General
Condition of Services
______
This agreement applies to all order of the
Solution and Service made with the Technical and Commercial Offer unless the
Provider and Beneficiary (as defined below) have entered into a separate
written agreement that applies to the Beneficiary’s order, in which case, the
separate written agreement governs the Beneficiary’s purchase order.
The Provider and the Beneficiary may
collectively be referred to as the “Parties”
or individually as a “Party”.
As a member of the Engie Group, the
Provider is dedicated to assisting private and public organizations with
digital transformation, notably but not exclusively through the development of
solutions, including software solutions (including solution on a Software as a
Service mode), and the performance of specific services. ENGIE Digital is a
secondary establishment of Engie Information & Technologies.
The present Agreement specifies the
general terms of sale which apply to order of the Solution and Service.
Beneficiary will also be bound by Particular Conditions of Services depending
on the Solution and Service designated in the Technical and Commercial Offer. Particular Conditions of Services will describe all the
specific terms of the platform and its associated services.
The Beneficiary acknowledges and declares
having received from the Provider, read and understood in due time, all the
relevant information regarding the solution and Services covered by this
Agreement, and being fully informed of his obligations regarding the
performance of this Agreement and any applicable sectoral regulation.
This Agreement, including its Appendixes
and Schedules, is effective as of the date specified in the first applicable Technical
and Commercial Offer.
As used in this Agreement, the following
terms shall have the respective meanings indicated below:
“Affiliates”
means any entity controlled by Engie SA as defined by articles L. 233-1 et
seq. of the French Commercial Code.
“Agreement” means in aggregate, the
present General Conditions of Service, the Particular Conditions of Services,
the Technical and Commercial Offer proposed by the Provider and validated by
the Beneficiary.
“Data Protection Laws” means any present
or future EU or local data protection or privacy laws or regulation that might
be applicable to the Parties in the course of
performance of the present Agreement (including the GDPR and the French Data
Protection Act). In this Agreement, the terms in relation with privacy laws not
defined shall have the meanings and otherwise be interpreted in accordance with
applicable Data Protection Laws.
“Beneficiary” means the legal entity
designated in the Technical and Commercial Offer and which will benefit from
the Provider’s Solution and/or Service.
“Business Day” means, except otherwise
provided on the Agreement, any day other than Saturday, Sunday or a bank or
public holiday.
“Confidential Information” means any and all non-public information of whatever nature,
whether technical, legal, commercial or financial to be treated as confidential
in accordance with the terms of Clause 9 hereafter.
“Data” means any and all
data (including Beneficiary’s clients Data), information or material collected,
processed or interoperated with the Solution or in the course of performance of
the Service. Such data may be raw or derived, may be comprised of proprietary,
purchased or licensed-in data, including text, audio, video, photography and
other graphics or imagery, and any other information, and data produced or used
within the Solution or for the purpose of the Service.
“Data processing description” means the
template in annex to the Particular Conditions of Services that describe the
data processing operations performed in relation to the Agreement, Solution, or
Services.
“Duration” means the term of the
Agreement, as set forth below in Clause 5, including the initial period and the
subsequent renewal periods.
“Effective
Date” means the date upon which the Agreement is effective between the Parties,
as stated in the applicable Technical and Commercial Offer.
“Group” means the Engie Group.
“Intellectual Property Rights” mean any
copyright and neighboring rights, trademarks, tradenames or denominations,
patents, utility models, inventions, business names and domain names, goodwill,
design rights, logos, database rights, know-how and trade secrets (including
algorithms), documentation, code (source and object), software components, tree
structure and all or any other intellectual property rights, in each case
whether registered or unregistered and including all applications and rights to
apply for and be granted, renewals or extensions of, and rights to claim
priority from, such rights and all similar or equivalent rights or forms of
protection which subsist or will subsist now or in the future worldwide.
“Particular Conditions of Services” means
the particular terms and conditions governing the relationship between the Parties, and related to the provisions of the Solution and
Service.
“Provider”
means the legal entity designated in the Purchase Order and the Technical and
Commercial Offer and providing the Solution and/or Service to the Beneficiary.
The Provider refers to ENGIE Digital, secondary establishment of ENGIE
Information & Technologies a société anonyme, with a capital of 5 025 000
Euros, registered with the Companies and Commercial Registry of Bobigny, under the number 340 793 959, having its
registered office 14-16 rue Touzet Gaillard, 93400
Saint-Ouen, France.
“Purchase
Order” means the documents for placing orders pursuant to this Agreement that
are entered into between the Parties from time to time, including addenda and
supplements thereto. This Purchase Order have to reference the Technical and Commercial Offer of
the Provider. The Purchase Order will only be informative.
“Remuneration” mean
the compensation paid by the Beneficiary to the Provider in exchange for the
Solution and Services. The amount, calculation method and details of the
Remuneration are provided within the Technical and Commercial Offer, the
Particular Conditions of Services.
“Solution” and/or “Service” whether
together or separately means the Solution(s) and Service(s) designated in the
Technical and Commercial Offer and selected by the Beneficiary among the whole
of Engie Digital’s Hardware and/or Software solutions and services offering.
The functions and legal terms applicable to the purchase of such solution(s)
and service(s) by the Beneficiary will be specified in the Particular
Conditions of Services.
“Specific Development” refers to any works
made by the Provider and/or subcontracted by the Provider specially for the
Beneficiary (excluding e.g the Solution and Service),
carried out in the context of and for the requirements of the Agreement,
involving the development and/or the implementation of computer programs for
the requirements of the Solution and any associated documentation (including
the preparatory design material).
“Technical
and Commercial Offer” or “Offer” : means the documents referencing the financial and
technical proposal of the Provider which will be deemed to reference the
Agreement.
“Third
Party Materials” means any third party solutions,
products, services or component part thereof provided by third party entities
or individuals other than the Provider (including but not limited to online
applications, offline software products and related services) and that
interoperate with the Solution or Service. For the sake of clarity, the term
Third Party Materials does not refer to third-party software components, if
any, incorporated into the Solution by the Provider.
The present Agreement aims at describing
the legal and financial conditions by which the Provider provides the Solution
and Service to the Beneficiary, and Beneficiary hereby accepts, in exchange for
valuable considerations as defined in Clause 6 and including Remuneration.
The Provider’s duties include the
provision of the Solution and Service as the Beneficiary may select in the
Purchase Order referencing a Technical and Commercial Offer issue by the
Provider and in accordance with the provisions of the Particular Conditions of
Services. The issue of a Purchase Order is a condition for the issue of the
invoice and the start of the corresponding Service.
The nature and technical details of the
Solution and Service designated in the Technical and Commercial Offer are
specified in the Particular Conditions of Services.
The Agreement takes effect from the
Effective Date for an initial period specified in the Technical and Commercial
Offer (hereinafter referred to as “Initial
Period”) and be tacitly renewed
(hereinafter referred to as “Renewal
Period”) for one year each year except otherwise stipulated on the
Agreement.
In consideration of the Solution and
Service provided by the Provider pursuant to the present Agreement, the
Beneficiary agrees to pay the Provider Remuneration in the amount provided in
the Particular Conditions of Services. The Provider Remuneration could be
modified unilaterally by the Provider for the duration of the Agreement after
prior notice to the Beneficiary thirty (30) days before this modification. During
this period the Beneficiary may object this modification and find an agreement
with the Provider. At the end of this thirty (30) days
period, the Beneficiary will have the possibility to terminate the Agreement
within thirty (30) days after the entering into force of the Remuneration
modification.
The Subscription Remuneration detailed
under the Particular Conditions of Services are the same for all
of the Affiliates for the Services provided by the Provider for
comparable situation and transaction.
The Beneficiary agrees to pay the Remuneration
agreed between the Parties as set out above.
Conditions for the issuance of Invoice(s)
will be specified in the Particular Conditions of Services duly taking into account the regulation of the relevant
jurisdiction and the relation between Provider and Beneficiary. All invoices
for any charges under this Agreement including the Remuneration are due and
payable within sixty (60) days of the date of the invoice.
All amount to be paid by the Beneficiary
pursuant to this Agreement shall be paid in the currency in which it is
invoiced depending on the regulations of the relevant jurisdictions. Unless
otherwise agreed by the Parties, the invoicing currency will be euros (EUR)
excluding VAT or any other taxes.
The Beneficiary shall pay the
consideration due, by way of bank transfer or by whichever other means approved
by the Provider and in compliance with the relevant fiscal regulations in force
at the time, within the terms agreed with the Provider.
All payments to be made under this
Agreement shall be made in cleared funds, without any deduction or set-off and
free and clear of and without deduction for or on account of any taxes (e.g.
VAT, GST, Corporate Income Tax, etc.), levies, imports, duties, charges, fees
and withholdings of any nature now or hereafter imposed by any governmental,
fiscal or other authority save as required by law. If the Beneficiary to this
Agreement is compelled to make any such deduction, it will pay to the
Beneficiary such additional amounts as are necessary to ensure receipt by the
Beneficiary of the full amount which that party would have received but for the
deduction.
All withholding taxes and other taxes
applicable on the Remuneration payment and required to be withheld from such
payment shall be withheld and paid by the Beneficiary to the appropriate tax
authorities. Promptly after each such tax payment, the Beneficiary shall
forward to the Provider the official tax receipts or other evidences
issued by the pertinent tax authority so as to enable the Provider to support a
claim for tax credit, where possible.
All of the relevant expenses and taxes,
including registration, shall be to the charge of the Party with intention of
use.
If the Beneficiary believes that any
specific charge under this Agreement is incorrect, the Beneficiary shall first
pay the non-contestable amount, and notify the
Provider in writing within a reasonable time and no more than ten (10) days of
invoice date (unless otherwise specified in the Purchase Order or under
applicable public policy and mandatory rules) setting forth the nature and
amount of the requested correction. Following expiry of this delay of notice,
invoices will be considered final.
Should the Service require mobility and
travel on the part of Provider’s employee, any incurred expenses (including
living expenses and housing) will be charged according to the ENGIE Group
Travel Policy.
Where the case may be and in addition to
other applicable remedies, the Provider reserves its right to suspend and/or
terminate the Beneficiary’s access to the Solution, to terminate the
performance of the Service and/or the Agreement, upon reasonable notice, if
Beneficiary’s account falls into arrears.
The Beneficiary will be charged all
applicable Remuneration, during any period of suspension.
Unpaid invoices are subject, for the
defaulting Party to:
I.
the
legal fixed indemnity of 40 Euros for recovery costs, in accordance with
Articles L. 441-6 and D441-5 of the French Commercial Code or any other legal
fixed indemnity under applicable public policy and mandatory rules.
II.
Where
the recovery costs incurred exceed the amount of this fixed indemnity, the
creditor may request additional compensation, upon justification;
III.
additional
costs that would be necessary for the recovery of the claim;
IV.
Where
applicable depending on local regulation, a non-dischargeable late payment
interest at a rate equal to 3 times (three times) the French legal interest
rate in force, recorded in days from the first day of delay on the due date of
the invoice until the date of actual payment.
V.
The
possibility to suspend the related Services by the Provider until unpaid
invoices are fully paid..
Payment obligations listed in Clause 6 are non-cancellable and Remuneration paid
by the Beneficiary to the Provider are non-refundable, except expressly
provided in this Agreement or otherwise agreed between the Parties.
The provisions of this Clause 8 shall survive the termination of the Agreement in respect of the Provider’s accrued rights.
The Provider’s name, logo, and the product
names associated with the Solution and Service are denomination, trademarks
and/or copyrighted material of the Provider, and may not be used without
Provider’s prior written consent.
Each Party shall remain the owner or
holder of rights over any document as well as intellectual property rights and
particularly patents, trademarks, literary and artistic property, including any
expertise and knowledge that it possesses at the time when the Technical and
Commercial Offer is signed or approved via a valid Purchase Order or for which
it has a user subscription.
The Provider is the sole owner of the
Solution and/or has full power and authority to grant the rights to use and/or
distribute all Intellectual Property Rights over (i)
the Solution, and (ii) Intellectual Property necessary to the performance of
the Service. The specifications about
these rights will be specified under the Particular Conditions of Services.
Except otherwise stipulated on the Technical and Commercial Offer, the Provider
will have all ownership rights and title over the Specific Development.
The Provider encourages the Beneficiary to
provide suggestions, ideas, recommendations, or other feedback regarding
improvements to the Solution. To the extent the Beneficiary provides such
feedback, it grants to the Provider a royalty-free, fully paid, sub-licensable,
transferable, non-exclusive, irrevocable, worldwide right and license to make,
use, sell, offer for sale, import, and otherwise exploit feedback without
restriction, for the whole duration of the intellectual property rights on such
feedback.
Terms governing the property and
restriction of use of any Intellectual Property related to (i)
the use of the Solution or generated hereby, such as data analysis
functionalities, aggregated and statistical Data derived from the use of the
Solution, and (iii) any Intellectual Property generated during the performance
of this Agreement will be specified in the Particular Conditions of Services on
a case by case basis.
The Intellectual Property Rights used by
the Provider may include, at its own discretion, open source
software module from third-party suppliers. These third party
modules are distributed with the Solution and may be an integral part of it or
may be relied on for the performance of the Service.
The Provider will deliver at the earlier
of a date requested by Beneficiary or prior to its first access of the Solution
and/or the performance of the Service all documentation owned or licensable by
the Provider that is required to provide and/or operate the Solution and
Service. This include, by way of example, a list of any third
party software module subject to open source licenses and the licences under which they are distributed.
The means of communication of such
document will be specified in the Particular Conditions of Services. The
Provider will promptly deliver any and all updates to
the Beneficiary.
The Beneficiary shall comply with the licences and distribution terms applicable to those third party software modules. Any use of the latter made
available by the Provider, whether independently or via the Solution and
Service, implies unconditional acceptance of the terms of the applicable
license terms.
The Beneficiary undertakes not to contest
the validity or the ownership of all or part of the Intellectual Property
Rights, and undertakes not to infringe in any way whatsoever, directly or
indirectly, any of these Intellectual Property Rights.
The Beneficiary shall not copy (except for
electronic distribution), adapt, translate, reverse engineer or modify
Provider’s Intellectual Property Rights on the Solution without its prior
written consent and shall not use Provider’s Intellectual Property Rights for
any other purpose not specifically described in the present Agreement, as well
as the Particular
Conditions of Services.
It is expressly understood that no title
to, or ownership of the Intellectual Property Rights in the Solution and
Service or any part thereof is hereby transferred to the Beneficiary.
Unless otherwise specified in the
Particular Conditions of Services the Beneficiary may not directly or
indirectly: (i) design or build a competitive
Solution and Service, (ii) design or build a solution or service using similar
features, functions or graphics as that of the Solution and Service, (iii) copy
any features, functions or graphics of the Solution and Service for commercial
purposes, except as otherwise provided in this Agreement.
The Beneficiary shall not delete any
markings or declaration relating to any Intellectual Property Rights vested in
the Provider or any other notices, legends, or information relating to the
protection and/or ownership of the Intellectual Property Rights in the Solution or the related documentation provided by the
Provider.
The Beneficiary undertakes to ensure that
equivalent obligations to those imposed on the Beneficiary with regards to the
Intellectual Property Rights within this paragraph will be included in the
Agreement with a final client.
The Beneficiary or third parties may from
time to time make available to its Beneficiaries into or with the Solution
third-party products or services, including but not limited to Third Party
Materials and implementation, customization and other consulting services.
The Provider does not warrant or support
Third Party Materials except as clearly stated in the Commercial and Technical
Offer.
Where installing or enabling Third Party
Materials with or into the Solution, the Beneficiary acknowledges that the
Provider may have to use third party intellectual property right and allow
suppliers of those Third Party Materials to access its
Beneficiary’s Data as required for the interoperation of such Third Party
Materials with the Solution. Therefore, the Beneficiary agrees:
I.
to
obtain appropriate royalty-free license to interoperate, process, and use Third
Party Materials as part of the Solution, in the extent necessary to serve the
Services.
II.
that
the Provider shall not be responsible for any disclosure, modification or
deletion of any Data
(including Beneficiary Data) resulting from any such access by Third Party
Materials. [The User Environment shall allow Beneficiaries to restrict such
access by restricting Beneficiaries users from installing or enabling such Third Party Materials for use into the Solution].
The Provider shall have the limited right
to use the Data to provide and improve the Solution or the Services in
accordance with this Agreement and to transmit such Data to any entity of the
Engie Group for statistical and analytical purposes. The Beneficiary shall obtain such rights regarding the Data for the
Provider.
In this regard, the Beneficiary undertakes to arrange all consents and
approvals that are necessary for the Provider to access the Data, use the Data
and information about the Beneficiary, about Beneficiary’s clients plant and
equipment and about Beneficiary’s end users use of the Solution to generate anonymised or aggregated statistical and analytical data
(hereinafter referred in this Clause as “Analytical Data”), use Analytical Data
for the Provider’s internal research and product development purposes (except
otherwise stipulated on the Particular Conditions of Services), to conduct
statistical analysis and identify trends and insights and to deliver the
Solution or Services,
The Provider’s rights under this Clause 8.5 shall survive termination of expiry of
the Agreement, and all potential Intellectual Property Rights in Analytical
Data is and remains the Provider’s property
Each Party (the “Receiving Party”) shall neither
disclose to third parties, nor use for any purpose other than for the proper
fulfilment of the purpose of the Agreement any and all information of whatever
nature, data, processes, management rules, whether of a technical, legal,
commercial, business or financial nature belonging to, or received from, the
other Party (the “Disclosing Party”),
in whatever form under or in connection with the Agreement without the
prior written permission of the Disclosing Party.
Shall not be considered as
Confidential Information, any information which:
I.
now
or hereafter enters the public domain through no fault of the Receiving Party;
II.
has
been possessed by the Receiving Party prior to the disclosure and which has not
been obtained directly or indirectly under a confidentiality obligation;
III.
has
been communicated lawfully and without restriction to the Receiving Party by
third party that is not under any obligation to keep such information confidential ;
IV.
are
Analytical Data except if these Data are listed as confidential by the Parties
on the Technical and Commercial Offer.
Each Party shall further be
entitled to disclose Confidential Information, to the extent reasonably
required, to:
I.
its
employees, Affiliates, subcontractors and clients (provided that they are
themselves bound by and comply with obligations of confidentiality no less
stringent than those set out in this Agreement) needing the Confidential
Information of relation to the provision and improvement of the Solution and Service ;
II.
its lawyers, accountants, advisors, directors, investors, owners
(provided that they are themselves bound by and comply with obligations of
confidentiality no less stringent than those set out in this Agreement);
III.
to judicial or regulatory body (provided always that, where
reasonably practicable and without breaching any legal or regulatory
requirements, the Party disclosing the Confidential Information of the other
Party shall inform such other Party of such disclosure in a reasonable period of time before such disclosure actually takes place).
Without prejudice to the
above, each Party shall limit access to Confidential Information to those of
its employees for whom such access is strictly necessary for the proper
performance and improvement of the Solution and Service (except otherwise
stipulated under the Agreement and particularly under 8.6) and shall keep such
Confidential Information confidential, using at the very least, the same degree
of care (but no less than a reasonable degree of care) as it applies with
respect to the protection of its own Confidential Information.
Each Party’s employees must
only use the Confidential Information for the purpose of and during
the course of their employment. Each Party shall (without limiting
either Party’s rights under this Agreement or at law) promptly notify the other
Party of any unauthorized possession, use or knowledge, or attempt thereof, of
the other Party’s Confidential Information by any third party of which it
becomes aware.
The Parties’ obligations under
this Clause 9 shall remain in force for the
duration of the Service mentioned in the Technical and Commercial
Offer and three years after the termination or expiration of the Technical and
Commercial Offers.
Each Party warrants to the other Party
that:
I.
such
Party is a business duly incorporated, validly existing, and in good standing
under the laws of its jurisdiction of incorporation;
II.
such
Party has all requisite corporate power, financial capacity, and authority to
execute, deliver, and perform its obligations under this Agreement;
III.
the
execution, delivery, and performance of this Agreement constitutes the legal,
valid, and binding agreement of such party;
IV.
no
consent, approval or withholding of objection is required from any entity,
including any governmental authority, with respect to such party’s entering
into this Agreement.
The Provider shall have no liability of
any kind whatsoever with respect to any claim, action or proceeding of
infringement of Intellectual Property Rights to the extent that such claim,
action or proceeding (in whole or in part) exclusively arise out of or in
connection with:
I.
the
combination by Beneficiary of any or all of Provider’s Solution and Service
with any Third Party Materials not edited nor supplied
by Provider;
II.
the
incorporation of any content or intelligence information acquired by
Beneficiary, into the infringing element provided such claim, action or
proceeding is directly related to such incorporation and such claim, action or
proceeding would not have been made but for such incorporation.
The Beneficiary shall (i)
be responsible for the use of the Provider’s Solution and Service; (ii) be
responsible for the accuracy, quality and legality of the Data processed in the course of performance of this Agreement and of the
means by which it was acquired.
The Beneficiary hereby guarantees the
Provider against all violations of the present Agreement, arising from any act
or omission of any advisor, consultant or freelancer engaged by the
Beneficiary. Any such advisor, consultant or freelancer may only use the
Solution and Service in accordance with the terms of the Agreement.
Except as otherwise specifically set forth
in this Agreement, the Solution and the Service are provided “as is” and
without any representations, warranties and/or conditions of any kind.
Each Party and its clients and/or
subcontractors make no other representations and give no other warranties or
conditions, express, implied, statutory, or otherwise regarding the solution
and services provided under this Agreement and each party specifically
disclaims any and all implied representations, warranties and/or conditions of
merchantability, merchantable quality, non-infringement, durability, title and
fitness for a particular purpose (including that the use of the solution and
service will fulfill or meet any statutory role or responsibility of the
beneficiary).
Additionally, to the maximum extent
permitted by law, the Beneficiary acknowledges that the provider does not
provide concerning the Solution, the documentation or the service, any
guarantee regarding the absence of errors or malfunctions, or work without
interruption.
Notwithstanding, the Provider guarantees
that the access to the solution and the performance of the Service shall not
substantially differ from the material features detailed in the particular conditions
of services.
In no event shall the Provider be liable
to Beneficiary for more than the higher of the two amount below
: the annual amount of the Technical and Commercial Offer or 1,000
€, regardless of the cause and whether
arising in contract, tort (including negligence) or otherwise.
Neither party shall be liable to the other
Party for exemplary, punitive, special, incidental, indirect or consequential
damages including without limitation, interruption of business, lost profits,
lost or corrupted data or content, consequences of the use of the data by the
beneficiary, lost revenue arising out of this agreement (including without
limitation the solution and service, the use of the solution and service or the
inability to use the solution and service), even if the party has been advised
of the possibility of such damages.
In any case, each party must take
reasonable steps to mitigate any loss or damage, cost or expense it may suffer
or incur arising out of anything done or not done by the other party under or
in connection with the agreement.
The Parties agree that the limitations of indemnisation set forth in this clause represent reasonable
allocations of risk, and recognize that the price of
the solution and service was calculated in consideration of these latter.
Unless otherwise stipulated under the
Particular Conditions of Services or commercial and technical offer, the
Provider is subject to a general obligation of best efforts.
The limitations set forth in clause 11.1 (ie “general
provisions”) do not apply to any infringement or misappropriation by the
beneficiary, wilful misconduct or “dol” (a form of
fraud by deceit under french civil law)
The Provider is allowed to subcontract any
one or all of its obligations under this Agreement to
any subcontractor of its choosing.
The Provider will keep an up-to-date list
of all appointed subcontractors, which may be consulted by the Beneficiary at
any one time upon request.
The Beneficiary formally undertakes not to
interfere with the licensing and/or exploitation of the Solution and Service by
the Provider, and not to make any declarations, by any means whatsoever, which
could in any way be detrimental to such exploitation.
Without prejudice to the terms of the
Agreement, the Beneficiary shall not develop or sell, directly or indirectly,
solution, products and service with identical features and functionalities to
those of the Solution and Service during the performance of this Agreement and
for a period of 5 (five) years from the termination of the Agreement.
The Provider may require audits of
compliance with the terms and conditions of the present Agreement on at least
an annual basis.
The Provider shall give the Beneficiary
thirty (30) Business Days’ notice prior to conducting any audit and shall take
reasonable steps to avoid causing (or, if it cannot avoid, to minimize) any
disruption to the operations during such audit. In the event of an emergency
related to a major contractual breach, the prior notice requirement shall be
reduced to five (5) Business Days.
Such audits shall be performed by the
Provider or by any independent auditor during working hours of the Beneficiary.
The Beneficiary shall make available to
the Provider, or any independent auditor appointed by the Provider, all
information necessary to demonstrate compliance with the present Agreement as
well as the provision of the Particular Conditions of Services, and agrees to
cooperate during the audits. The Beneficiary and its sub-processor shall make
available personnel and systems when required to facilitate the audit
activities. The costs of the audit shall be borne by the Provider except if the
audit demonstrates that Beneficiary is not complying with its obligation
according to this Agreement.
If an audit reveals that the Beneficiary
has underpaid Remuneration to the Provider, the Beneficiary will be invoiced
for such underpaid Remuneration. If the underpaid Remuneration are in excess of
five percent (5%) of the amount due then Beneficiary
will pay the Provider's reasonable costs of conducting the audit. If
discrepancies in
Beneficiary’s favor of more than fifteen percent (15%) for the
audited period are found, the Provider may, at its option, terminate this
Agreement.
Following the Initial Period, the
Agreement automatic renewal may be explicitly denounced without penalties by
express written notification of either Party at least one (1) month in advance
of the end of the
Initial or Renewal Period.
Unless otherwise specified, if either
Party fails to comply with any of the terms and conditions of this Agreement,
the other Party may terminate this Agreement upon sixty (60) Business Days
after written notice to the breaching Party specifying any such breach, and
this without prejudice to any damages the Party could claim under this
Agreement, unless the breach specified therein has been remedied within such sixty
(60) - Business Day period.
The Parties expressly agree that this
Agreement shall be terminated by right and automatically should one of the
following circumstances occur:
I.
the
Beneficiary does not pay the Remuneration pursuant to and in accordance with
the provision of Clause 6
of this Agreement and, in any case, without prejudice to the right of the
Provider to the payment of compensation for damages;
II.
loss
by the Provider, for any reason or circumstance, of the right to use the
Solution or perform the Service;
III.
alteration
or abusive use of the Solution, Service or parts of the same, of the Provider’s
trademarks and/or Intellectual Property Rights by the Beneficiary;
IV.
actions
or conduct of the Beneficiary that prejudice in any way the image or commercial
relations of the Provider or discredit the Provider and/or the Solution and/or
the Service;
V.
the
Beneficiary and/or any third party appointed by the Beneficiary, infringe one
of the provisions in force relevant to the processing of Personal Data and the
terms and conditions set forth in Appendix A.
Any assignment or transfer of all or part
of the Agreement by a Party to a third party is only possible (a) with the
prior written agreement of the other Party, or resulting from a decision of the
mother company of the Provider to the extent that the Agreement is not reached intuitu personae, and (b) when it results from or is in
the context of:
-
The demerger of one of the Party's company;
-
The merger of one of the Party's company
with another company;
-
The takeover of one of the Party’s company
by another company;
-
A partial contribution of assets regarding the activity relating
to the Agreement by a Party to this third party;
-
The transfer of this Party’s business to this third party.
Should the other Party not be in agreement, the latter may terminate the Agreement
automatically, with no legal formalities required, with no payment of any
compensation to the other Party.
Upon termination, all outstanding Remuneration
and all other outstanding payment obligations will be immediately due and
payable. The Beneficiary will cease to benefit from the Solution and Service
and will cease any copying, use, or distribution of the Solution.
Termination of the Agreement will
immediately relieve the Provider of his obligations related to the Solution and
Service.
Reversibility and recovery of the Data
shall then be governed by Clause 16.
Those rights and obligations that by their
nature extend beyond the Duration of the Agreement will survive its termination
or expiration.
Without prejudice to the provision of 0 – Data protection and except otherwise
provided on the Particular Condition of Services, upon expiration or
termination of this Agreement, the Beneficiary shall cease all use of the
Solution and Service, and shall promptly return all copies of the documentation
related to the Solution and Service or else destroy those copies and provide assurances
(signed by an entitled and empowered representative of the Beneficiary) to the
Provider that it has done so. When the Beneficiary request to have access to a
copy of the Data recorded in the Solution over the duration of the Services,
The Parties may agree a data recovery Service pursuant to a Technical and
Commercial offer to be ordered in accordance with the Particular Conditions of
Services.
Security
requirements are integrated to the digital platform since the beginning of the
project following security by design. This approach gather specific control
related to cloud environment and ENGIE Group security guidelines such as ( encryption ; identity management and internet exposure …)
The Provider follow a pedagogical methodology based on security
awareness and explanation of all the necessary rules to implement before going
on production. The Provider also proceed to vulnerability scan proactively and
continuously.
Additional requirements are added to the security framework, such as
incident REX (Return of Experience), new security products and implemented
throughout the project.
In case of specific security measures for a platform, these are
implemented under the Particular Conditions of Services.
The Solution and Service that Provider
makes available to Beneficiary may be subject to export laws and regulations of
the European Union and/or other jurisdictions. Each Party shall comply with the
export laws and regulations of France, European Union and any other applicable
jurisdictions in providing and using the Solution and Service.
Without limiting the generality of the
foregoing the Solution and the Service will not be made available to any person
or entity, that (i) is located in a country that is
subject to a European Union restriction or embargo, including being identified
as prohibited or restricted parties on a European Union list; or (ii) is
engaged in activities directly or indirectly related to the proliferation of
weapons of mass destruction.
The Beneficiary will, at its own expense,
obtain and arrange for the maintenance in full force and effect of all
government approvals, consents, licenses, authorizations, declarations,
filings, and registrations as may be necessary for the performance of the terms
and conditions of this Agreement, including without limitation under all
applicable laws and regulations.
The Provider is committed to conducting
business ethically, transparently and in compliance with the applicable
anti-bribery and anti-corruption laws (such as Law n°2016-1691 of 9 December
2016) and has in place, maintains and enforces adequate written procedures that
are intended to prevent any offence, including, without limitation, the Group’s
Ethical Charter, Practical Ethical Guide, Referential and Guides of conduct. It
is a condition of this Agreement that each Party (i)
conducts its business ethically, transparently and in compliance with
applicable laws and Group policies; and (ii) has in place, maintains, complies
with and enforces the appropriate anti bribery policies, measures and policies.
Each Party will provide timely assistance
and co-operation as the other Party may reasonably require in relation to the
investigation and prosecution of any actual or alleged bribery.
Breach of this Clause by either Party
shall be deemed a breach of this Agreement that is incapable of remedy.
The Beneficiary warrants and represents
that it complies with the provisions of the applicable labour
laws and regulations, in particular regarding illicit
employment in general.
Where the case may be, the Beneficiary
undertakes to obtain from its sub-contractors legal
representatives, a certificate attesting its compliance with applicable tax and
labour law, to the extent that provision of the
certificate is mandatory.
The Provider also expects from its
Beneficiary that it comply with the Group Ethic
Charter provisions and notably that the latter:
VI.
respect
employee rights regardless of the country in which they operate.
VII.
refrain,
even if permitted under applicable local legislation, from resorting to any
forced or compulsory labor or to any child labor, either directly or indirectly
or through sub-contractors,
in the course of their production processes or when providing
services or when intervening on Group sites.
VIII.
provide
their employees with the best possible conditions of health and safety and to
observe all applicable health and safety rules.
The Provider shall be solely responsible
for the allocation of tasks, scheduling of tasks and acceptance of tasks
performed by its personnel, including any sub-contractors it may have
contracted with.
This Agreement, together with any
applicable Appendix(es), comprises the entire agreement between the Provider
and the Beneficiary and supersedes all prior or contemporaneous negotiations,
discussions or agreements, whether written or oral, between the Parties
regarding the subject matter contained herein. The General and Particular
Conditions of Services could be modified unilaterally by the
Provider for the duration of the Agreement after prior notice to the
Beneficiary thirty (30) days before this modification. Except in case of minor
modification, the Beneficiary will have thirty (30) days after the notification
to terminate the Agreement.
A translation of the General Terms and
Condition will only have an informative value.
In the
event of a conflict between the Agreement together with any applicable
Appendix(es) and Schedule(s) and any additional operational documentation
issued by either Party, the Agreement will take precedence.
In the
event of a conflict between the operative provisions of the Agreement and its
Appendix(es) and Schedule(s), the latter’s provisions will take precedence.
In the
event of a conflict between the documents of the Agreement, contradiction or
inconsistencies, the performance of the Solution and Service will be governed
by the set of documents hereunder stated in an order of precedence beginning
with the document with the lowest priority:
a)
the
Technical and Commercial Offer,
b)
the
Particular Conditions of Services
c)
The
General Conditions of Services.
Except as otherwise provided in this
Agreement, any notice required or permitted under the terms of this Agreement
or required by law must be in writing and must be (a) delivered in person, (b)
sent by registered or certified mail return receipt requested, (c) sent by
overnight courier, (d) by email whose receipt is acknowledged by an officer of
the receiving Party as designated in the Technical and Commercial Offer.
Notices shall be considered to have been
given at the time of actual delivery in person, five Business Days after
posting if by mail, one Business Day if by overnight courier service, or upon
receipt of machine confirmation of successful transmission by email as
described herein.
If any provision of this Agreement is held
by a court of competent jurisdiction to be invalid or unenforceable, then such
provision(s) will be construed, as nearly as possible, to reflect the
intentions of the invalid or unenforceable provision(s), with all other
provisions remaining in full force and effect.
No joint venture, partnership, employment,
or agency relationship exists between the Provider and the Beneficiary as a result of this Agreement or use of the Solution and
Service. The Parties are independent contractors and will so represent
themselves in all regards. Neither Party is the agent of the other, and neither may make commitments on the other’s behalf
unless expressly authorized to do so by the other Party in writing.
Failure by the Provider to enforce any of
its right or provision under this Agreement, whether by lapse of time or by any
statement or representation other than by an authorized representative in an
explicit written waiver, will not constitute a waiver of such right or
provision.
In the event of technical, commercial and/or statutory developments
rendering the fulfilment of the Agreement impossible or ruinous for either Party,
the Parties expressly agree to negotiate a bona fide revision of the Particular
Conditions of Services that will take the form of an amendment.
Each Party shall subscribe and maintain,
at its own cost, appropriate insurance policies with a reputably solvent
insurance company, for amounts commensurate with the exposure of the Solution
and Service to be provided under this Agreement.
Where the case may be, amount and type of
policies (notably potential requirement for policies covering cyber liability
and/or data breach related risks) will be mutually agreed upon by the Party in
the Particular
Conditions of Services.
Upon request, either Party agree to
deliver to the other Party a certificate(s) of insurance evidencing the
coverage specified in this Clause 19.7 (Insurance), including evidence of
renewal of insurance. Notwithstanding, the required insurance coverage and
limits of liability set forth therein shall not be construed as a limitation or
waiver of any potential liability of satisfaction of any indemnification/hold
harmless obligation of Provider.
Neither Party will be deemed in default of
this Agreement to the extent that performance of their obligations or attempts
to cure any breach are prevented, hindered, delayed or otherwise made
impracticable by reason of flood, riot, fire, industrial, judicial or
governmental action, major strikes, act of God, civil unrest, acts of terror,
computer attacks or malicious related acts (such as attacks on or through the
internet or telecommunications providers), electrical blackout, IT major
failure, breakdown of the global supply chain for any component that is key to
the Solution or to the provision of the Service, or any other causes beyond the
control of the Parties resulting from a force majeure event as defined by the
French Civil Code and the current case law of the French courts (“Force
Majeure”); provided and to the extent that the non-performing Party is without
fault in causing the event qualified as a force majeure and/or that this event
could not have been prevented by reasonable measures and cannot reasonably be
foreseen and circumvented through the use of alternate sources (such as
disaster recovery plan).
Any Party prevented from carrying out its
obligations hereunder (i) shall give formal notice in
a form of registered letter with acknowledgement of receipt to the other Party
of an event of Force Majeure upon it being foreseen by, or becoming known to,
the affected Party, and (ii) shall use all reasonable endeavors to mitigate the
effect of the Force Majeure event on the performance of its obligations.
Dates by which performance obligations are
scheduled to be met will be extended for a period of time
equal to the time lost due to any delay so caused or for the amount of time
necessary in order to ensure execution of the delayed contractual obligations.
In the case where the event giving rise to
the force majeure continues for more than thirty (30) consecutive days, the
Parties shall open discussions, in order to adopt
appropriate measures under the circumstances. If they could not agree after a
period of thirty (30) Business Days from the registered letter (or other form
of notifications specified on Article 19.2 of this General Conditions of
Services) notifying the force majeure provided for above, the non -affected
Party may decide to terminate the Agreement without indemnification to the
other Party by registered letter with acknowledgment of receipt.
In the event that a change in economic
circumstances makes performance of the whole Agreement significantly less
profitable for either Party, the Parties agree to negotiate in good faith with
the objective to either review the terms of the Agreement and restore the
general economic balance of the Agreement, or to terminate the Agreement in
accordance with its present terms and any other provision as may be agreed
between the Parties in an effort to assist in an agreeable termination.
The Parties freely and unequivocally
accept the risk of hardship and hereby explicitly exclude the provisions of
Article 1195 of the French Civil code from the scope of the present Agreement.
The Parties acknowledge and accept
expressly that electronic copies will have equivalent probative value to that
of an original paper and will benefit as such from an assumption of validity.
This is notably true of the simple letters, the fax, or the electronic messages
processed between the Parties for the performance of this Agreement. The
Parties acknowledge and accept that the data recorded by the automated
processing systems of Provider’s Solution and Service, in particular log files
or accounting reports, allow to base and provide legitimate grounds to
Provider’s claims, such as calls to invoicing or evidence of contractual
breaches by the Beneficiary.
The Parties will use their reasonable best
effort to reach an amicable agreement in relation to any dispute arising from
the interpretation or performance of the Agreement.
Where applicable, the Parties agrees to
the Group’s Amicable Dispute Resolution Policy between Affiliates.
This Agreement will be interpreted fairly
in accordance with its terms and the intention of the Parties’
at the time it was concluded, without any strict construction in favor of or
against either Party and in accordance with the laws of the France. Except as
provided in the Dispute Resolution clause, the Commercial Court of Paris
(Tribunal de Commerce de Paris), will have exclusive jurisdiction and venue
over any dispute or controversy arising from or relating to this Agreement or
its subject matter, except for intellectual property matters for which
exclusive power is attributed to the High Court of Paris (Tribunal de Grande
Instance de Paris).
In accordance with Personal
Data Protection Laws, the Beneficiary shall act as the Data Controller and the
Provider shall solely act on the Beneficiary’s behalf as the Data Processor for
the data processing.
The Provider guarantees the
Beneficiary that the Agreement describes the Personal Data processing including
the description of the Technical and Organizational Data Protection Measures,
for the purpose of performing the Services.
If necessary, the Beneficiary
may formulate, at the level of the Service Agreement or the quote concerned,
specific or additional instructions to the Provider whose technical or
financial impacts on the Service concerned must be approved between the Parties.
1 – Definitions
Terms beginning with a capital
letter in this article/clause shall have the meaning assigned to them in the
definitions below:
EEA means
the European Economic Area.
Beneficiary means
ENGIE and/or an Affiliated Entity having placed an order under this Agreement.
Binding Corporate
Rules or BCRs means
personal data protection policies which are adhered to by a Data Controller or a Data Processor established on the territory
of a member state of EEA for transfers or a set of transfers of Personal Data
to a Data Controller or a Data Processor in one or more third countries within
a group of undertakings, or group of enterprises engaged in a joint economic
activity.
Data Controller
means any entity that
determines the
purpose and methods of the data processing that has been implemented or is to
be implemented.
Data Processor
refers a natural or a legal person, public authority, agency or other body
which processes personal data on behalf of the Data Controller. The Provider
acts as Data Processor within this Agreement.
Data Processing means
any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated
means, such as collection, recording, organization, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
Personal Data means
any information relating to an identified or identifiable natural person
(hereinafter referred to as 'Data Subject”); an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that
natural person.
Personal Data Protection Law(s) refers to the Regulation (EU) 2016/679 of the European Parliament and of
the Council of 27th April 2016 on the protection of individuals with regard to the processing of personal data and on the
free movement of such data (hereinafter the “European Regulation” or
“Regulation 2016/679 ") as any national laws or regulations relating to the protection of
Personal Data.
Standard Contractual Clauses are models of personal data transfer agreements adopted by the European
Commission.
Sub-Processor(s) means
any subcontractor(s) of the Provider, who must have been expressly approved
beforehand by the Beneficiary.
Transfer of Personal Data refers
to any processing, disclosure, accessing, copying or moving of Personal Data
that are to be processed in a non-EU country.
2 – Provider
obligations as a Data Processor
The Provider undertakes to:
1)
Process Personal Data for the sole purpose of
providing Services to the Beneficiary object of the Agreement and only on
documented instructions from the Beneficiary, including with regard to
transfers of personal data to a third country or an international organisation, , unless required to do so by Union or Member
State law to which the Provider is subject; in such a case, the Provider shall
inform the Beneficiary of that legal requirement before processing, unless that
law prohibits such information on important grounds of public interest.
2)
Where applicable, not to collect particular categories
of Personal Data, as defined in Regulation 2016/679 without the prior written
consent of the Data Subject;
3)
not to disclose, transfer, rent, assign or exploit,
whether commercially or not, the Personal Data without the Beneficiary’s prior
written consent.
4)
Supply the Beneficiary with all the information it
requires to fulfil its obligations regarding the protection of Personal Data
(especially information on use, storage, elements necessary for the realization
of an DPIA ...). When the Services are subject to the obligation to prepare an
DPIA, to accompany the Data Controller in compliance with its obligations under
Article 35 of the European Regulation concerning the development of an DPIA, taking into account the nature of the Processing and the
information available to the Processor. This support may be subject to a
specific invoicing by the Subcontractor in the event that this requires means
not initially planned for by the Parties (a request of more than 2 working days
for the Provider);
5)
Immediately
notify the Beneficiary if the processing instruction constitutes a violation of
a Personal Data Protection Law(s);
6)
Cooperate particularly, If the Beneficiary is
inspected by a relevant supervisory authority, and ensure that its
Sub-Processors cooperate, fully and without delay with the Beneficiary and the
supervisory authority concerned, specifically by providing any information that
is requested and granting access to all equipment, software, data, files,
information systems (etc.) used to provide Services, especially processing of
Personal Data, where such information and access is necessary for the
supervisory authority concerned to carry out its inspection;
7)
Upon the expiry of this Agreement, to delete all
Personal Data in particular on the servers that host the Service,,
unless the applicable law or the Agreement requires that they be kept for a set
period. The confidentiality provisions contained in the Agreement shall apply
to the stored data;
8)
Keep a Register of the processing operations a record
of all categories of Data Processing performed on the Beneficiary’s behalf, as
per Article 30(2) of Regulation (EU) 2016/679. This record must be made
available to the Data Controller or the relevant Data Protection Authority,
upon simple request.
3– Security of
Personal Data:
The Provider undertakes to:
1)
Set up and maintain, throughout the entire term of
this Agreement, all the necessary Technical and Organisational
Measures, that are appropriate given the nature of the Personal Data processed
and the risks inherent in processing, with a view to:
(i)
ensuring the implementation of confidentiality and
security measures for Personal Data
(ii)
guaranteeing the ongoing confidentiality,
availability, resilience and integrity of the Personal Data processing systems
and Services;
(iii)
restoring, if provided for in the description of the
Services, the availability of and access to Personal Data within appropriate
time frames and at most within a period agreed in the Service Levels (SLA) in
the event of a technical incident or unavailability;
(iv)
regularly testing, analysing
and assessing the effectiveness of the technical and organisational
measures in place to ensure secure processing
(v)
protecting the Personal Data from any form of
destruction, loss, alteration, disclosure or unauthorised
access, especially where the Personal Data processing activities involve
sharing of data in a network, and any form of unlawful processing or
communication to unauthorised persons;
2)
Ensure proper management of physical and logical
access authorisations and networks in accordance with
the Beneficiary’s instructions;
3)
Ensure, if it is part of the Technical and
Organizational Measures provided for in this Agreement, the implementation and
maintenance of the necessary traceability elements in order
to control and verify the identity of any person who has accessed and
processed the Personal Data and carry out the necessary security access
controls.
4)
These measures, described in the technical and
organizational measures, must guarantee an appropriate level of security for
the Personal Data, bearing in mind the risks inherent in their Data processing
and the nature of the Personal Data being protected, and must comply with the
provisions of the Agreement.
The technical and organizational measures (“TOM”)
taken by the Provider are described in detail in the quote or Service Agreement
level.
Technical and organizational measures are subject to
technological advance and development. For the duration of this Agreement, the
technical and organizational measures taken shall be continuously adjusted to
the requirements of this assignment and shall be perfected further by the
Provider in accordance with the technological progress. The level of security
must not fall below the technical and organizational measures specified in the
Agreement.
The Provider is obligated to document in writing,
including in electronic form, changes to the technical and organizational
measures that have a substantial impact on the guaranteed level of security as
added to the Agreement and to inform the Beneficiary accordingly.
4
–Subcontracting chain
The Data Processor undertakes to:
1)
In the event that it needs a Sub-processor, to inform the Data
Controller in advance and in writing of any addition or replacement. This
information must clearly indicate the Processing activities that are being
subcontracted, the identity and contact details of the Sub-Processor and the
dates of the subcontract. The Data Controller has a period of thirty (30) days
from the date of receipt of this information to submit its objections if the
new Sub-Processor does not comply with the security and confidentiality
measures initially agreed between the Controller and the Provider;
2)
in the event that sub-processing is to take place, sign a contract with
each of its Sub-Processors to place them under the same data protection
obligations as are set out in this Agreement. The Provider shall bear sole
responsibility, toward the Beneficiary, for the fulfilment of its own
obligations and those of its Sub-Processors;
3)
Provide the Beneficiary without delay and with all the
information requested about the Sub-Processor(s) having access to Personal Data
(e.g. name, country of establishment and country where the sub-processing is
being performed – and more specifically, the Personal Data processing site(s),….). A list of Sub-Processors is attached at the level of
the Annex "Description of The Data processing" provided for at the
level of the relevant quote or the Service Agreement:
4)
Ensure that all employees, agents, Sub-Processors or
persons acting on its behalf who have access to the Personal Data are duly authorised, have a legal or contractual obligation of
confidentiality, adhere to the Provider’s obligations as per the Agreement, and
are aware of and receive training on the rules on the protection of Personal
Data and process these data in accordance with the Agreement;
5)
Ensure that authorised
persons have access to the Personal Data within the limits of the execution of
their services and undertakes to respect the confidentiality related to the
Agreement.
5 – Rights of
Data Subjects
The
Provider undertakes to (without replying directly to Data Subjects):
1)
assist the Beneficiary by appropriate technical and
organizational measures for the fulfilment of the Beneficiary's obligation to
respond to requests for exercising the data subject's rights laid down in
Chapter III of the GDPR and will observe respective instructions by the Beneficiary;
2)
share with the Beneficiary, within a reasonable
timeframe not exceeding 72 (seventy two)) hours all requests, complaints,
applications, and/or notifications from Data Subjects or their representative
wishing to exercise their rights under the applicable Personal Data Protection
Laws (e.g. right of access, right of rectification, right to object, right to
restriction of processing, right to be forgotten, right to digital succession,
right to data portability);
3)
from the information referred to above, cooperate
reasonably with the Beneficiary and provide it, within a reasonable timeframe
not exceeding 8 (eight) days, with the necessary information to enable the
Beneficiary to reply, including in relation to any relevant or necessary
information from its Sub-Processors;
4)
in all cases, implement and have implemented by
Sub-Processors within an appropriate period not exceeding 8 (eight) days, any
request of the Beneficiary concerning the rights of the Data Subjects..
The deadline may be extended due to technical constraints encountered by one of
the Sub-Processors. . The Beneficiary will be informed
of this extension and a new deadline must be indicated to him without being
able to exceed a period of 15 (fifteen) days in order to
meet his own legal obligations.
The obligations of this article will be performed by
the Provider on the basis of the Written Instructions
of the Beneficiary. Their achievements will be the subject of a quote in all
cases where the Provider does not collect itself, in the performance of its
Services, personal Data, or in the event that the
Beneficiary has the technical capacity to access personal data.
6– Transfer of Personal Data outside the European
Union:
In the event that a transfer of Personal Data to a
country that does not provide an adequate level of protection as defined by the
Personal Data Protection Laws, the Provider undertakes to inform the Data
Controller in advance and in writing of any new Transfer to an unsuitable
country, which has not been previously listed in the Description of the
processing of Personal Data of this Agreement. The Beneficiary acknowledges
having expressly given his consent, at the signing of this Agreement, for the
transfers of Personal Data listed in the description of the Data Processing of
Personal Data of this Agreement.
The Data Controller has a period of thirty (30) days
from the date of receipt of this information to submit its objections if this
transfer does not meet the security and confidentiality measures initially
agreed between the Data Controller and the Provider or does not have the
necessary guarantees as listed below.
For all Personal Data transfers to a third party (affiliate of the
Provider or Sub-Processor(s)) located in a third country that does not benefit
from an adequacy decision from the European Commission, the Provider shall put
in place the necessary safeguards according to the applicable Personal Data
Protection Laws. In particular, the Provider undertakes to:
• When
established in a third country, sign with the Beneficiary the standard
contractual clauses of the European Commission of 4 June 2021. These clauses
will be attached to the Service Agreement or the quote
concerned
• When
established within the EEA, to sign with any internal or external
Sub-Processor(s) located in a third country or carrying out a Processing of
Personal Data in a third country, the 3rd module made available in the Standard
Contractual Clauses of the European Commission of 4 June 2021, to comply with
all the obligations resulting from it and to provide a copy of the
aforementioned clauses to Beneficiary,
on request. ; ;
In the event that the Provider or any of its Sub-Processor(s) cannot
reasonably comply with these provisions, the Provider shall notify the
Beneficiary without undue delay.
The Beneficiary reserves the right to suspend the
transfer of Personal Data to the Provider until such time as the Provider is able to remedy such inability.
In the event that compliance is not restored within a
reasonable period of time, not exceeding two (2) months (or another period
stipulated in the description of the Treatment) from the date of suspension,
the Beneficiary reserves the right to terminate the Agreement..
7–
Personal Data breach
In the event of a personal data breach, the Provider
must notify the Beneficiary within a maximum of 72 (seventy-two) hours after
becoming aware of it.
The Provider also undertakes to provide the
Beneficiary, no later than 72 (seventy-two) hours of the notification referred
to above, an impact assessment including:
(i) a description of the
Personal Data breach and its nature, including, if possible, the categories and
approximate number of Data Subjects affected by the breach and the categories
and approximate number of Personal Data records affected;
(ii) the name and contact details of the Data
Protection Officer or another person who may be contacted for additional information;
(iii) a description of the likely consequences of the
Personal Data breach;
(iv) a description of the measures that the Provider
has taken or plans to take to remedy the Personal Data breach, including, where
appropriate, measures to mitigate any negative consequences.
The Provider undertakes to cooperate in order to allow the Beneficiary to notify the personal
data breach to any competent supervisory authority in accordance with the
Personal Data Protection Laws
8–
Inspections and audits:
The Beneficiary
reserves the right to carry out, at its sole discretion, subject to a notice
period of eight working days and under the conditions defined in the Agreement,
any audit that would seem useful to it to establish compliance by the Provider
and its Sub-Processors with their obligations concerning Personal Data as
defined in this Agreement.
The Provider
makes available to the Beneficiary all information necessary to demonstrate
compliance with the obligations laid down in Article 28 GDPR and in this Agreement
upon request, including any contracts with other processors and contributes to
audits - including inspections - to be carried out by the Beneficiary or
another auditor mandated by the Beneficiary.
9 –
Restitution of Data
Upon the expiry of this Agreement, or if
it is terminated early for any reason whatsoever, or at any time if so
requested by the Beneficiary, the Provider and its approved Sub-Processors
shall return to the Beneficiary, Beneficiary within an appropriate period and
not exceeding 1 (one) month, all of the Personal Data that they may have
processed in any form, under this Agreement.
Personal Data shall be returned to the
Beneficiary in the same format in which the Beneficiary supplied the Personal
Data to the Provider or, failing that, in a format indicated by the
Beneficiary, Beneficiary, where technically possible .
This restitution will be the subject of a report signed between the Parties and
an agreement relating to the associated financial conditions.
Once the return
has been made, the Provider will destroy the copies of the Personal Data held
in its systems and must provide proof to the Beneficiary at the same time as
the signature of the return report.
10 – Lead
supervisory authority
The CNIL, as the Beneficiary's lead
supervisory authority, is competent as regards to cross-border processing of
Personal Data carried out by the Beneficiary, the Provider and its
Sub-Processors.