When you sign up for our services and during the provision of those services, we collect the following categories of data:
We use your data to perform and manage your contract. This includes managing your Customer account and our contractual relationship, installing, maintaining, providing and managing the service purchased or the product ordered, providing support services and processing your requests, billing the service or product, handling complaints and disputes and debt recovery procedures, which may involve third parties.
These data are retained for the time needed to manage the contract and/or for the time imposed by law. Without these data, we would not be able to provide the services you have purchased.
We may also use your data in our legitimate interests. For example, we may use your data to assess and improve our services and develop new services, and to implement loyalty, direct marketing, customer satisfaction and promotional campaigns.
Unless you opt out, you may receive offers from us or our commercial partners, by post or telephone, and emails promoting services similar to those we offer. With your express consent, we may email you commercial information on other different types of services. Your data may also be used to protect the security of the network and prevent fraud or as part of a merger, asset sale or transfer of all or part of our business, by transferring your Customer personal data to the one or more third parties involved for the purposes of the transaction. These data will be retained for the time needed to achieve those purposes and for no more than three years after the end of the contractual relationship, as regards direct marketing purposes.
We may also use your data to fulfil our statutory obligations (including under anti-fraud and money-laundering laws and the legislation on late payments and payment defaults by customers) and/or to reply to requests submitted by public and governmental bodies.
You may access your data, rectify it, request its erasure, object to processing on legitimate grounds relating to your particular situation and exercise your right to data portability, at any time, via your Account Management Console or by emailing your request along with proof of your identity to our Personal Data Protection Officer at: firstname.lastname@example.org
However, we are not under any obligation to erase the data we need for the purpose for which it was collected, required to ensure compliance with a statutory obligation and/or to confirm, exercise or defend rights before a court of law.
You may also give instructions to our Personal Data Protection Officer on the use of your personal data after your death.
You may register with a free telephone preference service to prevent unsolicited marketing calls from third-party companies on www.bloctel.gouv.fr.
If you are not happy with our handling of a complaint, you may contact the French Data Protection Agency (Commission Nationale de l’Informatique et des Libertés or “CNIL”), in charge of regulating compliance with personal data obligations.
We take all steps required to protect the personal data we process. Your data is processed electronically and/or manually and, in both cases, we ensure an appropriate level of security, protection and confidentiality based on the sensitivity of your data, using administrative, technical and physical measures preventing any loss or theft or any unauthorised use, disclosure or alteration of your data.
Your personal data is processed by us, companies belonging to the Iliad Group and our subcontractors, data processors and partners, to manage the contract and provide the services you have requested or authorised.
Your data may also be transferred to third parties, providing services or support and advice to us.
On request, it may also be transferred to the persons and authorities granted access to personal data under applicable laws or regulations or provisions adopted by legally competent authorities.
Our subcontractors, data processors and partners may be located outside the European Union. If they are located in a country that has not been recognised as providing an adequate level of protection, they must comply with our security and confidentiality requirements for your personal data and are only authorised to process your data for the purposes we determine. These subcontractors, data processors and partners must first sign the standard contractual clauses published by the European Commission.
AGREEMENT TO SUBCONTRACT THE PROCESSING OF PERSONAL DATA
This Subcontracting Agreement forms an integral part of the Service agreement between the Client and AltınSoft Information Technologies (“Agreement”).
For the purposes of the fulfilment and performance of the Agreement, Personal Data (as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR")) may be disclosed to and/or accessed by Online.
The purpose of this Subcontracting Agreement is to define the conditions under which Online undertakes to carry out Personal Data Processing operations, for the sole purpose of the performance of the Agreement and only for the duration of the Agreement, exclusively on behalf of the Client. The Parties hereby undertake to comply with the Data Protection Regulations.
Within the framework of the Agreement, the Client acts as data controller with regard to Personal Data as defined in the GDPR and Online acts as data processor as defined in the GDPR.
The Client has ascertained, on the basis of the information provided by Online and the other information at its disposal, that Online presents sufficient guarantees, in particular in terms of experience, resources, capacities and reliability, for the purpose of implementing the technical and organisational measures necessary to ensure that the Personal Data Processing provided for in the Agreement is carried out in compliance with the Data Protection Regulations.
Online represents and warrants that it has implemented all the necessary technical and organisational measures to ensure that the Personal Data Processing is carried out in accordance with the Data Protection Regulations, including the GDPR.
In addition to the terms and expressions defined in this Subcontracting Agreement ("Subcontracting Agreement"), the terms and expressions "International Organisation", "Data Protection Officer" and "Personal Data Breach" shall have the same meaning as assigned to them in the GDPR. In addition, the following terms and expressions have the meanings given below, regardless of whether they are used in the singular or plural:
"Personal Data" means any information relating to any natural person who is directly or indirectly identified or identifiable, in particular through the use of identifying information such as a name, an identification number, location data, an online username, or one or more elements specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity that may be disclosed or made available in the context of the fulfilment and performance of the Agreement;
“Security Measures” means the security measures provided for by the Data Protection Regulations and any other obligation provided for by the said Regulation to guarantee the security and confidentiality of Personal Data, including the activities to be carried out in the event of a Personal Data Breach, in particular in order to avoid or reduce the harmful effects of the Personal Data Breach on the Data Subjects;
"Agent" means the employees, authorised persons or any other natural person empowered to carry out Processing Operations for any Personal Data transmitted or made available by Online and/or its possible Sub-processors;
"Data Subject" means the identified or identifiable natural persons to whom the Personal Data refers;
"Data Protection Regulations" means the GDPR, the French Data Protection Act no. 78-17 of 6 January 1978 and its successive amendments ("French Data Protection Act"), Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector of 12 July 2002, as well as all legislative provisions, regulations, guidelines, opinions, certifications, approvals, recommendations or final judicial decisions relating to the protection of personal data applicable to the Processing of Personal Data, already in force or which will enter into force during the term of this Subcontracting Agreement, including the measures, guidelines and opinions of the Working Party referred to in Article 29 of Directive 95/46/EC of the European Committee on Data Protection referred to in Articles 63 and seq. of the GDPR and of any other competent authority. In the event of a conflict between
the French Data Protection Act, the GDPR and/or the measures adopted by the competent authorities to implement them, the provisions of the GDPR and the measures adopted to implement it shall take precedence.
"Processing" means the processing of Personal Data as defined in the GDPR entrusted to Online under the Agreement and described in this Subcontracting Agreement.
2. Processing operation(s) to be Subcontracted
2.1. The Processing carried out by Online for the purposes of this Subcontracting Agreement shall relate solely to the types of Personal Data and the categories of Data Subjects defined by the Client.
2.2. Online undertakes to guarantee the confidentiality of the Personal Data and to ensure that any Subsequent Agents and Data Processors authorised to process the Personal Data under this Subcontracting Agreement observe the confidentiality of the Personal Data. The confidentiality obligation in respect of the Personal Data will remain in force for five years from the expiry of the Agreement.
3. Nature, aims and methods of the Processing
3.1. Online, in its capacity as Data Processor for the Data Processing, undertakes, at its own expense:
- to process the Personal Data for the exclusive purpose of performing the Agreement within the limits and according to the terms stipulated in said Agreement, this Subcontracting Agreement and the Data Protection Regulations;
- not to independently define the methods for the Processing of Personal Data and not to act as an independent data controller in relation to said data;
- to scrupulously comply with the written instructions issued by the Client and notify the Client if it considers that any instruction is in violation of the Data Protection Regulations or more generally of any applicable legislation;
- to process only such Personal Data as is strictly necessary for the performance of the Agreement or to comply with legal obligations;
- to process the Personal Data in a lawful manner and in accordance with the Agreement and this Subcontracting Agreement and with the requirements laid down by the Data Protection Regulations;
- to notify the Client of any requirements to modify, update, correct or delete the Personal Data and to update, modify, correct or delete the Personal Data at the request of the Client;
- to assist the Client and cooperate with it in the event of a request made by the competent authorities, the Data Subjects and in order to comply with the obligations arising from the Data Protection Regulations; and
- to provide the Client with all the information in its possession that is necessary to demonstrate that the Client is in compliance with the obligations set out in the Data Protection Regulations.
3.2. Online is expressly prohibited from using all or part of the Personal Data, for any purpose whatsoever, on its own account or on behalf of a third party, whether during the term of the Agreement or after the end thereof.
4. Processing Activity Record
4.1. In accordance with Article 30, paragraph 2, of the GDPR, Online undertakes to keep a separate, constantly updated record concerning all categories of activities relating to the Processing of Personal Data carried out on behalf of the Client. This shall include:
- the name and contact details of Online and its Sub-processors, those of the Client and, where applicable, the Client’s and Data Processor’s Data Protection Officer;
- the categories of Data Processing carried out on behalf of the Client;
- any transfers of Personal Data to a third country or to an International Organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documents proving the existence of the appropriate safeguards required by Article 49 of the GDPR; and
- a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR including, inter alia, as required:
  - pseudonymisation and encryption of the Personal Data;
  - means making it possible to safeguard the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
  - means making it possible to restore the availability of and access to the Personal Data within appropriate time limits in the event of a physical or technical incident;
  - a procedure for the regular testing, analysis and evaluation of the effectiveness of the technical and organisational measures safeguarding the security of the data processing.
4.2. Online undertakes to promptly provide the Client with a copy of the record referred to in clause 4.1 at the request of the Client and/or the competent authorities.
4.3. Online undertakes to provide the Client with all the information relating to the Processing of Personal Data that it needs in order to be able to establish its own record of processing operations referred to in Article 30(1) of the GDPR.
5. Obligations relating to Agents
5.1. Online undertakes to ensure that Agents have access only to the Personal Data that is strictly necessary for the performance of the Contract or in order to fulfil the legal obligations and that Agents exclusively Process such Personal Data, in all cases, within the limits and under the terms of this Subcontracting Agreement, the Agreement and the Data Protection Regulations.
5.2. Online also undertakes to allow Personal Data Processing to be carried out only by Employees who:
- through their experience, skills and training, have proven that they are able to comply with the Data Protection Regulations and who must have access to such Personal Data in order to perform the Agreement;
- have attended at least one training course per year on the obligations laid down by the Data Protection Regulations;
- have been designated in writing as Agents authorised to carry out Processing Operations;
- have committed in writing to strictly observe the confidentiality obligations during the Processing of Personal Data;
and to scrupulously ensure that the Agents properly carry out the instructions received and fulfil the obligations incumbent upon them.
5.3. The Contractor agrees to establish physical, technical and organisational measures to ensure that:
- each Agent may only access Personal Data that may be Processed pursuant to the Agent's authorisation, taking into account the activity that the Agent must perform within the framework of the Agreement;
- any Processing of Personal Data constituting a breach of this Subcontracting Agreement, the Agreement and/or the Data Protection Regulations is immediately identified and reported to the Client in accordance with the procedure and within the time limits set out in Article 8 in the event of a Personal Data Breach; and
- upon termination of the Agreement or the mission entrusted to the Agent, the Agent shall immediately discontinue the Processing of the Personal Data and shall refrain from keeping any copies of the Personal Data in any form whatsoever, in particular in electronic or paper format.
6.1. Online may only use another subcontractor ("Sub-processor") to carry out specific Processing activities. At the request of the Client, Online will send a list of Sub-processors and will notify the Client in case of modification of these Sub-processors.
6.2. Online ensures that each Sub-processor offers adequate guarantees with regard to the Data Protection Regulations in terms of the technical and organisational measures adopted for the Processing of the Personal Data and ensures that each Sub-processor immediately discontinues any Processing of the Personal Data in the absence of such guarantees, including on the basis of information obtained from the Compliance Checklist referred to in paragraphs c) and e) of clause 6.2 above. If the Sub-processor fails to fulfil its obligations regarding the protection of the Personal Data, Online shall remain fully liable vis-à-vis the Client with regard to the Sub-processor's performance of its obligations.
6.3. Online ensures that each Sub-processor is bound by adequate confidentiality obligations and that it undertakes to comply with the obligations of this Subcontracting Agreement on behalf of and according to the instructions of the Client, through a written agreement similar in content to that of the Subcontracting Agreement.
7. Security Measures
7.1. Online undertakes to adopt Security Measures in accordance with the provisions of the Data Protection Regulations and this Subcontracting Agreement.
7.2. More specifically, Online, taking into account the current situation and implementation costs and the nature, purpose, context and aims of the Processing of the Personal Data, as well as the risk that the Processing poses to the rights and freedoms of natural persons and the probability and gravity of said risk, undertakes to take appropriate technical and operational measures to guarantee a level of security commensurate with the risk associated with the Processing of the Personal Data, including, where appropriate, the measures provided for in Article 32, paragraph 1, of the GDPR. In any event, Online undertakes to:
- adopt, as a minimum requirement, all the technical and organisational measures required by the Data Protection Regulations;
- keep Personal Data separate from other data processed on its behalf or on behalf of third parties, only in the locations indicated by the Client; and
- send, at the request of the Client, information relating in particular to the physical, organisational and technical measures adopted for Online's Processing of the Personal Data and its own Sub-processors, if any, as well as any other additional information that may be requested by the Client in relation to the physical, technical and organisational measures implemented in connection with the Processing of the Personal Data.
8. Personal Data Breaches
8.1. In the event of any Personal Data Breaches or incidents which may compromise the security of the Personal Data (e.g. loss, damage or destruction of the Personal Data, regardless of the medium or format [paper, electronic or other], unauthorised access by third parties to the Personal Data or any other Personal Data Breaches), including Personal Data Breaches resulting from the conduct of any Sub-processors and/or Online's Agents, Online shall:
- immediately notify the Client upon becoming aware of such Breach by notifying the Client by e-mail at the Client’s contact addresses and providing the Client with the relevant information in order to enable the Client, if necessary, to notify this breach to the competent supervisory authority; and
- in collaboration with the Client, immediately and, in any event, without undue delay, take all necessary measures to minimise the risks of any kind to the Personal Data arising from the Breach thereof and implement any operation that may be necessary to remedy the Breach of Personal Data in order to mitigate its possible harmful effects and investigate its cause.
8.2. For the purposes of this Subcontracting Agreement, the Contractor represents and warrants that it and any of its Sub-processors have adopted technical and organisational measures making it unlikely that a possible Personal Data Breach could jeopardise the rights and freedoms of the relevant Data Subjects, including through the use of technologies such as encryption which render the Personal Data incomprehensible to any person not authorised to access it.
8.3. Online undertakes to keep a record listing the Personal Data Breaches relating to the Personal Data covered by this Subcontracting Agreement, the circumstances surrounding them, the consequences of such Breaches, the measures adopted to remedy them and any failures committed in respect of this Subcontracting Agreement.
9. Rights of the Data Subjects
9.1. Online undertakes to reasonably cooperate with the Client in order to guarantee that requests from Data Subjects provided for under Data Protection Regulations to exercise their rights are met within the time limits and in accordance with the procedures laid down by law and, more generally, in order to ensure full compliance with the Data Protection Regulations. In this respect, Online undertakes to notify the Client of any request it receives from a Data Subject.
10. Disclosure and transfer of Personal Data
Online undertakes, in the context of the Processing covered by this Subcontracting Agreement, to:
- refrain from disseminating or disclosing the Personal Data to third parties, including possible Sub-processors, unless the applicable Regulations or the Agreement expressly provide for said dissemination or disclosure or unless the Client authorises it to do so in writing; and
- refrain from transmitting, disseminating or storing Personal Data to or in a non-EU country without the Client’s prior and express consent. In the event that Online is required to transfer Personal Data to a third country or international organisation under EU law or the law of the Member State to which it is subject, it must notify the Client of this prior to processing and provide proof of the mandatory nature of this obligation, unless the applicable law prohibits such notification for important reasons in the public interest.
11.1. Online shall provide the Client, at the latter's request, with any reasonably necessary documents so as to ensure that it is in compliance with the obligations arising from this Subcontracting Agreement.
11.2. Online acknowledges and accepts that the Client may, at its expense, have a trusted third party, recognised as an independent auditor of the Parties and appointed by Online, evaluate the organisational, technical and security measures adopted by Online in the context of the Processing of Personal Data under conditions to be defined by the parties and within the limits of maintaining the services and the confidentiality and the safety of the other customers.
The Client expressly acknowledges and accepts that Online will be compensated for Online's Processing activities carried out by it and its Sub-processors under this Subcontracting Agreement.
13. End of the Agreement
At the end of the Agreement for any reason whatsoever, Online shall immediately discontinue all Processing of the Personal Data and delete the Personal Data and any copies thereof, whether in electronic or paper format, from the computer systems, archives or any other place or device where they are stored, within ten days, except in cases where the storage of the Personal Data is required by applicable legislation, in which case such storage shall only be subject to the limits strictly laid down by such legislation. It is therefore the responsibility of the Client to ensure the retention of Personal Data prior to the termination of the Contract.