Annexes General Terms and Conditions of Sale
APPENDIX TO THE GENERAL CONDITIONS
This document is a schedule to JERING's General Terms and Conditions (the "Schedule") available at the following URL: https://www.episto.fr/annexeconditionsgenerales.
The Annex contains provisions relating to the processing of personal data collected during the Campaigns and of the Parties' personnel in accordance with the provisions of Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms.
All terms not defined in the Appendix shall have the meaning assigned to them in the General Conditions. Article 1 - Definitions
"Respondents' Personal Data" means all information relating to identified or identifiable Respondents that is collected by JERING from the CLIENT in the context of Campaigns for the CLIENT, including via a user account on a social network, including, without limitation, their surname, first name, gender, profile photograph on said social network, their socio-professional category, their identifier on the social network, excluding Campaign Data, whether or not such data is aggregated with other data, and regardless of the medium on which it is transmitted and/or stored.
"JERING's Personal Data" means any data relating to JERING's personnel, whether identified or identifiable, which are transmitted by JERING to the CLIENT in the context of the execution of the Purchase Order, including, without limitation, their names, e-mail and postal addresses, identification numbers, personal and/or professional telephone numbers, whether or not such data are aggregated with other data, and regardless of the medium on which they are transmitted and/or stored.
"CUSTOMER Personal Data" means any data relating to the CUSTOMER's personnel, whether identified or identifiable, which is transmitted by the CUSTOMER to JERING in the context of the execution of the Purchase Order, including, without limitation, their names, e-mail and postal addresses, identification numbers, user name and password for access to their user account, personal and/or professional telephone numbers, whether or not such data is aggregated with other data, and regardless of the medium on which it is transmitted and/or stored.
"Personal Data" refers collectively to Respondents', JERING's and CLIENT's Personal Data and Campaign Data.
"Applicable Law" means the French regulations applicable to personal data and in particular the law n°78-17 of January 6, 1978 relating to data processing, files and freedoms.
"Controller" means the person who determines the purposes and means of processing Personal Data.
"Subprocessor" means the entity that processes Personal Data on behalf of the Processor.
"Processing" means any operation or set of operations carried out or not by means of automated processes and applied to Personal Data, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction.
Article 2 - Description of the Treatments
2.1. Campaign Data. The Parties agree that they act as joint Processors with respect to the Campaign Data, and that the same belong to the CLIENT.
2.1.1. Processing by JERING. JERING collects Respondents' Personal Data during the organization of Campaigns, and then makes the Campaign Data available to the CLIENT for the Processing provided by the CLIENT. Exceptionally, JERING may transfer the Personal Data of Respondents who have consented to this transfer to the CLIENT for the purposes set out in the Order Form.
It is agreed between the Parties that JERING may process, or subcontract to third parties, Respondent Personal Data and Campaign Data to provide the Services, analyze Campaign Data and for statistical purposes of the Campaigns and Services provided by JERING in an anonymized manner and whether or not aggregated with other Campaigns.
The Parties agree that JERING is responsible for implementing the right of access, rectification, opposition and portability of Respondents' Personal Data. In this respect, JERING will transfer any request for the implementation of said rights to the CLIENT, and the CLIENT undertakes to process the requests within the deadlines set forth in Applicable Law.
2.1.2. Processing by the CLIENT. The CLIENT receives the Campaign Data, and the Personal Data of the Respondents where applicable, via the means made available by JERING for Processing in accordance with Applicable Law, the purposes of which are strictly determined and set out in the Order Form. The CUSTOMER acknowledges and accepts that the Respondents' consents are collected by JERING, and that the purpose of the Processing implemented by the CUSTOMER must be strictly determined in the Order Form. The Parties acknowledge and accept that the Personal Data of Respondents who have not consented to the Processing will not be transmitted to the CLIENT. The CUSTOMER guarantees JERING that it will not use the Campaign Data for any purpose other than that set out in the Order Form and will not transfer it to unauthorized third parties.
Under no circumstances will JERING be responsible for Respondents' Personal Data that has been collected directly by the CLIENT and/or sent directly to the CLIENT by a third party.
2.2. JERING's Personal Data. JERING determines the purposes and means of the processing of JERING's Personal Data in its capacity as Data Controller. JERING grants the CUSTOMER the limited, non-exclusive right, for the territory and duration specified in the Purchase Order, to use the Personal Data of JERING's Personnel in order to fulfill its obligations under the Purchase Order. This use is strictly limited to communicating with JERING personnel in connection with the use of the Service and the performance of the Purchase Order.
2.3. Personal Data of the CLIENT. The CLIENT determines the purposes and means of the processing of the CLIENT's Personal Data as the Data Controller. The CLIENT grants JERING the limited, non-exclusive right, for the territory and duration set forth in the Purchase Order, to use the CLIENT's Personal Data in order to fulfill its obligations under the Purchase Order, in particular to communicate with the CLIENT's personnel to provide the Services and to connect to the JERING platform via the CLIENT's dedicated account, if applicable.
2.4. Notwithstanding the foregoing, the Parties agree that a change of situation and/or of Applicable Law could imply that the qualification of a Party's role could evolve. In all cases, each Party undertakes to comply with the regulations in force applicable to the processing of Personal Data and, in particular, the Applicable Law. Each Party will be liable, under such legislation, for any act that results in a violation of the applicable legislation.
Article 3 - Obligation of the Parties
3.1 Common obligations. Each Party undertakes to process Personal Data only for the purposes defined in Article 2 of the Annex, in accordance with the instructions provided by the Controller and the provisions of Applicable Law, and guarantees the other Party in this respect. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risks, the degree of probability and seriousness of which varies, that the Processing presents for the rights and freedoms of natural persons, each Party shall implement, both at the time of determining the means of Processing and at the time of the Processing itself, appropriate technical and organizational measures, in particular by (i) limiting access to Personal Data to its employees who strictly need to have access to Personal Data, who have committed themselves in writing to respect the confidentiality and security of the Personal Data and who have received adequate training to handle data of this nature, (ii) implementing technical means to ensure the integrity and security of the systems and services operated to process the Personal Data and (iii) ensuring, when necessary, the pseudonymization and encryption of the Personal Data. The CLIENT undertakes to provide JERING with the identity of the CLIENT's personal data protection officer upon signature of the Order Form and/or upon request, and who may be contacted at any time. The CLIENT declares that it will keep a written record of all categories of Processing activities carried out under the Purchase Order, including all mandatory information as provided for by Applicable Law.
3.2 Obligations of the CLIENT. As an exception to Applicable Law, JERING acknowledges that the CLIENT may subcontract all or part of JERING's Personal Data Processing to third parties (the "Third Party") without its authorization. The services of the Third Parties are limited to online communication services such as e-mail and telephone. Under no circumstances shall the CLIENT make copies of JERING's Personal Data without its authorization.
The CUSTOMER undertakes to subcontract the Processing only to trusted Third Parties, that the contract concluded with the Third Party relating to the Processing contains provisions concerning the protection of Personal Data identical to those contained in the General Conditions and in accordance with Applicable Law, and that the Third Party acts strictly under its instructions.
The CLIENT undertakes and guarantees to JERING that under no circumstances will Personal Data be transferred outside the European Union.
3.3. Rights of the persons concerned. The CUSTOMER declares that it has made available to the persons concerned by the Processing for which it acts as Data Controller, a document informing them (i) of the Processing to which they are subject under the Order Form, (ii) of the existence of the transfers of Personal Data and the Processing carried out by the other Party under the General Conditions, and (iii) of the conditions for exercising their rights under the applicable legislation.
When a JERING staff member and/or Respondent makes a request to the CUSTOMER to exercise their rights, the CUSTOMER shall immediately send such requests by e-mail to JERING at the address provided by JERING and process such requests within the time limits set forth in the Applicable Law. The CUSTOMER shall inform JERING's staff and/or the User that their request has been forwarded to JERING, if applicable.
3.4. Notification of Personal Data breaches. The CLIENT undertakes to notify JERING within a maximum of forty-eight hours by e-mail and by registered letter with acknowledgement of receipt, of any potential or proven breach of Personal Data belonging to it. This notification will be accompanied by any useful information to enable JERING, if it is acting as a Data Controller, if necessary, to notify the competent supervisory authority and/or the persons concerned of this violation.
3.5. Destruction of Personal Data. The CUSTOMER undertakes to delete the Personal Data from its archives within the time limits prescribed by Applicable Law or at any time upon request by JERING following receipt of a request from a data subject in accordance with Applicable Law. The CUSTOMER shall promptly provide JERING with a written certificate confirming that the deletion has been carried out within this period upon written request by JERING. Article 4 - Indemnification The CUSTOMER undertakes to indemnify JERING against all damages, claims, costs and expenses, including attorney's fees, resulting from any claims and/or proceedings brought by a third party due to any breach by the CUSTOMER of its obligations and warranties as set out in the Annex.