ARTICLE 1 – SCOPE OF APPLICATION

1.1. LAB EVENT is a limited liability company with a capital of 110,000 euros registered in the Nanterre Trade and Companies Register under the number RCS: 879 740 629, its registered office is located at 129 rue Aristide Briand 92300 Levallois Perret. It is represented by its President, Mr. Vadim TOROPOFF.

1.2. These General Terms and Conditions of Sale (hereinafter referred to as the “GTC”) govern the contractual relationship (hereinafter referred to as the “Contract”) between LAB EVENT (hereinafter referred to as the “Provider”) and another company (hereinafter referred to as the “Client”) (hereinafter referred to jointly as the “Party or Parties”).

1.3. The Provider is the publisher of an IT solution in SaaS mode that covers all the organizational needs of the event industry (hereinafter the “Solution”), allowing Customers to manage their events, their customers and their partners (the “Services”).

1.4. The Provider also offers as services: database rental, training on the Solution, specific developments adapting the Solution to the Customer’s needs.

1.5. These GTC are systematically communicated to each Customer with the order form/quotation (hereinafter the “Order Form”). Consequently, the fact of placing an order for Services (hereinafter the “Order”) by signing the Order Form implies the Customer’s full and unreserved acceptance of these GTC and the Order Form, to the exclusion of any other documents in its possession such as prospectuses, catalogs or advertising brochures issued by the Service Provider, which shall only have an indicative and non-contractual value.

1.6. These Terms and Conditions govern the entire relationship between the Provider and the Customer. No general terms and conditions of purchase shall prevail or be enforced by the Customer against the Provider. Similarly, no special terms and conditions communicated by the Customer to the Provider shall prevail over the GTC, unless formally accepted in writing by the Provider.

1.7. any reservation made by the Customer regarding the GTC shall, therefore and under any circumstances, in the absence of express acceptance by the Provider, be unenforceable against the Provider.

1.8. Any provisions deviating from these GTC shall be subject to the express agreement of the Parties, reflected in the Order confirmed by the Provider or any other document evidencing the agreement of both Parties.

1.9. The fact that the Provider does not at any time rely on any term of these GTC shall not be construed as a waiver of any subsequent reliance on such term.

ARTICLE 2 – OBLIGATIONS OF THE PARTIES
2.1. Obligations of the Customer
The Customer undertakes not to undermine the Solution and the Services in any way whatsoever. The Customer is not authorized to decompile or analyze the Services and the Solution or to attempt to discover or modify any source code.

The Customer expressly declares to have received from the Provider all information and advice necessary for the use of the Services and the Solution and thus waives the Provider’s liability for such use.

The Customer agrees to cooperate closely with the Service Provider and to provide all information, documentation, services, and all means useful for the realization of the Services and the use of the Solution and agrees to make available to the Service Provider all elements allowing to satisfy its obligation, including the personnel dedicated to the good realization of the Services.

If applicable, before each intervention of the Provider, the Customer agrees to perform all necessary backup procedures to protect and safeguard its data, programs and computer files.

The Customer agrees not to damage the reputation of the Service Provider, the Services and the Solution in any way whatsoever.

2.2 Obligations of the Service Provider
In the context of this Agreement and the performance of the Services, the Service Provider undertakes to use all necessary means and to make every effort to carry out its mission in accordance with the rules of the trade. This obligation does not constitute an obligation of result, as the Provider provides the Services and the Solution only as a matter of obligation of means.

The Service Provider warrants to the Customer that it shall have the right to use the Services and the Solution for its own personal benefit.

The Provider warrants that it owns the intellectual property rights to the Solution and the Services licensed under the Agreement.

ARTICLE 3 – DURATION OF THE CONTRACT
The Agreement is entered into by the Parties in accordance with the Order Form for subscriptions per month or per year (the “Initial Period”) as of the date the Customer signs the Order Form (anniversary date”).

The formula chosen by Customer is indicated on the Order Form.

With the exception of the Contract concluded for a duration of one month without any commitment of duration, at the end of the Initial Period, the Contract will be automatically renewed by tacit agreement on each anniversary date of the Contract for a new period of one (1) year (the “Renewed Period”).

The initial Period or the renewed Period concerned shall hereinafter be referred to as the “Period”.

In the event that the Customer wishes to terminate the Agreement, the Customer shall notify its intention to terminate by registered letter with return receipt requested addressed to the Provider’s registered office at least thirty (30) days prior to the anniversary date of the renewal of the current Period, as evidenced by the postmark.

The termination shall take full effect, in particular it shall result in the impossibility for the Customer to access the subscribed Services and the Solution, at the end of the Period.

In the event of termination of the Agreement by the Customer, no credit note or refund for the Period shall be granted by the Provider.

ARTICLE 4 – PRICING AND BILLING
The Provider’s pricing terms for the provision of the Solution and Services are set forth in the Order Form validated by the Order.

The prices are given as an indication and are therefore subject to change. The prices invoiced are those in effect at the time the Order is validated by the Customer (signing the Order Form).

Prices will be charged according to the formula chosen by the Customer.

The Service Provider may also invoice in addition to the Solution and Services included, specific developments, database rental or training in the use of the Solution, Services and additional modules.

The prices of the Solution and the Services are expressed and payable in Euros and are exclusive of value added tax and any other tax, the Customer being responsible for the payment of said taxes.

Invoices shall be payable by bank transfer 30 (thirty) days after the invoice date. Without prejudice to any damages, failure by the Customer to pay an invoice on its due date shall automatically entail
– The payment of late penalties which will be calculated, from the due date shown on the invoice until the day of actual payment, at a rate corresponding to three times the legal interest rate.
– In accordance with Article D. 441-5 of the French Commercial Code, the payment of a fixed indemnity for collection costs set at a minimum of 40 euros.
– The suspension of the Services and access to the Solution, after a prior formal notice remained unsuccessful at the end of a period of fifteen (15) working days, without this suspension can engage the responsibility of the Provider.

Any request by the Customer for additional services or modifications, of any nature whatsoever, shall be subject to a new Order Form from the Provider.

ARTICLE 5 – ACCESS TO THE SOLUTION AND TO THE SUBSCRIBED SERVICES
The Service Provider provides the Customer with the Services and the Solution :
– through the internet network 24 hours a day and 7 days a week, except for maintenance periods which will be indicated by email to the Customer.

The Customer is warned of technical hazards and access interruptions that may occur. Consequently, the Provider shall not be held responsible for any unavailability or slowdown of the Services.

The Service Provider undertakes to implement regular controls to provide reasonable assurance that the Customer can access and use the Solution and Services under the conditions determined by the Agreement.

ARTICLE 6 – MAINTENANCE AND AUDIT
The Service Provider is responsible for the corrective and evolutionary maintenance of the Solution.

If the Customer chooses a maintenance package, the Provider commits to the following level of service:
– Telephone support: 10:00 am to 12:00 pm and 2:00 pm to 6:00 pm, Monday to Friday, excluding holidays,
– Support by email: 10:00 am to 7:00 pm, Monday to Friday, excluding holidays,

The Provider is not responsible for the maintenance in the following cases:

– refusal of the Customer to collaborate with the Service Provider in the resolution of the anomalies and in particular to answer questions and requests for information
– use of the Solution and Services in a manner that does not comply with their purpose or documentation
– failure of the Customer to comply with its obligations under the Agreement,
– implementation of any software package, software or operating system that is not compatible with the Solution and the Services
– failure of the Customer’s electronic communication networks,
– voluntary acts of degradation, malice, sabotage,
– deterioration due to a case of force majeure within the meaning of Article 1218 of the Civil Code or to misuse of the Solution and/or Services.

Interventions relating to the usual maintenance of the Solution may make the Services temporarily unavailable. They are carried out only outside working days and hours.

ARTICLE 7 – OWNERSHIP OF DATA
The Customer remains the owner of all data and databases collected in the course of using the Solution and Services.

The Customer’s data and databases are implemented in the Solution so that the Customer can use the Services.

The Customer grants a license to use its data and databases to the Service Provider in order to provide the Solution and the Services for the duration of the Agreement.

ARTICLE 8 – PROTECTION OF PERSONAL DATA
Each Party undertakes to comply with the regulations in force applicable to the processing of personal data and, in particular, the Data Protection Act dated 6 January 1978 as amended by the Act of 20 June 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“RGPD”).

Under the Contract, as the Provider collects and processes the personal data of the Client’s employees, it has the capacity of data controller for such data. As such, the Provider’s obligations in this regard are set forth in Appendix I.

The Service Provider acts in the name and on behalf of the Customer in the processing of personal data provided to it by the Customer, the Service Provider has the status of a processor. As such, the rights and obligations of the Service Provider in this regard are set forth in Appendix II.

ARTICLE 9 – RIGHTS OF USE
The Customer undertakes to respect the scope of the license for the Solution and the Services granted under these GTC and the Order and to do so solely in accordance with their intended purpose.

The Customer may not transfer, assign in any manner whatsoever, sublicense, make available to any third party whatsoever, even temporarily and/or free of charge, the Solution and the Services and/or the related user license, unless it has obtained the Provider’s prior and express authorization.

ARTICLE 10 – INTELLECTUAL PROPERTY
The Solution and the Services remain, in all circumstances, the exclusive property of the Provider who is the sole owner and holds all the necessary rights to ensure the marketing and use thereof.

Consequently, the Customer may not pledge them, transfer them for valuable consideration or free of charge, sublicense them, lend them for valuable consideration or free of charge, or copy them. In addition, the Customer agrees to inform the Service Provider of any infringement of which it may be aware.

The software, data, documentation, processes, methodologies, technologies and documents belonging to the Service Provider (hereinafter “Intellectual Property Rights”) used, if any, in connection with the provision of the Solution and the Services shall remain the exclusive property of the Service Provider.

The Service Provider grants the Customer, to the extent strictly necessary for the provision of the Solution and the Services, a personal, non-exclusive and non-transferable right to use such Intellectual Property Rights for the duration of the Agreement.

As part of the provision of the Solution and Services and as needed, the Customer also grants the Provider a personal, free, non-exclusive and non-transferable right to use its software, data and documents for the duration of the Agreement.

The Provider retains all Intellectual Property Rights attached to any specific developments and updates that it may make in connection with the provision of the Solution and Services, without the Customer being able to claim any right to such specific developments at any time.

ARTICLE 11 – GUARANTEES
The Service Provider warrants that the Services and the Solution are provided in substantial compliance with the Order.

In no event shall the Service Provider be liable for the Customer’s data incorporated by the Customer in connection with the use of the Solution and the Services.

Unless otherwise provided by law, all other warranties, express or implied, are excluded.

The Service Provider shall not be liable for any warranty, in particular if the Customer has modified or caused to be modified the Solution and/or the Services or has used other services than the Services provided by the Service Provider, without its prior written consent or if the Customer or third parties have intervened on the hardware and/or software and systems to which the Services are dedicated or on which they are performed.

Warranty of compliance
The Service Provider warrants to the Customer that the functionality of the Solution and the Services conforms to their presentation in the Order Form.

ARTICLE 12 – LIABILITY
The Provider’s liability is limited to proven direct damages resulting from a defect in the Services or a breach of the Agreement.

In no event shall the Provider be liable for any indirect, incidental or special damages as defined by the case law of the French courts.

The Service Provider shall not be liable for non-performance of the Agreement in case of force majeure as defined by the case law of the French courts, and in case of damages caused by a third party or due to misuse or non-compliant use by the Customer of the Services and/or the Solution, in violation of the Service Provider’s prescriptions or the rules of the art

In particular, the Service Provider shall not be liable for (i) any damage or loss caused by improper use of the Solution and/or Services by the Customer and/or any third party, (ii) any malfunction, error, inaccuracy or improper result attributable to improper, unauthorized or incompatible use of the Solution and/or Services by the Customer and/or third parties.

The Customer declares that he is aware of the characteristics and limits of the Internet, in particular its technical performance, the response times for consulting, querying or transferring data and the risks associated with the security of communications. The risks of alteration or destruction of data by viruses within the network are limited by antivirus software. It is up to the Customer to protect himself against these risks.

The Customer is solely responsible for the relations with its partners and customers. In case of conflict, the Service Provider will not be held responsible.

Except for personal injury or death, and except in the case of gross negligence or intentional misconduct causing proven direct damage or in the case of breach of an essential obligation of the Agreement rendering it void of its substance, the Customer acknowledges that the Provider’s liability is limited to the amount paid by the Customer for the Order in question.

SECTION 13 – TERMINATION
In the event of a breach by either Party of its contractual obligations, the Agreement may be terminated by the other Party thirty (30) days after sending a letter of formal notice by registered mail with return receipt requested that has remained without effect.

The letter of formal notice shall indicate the default or defaults noted.

The Parties have agreed that articles 1224 et seq. of the Civil Code relating to contractual termination shall not apply to the Contract. Each Party waives the provisions, and all related rights, of the aforementioned articles of the Civil Code.

ARTICLE 14 – CONFIDENTIALITY
Each Party agrees, both on its own behalf and on behalf of its employees and partner companies, to maintain the confidentiality of confidential information (“Confidential Information”).

Confidential Information” means all information, regardless of its nature, form or medium, such as content, to which each Party shall have access during the performance of the Agreement, including, without limitation, all resources made available to the Service Provider by the Customer or to the Customer by the Service Provider, all technical, industrial, financial and commercial data, specifications, specifications, all databases of the Customer and the Service Provider, customer databases, product databases and any information and documents relating to each Party’s activities, customers and suppliers, its strategy, its research and development work.

The Confidential Information does not cover documents, data or other information that are :
– known by either Party on a non-confidential basis prior to disclosure by the other Party ;
– has entered or will enter the public domain on the day of its disclosure; or
– legitimately obtained from a third party not bound by an obligation of confidentiality;
– independently developed by the receiving Party that did not have access to any information of the disclosing Party;
– disclosed pursuant to a statutory or regulatory provision.

Each Party agrees:
– to apply the same safeguards to Confidential Information as it applies to its own confidential information,
– to communicate Confidential Information only to its employees and collaborators who need to know it in the course of managing the Order
– not to disclose, publish or transmit to third parties the Confidential Information, in any form whatsoever, without the prior written consent of the other Party
– to use the Confidential Information solely for the purpose of performing the Services.

The Provider undertakes to implement all necessary measures to ensure that its internal representatives (employees) and external partners (partners and subcontractors) who have access to the Confidential Information comply with this clause and the same obligations.

Business secrecy: each of the Parties agrees that the Confidential Information meets the criteria of Article L.151-1 of the French Commercial Code and is therefore protected by business secrecy in accordance with the provisions of Articles L.151-1 and following of the French Commercial Code.
Duty of disclosure: in the event that the Service Provider or one of its representatives is requested to disclose Confidential Information provided by the Client by a third party pursuant to a legal or regulatory provision (including stock exchange regulations) or an accounting standard, or pursuant to a court order issued by a competent court that has become final, or a request from an administrative, supervisory or regulatory authority, the Service Provider undertakes (i) prior to any disclosure, to inform the Client and provide a copy of the Confidential Information as soon as possible and no later than ten (10) working days following the date of receipt of such request and (ii) to disclose the Confidential Information that it is required to disclose only to the extent strictly necessary The Service Provider shall use its best efforts to obtain confidential treatment for any Confidential Information that it is required to disclose.

The obligations set forth in this Section shall survive the termination/expiration of the Agreement.

ARTICLE 15 – INSURANCE
Each of the Parties undertakes to maintain in force, for the entire duration of the Contract, with a solvent insurance company, an insurance policy guaranteeing damage that may occur to its property and personnel, as well as a policy covering its professional liability (tort and contractual liability), so as to cover the financial consequences of bodily injury, property damage and consequential loss for which it would be liable, caused by any event and which would be the act of its employees and/or partner companies during the performance of the Contract.

ARTICLE 16 – STAFF MANAGEMENT
Management
The Provider’s personnel assigned to the performance of the Agreement shall remain under the administrative control and the sole hierarchical and disciplinary authority of the Provider throughout the term of the Agreement. The Service Provider shall ensure the supervision and control of its employees, including when the services are performed on the Customer’s premises.

Health and safety
The Service Provider undertakes to ensure that its employees, when on the Customer’s premises, comply with the Customer’s internal rules and regulations and with the provisions applicable to external companies present on said premises, in particular those relating to health and safety. The Customer agrees to inform the Service Provider of these provisions.

In the event that, within the scope of the Agreement, the Provider’s personnel use the Customer’s information system, the Provider undertakes to take all necessary steps to ensure that its personnel comply specifically with the provisions set forth in an IT charter or any other similar document.

ARTICLE 17 – UNDECLARED WORK
The Service Provider declares that it is registered with the RCS and with the URSSAF and that its registrations expressly cover all of its activities for the performance of the Services defined in the Order.

In compliance with Articles L 8221-1 et seq. of the French Labor Code and in accordance with Article D 8222-5 of the same code, the Service Provider undertakes to provide the following documents at the Customer’s request when the Agreement is entered into and every six months thereafter until the end of its performance

– A Kbis extract attesting to the registration in the trade and companies register;
– A certificate of provision of social declarations from the social protection body responsible for collecting social contributions dated less than six months;
– A certificate on honor of the deposit with the tax authorities, at the date of the certificate, of all the compulsory tax declarations;
– A certificate on honor established by the Provider, certifying that the work is performed by employees regularly employed with regard to Articles D.8222-5, D.8222-7 and D.8222-8 of the Labor Code.

ARTICLE 18 – NON-SOLICITATION OF PERSONNEL
The Parties hereby waive the right to hire or have hired directly, or through an intermediary, any employee of the other Party assigned to the performance of the Services, regardless of his or her specialization, even if the initial request is made by the employee. This waiver is valid for the entire term of the Agreement, plus twenty-four (24) months from its expiration or termination for any reason whatsoever.

In the event that one of the Parties fails to comply with this agreement, it undertakes to compensate the other Party (in particular for selection and recruitment expenses, training costs, damage resulting from its personal reputation or commitments already made on its behalf, etc.) by immediately paying it a lump sum equal to the gross annual remuneration that the employee will have received or should have received prior to his/her departure.

ARTICLE 19 – DUTY OF LOYALTY
The Parties agree, throughout the duration of the Contract, to perform their respective obligations faithfully and to seek in good faith all possible solutions likely to achieve a rapid and balanced resolution of any problems or difficulties that may arise during the performance of the Contract.

ARTICLE 20 – REFUSAL
The Service Provider reserves the right not to accept an Order from the Customer if the Service Provider has already encountered payment problems (non-payment or late payment) with the Customer for one or more previous Orders.

ARTICLE 21 – MODIFICATION OF THE SOLUTION AND SERVICES
The Service Provider reserves the right to make any changes or developments to the Solution and/or the Services in order to improve the Solution and/or the Services or as required by law or regulation.

ARTICLE 22 – COMMUNICATION
The Customer authorizes the Service Provider to mention its name and logo on a list of references that it may distribute on its communication media.

ARTICLE 23 – FORCE MAJEURE
The Parties agree to recognize as force majeure any event meeting the criteria defined by the case law of the Court of Cassation in application of Article 1218 of the Civil Code. It is understood that force majeure may not be invoked for late payment or non-payment by the Customer.

ARTICLE 24 – SUBCONTRACTING
The Service Provider may subcontract all or part of the performance of the Services to subcontractors. In this case, the Service Provider shall remain liable to the Customer for the performance of the Services.

ARTICLE 25 – ARTICLE TITLES
The titles of the Articles and appendices, if any, are inserted herein for convenience only. They shall in no event be considered an integral part hereof or construed as limiting the scope of the Sections to which they refer.

ARTICLE 26 – NO WAIVER / EXERCISE OF RIGHTS
The failure of either Party to exercise any of its rights hereunder, or any delay by either Party in exercising such rights, shall not constitute a waiver thereof.

Similarly, the partial exercise of a right or of only one of the legal remedies available to one of the Parties shall not prevent the latter from exercising this right in full or from exhausting all legal remedies available to it.

ARTICLE 27 – APPLICABLE LAW
The Contract is governed exclusively by French law.

ARTICLE 28 – DISPUTES
Any dispute arising from the interpretation, performance, non-performance, or consequences of the Agreement shall be submitted, in the event that the dispute is brought before the civil courts, to the Commercial Court of the Provider’s registered office.

ARTICLE 29 – GENERAL CLAUSES
The Contract expresses the entirety of the agreements and undertakings of the Parties with respect to their subject matter and replaces any other agreement or prior undertaking, whether written or oral, or any information, of whatever nature, provided prior thereto, having the same subject matter, which shall be deemed null and void.
In the event that any one or more of the provisions of this Agreement are deemed invalid for any reason whatsoever, such invalidity shall not affect any other provision of the Agreement.
The Parties shall replace such provision with a valid and enforceable provision, consistent with legal or regulatory requirements, the effect of which shall be as close as possible to the economic or other result intended by the Parties.
Language of the Contract: The Contract is written in the French language. A foreign language translation may be provided for information purposes. In case of contradiction, only the French version shall be deemed authentic between the Parties.
Quality of the Customer: the Customer acknowledges that he/she is a professional under the Consumer Code.
Agreement of proof: the Provider and the Customer agree that all written documents, in particular electronic documents, exchanged between them as well as all data, in particular technical data, are authentic and valid proof of the content of their exchanges and commitments. The dematerialized signature of the Contract shall be deemed to be the original between the Parties.

APPENDIX 1 PRIVACY POLICY

1.1. In order to enable the Customer to enter into the Agreement, the Service Provider, acting as data controller, collects the following personal data relating to the Customer’s employees:
– Name and surname ;
– Job title ;
– Email address;
– Telephone number.

1.2. The Provider uses the personal data of the Customer’s employees for the following purposes:

Purpose
Legal basis for processing
Processing of Orders
The processing is necessary for the performance of the Contract concluded with the Customer
Management and processing of Orders
The processing is necessary for the performance of the Contract concluded with the Customer
Billing
The processing is necessary for the performance of the Contract with the Customer
Information about the Provider, the Services and the Provider’s activities
Processing is necessary for the purposes of the legitimate interests pursued by the Service Provider: commercial prospecting
Response to any questions/complaints from the Client’s employees
The processing is necessary for the execution of the Contract concluded with the Customer
Management of requests for access, portability, deletion, rectification and opposition rights from the Client’s employees
The processing meets a legal obligation
Management of unpaid invoices and disputes
The processing is necessary for the execution of the Contract concluded with the Customer

1.3. The personal data of the Customer’s employees are kept only for the time necessary to achieve the purpose for which the Service Provider holds the data.

1.4. In determining the length of time personal data is retained, the Service Provider applies the following criteria:

– in the case of an Order for Services, personal data is kept for the duration of the contractual relationship and three years after the collection or the last contact with the Customer, for commercial prospecting purposes;
– the Service Provider may keep certain data in order to fulfill its legal or regulatory obligations in terms of archiving to enable it to exercise its rights and/or for statistical or historical purposes.

1.5. At the end of the above-mentioned periods, the personal data will be deleted or the Provider will proceed to their anonymization.

1.6. The Service Provider shall ensure that the personal data of the Customer’s employees is adequately and appropriately secured and has taken the necessary precautions to preserve the security and confidentiality of the data and in particular to prevent it from being distorted, damaged or communicated to unauthorized persons.

1.7 Rights of the Customer’s employees

– The Customer’s employees have the right to access, rectify, delete (erase), port their personal data, limit the processing as well as a right to object to the processing of their data collected and processed by the Service Provider, by contacting the Service Provider directly at the following email address: contact@lab-event.com

– The Customer’s employees may also, at any time, withdraw their consent to the processing of their personal data by the Service Provider as well as by any subcontractors by contacting the Service Provider at the following email address: contact@lab-event.com.

1.8. In the event of a complaint, the Customer’s employees may contact the CNIL, which is the competent authority for the protection of personal data, whose contact details are as follows: 3 Place de Fontenoy, 75007 Paris, telephone: 01 53 73 22 22.

APPENDIX II: SUBCONTRACTING UNDER THE GDPR

2. Purpose

Within the framework of their contractual relations, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, the French Data Protection Act of January 6, 1978 as amended and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 applicable as of May 25, 2018 (hereinafter, “the GDPR”).

The purpose of these clauses is to define the conditions under which the Service Provider undertakes to carry out the personal data processing operations defined below on behalf of the Customer.

2.1. Description of the processing subject to subcontracting

The Service Provider is a subcontractor, acting in the name and on behalf of the Customer who is the data controller.

The Service Provider collects data from end customers, service providers, partners of the Customer (please confirm/complete), necessary for the performance of the Contract (hereinafter the “Data Subjects”).

The nature of the operations performed on the data is related to collection, processing and hosting. (Please confirm)

2.2 Provider’s obligations to the Customer

The Provider undertakes to:

– Process the personal data collected only for the sole purpose(s) of the Agreement;
– Immediately inform the Client, without this qualifying as legal advice, if the Service Provider considers that an instruction given by the Client constitutes a breach of the GDPR or any other provision of Union or Member State law relating to data protection. In addition, if the Provider is required to transfer personal data to a third country or international organization under Union law or the law of the Member State to which it is subject, it must inform the Client of this legal obligation prior to the processing, unless the relevant law prohibits such information on important grounds of public interest ;
– Guarantee the confidentialitý of the personal data processed under this Contract ;
– Ensure that persons authorized to process personal data under the Contract, including employees of the Provider:
◦ Are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality;
◦ Receive the necessary training in the protection of personal data.
– Take into account, with respect to its tools, products, applications or services, the principles of personal data protection by design and data protection by default.

2.3 Subcontracting

If the Service Provider wishes to use another subcontractor (hereinafter referred to as “the subcontractor”) to carry out specific processing activities, it shall inform the Client in advance and in writing of any planned changes regarding the addition or replacement of other subcontractors. Such information shall clearly indicate the processing activities being subcontracted, the identity and contact information of the subcontractor and the dates of the subcontract. The Customer shall have a minimum of fifteen (15) days from the date of receipt of such information to present its objections. Such subcontracting may only be carried out if the Customer has not raised any objection within the agreed period.

The sub-processor is required to comply with the obligations of this Agreement on behalf of and as directed by the Client. It is the Provider’s responsibility to ensure that the sub-processor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. If the subsequent subcontractor fails to fulfill its data protection obligations, the Provider shall remain fully responsible to the Client for the other subcontractor’s performance of its obligations.

2.4. Right to information of Data Subjects

It is the Customer’s responsibility to provide information to Data Subjects at the time of data collection.

2.5. Exercise of the rights of the Data Subjects

The Provider undertakes to assist the Client, taking into account the nature of the processing, by implementing appropriate technical and organizational measures, to the fullest extent possible, in fulfilling its obligation to comply with the requests of Data Subjects (Please confirm/complete) who refer to it with a view to exercising their rights provided for in Chapter III of the GDPR. In particular, to the extent possible, the Provider will assist the Client in fulfilling its obligation to comply with requests to exercise the rights of Data Subjects: right of access, rectification, erasure and objection, right to limitation of processing, right to data portabilitý, right not to be subject to an automated individual decision (including profiling).

Where Data Subjects exercise requests to the Service Provider to exercise their rights, the Service Provider shall address such requests upon receipt by email to the person designated by the Client.

2.6. Notification of Personal Data Breaches

The Service Provider shall notify the Customer of any personal data breach as soon as possible after becoming aware of the breach, by email and by telephone. This notification shall be accompanied by any useful documentation to enable the Customer, if necessary, to notify the CNIL of the breach. The Customer is invited to provide the contact details of its Data Protection Officer.

2.7. Assistance from the Service Provider in the context of the Customer’s compliance with its obligations

If necessary, the Service Provider shall assist the Customer in carrying out the prior consultation with the supervisory authority, or in carrying out impact analyses relating to data protection.

2.8. Security measures

The Provider undertakes to implement the following security measures: ____ (e.g. pseudonymization and encryption of personal data and means to ensure the constant confidentiality, integrity, availability and resilience of processing systems and services).

2.9. Fate of the data

At the end of the Agreement or in the event of termination of the Agreement and at the option of the Client, the Service Provider undertakes to delete all personal data or return them to the Client, unless Union law or the law of the Member State requires the retention of personal data.

The return shall be accompanied by the destruction of all existing copies in the Provider’s information systems. Once destroyed, the Service Provider must provide the Client with written justification for the destruction.

2.10. Record of categories of processing activities

The Provider declares that it keeps a written record of all categories of processing activities carried out on behalf of the Client including:

– The name and contact details of the Client on whose behalf it is acting, any subsequent subcontractors and, if applicable, the Data Protection Officer;
– The categories of processing carried out on behalf of the Customer;
– Where applicable, transfers of personal data to a third country or to an international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second paragraph of Article 49(1) of the GDPR, documents attesting to the existence of appropriate safeguards ;
– To the extent possible, a general description of technical and organizational security measures including, inter alia, as appropriate:
◦ Pseudonymization and encryption of personal data;
◦ Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
◦ Means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
◦ A procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

2.11. Documentation

The Provider shall make available to the Client all information necessary to demonstrate compliance with the obligations set forth in this Schedule and to enable and assist in audits, including inspections, by the Client or another auditor appointed by the Client.

2.12. Customer’s Obligations

The Client agrees to:

– Provide the Provider with the following information: the nature of the operations performed on the personal data, the purpose(s) of the processing, the personal data processed, the categories of Data Subjects ;
– Document in writing any instructions regarding the processing of personal data by the Service Provider;
– Ensure, beforehand and throughout the processing, that the Provider complies with the obligations set forth in the GDPR;
– Supervise the processing of personal data, including conducting audits and inspections of the Provider.

2.13. Right to redress and liability of the Service Provider

Any Data Subject (Please confirm/complete) who has suffered material or non-material damage as a result of a breach of the GDPR has the right to obtain compensation from the Client or the Provider for the damage suffered.

The Client who participated in the processing is liable for the damage caused by the processing which constitutes a breach of the GDPR. The Provider shall only be liable for damage caused by the processing in the following cases:

– If the Provider acts outside of or contrary to the lawful instructions of the Client;
– If the Service Provider fails to comply with its obligation to assist the Customer in complying with its obligations (including notification of a data breach or conducting an impact assessment);
– If the Service Provider does not provide the Customer with information to demonstrate compliance or to conduct audits;
– If the Service Provider does not inform the Customer that an instruction would constitute a breach of the GDPR;
– If the Service Provider uses a subcontractor without prior written authorization from the Client, or if the subcontractor does not provide sufficient guarantees;
– If the Service Provider fails to comply with its obligation to keep a record of the categories of processing activities carried out on behalf of the Client.

The Customer or the Service Provider shall be exempt from liability if it proves that it is not responsible for the event that caused the damage to the Data Subject (please confirm/ complete).

If the Customer and the Provider are involved in the same processing and are both responsible for the damage caused by this processing, they shall each be held liable for the damage in its entirety in order to ensure that the Data Subject receives effective compensation. In the event of full compensation, the Provider or the Customer shall be entitled to claim from the other data controllers or processors involved in the same processing the portion of the compensation corresponding to their share of responsibility for the damage.