AMENITIZ SOLUTIONS (hereinafter "Amenitiz") protects the Personal Data processed through the implementation of appropriate technical, physical and organizational measures. Such measures ensure that Amenitiz provides its clients and employees with sufficient guarantees so that the processing meets the requirements of the regulations relating to the protection of Personal Data (hereinafter the "Regulations"), including in particular the General Regulation on the Protection of Personal Data 2016/679 adopted on April 27, 2016 (hereinafter the "GDPR"), and thus guarantees the protection of the rights of the Data Subject.
Under this Agreement, Subscriber acts as the Data Controller and Amenitiz acts as the Data Processor as supplier/service provider.
Capitalized terms not defined below shall be interpreted in accordance with the definition given to them in Article 4 of the GDPR.
Roles and Obligations - The obligations of the Data Controller and the Data Processor are defined within this Agreement.
Limitation of Processing - The Data Processor and any person acting under its authority who has access to Personal Data will only process Personal Data on the documented instructions of the Data Controller, unless it is legally required to do so.
Processing Instructions - The Data Processor shall only process Personal Data upon documented instruction from the Data Controller and in accordance with this Agreement. The instructions shall include, among other things, the purpose and duration of the Processing, its nature and purposes, the type of Personal Data and the categories of Data Subjects, the rights and obligations of the Data Controller. The Data Controller shall provide the Data Processor with sufficiently clear instructions. The Data Processor shall immediately inform the Data Controller if any of its instructions appear to constitute a breach of the Regulations.
Sensitive Data - Where the Data Controller requests the Data Processor to process Sensitive Data, the Data Controller shall be responsible for defining the measures to be implemented in this respect and for ensuring that the Processing complies with the Regulations and any other applicable law. In any case, when processing Sensitive Data as a data processor, the Data Processor shall not be required to ensure that the Processing has a legal basis that complies with the Regulations and shall not be liable in this respect as this is an obligation of the Data Controller.
Compliance with the Regulations - Each of the Parties undertakes to comply with the principles and obligations set out in the Regulations, that is the GDPR and any other applicable data protection law, whether acting as a Data Controller or as a Data Processor, respectively.
Data Processor’s workforce - The Data Processor shall ensure that any person under its control has received specific training appropriate to their duties and provide evidence of this training to the Data Controller upon request. The Data Processor guarantees that the persons authorized to process Personal Data are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality, and that evidence of this is available if requested by the Data Controller to demonstrate compliance with the GDPR.
Termination - Unless Regulations require the retention of Personal Data and subject to a written request from the Data Controller, retained Personal Data shall, at the option of the Data Controller, be deleted, returned by the Data Processor at the end of the contract between the Parties or provided to another Data Processor designated by the Data Controller. The Data Controller acknowledges that such operations (1) will be strictly limited to the Personal Data retained by the Data Processor at the time of the request and provided by the Data Controller and (2) will take into account the safeguarding requirements, policies and standards regarding security.
Location of the Processing of Personal Data - The Personal Data subject to Processing must be processed:
The Data Processor takes all necessary measures for the security of the Personal Data and follows the instructions communicated by the Data Controller. The Data Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Breach of Personal Data - The Data Processor shall notify the Data Controller of any breach of Personal Data as soon as possible. The notification referred to above shall at a minimum:
Data Protection Impact Assessments - Taking into account the nature of the Processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller when the Data Controller considers that a data protection impact assessment is necessary in view of the nature, scope, context and purposes of the Processing.
Exercise of Data Subjects' Rights - When the Data Controller receives a request from a Data Subject wishing to exercise his or her rights and whose Personal Data is or has been processed by the Data Processor, it shall inform the Data Processor as soon as possible, so that the Data Processor may be in a position to provide the Data Controller with the assistance required to process such request. The Data Controller will inform the Data Processor of the request in writing.
When the Data Processor receives a request from a Data Subject wishing to exercise his or her rights, it shall inform the Data Controller in writing. In accordance with the Regulations, the Data Controller is liable for handling such request. The Data Processor is only liable for following the additional instructions of the Data Controller on how to deal with the request.
Information to the Data Subjects - The Data Controller, at the time of collection of the Personal Data, must provide the Data Subjects of the Processing operations with information regarding the Personal Data Processing.
Information and documentation - The Data Processor shall make available to the Data Controller all information necessary to demonstrate its compliance with the Regulations and this Agreement.
Audit of Sub-processors - In addition, the Data Processor shall be entitled to conduct, subject to reasonable notice and in any event not more than once a year, unless specific circumstances require additional audits (e.g. request of a competent data protection authority or a similar circumstance), at its expense, audits to assess its compliance or the compliance of its Sub-processors with the Regulations and this Agreement.
| PART I - Description of the Processing Activity(ies) | ||
|---|---|---|
| Purpose of the Processing | Legal basis of the processing | Sub-purposes |
| Provision of the Services provided by Amenitiz Solutions to Subscribers. | This Data Processing Agreement. | [TO BE COMPLETED BY AMENITIZ] |
| List of Authorized Subcontractors | [TO BE COMPLETED BY AMENITIZ] | |
| PART II - DATA COLLECTION MEANS AND OPERATIONS | ||||
|---|---|---|---|---|
| Categories of Affected Persons | ||||
| ☑ Employees of the Data Controller ☑ Customers and prospects of the Data Controller Other: | Employees of the Subcontractor Employees of the Subcontractor Clients and prospects of the Subcontractor Other: | ☑ Children and other vulnerable groups, if processed by the Controller when using the Services. People with disabilities, if processed by the Controller when using the Services. Other: | ||
| Category of Personal Data | Description | Shelf life | ||
| ☑ Identification data | ☑ Name, ☑ First name, ☑ Identity card, passport number ☑ Email ☑ Phone Photo of the person concerned ☑ Mailing address Video of the person concerned Gender Other: | |||
| Privacy data | Lifestyle Family situation CV Pedagogical File Information on social protection Other: | |||
| ☑ Economic and financial data | Payment data Income / salary Financial situation ☑ Invoices Credit card data RIB/ IBAN Other: | |||
| ☑ Technical and connection data | ☑ IP address Logs Device identity data Other: | |||
| Dynamic location data | Motion data Geolocation GPS coordinates Other: | |||
| ☑ Sensitive data - Specific data | Political Opinion Biometric Data Genetic Data Ethnic or racial origin Religious or philosophical belief Union membership Life or sexual orientation Health-related data Criminal record ☑ ID number | |||
| PART III - TRANSFER OF PERSONAL DATA | |||
|---|---|---|---|
| Transfer of personal data to recipients in third countries or international organizations (outside the EEA) | |||
| Data is not transferred outside the EU | Data is transferred outside the EU to the Subcontractor's subsidiaries | Data is transferred outside the EU to third party organizations | |
| Recipient of the data | Country | Goal / Objective | Legal framework |
| N/A | N/A | N/A | N/A |