SUBCONTRACTING AGREEMENT FOR PROCESSING PERSONAL DATA
BETWEEN THE UNDERSIGNED:
Archireport
Simplified joint stock company with a capital of €49,210
Whose head office is located at 61 Rue Jean Guéhenno, 35700 Rennes, France, registered with the Rennes Commercial Registry Office (RCS) under number 531 980 605
Hereinafter referred to as “Archireport”
The User of the Archireport program
Hereinafter referred to as the “Client”
The undersigned are hereinafter referred to individually as the “Party” or collectively as the “Parties”.
1 – Purpose
This agreement (hereinafter the “Agreement”) sets out the terms and conditions under which Archireport undertakes to carry out the personal data processing operations defined below, on behalf of and in accordance with the instructions of the Client.
The Parties undertake to comply with the regulations applicable to the processing of personal data and in particular the French Data Protection Act of 6 January 1978 and the European Data Protection Regulation (hereinafter referred to as the “GDPR”).
2 – Description of the processing
The Client, as the data controller, authorises Archireport to process on its behalf the personal data required to provide the following service(s): keep track of construction site works using the Archireport application and, more generally, any use of the Application or the Site.
The personal data processed are the following:
- Client project information (name, address), client and service provider contact information (first name, last name, email, phone number and address).
The operations performed on personal data are:
- Storage/inclusion in a database, analysis, anonymisation.
The purpose of processing this personal data is to:
- Enable construction site monitoring and the management of the project via the Application or the Site;
- Manage client data and projects;
- Restore client projects;
- Manage access to and use of certain services available on the Site and/or the Application;
- Carry out operations relating to client management concerning contracts, orders, deliveries, invoices, loyalty programmes, and customer relationship management;
- Establish a file of registered members, users, and clients;
- Comply with our legal and regulatory obligations.
The persons concerned by the processing of their personal data (the data subjects) are the following: clients and contractors of the Client’s projects.
3 – Duration of the subcontracting
The subcontracting undertaken will take effect from the time the Client account is set up on the Site or in the Application and will last for the entire duration of use of the Site and the Application.
4 – Archireport’s obligations
4.1. Obligations regarding the processing of personal data
Archireport undertakes to carry out the subcontracting services provided for in this Agreement, in accordance with the obligations set out below, and in particular:
- To process the data exclusively for the purposes mentioned in Article 2 of this Agreement;
- To process personal data in accordance with the documented instructions from the Client as provided in Article 8 of this Agreement. In addition, Archireport undertakes to inform the Client immediately if it considers that any of its instructions constitute a breach of the legislation relating to the protection of personal data and in particular of the GDPR. In the event that Archireport is required to transfer data to a third country or an international organisation, by virtue of the law of the European Union or the law of the Member State to which it is subject, it must inform the Client of this prior to any processing, unless the law concerned prohibits such information for reasons of public interest;
- To put in place all measures required to guarantee the confidentiality of the personal data processed. This obligation of confidentiality is extended to all persons authorised to process the personal data covered by this Agreement. To this end, the designation of persons authorised to process personal data must be strictly limited to the requirements linked to the execution of this Agreement and they must receive training on the protection of personal data;
- To take into account the principles of data protection by design and data protection by default for its tools, products, applications and/or services.
Archireport undertakes to put in place the following security measures:
(i) Organisational security measures
- Two administrators within Archireport are able to provide access to the platform by entering the authorised IP addresses.
(ii) Technical security measures
- Pseudonymisation and encryption of personal data. We only have access to the hash of our clients’ passwords.
- Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services:
  - Confidentiality: access to our database administration interface is restricted to a list of IP addresses.
  - Integrity: automatic backups of our databases are performed frequently and automatically.
  - Availability: client data can be exported in JSON format upon request.
  - Resilience: data can be restored within an hour.
- Means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident:
  - In the event of a minor incident, a backup of our server can be restored on the fly within 15 minutes. In the event of a more incapacitating event, a database backup exists at a different service provider to ensure the resilience of client data.
- A procedure to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the security of processing:
  - We organise an annual security audit by SEKOIA (a company in the process of obtaining PASSI certification, see the ANSSI website), which guarantees a high level of security for our users and their data.
Once the service relating to the processing of personal data has been completed, Archireport undertakes to:
- Delete all personal data processed on behalf of the Client within the time limits defined in the CHARTER GOVERNING THE PROTECTION OF USERS’ PERSONAL DATA.
4.2. Obligations regarding data subjects’ rights
- Information to be given to the data subjects:
The persons whose personal data is processed must be informed at the time of collection. It is the Client’s responsibility as the data controller to provide all the information to be sent to the data subjects, in accordance with the provisions of Article 13 of the GDPR.
- Exercise of data subjects’ rights:
In accordance with the provisions of the GDPR, the Client is obliged to comply with requests to exercise the rights of the data subjects, namely the right of access, the right to rectification, the right to erasure, the right to object, the right to restriction of processing, the right to data portability and the right not to be subject to an automated individual decision.
To ensure the exercise of these rights, Archireport is required to implement all possible measures to help the Client fulfil its obligations.
If a data subject submits a request to Archireport to exercise their rights, Archireport must forward the request to the Client upon receipt. This must be done by sending an e-mail to the following address: dpo@archireport.com.
4.3. Obligations towards the Client
- Notification of personal data breaches
The GDPR requires that personal data breaches be notified to the competent authority as soon as possible and no later than 72 hours after becoming aware of them.
In order to comply with this obligation, Archireport will notify the Client of any personal data breach within a maximum of 72 hours after becoming aware of it. This notification will be accompanied by any useful documentation in order to determine the nature, extent and impact of the breach on the data subjects, and to enable the Client to notify the competent authority of the breach. The notification may be made by Archireport subject to the prior agreement of the Client.
The notification will contain, at the very least:
(i) A description of the nature of the personal data breach including, if possible, the categories and approximate number of individuals affected and the categories and approximate number of personal data records;
(ii) The name and contact details of the Data Protection Officer or other contact;
(iii) A description of the likely consequences of the personal data breach;
(iv) A description of the measures taken or that the Client wishes to take to remedy the personal data breach, including, if applicable, measures to mitigate any negative consequences.
The GDPR also requires that data subjects be informed of a data breach, if the breach is likely to result in a high risk to the rights and freedoms of an individual.
This notification must be written in clear and simple terms, and must contain all the information mentioned above. Archireport may give such notice with the consent of the Client and acting on behalf of the Client.
- Client support
If necessary, Archireport will help the Client to conduct an impact assessment and with the prior consultation of the supervisory authority.
Archireport will provide the Client with any documentation required to demonstrate compliance with its obligations and to enable audits and/or inspections to be carried out.
- Data Protection Officer
If Archireport appoints a Data Protection Officer, it will inform the Client of the DPO’s name and contact details.
5 – The Client’s obligations
The Client undertakes to:
- Provide Archireport with all the data referred to in Article 2 of this Agreement;
- Document in writing any instructions regarding the processing of personal data by Archireport;
- Ensure that Archireport complies with all GDPR requirements and supervise the processing, including carrying out the necessary audits and inspections of Archireport.
6 – Subcontracting
Archireport may call upon a subcontractor (hereinafter referred to as the “Subsequent Subcontractor”) exclusively for the following processing: storage/integration in a database.
Any Subsequent Subcontractor will be bound by the obligations set out in this Agreement. The processing for which it is responsible will be carried out on behalf of and in accordance with the instructions of the Client.
Archireport guarantees that the Subsequent Subcontractor implements the necessary technical and organisational measures to ensure the security of the personal data processed and compliance with the legislation on the protection of personal data.
7 – Records of processing activities
In accordance with the provisions of Article 30 of the GDPR, Archireport must keep records of the processing carried out on behalf of the Client, including in particular:
- The name and contact details of the Client on whose behalf it is acting, of any subcontractors and, if applicable, of the Data Protection Officer;
- The categories of processing carried out on behalf of the Client;
- Where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documents attesting to the existence of suitable safeguards;
- As far as possible, a general description of the technical and organisational security measures, including, as appropriate:
  - Pseudonymisation and encryption of personal data;
  - Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
  - Means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  - A procedure to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the security of processing.