Last updated: January 2021
Article 1 - Prior formalities
Each party is responsible for carrying out the formalities it is required to carry out under personal data protection laws and regulations, in particular the French Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (“French Data Protection Act”) and the European General Data Protection Regulation (GDPR) of 27 April 2017.
Article 2 - Warranty
Each party warrants to the other its compliance with its obligations under personal data protection laws and regulations, in particular in relation to transborder flows outside the European Union.
Article 3 - Rights of data subjects
Pursuant to the French Data Protection Act No. 78-17 of 6 January 1978, the natural persons whose names are used by each of the parties have a right to be informed about, access, modify and rectify their data with each party concerned by sending a request to the address of their respective registered offices, if no other specific address appears in the documents used to collect personal data.
Article 4 - Use
1. Each party grants the other party the possibility to use the personal data exchanged for professional purposes and for purposes of direct marketing by electronic means, both for itself and for its contractual partners.
2. The parties are required to comply with the laws and regulations in force applicable to the processing of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“General Data Protection Regulation” or “GDPR”) and French Law No 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, as amended (hereinafter the “applicable data protection law”).
3. In accordance with the applicable data protection laws, the International Institute of Refrigeration is acting as the “controller” and the Provider, who processes data on behalf of and on instructions from the customer, is acting as the “processor”.
5. The Provider may only act on written instructions from the customer and, unless otherwise instructed by the customer, shall take all necessary measures for compliance by itself and by its personnel with these obligations, including:
- not processing or consulting the data or files or contents for purposes other than the performance of the services for the customer hereunder;
- not inserting external data into the files;
- not consulting or processing data other than the data related to the services, even though accessing such data is technically possible;
- not disclosing, in any form whatsoever, all or part of the data concerned;
- not copying or storing, in any form and for any purpose, all or part of the information or data contained in the media or documents delivered to or obtained by the Provider in the course of the performance of this agreement;
- immediately informing the customer if, in its opinion, an instruction infringes the personal data protection laws.
6. The parties agree that an instruction shall be deemed to be given where the Provider acts within the framework of this agreement.
7. The Provider shall take all appropriate steps to ensure that natural persons acting under its authority and who have access to personal data do not process them except on instructions from the customer, unless they are required to do so by a mandatory rule resulting from Union law or Member State law applicable to the processing referred to herein. The Provider shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
9. The Provider shall maintain the data security and confidentiality measures throughout the performance of the agreement. In any event, in case of a change in these measures, it shall replace them with measures of equivalent performance and inform the customer immediately.
10. The Provider shall notify the customer without undue delay and not later than 48 hours after becoming aware of a personal data breach, namely a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
11. This notification must describe, where possible, the nature and consequences of the personal data breach, and the measures already taken or proposed to be taken to address the personal data breach. The Provider shall actively collaborate with the customer to ensure that they are able to meet their regulatory and contractual obligations. As the controller, the customer is solely responsible for notifying the data breach to the competent supervisory authority and, where applicable, to the data subjects.
13. The Provider shall ensure that the same data protection obligations as set out in this agreement shall be imposed on those sub-processors by way of a contract. Where its sub-processors fail to fulfil their data protection obligations, the Provider shall remain fully liable to the client for the performance of such sub-processors’ obligations.
14. At no additional cost to the customer, the Provider shall assist the customer in:
- managing requests related to the exercise of data subjects’ rights;
- carrying out any impact assessment that the customer would decide to carry out, in order to assess the risks of the processing to the rights and freedoms of natural persons and to identify the measures to be implemented to deal with these risks, and consulting with the supervisory authority;
- more generally, complying with the obligations imposed on the customer by the personal data protection laws, notably its obligation to notify the supervisory authority and to communicate a personal data breach to data subjects.
15. At the end of the Agreement, unless otherwise required by a mandatory rule resulting from European Union or EU Member State law applicable to the processing operations hereunder, the Provider shall destroy all manual or computerised files that store the information collected, after first checking with the customer that the customer is in possession of such information.
16. Where applicable, at the request of the customer, the Provider undertakes to return all personal data to the customer or to any processor designated by the customer.
17. In case of transfer to a country that is outside the European Union or that is not recognised as ensuring an adequate level of protection, the parties will rely on the standard contractual clauses for the transfer of personal data to processors established in third countries dated 5 February 2010 (2010/87/EU) such as they may be amended from time to time.
Article 5 - Security
The International Institute of Refrigeration acknowledges that all personal data are subject to compliance with the French Data Protection Act.
The International Institute of Refrigeration shall take the necessary measures required by the customer to ensure the security of the processing of personal data in compliance with article 35 of the French Data Protection Act No. 78-17 of 6 January 1978 and the General Data Protection Regulation (GDPR) of 27 April 2017.
Article 6 - Licence
The customer grants the International Institute of Refrigeration a non-exclusive, royalty-free licence to use the personal data exchanged for professional purposes and for purposes of direct marketing by electronic means, both for itself and for its contractual partners.
Article 7 - Cookies
Cookies record some information that is stored in the memory of the customer’s device.
Customers can delete cookies at any time by using their browser. This deletion may result in the loss or securing of certain features.