Privacy policy

Last updated: January 2021

 

 

Article 1 - Prior formalities

Each party is responsible for carrying out the formalities it is required to carry out under personal data protection laws and regulations, in particular the French Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (“French Data Protection Act”) and the European General Data Protection Regulation (GDPR) of 27 April 2017.

 

Article 2 - Warranty

Each party warrants to the other its compliance with its obligations under personal data protection laws and regulations, in particular in relation to transborder flows outside the European Union.

 

Article 3 - Rights of data subjects

Pursuant to the French Data Protection Act No. 78-17 of 6 January 1978, the natural persons whose names are used by each of the parties have a right to be informed about, access, modify and rectify their data with each party concerned by sending a request to the address of their respective registered offices, if no other specific address appears in the documents used to collect personal data.

 

Article 4 - Use

1. Each party grants the other party the possibility to use the personal data exchanged for professional purposes and for purposes of direct marketing by electronic means, both for itself and for its contractual partners.

2. The parties are required to comply with the laws and regulations in force applicable to the processing of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“General Data Protection Regulation” or “GDPR”) and French Law No 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, as amended (hereinafter the “applicable data protection law”).

3. In accordance with the applicable data protection laws, the International Institute of Refrigeration is acting as the “controller” and the Provider, who processes data on behalf of and on instructions from the customer, is acting as the “processor”.

4. The Annex “Privacy Policy” (Annex 1) to this agreement sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data processed and the categories of data subjects concerned by the processing carried out by the Provider on behalf of the customer.

5. The Provider may only act on written instructions from the customer and, unless otherwise instructed by the customer, shall take all necessary measures for compliance by itself and by its personnel with these obligations, including:

  • not processing or consulting the data or files or contents for purposes other than the performance of the services for the customer hereunder;
  • not inserting external data into the files;
  • not consulting or processing data other than the data related to the services, even though accessing such data is technically possible;
  • not disclosing, in any form whatsoever, all or part of the data concerned;
  • not copying or storing, in any form and for any purpose, all or part of the information or data contained in the media or documents delivered to or obtained by the Provider in the course of the performance of this agreement;
  • immediately informing the customer if, in its opinion, an instruction infringes the personal data protection laws.

6. The parties agree that an instruction shall be deemed to be given where the Provider acts within the framework of this agreement.

7. The Provider shall take all appropriate steps to ensure that natural persons acting under its authority and who have access to personal data do not process them except on instructions from the customer, unless they are required to do so by a mandatory rule resulting from Union law or Member State law applicable to the processing referred to herein. The Provider shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8. With regard to the nature of the data and the risks posed by the processing, and taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks for rights and freedoms of natural persons, the Provider shall implement appropriate technical and organisational measures to protect the security of the data and files and in particular prevent their distortion, alteration, damage, accidental or unlawful destruction, loss, disclosure and/or access by third parties not previously authorised. These measures are set out in Annex “Privacy Policy” (Annex 1) hereto.

9. The Provider shall maintain the data security and confidentiality measures throughout the performance of the agreement. In any event, in case of a change in these measures, it shall replace them with measures of equivalent performance and inform the customer immediately.

10. The Provider shall notify the customer without undue delay and not later than 48 hours after becoming aware of a personal data breach, namely a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

11. This notification must describe, where possible, the nature and consequences of the personal data breach, and the measures already taken or proposed to be taken to address the personal data breach. The Provider shall actively collaborate with the customer to ensure that they are able to meet their regulatory and contractual obligations. As the controller, the customer is solely responsible for notifying the data breach to the competent supervisory authority and, where applicable, to the data subjects.

12. The Provider shall not engage another processor (“sub-processor”), within the meaning of the personal data protection laws, for all or part of the services, especially to a country which is not a Member of the European Union, without prior express written authorisation of the customer. The customer hereby authorises the sub-processors identified in Annex “Privacy Policy” (Annex 1) to process personal data. The Provider shall notify the customer in writing of any intended changes to the list of authorised sub-processors. The customer shall notify the Provider in writing of any objections to such changes without undue delay and in any event within a maximum of 5 working days.

13. The Provider shall ensure that the same data protection obligations as set out in this agreement shall be imposed on those sub-processors by way of a contract. Where its sub-processors fail to fulfil their data protection obligations, the Provider shall remain fully liable to the client for the performance of such sub-processors’ obligations.

14. At no additional cost to the customer, the Provider shall assist the customer in:

  • managing requests related to the exercise of data subjects’ rights;
  • carrying out any impact assessment that the customer would decide to carry out, in order to assess the risks of the processing to the rights and freedoms of natural persons and to identify the measures to be implemented to deal with these risks, and consulting with the supervisory authority;
  • more generally, complying with the obligations imposed on the customer by the personal data protection laws, such as notably its obligation to notify the supervisory authority and to communicate a personal data breach to data subjects.

15. At the end of the Agreement, unless otherwise required by a mandatory rule resulting from European Union or EU Member State law applicable to the processing operations hereunder, the Provider shall destroy all manual or computerised files that store the information collected, after first checking with the customer that the customer is in possession of such information.

16. Where applicable, at the request of the customer, the Provider undertakes to return all personal data to the customer or to any processor designated by the customer.

17. In case of transfer to a country that is outside the European Union or that is not recognised as ensuring an adequate level of protection, the parties will rely on the standard contractual clauses for the transfer of personal data to processors established in third countries dated 5 February 2010 (2010/87/EU) such as they may be amended from time to time.

 

Article 5 - Security

The International Institute of Refrigeration acknowledges that all personal data are subject to compliance with the French Data Protection Act.

The International Institute of Refrigeration shall take the necessary measures required by the customer to ensure the security of the processing of personal data in compliance with article 35 of the French Data Protection Act No. 78-17 of 6 January 1978 and the General Data Protection Regulation (GDPR) of 27 April 2017.

 

 

Article 6 - Licence

The customer grants the International Institute of Refrigeration a non-exclusive, royalty-free licence to use the personal data exchanged for professional purposes and for purposes of direct marketing by electronic means, both for itself and for its contractual partners.

 

Article 7 - Cookies

 

Customers acknowledge and agree that the International Institute of Refrigeration may use cookies or any other similar technique to keep track of and collect data about navigation on the website.

Cookies record some information that is stored in the memory of the customer’s device.

Customers can delete cookies at any time by using their browser. This deletion may result in the loss or securing of certain features.