Appendices General Terms and Conditions of Sale

APPENDIX TO THE GENERAL TERMS AND CONDITIONS 

This document is an appendix to JERING's General Terms and Conditions (the "Appendix") available at the following URL: https://www.episto.fr/annexeconditionsgenerales.

‍

The Appendix provides provisions regarding the processing of personal data collected during Campaigns and concerning the personnel of the Parties, in accordance with the provisions of Law No. 78-17 of January 6, 1978, relating to data processing, files, and freedoms.

‍

All terms not defined in the Appendix shall have the meaning ascribed to them in the General Terms and Conditions. Article 1 – Definitions

"Respondent Personal Data" refers to all information relating to identified or identifiable Respondents collected by JERING for the CLIENT within the scope of Campaigns for the CLIENT, including via a user account on a social network, notably, without limitation, their first name, last name, gender, profile picture on the said social network, their socio-professional category, their social network identifier, excluding Campaign Data, whether such data is aggregated or not with other data, and regardless of the medium on which it is transmitted and/or stored.

‍

"JERING Personal Data" refers to any data relating to JERING's personnel, whether identified or identifiable, that is transmitted by JERING to the CLIENT in connection with the execution of the Purchase Order, including, but not limited to, their names, email and postal addresses, identification numbers, personal and/or professional phone numbers, whether or not such data is aggregated with other data, and regardless of the medium on which it is transmitted and/or stored.

‍

"CLIENT Personal Data" refers to any data relating to the CLIENT's personnel, whether identified or identifiable, that is transmitted by the CLIENT to JERING in connection with the execution of the Purchase Order, including, but not limited to, their names, email and postal addresses, identification numbers, username and password for accessing their user account, personal and/or professional phone numbers, whether or not such data is aggregated with other data, and regardless of the medium on which it is transmitted and/or stored.

‍

"Personal Data" collectively refers to Respondent, JERING, and CLIENT Personal Data, and Campaign Data.

‍

"Applicable Law" refers to French regulations applicable to personal data, including, but not limited to, Law No. 78-17 of January 6, 1978, relating to data processing, files, and freedoms. 

‍

"Data Controller" means the person who determines the purposes and means of the processing of Personal Data.

‍

"Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.

‍

"Processing" means any operation or set of operations, whether or not performed by automated means, applied to Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

‍

Article 2 - Description of Processing Activities

2.1. Campaign Data. The Parties agree that they act as joint Data Controllers with respect to Campaign Data, and that this data belongs to the CLIENT.

2.1.1. Processing by JERING. JERING collects Respondent Personal Data during the organization of Campaigns and then makes the Campaign Data available to the CLIENT for processing as intended by the CLIENT. Exceptionally, JERING may transfer the Personal Data of Respondents who have consented to such transfer, to the CLIENT for the purposes specified in the Purchase Order.

It is understood between the Parties that JERING may carry out, or subcontract to third parties, the processing of Respondent Personal Data and Campaign Data to provide the Services, analyze Campaign Data, and for statistical purposes related to Campaigns and Services provided by JERING, whether anonymized and aggregated with other Campaigns or not.

The Parties agree that JERING is responsible for implementing the right to access, rectification, objection, and portability of Respondent Personal Data. In this regard, JERING shall transfer any request for the exercise of said rights to the CLIENT, and the CLIENT undertakes to process such requests within the timeframes stipulated by the Applicable Law.

2.1.2. Processing by the CLIENT. The CLIENT receives the Campaign Data, and Respondent Personal Data where applicable, through the means made available by JERING for Processing in accordance with the Applicable Law, the purposes of which are strictly defined and stipulated in the Purchase Order. The CLIENT acknowledges and accepts that Respondent consents are collected by JERING; therefore, the purpose of the Processing carried out by the CLIENT must be strictly defined in the Purchase Order. The Parties acknowledge and accept that Personal Data of Respondents who have not consented to the Processing will not be transmitted to the CLIENT. The CLIENT guarantees JERING not to use the Campaign Data for any purpose other than that stipulated in the Purchase Order and not to transfer them to unauthorized third parties.

Under no circumstances shall JERING be responsible for Respondent Personal Data that may have been collected directly by the CLIENT, and/or sent directly to the CLIENT by a third party, and JERING's liability cannot be invoked in this respect.

2.2. JERING Personal Data. JERING determines the purposes and means of processing JERING Personal Data as a Data Controller. JERING grants the CLIENT a limited, non-exclusive right, for the territory and duration specified in the Purchase Order, to use the Personal Data of JERING's personnel to fulfill its obligations under the Purchase Order. This use is strictly limited to communication purposes with JERING's personnel in connection with the use of the Service and the execution of the Purchase Order.

2.3. CLIENT Personal Data. The CLIENT determines the purposes and means of processing CLIENT Personal Data as a Data Controller. The CLIENT grants JERING a limited, non-exclusive right, for the territory and duration specified in the Purchase Order, to use the CLIENT Personal Data to fulfill its obligations under the Purchase Order, including communicating with the CLIENT's personnel to provide the Services and to connect to JERING's platform via the CLIENT's dedicated account, where applicable.

2.4. Notwithstanding the foregoing, the Parties agree that a change in circumstances and/or Applicable Law could imply that the qualification of a Party's role might evolve. In all cases, each Party undertakes to comply with the current regulations applicable to the processing of Personal Data and, in particular, the Applicable Law. Each Party shall be responsible, under this legislation, for any act resulting in a violation of the current legislation.

Article 3 - Obligations of the Parties

3.1. Common Obligations. Each Party undertakes to process Personal Data solely for the purposes defined in Article 2 of the Annex, in accordance with the instructions provided by the Data Controller and the provisions of the Applicable Law, and guarantees the other Party in this respect. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons posed by the Processing, each Party shall implement appropriate technical and organizational measures, both at the time of determining the means of Processing and at the time of the Processing itself, including (i) limiting access to Personal Data to only those employees who strictly need access to Personal Data, who have committed in writing to respect the confidentiality and security of Personal Data, and who have received adequate training to process data of this nature, (ii) implementing technical means to ensure the integrity and security of the systems and services operated for the Processing of Personal Data, and (iii) ensuring, where necessary, the pseudonymization and encryption of Personal Data. The CLIENT undertakes to transmit to JERING the identity of the CLIENT's data protection officer upon signing the Purchase Order and/or upon request, and who can be contacted at any time. The CLIENT declares to maintain a written record of all categories of Processing activities carried out under the Purchase Order, including all mandatory information as provided by the Applicable Law.

3.2. CLIENT Obligations. By way of exception to the Applicable Law, JERING acknowledges that the CLIENT may subcontract all or part of the Processing of JERING Personal Data to third parties (the "Third Party") without its authorization. The Third Parties' services are limited to online communication services, including email and telephone. Under no circumstances shall the CLIENT make copies of JERING Personal Data without its authorization.

The CLIENT undertakes to subcontract Processing only with trusted Third Parties, to ensure that the contract concluded with the Third Party concerning the Processing contains provisions regarding the protection of Personal Data identical to those contained in the General Terms and Conditions and compliant with the Applicable Law, and that the Third Party acts strictly under its instructions.

The CLIENT undertakes and guarantees to JERING that under no circumstances will Personal Data be transferred outside the European Union.

3.3. Rights of Data Subjects. The CLIENT declares to have made available to the data subjects concerned by the Processing activities for which it acts as Data Controller, a document informing them (i) of the Processing activities they are subject to under the Purchase Order, (ii) of the existence of Personal Data transfers and Processing activities carried out by the other Party within the framework of the General Terms and Conditions, and (iii) of the conditions for exercising their rights as per the applicable legislation.

When a member of JERING's personnel and/or a Respondent submits a request to exercise their rights to the CLIENT, the CLIENT must immediately forward such requests by email to JERING at the address communicated by JERING and process such requests within the timeframes stipulated by the Applicable Law. The CLIENT must inform JERING's personnel and/or the User that their request has been transmitted to JERING, where applicable.

3.4. Notification of Personal Data Breaches. The CLIENT undertakes to notify JERING within a maximum period of forty-eight hours, by email and registered letter with acknowledgment of receipt, of any potential or actual breach of Personal Data belonging to it. This notification shall be accompanied by all useful information to enable JERING, if acting as a Data Controller, where necessary, to notify this breach to the competent supervisory authority and/or the data subjects concerned.

3.5. Destruction of Personal Data. The CLIENT undertakes to delete Personal Data from its archives within the deadlines prescribed by Applicable Law or at any time upon JERING's request following the receipt of a data subject's request in accordance with Applicable Law. The CLIENT performing the deletion undertakes to transmit to JERING, as soon as possible upon JERING's written request, a written certificate confirming that this deletion was carried out within that period. Article 4 – Indemnification The CLIENT undertakes to indemnify JERING against all damages, claims, necessary costs, and expenses, including attorney's fees, resulting from any complaint and/or proceedings initiated by a third party due to any breach by the CLIENT of its obligations and warranties defined in the Appendix.

‍