The purpose of this Appendix is to define the conditions under which FYGR, in its capacity as subcontractor and within the scope of the services defined in the document, undertakes to carry out personal data processing operations on behalf of its users in accordance with the provisions applicable to the protection of personal data, in particular the amended Act of January 6, 1978 relating to data processing, data files and individual liberties as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 applicable since May 25, 2018 (hereinafter "RGPD").
For the purposes hereof, FYGR therefore acts as a "subcontractor" in the following cases: where the customer stores or provides access to personal information relating to third parties through the use of the Powens service, Bridge API or Fintecture.
The user, for his part, is presumed to be acting as a "data controller" within the meaning of the definitions given by the RGPD.
Within the framework of their contractual relations, the parties thus undertake, each insofar as it is concerned, to comply with the regulations in force applicable to the processing of personal data.
Personal data: any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Sensitive data or special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (Article 9 of the RGPD).
Processing: any operation or set of operations performed upon personal data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing.
Sub-processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient: the natural or legal person, public authority, department or any other body that receives communication of personal data, whether a third party or not. However, public authorities which may receive personal data in the context of a specific investigation in accordance with EU law or the law of a Member State are not considered as recipients; the processing of such data by the public authorities in question complies with the applicable data protection rules according to the purposes of the processing.
FYGR is authorized, as a Subcontractor acting under the instructions of the user, to process the Personal Data of the Data Controller to the extent necessary to provide the services.
The nature of the operations carried out by FYGR concerning Personal Data may be the storage of information and/or any other services as described in the GTCU. The type of Personal Data and the categories of persons concerned are determined and controlled by the user, at its sole discretion. The processing activities are carried out by FYGR for the duration specified in the GTU.
As a subcontractor, FYGR undertakes to:
1. Process Personal Data solely for the purpose of providing the Services;
2. Not access or use Personal Data for purposes other than those necessary for the performance of the Services;
3. Process Personal Data in accordance with the user's documented instructions;
4. Inform the User if, in its opinion and taking into account the information available to it, any of the instructions constitutes a breach of the GDPR or any other provision of Union law or the law of the Member States relating to data protection;
5. Guarantee the confidentiality of personal data processed in the course of its duties;
6. Where applicable, ensure that members of its personnel authorized to process Personal Data:
7. Take into account the principles of data protection by design and data protection by default for its tools, products, applications and services;
8. Subsequent Subcontractors:
FYGR may engage another subcontractor to process Personal Data in connection with the performance of the Services ("Subsequent Subcontractor"). The user expressly authorizes FYGR to engage such companies as Subsequent Subcontractors.
In any event, the Subsequent Subcontractor is required to perform the obligations of this Agreement on behalf of and as directed by FYGR. It is FYGR's responsibility to ensure that the Subsequent Subcontractor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the European Data Protection Regulation. Should the Subsequent Subcontractor fail to meet its data protection obligations, FYGR would remain fully liable to the user for the performance by the other subcontractor of its obligations.
9. Data subjects' right to information:
The user as Data Controller is fully responsible for informing data subjects of their rights and for ensuring that these rights are respected, including the rights of access, rectification, erasure, restriction or portability.
10. Exercise of individuals' rights:
FYGR provides cooperation and assistance, to the extent reasonably necessary, in responding to requests from data subjects. Such reasonable cooperation and assistance may include (a) communicating to the user any request received directly from the data subject and (b) enabling the Data Controller to design and deploy the technical and organizational measures necessary to respond to the data subject's requests.
The user, as the Data Controller, is solely responsible for responding to such requests.
The user acknowledges and agrees that, in the event that such cooperation and assistance requires significant resources on the part of FYGR, this may be charged to the user provided that the user is notified and agrees to this in advance.
11. Notification of personal data breaches:
FYGR undertakes to notify the user by any means of any personal data breach within 72 (seventy-two) hours of becoming aware of it. This notification shall be accompanied by any useful documentation to enable the user, if necessary, to notify the relevant supervisory authority (CNIL).
12. FYGR's assistance in the context of the user's compliance with its obligations:
FYGR undertakes, insofar as possible and if necessary, to assist the user in carrying out impact analyses relating to data protection.
FYGR also undertakes, if necessary, to assist the user in carrying out prior consultation with the supervisory authority (CNIL).
13. Security measures:
FYGR implements appropriate technical and organizational measures to ensure the security, confidentiality and integrity of data processing and to protect data against destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
14. Fate of data:
At the end of the service (in particular in the event of termination of the TOS), FYGR undertakes to delete any content (in particular data, files, etc.) reproduced, stored, hosted or otherwise used by the user in connection with the services, unless a request issued by a competent legal or judicial authority, or the applicable law of the European Union or of a Member State of the European Union, requires otherwise.
The user is solely responsible for ensuring that the operations necessary (such as backup, transfer to a third-party solution, etc.) for the preservation of Personal Data are carried out, in particular prior to the termination or expiration of the services, and prior to any deletion, update or reinstallation of the services.
In this respect, the user is informed that termination and expiration of the service for any reason whatsoever, as well as certain operations to update or reinstall the services, may automatically result in the irreversible deletion of any content reproduced, stored, hosted or otherwise used by the user in connection with the services, including any potential backups.
15. Register of categories of processing activities:
FYGR declares that it keeps a written register of all categories of processing activities carried out on behalf of the user including:
16. Documentation:
FYGR shall make available to its users the documentation necessary to demonstrate compliance with all of its obligations and to enable and assist in audits, including inspections, to be carried out by the user or another auditor appointed by it.
In the context of such audits, the user or the auditor appointed by it shall not, however, be allowed access to FYGR's business secrets, FYGR's strategic information or information which FYGR has undertaken to keep confidential in respect of its other customers and/or partners. FYGR may object to any measure of control by the user or the auditor appointed by FYGR which might give them access to such data or information. FYGR will in any case ensure that the auditor and, more generally, the personnel carrying out the audit are subject to appropriate confidentiality obligations.
The user undertakes to comply with the obligations incumbent upon it as a data controller pursuant to the RGPD. As such, it is his responsibility in particular to ensure that:
In addition, the user undertakes to: