The provisions of this Appendix apply to the processing of Personal Data carried out within the framework of this Agreement, in accordance with the provisions of European Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and the French Data Protection Act No. 78-17 of 6 January 1978 as amended (“Loi Informatique et Libertés”), all of which are hereinafter referred to as the “Applicable Regulations”.
It is understood that this Appendix supplements the provisions of the General Conditions of Use of the SHIPZZER Software.
You are reminded that pursuant to the Applicable Regulations and in the context of the use of the SHIPZZER Software and/or Services:
the Client acts as the controller of Personal Data or, if necessary, as a processor of its clients;
SHIPZZER acts as a processor only on behalf and on the documented and lawful instructions of the Client.
SHIPZZER and the Client agree that the accomplishment of the purpose of the Agreement as well as the use of the Software and/or the Service and its functions in accordance with its Documentation constitute the documented instructions of the Client.
The Client alone has the control and knowledge, in particular of the origin, of the Personal Data processed in the context of the performance of the Agreement. The Client thus guarantees that it will comply with all of its obligations under the Applicable Regulations in its capacity as data controller.
SHIPZZER will delete the Personal Data and any copies thereof in application of the Article “Return of Client Data” of the GCU unless the applicable law requires the retention of these Personal Data.
The Client shall indicate to SHIPZZER at the time of the signature of the Agreement the person to be contacted for any information, communication, notification or request in application of this Appendix. In the absence of indication by the Client, the signatory of the Agreement will automatically and by operation of law be designated as the contact person.
SHIPZZER may transfer the Personal Data for the strict purposes of the execution of the Agreement, subject to prior notification to the Client. In any case, SHIPZZER shall refrain from transferring Personal Data without putting in place the adequate tools to supervise these transfers in application of Article 46 of the GDPR, outside:
the European Union, or
the European Economic Area, or
countries recognised as having an adequate level of security by the European Commission, including
companies established in the United States of America certified as “Privacy Shield”.
Pursuant to Article 32.1 of the GDPR, the Client and SHIPZZER acknowledge to implement the appropriate technical and organisational measures in order to guarantee a level of security adapted to the risks.
It is understood that SHIPZZER is responsible for the security of the Service only for the aspects under its control. Thus, the Client remains responsible for the security and confidentiality of its systems and its access policy to the Service. It is the Client's responsibility to ensure that the uses and configuration choices of the Service at its disposal meet the requirements of the Applicable Regulations.
It is understood that SHIPZZER has no obligation to protect personal data which are stored or transferred outside the Service by the Client, or by SHIPZZER on the Client's instructions.
SHIPZZER shall communicate to the Client, as soon as possible after receipt, any request, query or complaint addressed to it by any natural data subject concerning the processing of its Personal Data carried out as part of the performance of the Agreement.
In its capacity as data controller, the Client remains responsible for the response to be given to the natural data subject; SHIPZZER will not respond to such requests.
However, given the nature of the processing of Personal Data, SHIPZZER shall, as far as possible, assist the Client in responding to such requests.
Upon the Client's express request, SHIPZZER will provide it, at the Client's expense, with any useful information in its possession, in order to enable the Client to meet, if necessary, the requirements of the Applicable Regulations which are incumbent upon it in its capacity as data controller concerning the impact analyses relating to the protection of Personal Data carried out by and under its sole responsibility as well as the prior consultations with the CNIL which could result therefrom.
SHIPZZER will notify the Client as soon as possible after becoming aware of any breach of the security of the Personal Data leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed in any other way, or unauthorised access to such Personal Data.
SHIPZZER will provide the Client as soon as possible after the notification of the Personal Data security breach and to the extent possible with the following information:
the categories and approximate number of data subjects concerned by the breach;
the categories and approximate number of Personal Data records involved;
a description of the likely consequences of the Personal Data breach;
- a description of the measures taken, or that SHIPZZER intends to take, to remedy the personal data breach, including, where appropriate, measures to mitigate any negative consequences.
The Client authorises SHIPZZER to use subcontractors to carry out processing activities on behalf of the Client that are strictly necessary for the performance of the Agreement.
SHIPZZER shall use sub-processors with sufficient guarantees that they implement appropriate technical and organisational measures in order to meet the requirements of the Applicable Regulations.
SHIPZZER shall contractually impose on its sub-processors a level of obligation at least as equivalent in terms of protection of Personal Data to that set out in this Agreement and in the Applicable Regulations. SHIPZZER will remain liable to the Client for the performance by the said sub-processor of its obligations.
SHIPZZER shall only use a sub-processor:
established in a country of the European Union or the European Economic Area, or
established in a country with a sufficient level of protection by decision of the European Commission under the Applicable Regulation, or
with the appropriate safeguards pursuant to Article 46 of the GDPR.
The list of SHIPZZER's sub-processors can be provided upon the Client's express request.
SHIPZZER will make available to the Client, by e-mail and at the Client's request, any document necessary to demonstrate that SHIPZZER has complied with its obligations as a processor under the Agreement. Any other means of transmission of these documents will be at the Client's expense.
The Client may request additional explanations from SHIPZZER if the documents provided do not allow the Client to verify the compliance with SHIPZZER's obligations as a processor under the Agreement. The Client will then formulate a written request to SHIPZZER, by registered letter with acknowledgement of receipt, in which it will justify its request for further explanation. SHIPZZER shall provide an answer to the Client as soon as possible in view of the nature of the request.
P a g e 5 | 5
SHIPZZER - SAS au capital de 142 140 €, dont le siège est à Marseille (13002), Euromed Center Calypso, 48 Quai du Lazaret, inscrite au registre du commerce et des sociétés de Marseille sous le n° 851 804 062. TVA intracommunautaire : FR 851 804 062