Service provider data protection addendum
The conditions relating to the protection of personal data (the "Appendix") are agreed between the entity ESI and the SERVICE PROVIDER, both designated in the Agreement.
This Appendix does not apply to Services that do not process personal data.
ARTICLE 1 - SCOPE AND HIERARCHY OF DOCUMENTS
The Appendix applies to the processing of personal data carried out by the SERVICE PROVIDER acting as a processor for ESI in relation to the services provided (the "Services") under the Agreement.
The Appendix consists of these contractual terms and conditions and its Annexes. It forms an integral part of the Agreement. In the event of any conflict within the Appendix, the Annexes to the Appendix shall prevail over the contractual terms of the Appendix. In the event of any conflict between the Agreement and the Appendix, the Appendix shall prevail over the Agreement.
The Appendix describes the rights and obligations of the SERVICE PROVIDER and ESI with regard to the protection of personal data for the processing operations described in Annex I of the Appendix. All other rights and obligations relating to the Services are governed exclusively by the Agreement.
ARTICLE 2 - COMPLIANCE WITH THE LAW
The SERVICE PROVIDER and ESI will comply with the laws and regulations on the protection of personal data directly applicable to the Services.
The SERVICE PROVIDER is responsible for its compliance with the regulations as a processor of ESI within the meaning of the said applicable regulations. For its part, ESI is considered to be the data controller within the meaning of the aforementioned applicable regulations.
ARTICLE 3 - DURATION AND TERMINATION
The Appendix has the same duration as the Agreement.
Upon expiry of the Appendix, and unless otherwise agreed between the Parties to the Appendix, the SERVICE PROVIDER will delete all personal data made available to it or obtained or generated by it on behalf of ESI in the context of the Services.
ARTICLE 4 - PROCESSING DETAILS
Details of the processing operations carried out by the SERVICE PROVIDER, including the subject matter of the processing, its nature and purpose, the types of personal data processed and the categories of data subjects, are set out in Annex I of the Appendix.
ARTICLE 5 - DOCUMENTED INSTRUCTIONS
The SERVICE PROVIDER will only process Personal Data in accordance with ESI's documented instructions. The Agreement and the Appendix constitute ESI's documented instructions to the SERVICE PROVIDER for the processing of Personal Data.
Any additional or alternative instructions must be agreed in writing between the Parties.
ARTICLE 6 - CONFIDENTIALITY OF PROCESSING
The SERVICE PROVIDER will ensure that the staff responsible for processing personal data:
- preserves the confidentiality of said data,
- processes the said data in the manner described in the documented instructions (referred to above),
- has received appropriate training in the protection of personal data.
ARTICLE 7 - TECHNICAL AND ORGANISATIONAL MEASURES
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying probability and seriousness for the rights and freedoms of natural persons, the SERVICE PROVIDER implements the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk linked to the performance of the Services.
The technical and organizational measures implemented by the SERVICE PROVIDER for this purpose are described in Annex II of the Appendix.
The technical and organizational measures are subject to the state of the art and therefore to technical progress. As a result, the SERVICE PROVIDER is entitled to implement appropriate alternative measures, as long as the level of security of the measures is maintained.
For its part, ESI is responsible for implementing and maintaining appropriate technical and organizational measures for the items it provides or controls, such as implementing physical and system access control measures for its own premises, assets and IT systems or configuring the Services to ESI's individual requirements.
ARTICLE 8 - SUBSEQUENT SUBCONTRACTING
The SERVICE PROVIDER acknowledges and accepts that it may not call upon a subsequent sub-contractor (hereinafter referred to as the "Subsequent Sub-Contractor") to process ESI's personal data without having first obtained ESI's explicit written authorization.
In the event of authorization being granted in accordance with the preceding provision, the SERVICE PROVIDER undertakes to impose on the Subsequent Sub-Contractor the same level of protection of personal data as that initially agreed between ESI and the SERVICE PROVIDER, in accordance with the requirements of the general data protection regulation (GDPR) and applicable data protection laws.
The SERVICE PROVIDER remains fully responsible for all the activities of the Subsequent Sub-Contractor with regard to the processing of ESI's personal data. The SERVICE PROVIDER undertakes to indemnify and hold harmless ESI for any breach by the Subsequent Sub-Contractor of any legal or contractual obligations relating to the Appendix.
ARTICLE 9 - INTERNATIONAL DATA TRANSFERS
Transfer of personal data within the EU and the EEA or to a country recognized as adequate by the EU
In the event of a transfer of personal data:
- (i) within the EU or EEA or
- (ii) to a country recognized as adequate by the EU (i.e. covered by an adequacy decision)
between the SERVICE PROVIDER and ESI or between the SERVICE PROVIDER and its Subsequent Sub-Contractor, the protection of personal data is governed by the European regulations applicable to personal data: the European General Data Protection Regulation.
The transfer of personal data will therefore be subject to the provisions of the Appendix and the Agreement.
Transfer of personal data from the EU to a country outside the EU or the EEA without an adequacy decision
Data controllers and processors may transfer data outside the European Union ("EU") and the European Economic Area ("EEA") provided that they ensure a sufficient and appropriate level of data protection.
Any transfer of personal data made in such a case will be subject to the Standard Contractual Clauses adopted by the European Commission (the "CCTCE"), which provide the appropriate safeguard for such a transfer of personal data.
Data transfers between the SERVICE PROVIDER and ESI :
If the SERVICE PROVIDER, a party to this Appendix and the Agreement, is located outside the EEA or outside a country subject to an adequacy decision, then ESI and the SERVICE PROVIDER hereby enter into Module 2 of the CCTCE.
If ESI itself acts as a processor (subsequent sub-contractor) on behalf of its own authorized data controllers, the Parties hereby also enter into Module 3 of the CCTCE.
To this end, the standard contractual clauses available for Modules 2 and 3 at the European Commission's address https://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=CELEX:32021D0914 are incorporated into the Appendix by reference. It is understood between the Parties that the optional clauses and articles do not apply within the framework of the Appendix.
Annexes I, II and III of the Appendix constitute respectively Annexes I to III of the CCTCE.
The Parties agree on the following details:
- Optional Clause 7 of the CCTCE (the "docking clause") is not incorporated herein;
- Option 1 of Clause 9 (specific prior authorisation of sub-processors) applies;
- The optional wording of Clause 11 of the CCTCE is not incorporated herein;
- In accordance with Clause 17 of the CCTCE, the Parties agree that the CCTCE shall be governed by French law and select Option 2 to this effect;
- Under Clause 18 of the CCTCE, the data exporter and data importer agree that any dispute will be resolved by the French courts. The term "Member State" as used in the CCTCE shall not be interpreted so as to exclude data subjects in Switzerland from asserting their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the CCTCE.
Transfer of data between the SERVICE PROVIDER and its Subsequent Sub-Contractor:
It is the responsibility of the SERVICE PROVIDER to conclude with its Subsequent Sub-Contractor the CCTCE covering the relevant processing activities for the Services concerned.
Without prejudice to the legal rights of the persons concerned, the limitations of liability contained in the Appendix also apply to the liability of the SERVICE PROVIDER and its Subsequent Sub-Contractor to ESI under the CCTCE.
ARTICLE 10 - RIGHTS OF THE PERSONS CONCERNED
Insofar as permitted by law, the SERVICE PROVIDER will inform ESI as soon as possible and at the latest within two working days if the SERVICE PROVIDER receives a request from a data subject with a view to exercising his/her rights (such as the right of access, rectification, erasure or restriction of processing).
Taking into account the nature of the processing and the information available to the SERVICE PROVIDER, the SERVICE PROVIDER will reasonably assist ESI with appropriate technical and organizational measures, as far as possible, to fulfil ESI's obligation to respond to requests to exercise the data subject's rights.
ARTICLE 11 - REQUESTS FOR ACCESS FROM THIRD PARTIES
If the SERVICE PROVIDER receives an order from a third party to disclose ESI's personal data, the SERVICE PROVIDER:
- will endeavor, as far as possible, to redirect the third party to request the data directly from ESI;
- will promptly notify ESI, unless prohibited from doing so by applicable law, and, if prohibited from notifying ESI, will use all lawful efforts to obtain a waiver of the prohibition in order to provide as much information as possible to ESI in a timely manner;
- will use all legitimate and reasonable efforts to challenge the disclosure order on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflict with applicable law.
ARTICLE 12 - LAWFULNESS OF DATA COLLECTION
The SERVICE PROVIDER guarantees to ESI that the collection of the personal data transmitted to ESI as a result of the Services under the Agreement has been carried out in strict compliance with the applicable regulations. The SERVICE PROVIDER guarantees to ESI the lawfulness of the collection of such personal data (in particular as regards compliance with Articles 13 and 14 of the GDPR), including where the data were collected by a data controller with whom the SERVICE PROVIDER has concluded a written agreement.
Consequently, the SERVICE PROVIDER indemnifies ESI against any action, claim, demand or objection from any person invoking a right under the applicable regulations, or brought on another legal basis such as property law or any other private right or right attached to the person, which the performance of the Agreement may have infringed.
To this end, the SERVICE PROVIDER undertakes to intervene voluntarily, if necessary, in any proceedings instituted against ESI and relating to personal data transmitted in the course of the Services.
Accordingly, the SERVICE PROVIDER undertakes to reimburse ESI for any damages or compensation that the latter may pay to a third party, pursuant to a settlement, arbitration award or court decision, on the basis of the unlawful collection or use, infringement or otherwise, of personal data transmitted to ESI.
In addition to the aforementioned damages or compensation of any nature whatsoever, legal costs, lawyers' fees and experts' fees will also be reimbursed.
ARTICLE 13 - PERSONAL DATA BREACH
The SERVICE PROVIDER will inform ESI without undue delay as soon as it becomes aware of a breach affecting ESI's personal data.
"Breach" means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The SERVICE PROVIDER will reasonably assist ESI in complying with its obligations in relation to personal data breaches in accordance with applicable data protection legislation and will take necessary and reasonable remedial action.
ARTICLE 14 - AUDITS
Without prejudice to any mandatory audit right provided for by the law applicable to the protection of personal data, ESI has the right to verify, by appropriate means, the compliance of the SERVICE PROVIDER and its Subsequent Sub-Contractor with their obligations regarding the protection of personal data. These audits are limited to the information and personal data processing systems that are relevant to the provision of the Services to ESI and are limited to one audit per year.
In order to satisfy ESI's mandatory right of audit, the SERVICE PROVIDER and its Subsequent Sub-Contractor may call upon auditors (internal or external) to carry out audits in order to verify compliance with the obligations regarding the protection of personal data. Each audit gives rise to the drafting of an audit report ("Audit Report"). At ESI's request, the SERVICE PROVIDER will provide the relevant Audit Reports for the Services concerned.
ESI accepts that these Audit Reports are used primarily to respond to the exercise of ESI's right of audit as provided for in this article.
The SERVICE PROVIDER will authorize audits in addition to these Audit Reports, including on-site audits at the SERVICE PROVIDER's facilities and premises by ESI or by an independent and accredited third party (the "Additional Auditors"), during normal business hours, with reasonable notice from ESI (at least four working days).
The Audit Reports and any other information or documentation provided in the course of an audit constitute confidential information and may only be provided to the Additional Auditors under confidentiality obligations substantially equivalent to the confidentiality obligations contained in the Agreement and the Appendix.
ANNEX I OF APPENDIX 3 - DESCRIPTION OF PROCESSING OPERATIONS
(and, where applicable, Annex I of the CCTCE)
This Annex specifies the processing operations provided for in the Appendix (including, but not limited to, the subject matter of the processing, its nature and purpose, the types of personal data and the categories of data subjects).
A. LIST OF PARTIES
ESI (and, where the standard contractual clauses apply, the data exporter):
Name, address and name, position and contact details of the contact person: The name and address of ESI and the contact details of a contact person are set out in the Agreement.
The contact point for questions relating to data protection is the ESI GROUP Data Protection Officer: dataprotection [at] esi-group.com
Role (controller/processor): ESI acts as controller for the processing activities provided by the SERVICE PROVIDER to ESI and, where applicable, as processor under the instructions of its own data controllers.
The SERVICE PROVIDER (and, where the standard contractual clauses apply, the data importer):
Name, address and name of contact person, function and contact details: The SERVICE PROVIDER providing the processing services hereunder is the entity specified in the Appendix.
The contact point for questions relating to data protection is the Data Protection Officer: xxxx
Role (controller/processor): The SERVICE PROVIDER acts as a processor of personal data on behalf of ESI and, where applicable, ESI's other data controllers.
B. DESCRIPTION OF TRANSFER/PROCESSING OPERATIONS
Categories of data subjects whose personal data are transferred/processed
The data subjects are as follows:
- ESI employees,
- ESI's suppliers and service providers,
- ESI's customers
- [...].
CATEGORIES OF PERSONAL DATA TRANSFERRED
The personal data transferred/processed concern the following categories of personal data:
- contact and user information, including name, address, telephone number, e-mail address and time zone;
- system access, usage, authorization data, operating data and any system log files containing personal or other usage-specific data [.....]; and
- where applicable, other personal data determined by ESI (and its other data controllers where applicable) by uploading or otherwise providing access thereto through the Services.
- [...].
SENSITIVE DATA TRANSFERRED (IF APPLICABLE)
The Services are not intended for the processing of sensitive personal data. ESI (and its other data controllers where applicable) will not pass on, directly or indirectly, such sensitive personal data to the SERVICE PROVIDER.
THE FREQUENCY OF THE TRANSFER (FOR EXAMPLE, WHETHER THE DATA IS TRANSFERRED ON A ONE-OFF OR CONTINUOUS BASIS)
If the Service provided involves the provision of professional services (as specified below), the SERVICE PROVIDER may only access personal data in connection with the provision of the Service in question, unless otherwise specified in the Appendix.
NATURE OF THE PROCESSING AND PURPOSE(S) OF THE TRANSFER AND FURTHER PROCESSING OF THE DATA
Subject to prior, written and specific authorization, the SERVICE PROVIDER and its Subsequent Sub-Contractor will process personal data for the proper performance of the Services provided for in the Appendix.
HOW LONG THE PERSONAL DATA WILL BE KEPT OR, IF THIS IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THIS PERIOD.
Personal data is kept for the duration of the Agreement.
ESI may correct, delete or restrict the processing of personal data. The SERVICE PROVIDER may also correct, delete or restrict the processing of personal data in accordance with ESI's instructions.
FOR TRANSFERS TO THIRD-PARTY PROCESSORS, ALSO SPECIFY THE PURPOSE, NATURE AND DURATION OF THE PROCESSING.
The purpose, nature and duration of the processing are specified in Annex III of the Appendix.
C. WHERE THE CCTCE APPLIES: COMPETENT SUPERVISORY AUTHORITY
Where the CCTCE applies, the supervisory authority responsible for ESI acts as the competent supervisory authority under the CCTCE. A list of EU supervisory authorities is available at the following address: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
ANNEX II OF APPENDIX 3 - TECHNICAL AND ORGANISATIONAL MEASURES
(and, where applicable, Annex II of the CCTCE)
This document describes the technical and organizational measures implemented by the SERVICE PROVIDER to protect the processing of personal data:
The following main technical and organizational measures:
- access and rights management:
- access to personal data is restricted to those who need it to carry out their duties;
- access control mechanisms such as strong passwords, password rotation policies and two-factor authentication;
- encryption of personal data, particularly when transmitted over networks or stored on physical media;
- security incident management and security incident response plans, including procedures for notifying and managing personal data breaches;
- staff training and awareness-raising on data protection principles, good information security practices and the consequences of non-compliance with the GDPR;
- risk assessment and implementation of risk mitigation measures;
- data retention policies;
- physical security measures to protect the premises where personal data is stored, such as alarm systems, access controls and surveillance cameras;
- management of service providers via data processing agreements to define the responsibilities of each party
- [....]
ANNEX III OF APPENDIX 3 - LIST OF APPROVED SUBSEQUENT SUB-CONTRACTORS
(and, where applicable, Annex III of the CCTCE)
No Subsequent Sub-Contractor is authorized at present.
Any request to use a Subsequent Sub-Contractor must follow the provisions of the Appendix.
ANNEX IV OF APPENDIX 3: NATIONAL LEGAL SPECIFICITIES
UNITED KINGDOM
For transfers of personal data from the UK, the CCTCE will apply subject to the following changes:
- the CCTCE is amended as specified in Part 2 of the International Data Transfer Addendum to the European Commission's standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as it may be amended or replaced from time to time (the "UK Addendum");
- the information set out in Tables 1 to 3 of Part 1 of the UK Addendum corresponds respectively to that set out in the Appendix and the Agreement (as the case may be); and
- Table 4 of Part 1 of the UK Addendum is completed by selecting "neither party".
UNITED STATES
If the SERVICE PROVIDER processes personal data of US residents, it makes the following additional undertakings to ESI: the SERVICE PROVIDER will process the personal data on behalf of ESI and will not retain, use or disclose it for any purposes other than those set out in the Agreement and the Appendix, except as otherwise permitted by US data protection law.
These additional terms do not limit or reduce the SERVICE PROVIDER's obligations to ESI with respect to the protection of personal data under the Appendix or the Agreement entered into between ESI and the SERVICE PROVIDER. The SERVICE PROVIDER hereby certifies that it understands the restrictions contained herein and that it will comply therewith.
BRAZIL
Each Party undertakes to :
- comply with its obligations under the Brazilian General Data Protection Law, No. 13.709 of 2018 (Lei Geral de Proteção de Dados Pessoais) ("LGPD");
- keep a register of the personal data processing operations it carries out;
- appoint a Data Protection Officer; and
- adopt security, technical and administrative measures to protect personal data against unauthorized access and against accidental or unlawful destruction, loss, alteration, disclosure or any form of inappropriate or unlawful processing, including applicable minimum technical standards as defined by the national authority.
To the extent that ESI transfers personal information from Brazil to the SERVICE PROVIDER, established outside Brazil, the SERVICE PROVIDER will comply with the principles, data subject rights and data protection regime set out in the GDPR, unless the Parties can rely on another mechanism or basis for transfer under data protection laws.