1. Processing by NoDataNoBusiness as Data Controller
NoDataNoBusiness, in its relationship with the Client, is required to process, on its own behalf, personal data of employees, managers, subcontractors, agents and/or service providers of the Client.
In this context, these people will benefit from a right of access, rectification, deletion, portability, limitation, and opposition, by contacting NoDataNoBusiness directly. Client undertakes to inform its employees, managers, subcontractors, agents and/or service providers of the said rights.
2. Processing of End user data by NoDataNoBusiness
As part of the performance of the Agreement, NoDataNoBusiness is required to process End Users’ and third parties’ data.
NoDataNoBusiness acts in this capacity as a data processor, with the Client acting as the data controller for the collection and processing of said personal data.
As part of their contractual relationship, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, with the provisions of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms (hereinafter referred to as “Law No. 78-17”) as well as Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”).
Unless the consent of the relevant persons is obtained under the conditions provided for in accordance with the applicable law, these operations must not lead to the establishment of profiles likely to reveal sensitive data (racial or ethnic origins, philosophical, political, trade union or religious opinions, sex life or health of persons).
Upon request of the Client, NoDataNoBusiness performs collection and analysis of personal data of third parties (natural persons meeting the criteria defined by the Client for the purpose of performing the requested analysis) (hereinafter “Third Party”).
2.1. Description of the processing
NoDataNoBusiness is authorized to process on behalf of the Client the personal data of End Users and Third Parties necessary to provide the Services, for the following purposes:
- ensure the performance of the Agreement between NoDataNoBusiness and the Client;
- provide the Services to Client;
- allow End Users to access the Modules;
- allow End Users to use the features of the Modules;
- develop statistics;
- manage data subjects’ requests for rights such as the right of access, rectification, deletion, opposition, erasure, limitation, portability, and concerning the fate of personal data after the death of individuals.
In any case, the Client is required to inform NoDataNoBusiness in advance of any other processing envisaged and to ensure compliance with the regulations in force. In particular, the Client is required to conduct, if necessary, a privacy impact assessment of the planned processing on data protection in accordance with the conditions set out in Article 35 of the GDPR.
The personal data processed are or may be the following, if necessary for the purpose of the relevant processing:
For the End Users
- identification data (e.g., first name, last name, e-mail address);
- economic and financial information (e.g., billing address, company’s name, VAT number, bank account details);
- connection data (e.g., IP address, logs);
For the Third Parties
- identification data (e.g., last name(s), first name(s), date of birth, e-mail address);
- economic and financial information (e.g., income, financial situation, tax situation, bank account details);
- work-related data (e.g., education, career, location of employment, disciplinary measures);
- connection data (e.g., IP address, logs);
For the execution of the Services, the Client provides NoDataNoBusiness with the information guaranteeing compliance with the legal provisions in force and in particular the GDPR.
2.2. Commitments of the Client with regard to End Users’ data and Third Parties’ data
The Client undertakes, in the context of the performance of the Agreement, to:
- transmit via the Modules only data strictly necessary for the performance of the Services;
- provide all information required for the processing of the data to End Users and Third Parties (e.g., obligation to inform data subjects);
- document in writing any instruction concerning the processing of personal data by NoDataNoBusiness;
- comply with the provisions of Law No. 78-17, the GDPR and more generally with the regulations applicable in France;
- supervise the processing of personal data, including by conducting audits according to the modalities previously defined by mutual agreement with NoDataNoBusiness;
- obtain the consent of the persons concerned to the processing and/or transfer of their personal data;
- provide all relevant information to data subjects at the time of collection of the data.
NoDataNoBusiness shall not be liable for any breach by the Client of the applicable legislation except where the law expressly provides otherwise.
2.3. NoDataNoBusiness’ commitments regarding End User Data and Third Parties’ data
In accordance with Articles 28 and 32 of the GDPR, NoDataNoBusiness undertakes to:
- implement and maintain all useful measures and in particular appropriate technical and organizational measures, to preserve the security and confidentiality of the personal data entrusted to it by the Client for the provision of the Services, in order to prevent them from being distorted, altered, damaged, distributed or accessed by unauthorized persons;
- ensure that persons authorized to process personal data on its behalf, in addition to having received the necessary training in the protection of personal data, respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
- comply with the applicable legal provisions relating to the conditions of processing and/or the destination of the data communicated to it by the Client or to which it will have access in the context of the provision of the Services;
- act only on the documented instruction of the Client to perform the processing of the personal data concerned;
- use the personal information collected or to which it may have had access for the sole purpose of providing the Client with the Services;
- not use for purposes contrary to the Agreement the personal information collected or to which it may have had access in the context of the performance of the Agreement in accordance with the applicable legal provisions, and transfer it only to a third party indicated or authorized by the Client;
- not resell or transfer data that is strictly confidential;
- assist the Client, to the extent possible, through the implementation of appropriate technical and organizational measures, as well as to fulfil its obligation to comply with requests made by data subjects to exercise their rights of access, rectification, erasure, objection, limitation, and portability of data;
- assist the Client, to the extent possible and taking into account the information provided to it by the Client, in fulfilling its obligation to: (a) notify the supervisory authority of a personal data breach; (b) communicate a personal data breach to the data subject; (c) conduct a data protection impact assessment.
NoDataNoBusiness may use one or several subprocessors to conduct specific processing activities. In this case, it shall inform the Client in advance and in writing of any change envisaged concerning the addition or replacement of other subcontractors. The Client has a maximum of seven (7) days from the date of receipt of this information to present its observations.
The list of second-tier subcontractors as of the date of execution hereof is as follows: