The Parties

OneUp a limited liability company incorporated under the laws of France with company number 399838101, having its registered office at 124 RUE REAUMUR 75002 PARIS 2,

is hereinafter referred to as "the Processor".

And

All users making use of the OneUp Platform, is hereinafter referred to as "Client" or "Controller", which parties are individually also referred to as “Party” and collectively as “Parties”.

By making use of the OneUp Platform and Services, Parties have agreed on the following contractual clauses in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject(s),

 

Definitions

The following definitions shall apply in this Agreement:

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

"DPA" means this Data Processing Agreement;

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

"Personal Data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Third Party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

"Subprocessor" means any entity appointed by or on behalf of the Processor for the processing of personal data on behalf of the Controller under this Data Processing Agreement;

"EEA" the European Economic Area including, for the purposes of this Agreement;

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

"GDPR" means The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR) is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU an EEA.

 

Considering the following:

  • The Parties have entered into an Agreement (the "Agreement"), the main purpose of which is to provide the Client with the agreed services.
  • Under that Agreement, the Processor is entrusted with the processing and collection of certain personal data in accordance with the Controller's instructions.
  • The Controller has defined both the purpose and the methods of processing and collecting personal data and has set specific conditions for these activities.
  • Considering the provisions of Article 28(3) of the GDPR, the parties intend to formalise their respective rights and obligations by entering into this DPA . This DPA forms an integral part of the overarching Agreement.

The Parties have agreed as follows:

Article 1 - Processing Objectives

Within the framework of this DPA:

  • The Processor undertakes to process Personal Data on behalf of the Controller.
  • The specific personal data processed by the Processor on behalf of the Controller is set out in Schedule 1, which also sets out the relevant data subjects, the purpose of the processing, duration of processing and the relevant contact details.
  • The processing of Personal Data by the Processor shall be carried out only on the basis of written instructions from the Controller, unless otherwise required by law.
  • Any changes to the processing of Personal Data or to the types of Personal Data processed will only be implemented following prior written instructions from the Controller. Such instructions must be officially confirmed in writing by the Controller.
  • The Personal Data processed under the Controller's instructions shall remain the property of the Data Subjects.
  • The Processor assures that the handling of Personal Data will consistently align with the General Data Protection Regulation (“GDPR”).
  • The Processor will endeavour to assist the Controller in meeting its legal obligations related to data protection impact assessments.
  • The Controller guarantees compliance with the GDPR and other applicable data protection laws and regulations, ensuring that the nature, use and processing of Personal Data are lawful and do not infringe the rights of third parties.
  • Administrative fines imposed on the Controller by a relevant data protection authority are not recoverable from the Data Processor, unless such fines result from a breach of the Data Processor's obligations under this DPA that causes the Controller to be unable to fulfil its obligations under the GDPR.

Article 2 - Duration and Termination

2.1 This Data Processing Agreement shall remain in force for the duration of the Services Agreement. In the event of termination of the Agreement, this Data Processing Agreement shall terminate automatically without any further legal action being required.

2.2 Upon termination of the Data Processing Agreement, the Processor shall delete all Personal Data currently in its possession and acquired from the Controller within 60 days. This deletion process is subject to any legal restrictions that may prevent the complete or partial deletion of Personal Data, which may be imposed by law.

Article 3 - Provision of data to third parties

3.1. The Processor may disclose Personal Data to third parties in the following cases: (i) upon written request of the Controller; (ii) when required by law or court order; (iii) to protect and defend the rights of the Processor or the parties involved in the execution of the Services Agreement; and (iv) with the express consent of the Data Subject.

3.2. Data Processor processes the Personal Data exclusively within the EEA, unless Controller agreed to transfer to countries outside the EEA and one of the measures has been taken to ensure an adequate level of protection for these Personal Data.

3.3 The Processor reserves the right to share with third parties, for any purpose whatsoever, aggregated information (excluding personal data) obtained during the provision of services to the Client.

Article 4 - Sub-Processors

4.1 The Controller hereby authorises the Processor to appoint Sub-processors.

4.2 In respect of any sub-processor designated by the Processor, the Processor shall: (i) carry out thorough due diligence before allowing the sub-processor to process personal data to ensure that it can maintain the level of protection of personal data required by the terms and conditions set out in this Data Processing Agreement, (ii) enter into a written agreement with the Sub-processor that contains terms that are substantially similar to, and no less stringent than, those set out in this Agreement, and that meets the requirements set out in Article 28(3) of the GDPR.

4.2 The Processor is entitled to substitute a sub-processor, provided that the intended sub-processor agrees to adhere to the same level of protection of personal data, including substantially similar technical and organisational measures as the Processor. The Processor shall inform the Controller timely of its intention to add or substitute a sub-processor via email or the website. The Controller shall be entitled to raise reasonable and detailed objections against such intended subprocessor. Parties shall try to resolve such objections together in good faith.

Article 5 - Data breach

5.1 In the event of a data breach, the Processor shall promptly notify the Data Protection Officer of the Controller and shall ensure that the notification is made without delay and no later than within 24 hours. The Processor undertakes to provide complete, correct, and accurate information in the notification, regardless of the severity of the breach.

5.2 If required by applicable laws and/or regulations, the Processor will support Controller in notifying relevant authorities and/or data subjects.

Article 6 - Security

6.1 The Processor is committed to diligently adopting and implementing technical and organizational measures, aligned with the prevailing state of technology. These measures are deemed necessary to safeguard the Personal Data entrusted to the Processor, preventing accidental or unlawful destruction, inadvertent loss, unintended modification, unauthorized disclosure, or any other form of unlawful processing.

6.2 The Data Processor shall have the right to modify the technical and organisational security measures it has implemented if, in its sole discretion, such modifications are deemed necessary to maintain an adequate level of security on an ongoing basis.

Article 7 - Audit

7.1 In order to ensure compliance with all obligations set forth in this Data Processing Agreement and related matters, the Controller shall have the authority to conduct audits or to engage an independent third party for this purpose, subject to confidentiality obligations. The audit date shall be mutually agreed by the parties.

7.2 The Processor shall actively cooperate with audits by providing timely access to all relevant personnel and information, including supporting data such as system logs.

7.3 Audit findings shall be jointly assessed by the Parties through mutual consultation and decisions on their implementation shall be jointly taken.

7.4 Reasonable costs associated with the audit shall be borne by the party incurring them. However, if a third party is engaged, the Controller will bear the costs associated with their services.

Article 8 - Data Protection Impact Assessments and Prior Consultation

8.1 The Processor is obliged to assist the Controller by providing reasonable assistance in carrying out data protection (or privacy) impact assessments and prior consultation with any supervisory authority or other competent authorities, as deemed necessary by the Controller in accordance with Articles 35 and 36 of the GDPR. The Processor's involvement in these processes shall be limited to the processing of personal data specifically related to this Data Processing Agreement.

Article 9 - Confidentiality

9.1 The Processor is obliged to keep all Personal Data received from the Controller and collected within the scope of the Agreement confidential from third parties.

9.2 However, this confidentiality obligation does not apply when data is disclosed to third parties in accordance with Article 3 of this Data Processing Agreement. In cases where the Processor is required by law or court order to disclose data to third parties, the Processor shall promptly inform the Controller, preferably before the data is disclosed.

Article 10 - Data Subjects Requests

10.1 If a Data Subject wishes to exercise his/her legal rights and submits a request to the Processor, the Processor shall forward the request to the Controller without undue delay. The Controller shall then process the request and the Processor may notify the Data Subject accordingly.

10.2 If a Data Subject submits a request directly to the Controller in order to exercise one of his or her legal rights, the Processor shall, at the request of the Controller, cooperate to the extent possible and reasonable.

10.3 The Processor shall be entitled to charge the Controller for reasonable costs incurred in connection with the processing of requests from Data Subjects.

Article 11 - Governing Law

11.1 The terms of this Data Processing Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with French Laws.

11.2 This Data Processing Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Data Processing Agreement or its subject matter or formation shall be governed by and construed in accordance with the laws of France. Each party irrevocably agrees that the courts of France shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Data Processing Agreement or its subject matter or formation.

Article 12 - Final provisions

12.1 If the Processor is unable to perform its obligations under this Data Processing Agreement due to force majeure, the Processor shall immediately notify the Controller of such circumstances.

12.2 The parties may not transfer the rights and/or obligations under this Data Processing Agreement to a third party without the prior written consent of the other party.

 12.3 The invalidity of any provision of this Data Processing Agreement shall not affect the validity of the other provisions.

12.4 Provisions of this Data Processing Agreement which by their nature are intended to be continued shall remain in force after termination.

12.5 In the event of a conflict between the provisions of this Data Processing Agreement and the Agreement concluded with the Client, the provisions of this Data Processing Agreement shall prevail, unless expressly agreed otherwise.

Was this article helpful?
0 out of 0 found this helpful

Need more help? Ask an expert!

Click here to submit a support request to a ONE UP expert.