This Data Protection Agreement (hereinafter referred to as the “DPA”) is concluded between LoneLine and the Client who has accepted the LoneScale General Terms and Conditions (hereinafter referred to as the “General Conditions”), by subscribing to LoneScale.
The DPA will come into force on the same date as the General Conditions, and for the duration of the General Conditions.
LoneLine and the Client are hereafter collectively referred to as the “Parties” and individually as a “Party”.
In the course of the execution of the General Conditions, each of the Parties is required to process personal data in various ways.
By means of the DPA, the Parties wish to identify the said processing, the rules applicable to the latter and their respective roles with regard to the law applicable to the protection of personal data.
Unless otherwise expressly stated in the DPA, the terms “Personal Data”, “Data Subjects”, “Data Controller”, “Data Processor”, “Processing” and “Personal Data Breach” shall have the meaning provided for in the Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”).
In addition, it is stated that terms used in the DPA with a capital letter shall have the same meaning as in the General Conditions.
In addition, the following terms will have the following definitions in the DPA:
1.1 “Applicable Law on the Protection of Personal Data” shall mean all national, European and international laws, regulations and other standards applicable to the Processing concerned, including in particular the GDPR and any national laws of the Member States of the European Union adopted in addition to or in application of the provisions of the GDPR, as well as, where applicable, the national, European and international laws, regulations and other standards applicable to the Processing concerned;
1.2 “Data Transfer” shall mean any transfer of Personal Data to a person, entity or service of any kind located in a third country that does not benefit from an adequacy decision of the European Commission within the meaning of Article 45 of the GDPR, and/or any access to Personal Data by a person, entity or service of any kind located in such country.
The purpose of the DPA is to define the terms and conditions applicable to the Processing implemented during the execution of the General Conditions. This Processing is related to the use by the Client of LoneScale.
During the execution by the Client of the General Conditions, the following Processing may take place:
For the sole purpose of the execution of the General Conditions, the Client - as Data Controller - authorises LoneLine - as Data Processor - to carry out the Processing on his behalf, the modalities of which are more precisely described in Exhibit A.
5.1 Obligation of each Party
Each of the Parties undertakes to comply with all the legal obligations imposed on it pursuant to the Applicable Law on the Protection of Personal Data.
5.2 Obligations of the Client
As the person responsible for the Processing(s), the Client undertakes to ensure that the Processing(s) implemented is/are:
(i) carried out in a fair and lawful manner;
(ii) carried out for specific, explicit and legitimate purposes;
(iii) respecting the need to collect Personal Data that is (a) adequate, relevant and not excessive in relation to the purposes of the Processing(s), (b) accurate, complete and, where applicable, up to date;
(iv) on an adequate legal basis within the meaning of the GDPR.
In addition, the Client undertakes to comply with its obligation to inform the Data Subjects.
5.3 Obligations of LoneLine
5.3.1 Processing on documented instructions from the Client
LoneLine undertakes to process Personal Data only on the documented instructions of the Client, including in relation to Data Transfers, unless LoneLine is required to process such Personal Data under the law of the European Union or the law of a Member State of the European Union to which it is subject. In such a situation, LoneLine undertakes to inform the Client of this obligation to process Personal Data before proceeding with this Processing, unless the relevant law prohibits such information for important reasons of public interest.
The Parties expressly agree that the DPA, as well as the General Conditions, constitute documented instructions from the Client in the sense of the previous paragraph.
5.3.2 Assistance provided for the Client
In accordance with the Applicable Law on the Protection of Personal Data, LoneLine undertakes to fulfil its obligation(s):
(i) to assist the Client in responding to requests to exercise the rights of the Data Subjects and to comply, where appropriate, with such requests;
(ii) relating to the security of the Processing(s) implemented and the confidentiality of the Personal Data collected and processed;
(iii) to notify Personal Data Breaches;
(iv) to carry out prior impact studies and to consult, where necessary, the Supervisory Authorities prior to the implementation of a Processing.
5.3.3 Processing’s security
LoneLine commits itself to take and maintain all appropriate technical and organisational measures with regard to the risks presented by the concerned Processing in order to ensure an adequate level of security of the concerned Processing and to protect the Personal Data collected and processed in the framework of the implementation of the said Processing.
5.3.4 Confidentiality of Personal Data
LoneLine undertakes to implement procedures to ensure that any third-party to whom it allows access, to the extent permitted by the DPA, to the relevant Personal Data, including its employees, subcontractors and other partners, is bound by appropriate obligations of confidentiality in relation to the relevant Personal Data.
5.3.5 Right to audit
Within the limit of one (1) per year, the Client may carry out or have carried out, at his own expense, an audit of LoneLine in order to ensure that the latter complies with the stipulations of the DPA, in the situation where the Client notices that LoneLine does not comply with its commitments.
If the Client wishes to call upon a third-party to carry out the audit, this third-party shall not be a competitor of LoneLine and shall (i) be subject to confidentiality obligations at least as restrictive as those mentioned in the DPA or in the General Conditions; and (ii) respect the hygiene and security measures of LoneLine. The Client shall ensure that its auditors comply with the provisions of this article. The Client shall notify LoneLine in writing, with a minimum of fifteen (15) working days beforehand, of his decision to proceed with an audit, specifying its scope and its methods. The Client will try to conduct the audits in such a way as to cause the minimum of disturbances and interruptions to the activities of LoneLine. The audits can only be conducted during the working hours of LoneLine’s offices. LoneLine will endeavour to cooperate in the audit. If the duration and/or conduct of the audit affects the activities of LoneLine by extending beyond one (1) day, LoneLine may charge the Client for the costs incurred by LoneLine on the basis of the time spent by its employees and/or service providers to participate in the audit. If the audit affects the provision of the services, LoneLine will not be liable for any credit or responsibility whatsoever. The audit can only concern the last twelve (12) months of activity before the beginning of the audit. During the audit, the Client will not have access to (i) data or information about other clients and prospects of LoneLine, (ii) any internal data that LoneLine considers to be proprietary (e.g., cost structure, financial data, accounting information), or (iii) any other Confidential Information of LoneLine that is not directly and strictly relevant to the purpose of the audit.
All information disclosed or exchanged in the course of conducting an audit, as well as the results thereof, constitutes Confidential Information.
LoneLine can call upon another sub-processor to carry out specific processing activities. In this case, it shall inform the Client in advance and in writing of any changes envisaged concerning the addition or replacement of other sub-processors. The Client has a maximum of seven (7) days from the date of receipt of this information to present its objections.
5.3.7 Deletion/restitution of Personal Data
LoneLine commits itself, at the end of the General Conditions, to proceed to the definitive and irreversible deletion of all the Personal Data still in its possession or to return all the Personal Data to the Client.
In the absence of documented instructions from the Client, LoneLine will prioritize the deletion of the Personal Data concerned, according to the previous paragraph.
5.3.8 Warning to the Client
In case LoneLine considers that a documented instruction of the Client concerning the entrusted Processing could be considered as illicit with regard to the Applicable Law on the Protection of Personal Data, or could lead to a breach or violation of the latter, LoneLine undertakes to inform the Client.
In the event of a conflict between the provisions of the DPA and the General Conditions, the Parties agree that the former shall prevail.