Data Processing Appendix (“DPA”)
The purpose of this Data Processing Appendix (hereinafter “DPA”) is to define the terms and conditions under which DATAGMA, a company incorporated in France (Paris RCS number: 833 914 393) with its registered office located at 3 boulevard de Sébastopol, 75001 Paris, France, duly represented by Raphael Azot, in the capacity of CEO (hereinafter “DATAGMA” or “Service Provider”) undertakes to perform, on behalf of the client (hereinafter “Client”), the processing of personal data set forth herein.
This DPA is incorporated into and forms an integral part of the main agreement between the Client and DATAGMA. In the event of any conflict or inconsistency between the provisions of the main agreement and this DPA, the provisions of this DPA shall prevail. This DPA supersedes any previously applicable terms relating to its subject matter.
Service Provider and Client are each individually referred to as a “Party” and collectively referred to as the “Parties”.
- DEFINITIONS
Capitalized terms used in this DPA have the meaning ascribed to them as follows:
“GDPR” means the EU General Data Protection Regulation 2016/679.
“Personal Data Regulations” means any applicable law on the protection of personal data, in particular, the GDPR and Law No. 78-17 of 6 January 1978 relating to computers, files and freedoms, as amended.
All definitions in section 4 of the GDPR shall apply to the present DPA including but not limited to: controller, processor, personal data, data subjects, pseudonymization, consent, personal data breach.
- SUBJECT MATTER AND QUALIFICATION OF THE PARTIES
Client hereby instructs DATAGMA to process the personal data described in Schedule 1 for the purpose of providing B2B data enrichment services under the main agreement.
DATAGMA does not generate or own any database containing the personal data obtained on behalf of Client, other than the opt-out form on DATAGMA’s website, which enables data subjects to request that they not be searched for again in the future, it being specified that DATAGMA does not use such data for its own purposes.
The Parties therefore agree that when processing personal data as part of the provision of the B2B enrichment services under the main agreement, Client shall act as controller of personal data, and DATAGMA shall act on Client’s behalf as data processor, including with respect to the opt-out form provided by DATAGMA on its website.
The Parties agree to comply, each as far as it is concerned, with all the provisions to which they are subject under the applicable Personal Data Regulations.
- CLIENT’S OBLIGATIONS
Client declares that, whenever the GDPR is applicable, it is aware of its obligations as data controller, in particular its obligations (i) to process personal data lawfully, fairly and in a transparent manner in relation to the data subjects, i.e., to inform data subjects of the processing of their personal data and to ensure that the processing of such data has a legal basis and that the data subjects have, where applicable, given their consent to the processing of their personal data, (ii) to keep records of its processing activities, (iii) where applicable, to appoint a data protection officer, (iv) to give notification in the event of a data breach, and (v) to carry out privacy impact assessments.
Client acknowledges that the opt-out put in place by DATAGMA on its website does not relieve Client of its obligation to determine the lawful basis for processing and to provide the necessary information to data subjects. Client remains solely responsible for obtaining any required consents or providing the necessary notices to data subjects as required by law.
This list is not exhaustive, and the Client acknowledges that it is the Client's responsibility to take the necessary steps to comply with the applicable Personal Data Regulations in their entirety. DATAGMA can in no way be held responsible for any failure by the Client to meet its obligations regarding data protection.
- DATAGMA’S OBLIGATIONS
Whenever the GDPR is applicable, in its capacity as processor, DATAGMA undertakes to:
- Only process personal data on documented instructions from Client, including with respect to transfers of personal data to a third country or international organization, unless required to do so by European Union or French law. In such case, DATAGMA shall inform Client of such legal requirement before processing, unless the applicable law prohibits such notification on important grounds of public interest.
- Ensure that employees authorized to process personal data under the main agreement have committed themselves to confidentiality or are subject to an appropriate legal obligation of confidentiality.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, implement technical and organizational measures required under Article 32 of the GDPR, as listed in Schedule 2.
- Taking into account the nature of the processing, assist Client, at the Client’s cost, through appropriate technical and organizational measures, insofar as possible, in fulfilling its obligation to respond to requests made by data subjects to exercise their rights under Chapter III of the GDPR (right to information, right of access, right to rectification, right to erasure and to object, right to limitation of processing, right to data portability, right not to be subject to an automated individual decision, including profiling). In the event a data subject contacts DATAGMA directly to exercise its rights, DATAGMA will transmit this request to Client, as soon as possible.
- Upon request and at the Client’s cost, provide reasonable assistance to Client in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to DATAGMA, and in particular assist Client to ensure compliance with its obligations related to the notification of a personal data breach and the conduct of impact assessments relating to data protection.
- Within thirty (30) business days of communicating any requested personal data to the Client, delete such personal data and any existing copy thereof, unless European Union law or Member State law requires further storage of the personal data.
- Upon request, make available to Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, no more than once per year, including inspections by Client or another independent auditor appointed by Client, provided that such audit is (i) conducted upon at least ten (10) business days’ prior written notice, during regular business hours and without interrupting DATAGMA's normal business operations, and (ii) restricted to the areas and documents relevant in the context of the processing of personal data under the main agreement. Client shall alone bear the costs of the audit.
- Inform Client immediately if, in the opinion of DATAGMA, instructions given by Client infringe the GDPR or the applicable European Union or Member State data protection provisions.
- Should DATAGMA become aware, under the main agreement, of a personal data breach, DATAGMA undertakes to notify Client of this breach as soon as possible and to provide Client with all information that will allow it to meet its own obligations.
- SUBPROCESSORS
Client hereby grants DATAGMA a general authorization to engage subprocessors to carry out all or part of the personal data processing activities on behalf of Client as part of the provision of the B2B data enrichment services.
DATAGMA undertakes to impose on any such subprocessors the same data protection obligations as those stipulated in this DPA, in particular as regards providing sufficient guarantees relating to the implementation of appropriate technical and organizational measures, in such a manner that the processing meets the requirements of the GDPR.
DATAGMA also undertakes to inform Client of any intended changes concerning the addition or replacement of a subprocessor, notably by providing the owner of Client's account with notice of any such addition or replacement and/or by posting updates on its website, thereby giving the Client the opportunity to object to such changes on reasonable grounds. Any objection must be notified by Client to DATAGMA in writing within eight (8) business days of receipt of DATAGMA's notification. The addition or replacement of the subprocessor is deemed to have been approved by Client if Client does not object in writing within such period. If Client objects to the change, the Parties will meet in good faith to resolve the issue through a mutually acceptable solution.
- DATA TRANSFERS
The Client agrees that in the course of providing the B2B data enrichment services, personal data may be transferred outside of the European Economic Area, including to the United States.
Where the GDPR is applicable and no adequacy decision has been granted pursuant to Article 45 GDPR, such transfer will be governed by the standard contractual clauses for international data transfers as adopted by the European Commission on June 4, 2021 (hereinafter “Standard Contractual Clauses”), signed between DATAGMA and its subprocessors, and specific organizational and technical guarantees will be put in place, including, where appropriate, data encryption, the implementation of the HTTPS protocol, security updates, data backups and certifications.
The Parties acknowledge that, where appropriate, the execution of this DPA is equivalent to the execution of the updated version of the Standard Contractual Clauses and agree to be bound by such Standard Contractual Clauses.
DATAGMA and Client choose the following terms and options offered by the Standard Contractual Clauses:
- In clause 11(a) of the Standard Contractual Clauses, the option for independent dispute resolution is deemed to be omitted.
- In clause 17 of the Standard Contractual Clauses, OPTION 1 is selected, and the Parties agree that it is the law of France.
- In clause 18 of the Standard Contractual Clauses, the parties agree that the courts of France shall have jurisdiction.
- In Schedule I:
  - The list of parties is identical to the list of parties in the main agreement.
  - The description of transfers is provided in Schedule 2 entitled “Description of the processing of personal data” of this DPA.
  - The competent authority is the CNIL (Commission Nationale de l'Informatique et des Libertés).
- In Schedule II of the Standard Contractual Clauses, the measures are those provided for in Schedule 2 of this DPA entitled “Technical and organizational measures implemented by DATAGMA”.
- In Schedule III of the Standard Contractual Clauses, the list of subsequent subprocessors, as defined hereunder, is set forth in Schedule 3 of this DPA entitled “Subprocessors list”.
- LIMITATION OF LIABILITY
DATAGMA’s liability regarding any data protection claims will be limited to the amount of the fees paid by Client under the main agreement during the 6 months preceding the claim. DATAGMA’s liability is conditioned upon Client (i) notifying DATAGMA of any claim or action in connection with DATAGMA's obligations as soon as Client becomes aware of such claim or action and promptly furnishing DATAGMA with any related information in its possession and (ii) mitigating any potential damage.
- TERM
This DPA shall come into effect on the signature date of the main agreement and shall end on the expiration or termination date of the main agreement.
- MISCELLANEOUS
Except as specifically modified and amended herein, all of the terms, provisions, requirements and specifications contained in the main agreement remain unmodified and in full force and effect.
- GOVERNING LAW AND JURISDICTION
This DPA is governed by the laws of France.
Any dispute arising in connection with this DPA that the Parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of Paris, subject to possible appeal before the Cour d’Appel.
SCHEDULE 1
DESCRIPTION OF THE PROCESSING OF PERSONAL DATA
This Schedule 1 provides a description of the processing of personal data carried out by DATAGMA on behalf of Client. Client hereby instructs DATAGMA to carry out the processing of personal data as specified hereinafter (hereinafter the “Entrusted Processing” or the “Entrusted Personal Data”):
- Purpose of Entrusted Processing:
The purpose of the Entrusted Processing is to provide Client with B2B data enrichment services defined under the main agreement and notably to provide Client with complete and updated business contact information.
- Nature of Entrusted Processing:
The nature of the Entrusted Processing consists of the collection, consultation, hosting, storage, retrieval, use, erasure or destruction of personal data.
- Categories of Entrusted Personal Data:
Client instructs DATAGMA to process the following categories of personal data on behalf of the Client:
  - Identification data, such as name and first name.
  - Contact data, such as e-mail address and phone number.
  - Professional data, such as organization, position or seniority.
  - Login data, such as login identifiers, passwords and any other login data.
- Categories of data subjects:
The categories of data subjects concerned by the Entrusted Processing are:
  - Individuals targeted by the Client, for instance for marketing or recruitment purposes.
  - Client’s employees.
- Duration of Entrusted Processing:
The duration of the main agreement, and at least 3 years for the opt-out list.
SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL MEASURES IMPLEMENTED BY DATAGMA
DATAGMA undertakes to implement technical and organizational measures to protect data from being unlawfully altered, damaged or accessed by unauthorized parties. Regular checks are carried out to assess the effective implementation of such measures.
In particular, DATAGMA undertakes to implement the following:
- Technical measures
  - Keeping all software up to date (e.g. by applying updates and patches).
  - Protection of internal networks against unauthorized access (e.g. by firewalls, virus scanners, etc.).
  - Appropriate logging information is collected and periodically reviewed and analyzed.
  - Appropriate encryption methods are applied on the system and/or service used to store personal data.
  - Use of a VPN for remote access.
- Organizational measures
  - Access to personal data is subject to appropriate confidentiality obligations (e.g. employment contract, confidentiality agreement, etc.).
  - All computers processing personal data are password protected.
  - Personal, individual user logins are required for access to the systems and the company network.
  - State-of-the-art password policies for the creation of secure passwords.
  - Access to IT systems is blocked after repeated incorrect access attempts.
  - Passwords are stored in hashed form.
  - An automatic session lock procedure is set up on every computer.
  - Employees are bound to respect the applicable data protection regulations and are subject to an obligation of confidentiality.
  - Access to personal data is strictly limited to authorized employees on a “need-to-know” basis.
  - User accounts are deactivated when a user leaves the company or changes function.
  - Dedicated procedures for security and privacy incidents are in place.
  - Regular training of employees in data privacy and IT security.
SCHEDULE 3
SUBPROCESSORS LIST
It is expressly agreed between the Parties that, as of the date of the main agreement, DATAGMA uses the following subprocessors, and that Client authorizes DATAGMA to use the services of said subprocessors:
Name | Location of the data centers | Purpose
--- | --- | ---
Data brokers | USA | Data enrichment purposes
Amazon Web Services | Germany and Ireland | Hosting purposes
 | Belgium | Hosting purposes