Personal data processor appendix

Introduction

The purpose of this Appendix is to define the conditions under which FYGR, in its capacity as subcontractor and within the framework of the services defined in the document, undertakes to carry out, on behalf of its users, personal data processing operations in accordance with the provisions applicable to the protection of personal data, in particular the amended Act of January 6, 1978 on Data Processing, Data Files and Individual Liberties as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 applicable since May 25, 2018 (hereinafter "RGPD").
For the purposes hereof, FYGR therefore acts as a "subcontractor" in the following cases: where the customer stores or provides access to personal information relating to third parties via the use of the Budgea API, Bridge or Fintecture service.
The user, for his part, is presumed to be acting as a "controller" within the meaning of the definitions given by the RGPD.
Within the framework of their contractual relations, the parties thus undertake, each insofar as it is concerned, to comply with the regulations in force applicable to the processing of personal data.

Article 1. Definitions

For the purposes hereof, the following terms shall have the same meaning as given to them in the GDPR:
Personal data: any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Sensitive data or special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (Article 9 of the RGPD).
Processing: any operation or set of operations performed upon personal data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing.
Sub-processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient: the natural or legal person, public authority, department or any other body that receives communication of personal data, whether a third party or not. However, public authorities which may receive personal data in the context of a specific investigation in accordance with EU law or the law of a Member State are not considered as recipients; the processing of such data by the public authorities in question complies with the applicable data protection rules according to the purposes of the processing.

Article 2. Description of outsourced processing operations

FYGR is authorized, as a Subcontractor acting under the instructions of the user, to process the Personal Data of the Data Controller to the extent necessary to provide the services.
The nature of the operations carried out by FYGR concerning Personal Data may be the storage of information and/or any other services as described in the GTCU. The type of Personal Data and the categories of persons concerned are determined and controlled by the user, at its sole discretion. The processing activities are carried out by FYGR for the duration specified in the GTU.

Article 3. FYGR's obligations as a subcontractor

As a subcontractor, FYGR undertakes to:
1. Process Personal Data solely for the purpose of providing the Services;
2. Not access or use Personal Data for purposes other than those necessary to perform the Services;
3. Process Personal Data in accordance with the user's documented instructions;
4. Inform the User if, in its opinion and taking into account the information available to it, any of the instructions constitutes a breach of the GDPR or any other provision of Union law or the law of the Member States relating to data protection;
5. Guarantee the confidentiality of Personal Data processed in the course of carrying out its missions;
6. Where applicable, ensure that members of its personnel authorized to process Personal Data:
- undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
- receive the necessary training in the protection of Personal Data;
7. Take into account, with regard to its tools, products, applications or services, the principles of data protection by design and data protection by default;
8. Subsequent subcontractors:
FYGR may engage another subcontractor to process Personal Data in connection with the performance of the Services ("Subsequent Subcontractor"). The User expressly authorizes FYGR to engage these companies as Subsequent Subcontractors.
In any event, the Subsequent Subcontractor is obliged to comply with the obligations of this contract on behalf of and according to the instructions of FYGR. It is FYGR's responsibility to ensure that the Subsequent Subcontractor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the European Data Protection Regulation. If the Subsequent Subcontractor fails to meet its data protection obligations, FYGR would remain fully liable to the user for the other subcontractor's performance of its obligations.
9. Data subject's right to information:
The user as Data Controller is fully responsible for informing data subjects of their rights and for ensuring that these rights are respected, including the rights of access, rectification, erasure, restriction or portability.
10. Exercise of personal rights:
FYGR provides cooperation and assistance, to the extent reasonably necessary, in responding to requests from data subjects. Such reasonable cooperation and assistance may consist of (a) communicating to the user any request received directly from the data subject and (b) enabling the Data Controller to design and deploy the technical and organizational measures necessary to respond to data subjects' requests.
The user, as the Data Controller, is solely responsible for responding to these requests.
The user acknowledges and agrees that, in the event that such cooperation and assistance requires significant resources on the part of FYGR, this may be charged to the user upon prior notification and agreement.
11. Notification of personal data breaches:
FYGR undertakes to notify the user by any means of any violation of personal data within a maximum period of 72 (seventy-two) hours after becoming aware of it. This notification shall be accompanied by any useful documentation to enable the user, if necessary, to notify the competent supervisory authority (CNIL) of the violation.
12. FYGR's assistance in the fulfilment of the user's obligations:
FYGR undertakes to the extent possible and if necessary to assist the user in carrying out data protection impact analyses.
FYGR also undertakes, if necessary, to assist the user in carrying out prior consultation with the supervisory authority (CNIL).
13. Safety measures:
FYGR implements appropriate technical and organizational measures to ensure the security, confidentiality and integrity of data processing and to protect data against destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data.
14. Data output:
Upon termination of the service (including termination of the TOS), FYGR agrees to delete any content (including data, files, etc.) reproduced, stored, hosted or otherwise used by the user in connection with the services, unless a request issued by a competent legal or judicial authority, or applicable law of the European Union or a European Union Member State, requires otherwise.
The user is solely responsible for ensuring that the necessary operations (such as backup, transfer to a third-party solution, etc.) to preserve Personal Data are carried out, in particular before the termination or expiration of the services, and before carrying out any operation to delete, update or reinstall the services.
In this respect, the user is informed that the termination and expiration of the service for any reason whatsoever, as well as certain operations to update or reinstall the services, may automatically result in the irreversible deletion of any content reproduced, stored, hosted or otherwise used by the user in connection with the services, including any potential backup.
15. Register of categories of processing activities:
FYGR declares to keep a written record of all categories of processing activities carried out on behalf of the user including:
- the name and contact details of the user on whose behalf it is acting, of any subcontractors and, where applicable, of the data protection officer;
- the categories of processing carried out on behalf of the user;
- where applicable, transfers of personal data to a third country or to an international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documents attesting to the existence of appropriate safeguards;
- as far as possible, a general description of technical and organizational security measures.
16. Documentation:
FYGR makes available to its users the documentation necessary to demonstrate compliance with all of its obligations and to enable and contribute to audits, including inspections, by the user or another auditor appointed by the user.
However, in the context of such audits, the user or the auditor appointed by him will not be authorized to access FYGR's business secrets, FYGR's strategic information or information that FYGR has undertaken to keep confidential with regard to its other customers and/or partners. FYGR may object to any measure of control by the user or the auditor appointed by FYGR which might give them access to such data or information. FYGR will in any case ensure that the auditor and, more generally, the personnel carrying out the audit are subject to appropriate confidentiality obligations.

Article 4. Obligations of the user as data controller towards FYGR

The user undertakes to comply with the obligations incumbent upon it as a data controller pursuant to the RGPD. As such, it is his responsibility in particular to ensure that:
- the processing of personal data has an appropriate legal basis (for example, the consent of the data subject, the legitimate interest of the data controller or a legal provision, etc.);
- data processing registers are updated;
- all required formalities and procedures (such as an impact assessment, notification or request for authorization from the supervisory authority or any other body) have been carried out, where applicable;
- data subjects are informed of the processing of personal data in a concise, transparent, intelligible and easily accessible manner;
- data subjects have the opportunity to exercise their rights, as provided for by the RGPD;
- technical and organizational measures are implemented within its own systems and operations outside the scope of services to ensure the security of personal data processing.
In addition, the user undertakes to:
- document all data processing instructions in writing;
- ensure, beforehand and for the entire duration of the processing, that FYGR complies with the obligations set out in the RGPD;
- supervise processing, including audits and inspections of FYGR, under the conditions described above.