. Documentation, checks and audits

15.1 The Subcontractor shall provide the Data Controller with the documentation necessary to demonstrate compliance with all of its obligations and undertakes to conduct regular audits of all of its information systems, internal procedures and premises in order to verify, in particular, compliance with all of the obligations incumbent upon it under this Appendix and the applicable Regulations and, in particular, to ensure that the security measures provided for in these clauses are properly implemented and cannot be circumvented without this being detected and notified. 

To this end, the Subcontractor will provide the Data Controller, on request, with the conclusions of the audit report carried out by the Subcontractor or any service provider of its choice who is subject to an obligation of confidentiality in accordance with the conditions set out in this Contract or this Agreement and who is not a competitor of the Data Controller and/or its subcontractors, whose identity will be communicated to the Data Controller at least ten (10) days prior to the audit.

In the event of a finding of non-compliance, the Subcontractor will bear the cost of the resources required to achieve compliance within a reasonable timeframe agreed between the Parties. Once compliance has been achieved, the Subcontractor will provide the Data Controller with a certificate of completion demonstrating that compliance has been achieved. 

In the event of failure to comply with the provisions of this article, the Controller shall be entitled to terminate the Contract or the Agreement to the exclusive detriment of the Subcontractor, without notice or compensation and without prejudice to any claim by the Controller for any damage it suffers as a result.

15.2 The Subcontractor acknowledges that the Control Authority (CNIL) and the Agents of the DGCCRF have the right to carry out checks on the Subcontractor and any subsequent subcontractor to the same extent and under the same conditions as in the case of checks carried out on the Data Controller in accordance with the applicable Regulations.

The Subcontractor shall inform the Data Controller as soon as possible of the existence of any legislation concerning it or any subsequent subcontractor that prevents checks from being carried out at its premises or at the premises of any Subcontractor in accordance with the preceding paragraph. In such a case, the Data Controller reserves the right to suspend data processing and/or immediately terminate the Contract or the Agreement at no cost.

III. Obligations of the Controller towards the Subcontractor 

The Data Controller undertakes to: 

1. provide the Subcontractor with the information specified in Article VII of this Appendix. 

2. document in writing any instructions concerning the processing of personal data by the Subcontractor 

3. ensure, beforehand and throughout the duration of the processing, that the Subcontractor complies with the obligations set out in the RGPD. 

4. supervise the processing, including carrying out the verifications and audits provided for in Article II of this appendix with the Subcontractor. 

IV. Liability

Notwithstanding any stipulation to the contrary in the Contract or the Agreement, the Parties acknowledge that any failure to comply with this Appendix shall constitute direct and compensable damages, for which the Subcontractor shall be liable in the event of any failure on its part and/or on the part of any subsequent subcontractor.

Consequently, the Subcontractor guarantees the Data Controller and will hold it harmless from any financial consequences (condemnation or compensation paid, costs and expenses) caused by the violation of the rules provided for in this appendix by the Subcontractor or its subsequent subcontractors, without limitation.

V. General provisions

1. This Appendix forms an integral part of the Contract or the Agreement and is binding on the Parties. 

2. Capitalized terms not defined in this appendix are defined in the RGPD. 

3. The fact that one of the Parties does not at any time require strict compliance by the other Party with a provision of this Annex shall in no case be deemed to constitute a waiver, of any kind whatsoever, of such compliance.

4. In the event of changes in legislation concerning personal data, the Parties shall negotiate in good faith any amendments to this Annex necessary to comply with such changes, within a reasonable period of time to be determined by mutual agreement.

VI. DESCRIPTION OF THE PERSONAL DATA PROCESSING OPERATION(S) TO BE OUTSOURCED

  1. The nature of the operations carried out on data in this context is defined below (selected options are marked with an X):
  • X Hosting
  • Customer relationship management and after-sales service operations
  • Management of promotional operations and competitions
  • Marketing operations
  • Human resources management operations
  • Payroll operations
  • Database enrichment
  • X Provision of a SaaS service
  • Application & software development and testing
  • X Data archiving
  • Document destruction
  • X Statistics
  • Other(s):

  2. The purpose(s) of the processing are as follows: 
  • Electronic document management
  • Customer / prospect management
  • Management of promotional operations and competitions
  • Managing an e-commerce site
  • Claims and after-sales service management
  • Measuring satisfaction
  • Mail management and processing
  • Human resources management
  • X Statistics
  • Archiving for evidential purposes
  • Other(s):

  3. The personal data processed are defined below: 
  • X Identification data (marital status, address, telephone number, email, etc.)
  • Professional life
  • Family & social situation
  • Banking and payment data
  • Personal life, lifestyle habits, preferences
  • Social security number
  • IP address
  • Geolocation
  • X Connection data
  • Biometric data
  • Sensitive data (health, racial origin, political opinions, religion, criminal convictions)
  • Other(s):

  4. The categories of people concerned are defined below: 
  • X Employees
  • Customers
  • Suppliers
  • Business partners
  • Service providers
  • Others: Students

  5. To perform the service covered by the Contract or Agreement, the Subcontractor implements the following technical and organizational security measures: 
  • pseudonymization and encryption of personal data 
  • X means of guaranteeing the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 
  • X the means for restoring availability and access to personal data within an appropriate timeframe in the event of a physical or technical incident; 
  • X a procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing
  • Other:

  6. Personal data are hosted by: 

OVH Roubaix, OVH Gravelines, OVH Strasbourg