Data Processor Agreement
Eventtia
Eventtia shall from time to time have to process personal data for which the Client shall be the data controller; in so doing, it shall act solely based on the Client’s instructions, in keeping with its role as a data processor, as per the meaning of this term under the applicable data protection regulations.
However, the signatory of this Contract, Eventtia Inc., a company incorporated in the USA, does not have any team or personnel located in the United States that can access this personal data. Indeed, all the operations performed on the Client’s personal data shall be performed by Eventtia’s French subsidiary, which is located in France, or by Eventtia SAS, which is located in Colombia, or by the service providers of Eventtia, as described more extensively below.
For the purposes of this contract, the terms “processing”, “data controller”, “data processor”, “data subjects” and “personal data” shall have the meaning imparted to them by EU Regulation no. 2016/679 of the European Parliament and of the European Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”).
1. Description of the processing of personal data by the data processor
Provision of an event management platform;
Gathering and management of the personal data of the persons who take part in the Client’s events;
Issuing notifications and handing out of questionnaires to the persons who take part in the events.
Types of data processing operations performed: gathering, storage, viewing, communication and erasure.
Types of personal data processed: identification data, contact data, responses to questionnaires and feedback on the events managed by the Client, connection data.
Categories of data subjects: persons who take part in the events organised by the Client.
Duration of the processing tasks entrusted to the data processor: duration of the contract + any time required for restitution of the personal data, or as of the destruction of the data by the Client, which may occur at any point in time. The Client shall be responsible for compliance with the periods of retention that are applicable to the data processing tasks that are contracted out, by deleting said data on time.
2. General obligations of Eventtia vis-à-vis the Client in its capacity as data processor, under the GDPR
In its capacity as a data processor, Eventtia undertakes to deploy all the measures that are needed to enable the Client to comply with its obligations under the GDPR and all other applicable data protection regulations.
Eventtia shall keep the personal data solely throughout the duration of the Contract, and at the Client’s request, it shall destroy or return the data to the latter upon termination of the Contract, unless Eventtia is legally bound to keep it.
The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In such a case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
In this respect Eventtia undertakes:
To process the personal data involved only insofar as this is necessary to provide the services stipulated by the Contract, and in general, to only act pursuant to the written and documented instructions of the Client;
To immediately inform the Client if any of its instructions constitutes a violation of the applicable data protection regulations and to suspend the performance of this instruction until confirmation or modification of the instruction by the Client;
To ensure that the persons that are authorised to access the personal data are aware of the instructions of the Client and undertake to only process this data strictly in keeping with these instructions;
To ensure that the persons that are authorised to access the personal data are given the requisite training in terms of data protection;
Not to grant, lease, transfer or otherwise disclose all or part of the personal data to any person, even free of charge, and in general, not to use the personal data for any purposes other than those that are mentioned in the Contract;
Where applicable, to help the Client to perform data protection impact analyses;
Where applicable, to help the Client with its mandatory prior consultation of the regulator.
3. Further subcontracting of data processing tasks / Transfers of data outside Europe
In order to provide the services stipulated by the Contract, Eventtia may also call upon certain third-party service providers which may have access to the Client’s personal data as part of their activity.
The services provided by these service providers are necessary for the operation of the Application, and include hosting the data, routing e-mails, managing connection logs and, in general, providing help and technical support to the users of the Application.
Some of Eventtia’s service providers, and the Colombian subsidiary of Eventtia, are located in countries outside the European Economic Area, specifically in the United States and in Colombia. Under such circumstances, the Client hereby mandates Eventtia to sign for and on its behalf with the companies involved, the standard contractual terms approved by the European Commission that provide a framework regulating the transfer of personal data to a country located outside the European Economic Area.
In accordance with the GDPR, these subsidiaries of Eventtia and these service providers shall be deemed to be acting as data processors on behalf of Eventtia.
Eventtia may call upon another subcontractor in the course of the Contract (the “subsequent data processor”) to perform specific data processing activities. In that case, Eventtia shall inform the Client beforehand and in writing about any planned change involving the addition or the replacement of other data processors. This notification must clearly state the processing activities that shall be subcontracted, the identity and the contact details of the subsequent data processor and the key dates of the subcontracting agreement. The Client shall have one (1) month as of the date of receiving this information to raise any objections. The subcontracting arrangement may only proceed if the data controller shall not have raised any objections during the abovementioned timescale.
Eventtia shall ensure that any subsequent data processor shall offer the same, sufficient guarantees regarding the implementation of appropriate technical and organisational measures so as to ensure that the data processing meets the requirements of the GDPR. Eventtia shall be fully liable to the Client for the performance of its obligations by any other data processor.
4. The data subjects’ right to be informed and the exercising of their rights
If at all possible, Eventtia shall help the Client to discharge its obligation to handle the requests of data subjects wishing to exercise their rights: right of access, rectification, erasure and opposition, right to limit the processing of one’s personal data, right of data portability, right not to undergo an automated individual decision (including profiling). Should any data subjects send requests to Eventtia regarding the exercising of their rights, Eventtia shall forward these requests upon receiving them to the Client by electronic mail to the address stated in the Quote.
5. Notification of data violations
6. Security measures in connection with the processing of personal data
Eventtia shall moreover implement the following specific measures to ensure the security of the personal data entrusted by the Client:
– encryption of all transfers of data,
– monitoring the activity of the Application thanks to a system of logs and analyses,
– testing the Application by the service providers of Eventtia in order to check its security (penetration tests, security scans, threat detection, etc.),
– reviewing the codes and change management procedures to check the compliance of any changes with the security procedures,
– encrypting all passwords,
– positioning the servers in secure facilities that ensure:
encryption of the data that is hosted,
measures designed to achieve permanent confidentiality, integrity, availability and resilience of the data processing systems and services,
measures that provide a means of re-establishing the availability of the personal data and access to said data within appropriate timescales, and at most within twenty four hours, in case of a physical or technical incident,
procedures designed to regularly test, analyse and assess the effectiveness of the technical and organisational measures to ensure the security of any data processing.
7. Assistance and Audit
However, these audits shall be conducted at the expense of the Client and shall be strictly limited to auditing the measures taken in terms of data protection, subject to a limit of one audit per annum, notified in advance to Eventtia.
8. The fate of the personal data
The return of the data must be followed by the immediate destruction of all copies of the data held in the information systems of Eventtia. Once the data shall have been destroyed, Eventtia shall provide written evidence of the destruction.