Legal - Data Processing Agreement

Defined terms used in this Data Processing Agreement and not defined herein shall have the meaning given to them in the Agreement.

1. Definition

“data controller”, “data subject”, “personal data”, “processing” (“process” and “processed” to be construed accordingly), “data processor” and “appropriate technical and organisational measures” have the meanings given to them in the Data Protection Legislation. For the purposes of this Data Processing Agreement, “personal data” shall only be personal data that is processed in connection with the Agreement between the Parties.

 

“Data Protection Legislation” means all European Union (EU) or United Kingdom (UK) legislation and regulatory requirements in force from time to time relating to the use of personal data and the privacy of electronic communications, including, without limitation: (a) the Data Protection Act 2018 and UK GDPR, or any successor legislation; (b) the EU GDPR or any successor legislation; and (c) any agreements between the European Commission or the United Kingdom (UK) and a Third Country in respect of the legal transfer of personal data from the European Economic Area (EEA) to that third country.

 

“GDPR” means EU GDPR and UK GDPR.

 

“EU GDPR” means the General Data Protection Regulation ((EU) 2016/679).

 

“Permitted Recipients” means the Parties to the Agreement and their Affiliates and each Party’s and its Affiliates’ respective personnel and any third parties engaged to perform the Party’s obligations in connection with the Agreement (as permitted under the Agreement).

 

“Shared Personal Data” means personal data to be shared between the Parties under the Agreement on a data controller to data controller basis. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject, as applicable:

(a) The Parties' personnel: names, telephone numbers and email addresses; and

(b) Customer’s customers: names, addresses, telephone numbers and email addresses.

 

"Third Country" means a country which the EU Commission or the UK Government (as applicable) has not designated as a country that provides adequate protections in respect of Personal Data.

 

“UK GDPR” means EU GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).

2. Controller to Controller Processing

2.1 Applicability. This Section 2 shall apply where the Parties share any personal data that is subject to Data Protection Legislation on a data controller to data controller basis.

 

2.2 Each Party acknowledges that one Party (the “Data Discloser”) may disclose to the other Party (the “Data Recipient”) Shared Personal Data collected by the Data Discloser. Each Party shall:

 

2.2.1 ensure that it has all necessary consents and notices in place to enable the lawful transfer of the Shared Personal Data to the Data Recipient;

 

2.2.2 give full information to any data subject whose Shared Personal Data may be processed under the Agreement of the nature of such processing. This includes giving notice that, on the termination of the Agreement, Shared Personal Data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Recipients, their successors and assigns;

 

2.2.3 process the Shared Personal Data only for the purpose of discharging its obligations or exercising its rights under the Agreement;

 

2.2.4 not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;

 

2.2.5 ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by this Data Processing Agreement;

 

2.2.6 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorized or unlawful processing of the Shared Personal Data and against accidental loss or destruction of, or damage to, the Shared Personal Data; and

 

2.2.7 not transfer Shared Personal Data received from the Data Discloser to a Third Country unless it ensures that there are appropriate safeguards in place pursuant to the Data Protection Legislation.

 

2.3 Each Party shall comply with the Data Protection Legislation and agrees that any material breach of the Data Protection Legislation shall, if not remedied within thirty (30) days of written notice from the other Party, give grounds to the other Party to terminate the Agreement with immediate effect.

 

2.4 Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each Party shall:

 

2.4.1 consult with the other Party about any notices given to data subjects in relation to the Shared Personal Data;

 

2.4.2 promptly inform the other Party about the receipt of any data subject access request or any request from a data subject to erase or rectify Shared Personal Data and provide the other Party with reasonable assistance in complying with any data subject access request;

 

2.4.3 not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other Party;

 

2.4.4 assist the other Party, at the cost of the other Party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

 

2.4.5 notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation in relation to the Shared Personal Data;

 

2.4.6 at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of the Agreement unless required by Law to store the Shared Personal Data;

 

2.4.7 use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;

 

2.4.8 maintain complete and accurate records and information to demonstrate its compliance with this Article 12 and provide such records and information to the other Party on reasonable request in order to prove such compliance; and

 

2.4.9 provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the Data Protection Legislation.

 

2.5 Subject to the limitations and exclusions of liability set out in the Agreement, each Party shall indemnify and keep indemnified the other Party against any liability, fines, claims, demands, expenses and costs (including reasonable legal fees) incurred by the other arising out of or in connection with any claim made or brought by a data subject or other legal person in respect of any loss, damage or distress caused to them as a result of any breach by the other Party of the Data Protection Legislation by that Party, its employees or agents.

3. How we share your ‘Personal Information’

3.1 Applicability. This Section 3 shall apply where Bravenn processes any personal data that is subject to Data Protection Legislation on behalf of Customer.

 

3.2 Scope and status of the Parties.

 

3.2.1 Bravenn acts as a data processor on behalf of Customer with respect to any personal data which is processed by Bravenn on behalf of Customer under the Agreement, to the extent that it relates to the Product(s) (including in relation to any Support Services to be performed by Bravenn in relation to the Product(s) under the Agreement) (the “Customer Personal Data”). Customer may act as data controller or data processor in respect to Customer Personal Data. This Section 3 sets out Bravenn’s data processing obligations to Customer in respect of Customer Personal Data. Details of the applicable processing activities (including categories of personal data and data subjects) are described in Schedule 1 to this Data Processing Agreement.

 

3.2.2 Customer warrants, represents and undertakes to Bravenn that:

(a) it will comply at all times with the Data Protection Legislation; and

(b) all necessary consents and notices are in place to enable the lawful transfer (including international transfers, if any) of Customer Personal Data to Bravenn for the duration and purposes of the Agreement (including without limitation, lawful grounds for processing).

 

3.3 Bravenn’s obligations. Where Bravenn processes Customer Personal Data under or in connection with the performance of its obligations under the Agreement, Bravenn shall:

 

3.3.1 process the Customer Personal Data only in accordance with the Agreement and with other mutually agreed and documented instructions of Customer (including in relation to any international transfer of Customer Personal Data made in accordance with Section 3.4);

 

3.3.2 implement appropriate technical and organizational measures necessary to meet the requirements of Article 32 of the GDPR;

 

3.3.3 ensure Bravenn personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations;

 

3.3.4 be generally permitted to engage sub-processors to process Customer Personal Data solely as necessary in order for Bravenn to provide the Products and Services in accordance with the Agreement. Bravenn shall, in relation to any sub-processor appointed in accordance with this Section 3.3.4:

(a) ensure that equivalent requirements to those set out in this Section 3.3 are imposed on the sub-processor through a written agreement;

(b) remain liable to Customer for the performance of the sub-processor’s obligations; and

(c) notify Customer of any change to such sub-processors;

 

3.3.5 taking into account the nature of the processing and the information available to Bravenn, reasonably assist Customer to fulfil Customer’s obligations under Data Protection Legislation:

(a) to respond to data subjects’ requests exercising their rights; and

(b) with respect to security, data protection impact assessments, data breach notifications and consultations with data protection supervisory authorities;

 

3.3.6 save as required by law, at Customer’s option, either delete or return Customer Personal Data in Bravenn’s possession to Customer on expiry or termination of the Agreement;

 

3.3.7 make available to Customer such information as Customer reasonably requests and Bravenn is reasonably able to provide, and permit and contribute to such audits, including inspections, conducted by Customer (or agreed auditors other than Bravenn’s competitors), as is necessary to demonstrate Bravenn’s compliance with its obligations set out in this Section. Customer will give reasonable notice of any audit, ensure that any audit does not disrupt Bravenn’s business operations, ensure any agreed auditors (if any) are bound by appropriate (in Bravenn’s opinion) confidentiality obligations to protect Bravenn’s confidential information, and will be fully liable for any associated costs (including those of Bravenn); and

 

3.3.8 notify Customer without undue delay after becoming aware of any personal data breach involving Customer Personal Data.

Bravenn shall be entitled to charge Customer, at Bravenn’s then-current rate card and in accordance with its expenses policy, for any Bravenn effort or costs under Section 3.3.5 to 3.3.8 (inclusive).

 

3.4 International transfers. Bravenn may transfer Customer Personal Data to any country or territory (including Third Countries) outside the EEA or the UK or from the EEA to the UK provided that Bravenn ensures that any Customer Personal Data subject to such transfers is provided an adequate level of protection, including the use of:

 

3.4.1 appropriate technical and organizational measures; and

 

3.4.2 appropriate safeguards or derogations under Data Protection Legislation.

 

3.5 Where applicable, the Parties shall execute the appropriate approved standard contractual clauses for transfers of Customer Personal Data from the EEA or UK to Third Countries (“Standard Contractual Clauses”) and, where applicable, Customer shall procure that the relevant data controller entity does the same. Customer agrees that if, pursuant to the Standard Contractual Clauses, Bravenn is obliged to provide a copy of any applicable sub-processor agreement, such agreement may have all commercial information, or clauses unrelated to the Standard Contractual Clauses, removed by Bravenn beforehand and that such copies will be provided by Bravenn in a manner to be determined in its discretion and only upon request by Customer.

 

3.6 Indemnity.

 

3.6.1 Subject to the limitations and exclusions of liability set out in the Agreement, each Party shall indemnify and keep indemnified the other Party against any liability, fines, claims, demands, expenses and costs (including reasonable legal fees) incurred by the other arising out of or in connection with:

(a) any breach by the other Party (including in the case of Customer, by any Listed Affiliate and any other controller of the Customer Personal Data) of its obligations under Data Protection Legislation; and/or

(b) where Bravenn is the indemnified Party, Bravenn acting in accordance with any instruction, policy or procedure of Customer or any Listed Affiliate.

 

3.6.2 Subject to the limitations and exclusions of liability set out in the Agreement, Customer shall defend and indemnify, at its own expense, Bravenn from and against any third party claim against Bravenn to the extent arising out of or in connection with Customer’s breach of Section 3.2.2(b).

4. Contacting us

If you have any questions about this Privacy Policy or wish to exercise any of your rights, contact the Data Protection Officer team. We will attempt to resolve any complaints regarding the use of your Personal Information in accordance with this Privacy Policy.

You may also contact us by mail at:

  • 28 rue de l'Amiral Hamelin, 75016 PARIS, FRANCE.