Version in force on May 25, 2018
The purpose of this agreement is to define the conditions under which Sarbacane Software (hereinafter "Sarbacane Software" or the "Subcontractor") undertakes to perform on behalf of the user (hereinafter "User" or the "Data Controller "), the personal data processing operations defined below. Sarbacane Software and the User together are referred to as the "Parties" and individually as the "Party". This agreement terminates and replaces all conditions and prior agreements between the Parties with the same purpose.
In the context of this agreement, the User acts as a Data Controller and Sarbacane Software acts as a Subcontractor within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable as of 25 May, 2018 (hereinafter the "European Data Protection Regulation").
Sarbacane Software qualifies as a controller when it determines the purposes and means of its processing of personal data. This is particularly the case when it processes the contact details of a natural person (interlocutor of the user company) as part of a request for assistance. The measures implemented by Sarbacane Software in this context are detailed in a charter on the Jackmail website.
The Parties undertake to respect the regulations in force and applicable to the processing of personal data and, in particular, the European Data Protection Regulation.
Personal Data(s): refers to any information relating to an identified or identifiable natural person within the meaning of the European Data Protection Regulation, which the Subcontractor processes on behalf of the Data Controller. Personal Data Violation: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access to Personal Data transmitted, stored or otherwise processed. Processing: means any operation or set of operations performed on or to Personal Data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, broadcast or combination, restriction or deletion of Personal Data.
a. Types of Personal Data: Contact information, including email addresses,phone numbers, last name, first name, profession, gender, demographicinformation, preferences, location data, login details and any other type of datadetermined and controlled by the User in their sole discretion, in the context of itsuse and setting up services of Sarbacane Software.
b. Categories of data subjects: All categories of data subjects (naturalpersons) determined and controlled by the User in their sole discretion, namely:- Any person (customers, prospects, employees, subcontractors, suppliers, etc.)whose email address and/or telephone number is/are included in the Usersdistribution list; or recipient of any emailing/sms communication; or whoseinformation is stored or collected via the Services
c. Purpose and nature of the Processing: The subject of the Processing of Personal Data by the Subcontractor is the provision of the Services to the Data Controller, which involves the Processing of Personal Data and the performance of the Subcontractors obligations within the framework of the agreement, and of all conditions agreed between the Parties. The Subcontractor provides software for the creation, sending, automation and analysis of email and/or SMS campaigns, and supporting services. The services can include: the processing of recipient databases for sending electronic campaigns (email and/or SMS), the analysis of the behavior of recipients, the definition and implementation of a marketing communication strategy etc. Personal Data will be subject to processing activities as specified in the general conditions, the information agreed upon at the time of any order and if applicable, under any particular conditions.
d. Duration of Processing: Personal Data will be processed for the duration of the contractual relationship between the Parties.
3.1. Obligations of the User
The User is responsible for the Treatments made under the services subscribed. They are therefore solely responsible for the Personal Data that they use, provide and store through the services of Sarbacane Software. As such, the User is solely responsible for the obligations incumbent upon them as the Data Controller in view of the regulations in force applicable to the Processing of Personal Data and, in particular, the European Data Protection Regulation.
The User agrees to:
1. Provide Sarbacane Software with the personal data necessary to perform the services underwritten. They must be careful not to provide so-called sensitive data as defined by the regulations on the protection of personal data;
2. Document any instructions regarding the processing of Personal Data by Sarbacane Software. It is understood that the modalities of use of the services and the present agreement will be worth instruction addressed to Sarbacane Software as for the Treatment to be implemented. Additional or derogatory instructions require written agreement between the Parties. They must initially be specified in writing when ordering services and may, at any time, with the prior written consent of Sarbacane Software, be modified, supplemented or replaced at the request of the User, in separate written instructions;
3. Ensure, in advance and throughout the duration of the Processing, that Sarbacane Software complies with the requirements of the European Data Protection Regulation;
4. Supervise the Processing, including performing audits, inspections with
Sarbacane Software. As part of the performance of audits and inspections, the
User undertakes to inform Sarbacane Software of its decision to carry out an
audit or inspection with a minimum notice period of 15 days;
With regard to these audits/inspections, they undertake to (i) call on a qualified
staff or service provider; (ii) bear only the full costs of the audits/inspections; (iii)
perform audits/inspections only during working days and hours; (iv) confirm that
the purpose of these audits/inspections is: an analysis of compliance with this
Agreement and the regulations on the protection of personal data.
5. Take the necessary security measures for the protection of the Personal Dataincumbent on them in their capacity as the Data Controller and in particular toensure the confidentiality of their login and password of their access to theservices, to use passwords respecting the rules of good practice; to ensure thesecurity of the workstations and equipment from which its personnel and anyperson authorized by it, access the services notably by authenticating the usersby name, by revising the authorizations periodically, by ensuring the application ofthe patches and updates of systems, with anti-virus and firewall or the like keptup-to-date, favoring Wi-Fi networks using WPA2, WPA2_PSK or similarencryption, by favoring backups of its users data in adequate locations; byprotecting its premises, in particular by having anti-intrusion systems andperiodically tested access controls, differentiating the areas of premisesaccording to the risks (e.g. computer room), granting access to staff according tothe operational requirements according to the principle of least privilege; to usepeople trained and aware of the protection of personal data; etc.
6. To collect, in accordance with the European Data Protection Regulation and other applicable data protection rules, where necessary, any consent of the persons concerned by the proposed processing operations, and in any case, to ensure that the Treatment remains lawful.
It is also the responsibility of the User to provide the information to the persons concerned by the processing operations at the time of the collection of the Personal Data.
7. To respond to requests for the exercise of the rights of data subjects (right of access, rectification, deletion and opposition, limitation of processing, portability of data, not to be subject to an automated individual decision). And more generally, to respect their obligations imposed by the regulations in force and applicable to the processing of personal data and, in particular, the European Data Protection Regulation.
3.2 Obligations of the Subcontractor Sarbacane Software processes Personal Data only on the Users documented instructions in accordance with Article 3.1.2, unless obliged to do so by EU law or French law. If Sarbacane Software considers that an instruction constitutes a violation of the European Data Protection Regulation or any other provision of EU law or data protection law of the Member States, it shall immediately inform the User.
Sarbacane Software agrees to: - process Personal Data only for the purposes that are subcontracted. - take into account, with regard to its tools, products, applications orservices, the principles of data protection by design stage and data protection bydefault.
- not to transfer Personal Data to any country outside the EU/EEA or to anythird country not recognized by the European Commission as ensuring asufficient level of protection of personal data, without prior consent of the User."
In general, the Data Controller can, at any time, via the services, delete andexport any Personal Data. In all cases and unless otherwise instructed by theData Controller, the Personal Data will not be retained by the Subcontractor formore than six months from the termination, expiry, or early cancellation of theservice relating to the Processing of Personal Data, except or data to be retainedto meet a legal or regulatory obligation."
Security / Confidentiality / Data breach
Sarbacane Software implements the appropriate technical and organizationalmeasures to ensure that the Processing meets the requirements of the DataProtection Regulations. Sarbacane Software undertakes, among other things, totake all necessary measures to ensure the preservation and integrity of thePersonal Data and in order to avoid any misuse or fraudulent use of PersonalData, within the limits of its scope of intervention and the means under its controlfor and during the contractual relations. The User may, at any time, take note ofthese measures on the website.
Sarbacane Software undertakes to maintain the confidentiality of Personal Data,not to disclose it, in any form whatsoever, except (i) for the purposes of theexecution of the Services and the present agreement; (ii) pursuant to a legal orregulatory provision; (iii) to respond to requests for communications from judicialand/or administrative authorities; (iv) with the prior agreement or request of theUser. In this respect, Sarbacane Software ensures that the persons authorized toprocess Personal Data (personnel, partners, Sub-Subcontractors, etc.) undertaketo respect the confidentiality of the Personal Data or are subject to an appropriatelegal obligation to confidentiality.Sarbacane Software notifies the User of any Personal Data Violation within 48hours of becoming aware of it. This notification is accompanied by any usefuldocumentation to enable the User to fulfill their obligations.
Assistance
Whenever possible, given the nature of the Processing and the information at itsdisposal, Sarbacane Software commits to the User, and at the Users request:- to assist them in fulfilling their obligation to respond to requests for the exerciseof the rights of the persons concerned by the Processing, insofar as the Userdoes not have the information or the tools via the services. The User remainssolely responsible for the response provided to the persons concerned. In theevent of requests for the exercise of rights or complaints by persons concernedcoming directly to Sarbacane Software, Sarbacane Software undertakes toforward such requests as soon as possible to the User;
- assisting them to carry out impact assessments relating to the protection ofpersonal data, where the processing of this data is likely to create a high risk forthe rights and freedoms of the persons concerned, and for the realization of priorconsultation of the supervisory authority;
- assisting them in carrying out the notification to the supervisory authority, and if necessary to the data subject, in case of Personal Data Infringement in accordance with the section "Security, Confidentiality, Data breach »;
- to make available to the User all the information necessary to demonstratecompliance with the obligations provided for in the European Data ProtectionRegulation and to enable audits to be carried out, including inspections. Auditswill be conducted in accordance with the provisions of Article 3.1.4.
Subcontracting
"Sarbacane Software may use another subcontractor to conduct specific processing activities (hereinafter, ""Subcontractor(s)""), which the Data Controller agrees to. The list of current Subcontractors is available on the website.
Sarbacane Software undertakes to inform the User in advance and in writing,including electronic, of any change envisaged concerning the addition orreplacement of other Subcontractors. The User has a maximum of 15 calendardays from the date of sending this information to terminate the service or servicesin case of opposition. Failing to terminate within that period, the User will bedeemed to have accepted any change regarding the addition or replacement ofSubcontractors. In the event of termination, the User will receive a refund ofexpenses paid in advance but not used for the remaining period following theeffective date of termination, the latter acting upon receipt of notification bySarbacane Software. Any notice of termination in this context must be made tothe following address: dpo[at]jackmail.com »
- to make available to the User all the information necessary to demonstratecompliance with the obligations provided for in the European Data ProtectionRegulation and to enable audits to be carried out, including inspections. Auditswill be conducted in accordance with the provisions of Article 3.1.4.
"Sarbacane Software agrees to enter into a contract with each of itsSubcontractors, with the same obligations as those to which it is subject to inaccordance with the agreement. If the Subcontractor processes services outsidethe EU/EEA, this information is specified in the list above. Sarbacane Softwaremust ensure that the transfer is made in accordance with the standard contractualclauses approved by the European Commission for the transfer of Personal Data,that the User authorizes Sarbacane Software to conclude on its behalf and for itsaccount, or that other appropriate mechanisms for legal data transfer are applied.If the Subcontractor does not fulfill its data protection obligations, SarbacaneSoftware remains fully liable to the User.
If the Subcontractor Subsequent does not fulfill its data protection obligations,Sarbacane Software remains fully liable to the User." Processing Activity Categories Register Sarbacane Software declares to keep a written register of all categories ofprocessing activities performed on behalf of the User.
4. Supervisory authorities The Parties undertake to cooperate with the competent data protection authorities, particularly in the event of a request for information which may be sent to them, or in case of control.
5. Data Protection OfficerSarbacane Software declares that it has appointed a data protection officer whocan be reached at the following email address: dpo[at]jackmail.com or by mail atSarbacane Softwares head office. As soon as the User has a data protection officer, they undertake to send these details to Sarbacane Software Data Protection Officer.
6. Application of the general conditions This agreement supplements the general conditions applicable to the Services subscribed by the User. In the event of contradictions, this agreement takes precedence over these general conditions.
7. Modifications This Agreement may be amended at any time. All changes are published on the website of Sarbacane Software and are brought to the attention of the User through the website. It is the responsibility of the User to check the Site regularly
The User may terminate the Services without charge by registered letter with acknowledgment of receipt from Sarbacane Software within thirty days of theentry into force of these changes. Beyond this period, the User will be deemed to have accepted the changes. However, any modification resulting from the law or the regulations can not be considered as giving right to cancellation
