In the event of contradiction, the French version always takes precedence over the version translated into another language.
This Agreement is an integral part of the General Terms and Conditions of Sale ("General Terms and Conditions") or any other agreement (the General Terms and Conditions of Sale, the Special Terms and Conditions or any other agreement are hereinafter referred to as "the Agreement") concluded between SMSFactor as defined in the respective agreement ("SMSFactor" or "Processor") and you ("Partner" or "Data Controller"). This Agreement supplements the terms of the Agreement between SMSFactor and the Partner. In the event of a conflict between the Agreement and this Addendum, this Addendum shall prevail, unless the parties explicitly agree in writing to specific waivers of this Addendum in the Agreement.
This Agreement defines the conditions under which the Processor carries out personal data processing operations on behalf of the Data Controller, in accordance with the regulations on the processing of personal data applicable in France (hereinafter the "Applicable Regulations"), mainly composed of Regulation 2016/679 of 27 April 2016 (General Data Protection Regulation or "GDPR") and Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms.
2.1. Definitions
Where terms defined in the Applicable Regulations are included in this Agreement (e.g. supervisory authority, personal data, data subject or violation) they shall be construed as in the Applicable Regulations.
2.2. Contact details of DPOs
The Processor has appointed a DPO, who can be contacted at the following contact details: dpo@smsfactor.com
Communications provided for in this Agreement must be addressed as a priority to the DPOs and the primary point of contact.
3.1. Description of the processing(s)
This Agreement applies to the following processing operations:
Nature of Processing | The nature of the operations carried out on the data is: collection of connection information, automated analysis of messages, transfer of data (message, telephone number) to operators, historization with a duration configurable by the customer. |
Purpose(s) of the Processing | The personal data processing services provided by the Processor are operated to ensure security, anti-fraud analysis, sending the SMS to the end user's operator, analysis of delivery rates. |
Object of Processing | The Processor is authorised to process on behalf of the Controller the personal data necessary to provide the following service(s): sending text messages. |
Category(ies) of personal data | The personal data processed will be: the telephone number and any other personal data contained in the SMS messages sent at the request of the Data Controller. Reminder: if the Data Controller integrates other data, and more specifically sensitive data, into the SMS message, it must take appropriate measures and give adequate instructions to the Data Processor. |
Category(ies) of data subjects / persons whose personal data is processed | The persons concerned by the processing are: the contacts transmitted by the Data Controller in order to send the requested message. |
Retention period | The Data Controller directly determines the retention period for each purpose within the management tool on the Processor's platform. |
3.2. Responsibilities
The Processor processes data on behalf of the Controller, in accordance with this Agreement, its annexes, or any other instructions given by the Controller.
The Data Controller undertakes to:
a. Process personal data in accordance with the requirements of data protection legislation. The Partner is solely responsible for the accuracy, quality and legality of the personal data and the means by which it has acquired it. In particular, the Data Controller undertakes to ensure compliance with its obligations, such as the information provided to the data subjects relating to the processing of their data and, where applicable, the collection of their consent;
b. Provide the Processor with the personal data subject to the processing (in particular by uploading the data within the Processor's platform or by API transfer);
c. Document any instructions regarding the processing of personal data by the Processor.
5.1. Detailed instructions
The Processor only processes personal data on the documented instructions of the Controller. The Processor informs the Controller of this legal obligation prior to processing, unless prohibited by law for important reasons of public interest. Instructions may also be given subsequently by the Data Controller throughout the duration of the processing of personal data. These instructions should always be documented.
Where the Processor reasonably believes that an instruction from the Controller is contrary to: (a) applicable laws and regulations or (b) the provisions of the Agreement, the Processor shall endeavour to inform the Partner, and is entitled to defer the relevant instruction until it has been amended by the Controller to enable the Processor to ensure the legality of such instruction, or until the Controller and the Processor have mutually agreed on the legality of this instruction.
5.2. Documentation and audit
The Processor shall make available to the Controller, within 15 days after request, all the information necessary to demonstrate compliance with the obligations set out in this Agreement.
The Controller may conduct an audit to verify that the Processor complies with its obligations set out in Article 28 of the GDPR and in this Agreement. The Processor authorizes the Controller to carry out the audit under the following conditions:
a. The Controller shall request the Processor to carry out the audit by means of written notice at least 30 (thirty) days in advance;
b. The Controller shall specify the modalities of the audit in the notification referred to in point (a);
c. The audit will take place at most once a year;
d. All costs and expenses associated with the audit shall be borne by the Controller and reimbursed to the Processor upon request;
e. The audit may not last more than the equivalent of one working day (8 hours) of the Subcontractor's representative.
In the event that the Controller requests the audit through an independent third party (approved external auditor), the Processor may object to an approved external auditor appointed by the Partner to carry out the audit if the auditor is not, in the reasonable opinion of the Processor, sufficiently qualified or independent, if it is a competitor of the Processor, or if it is manifestly unsuitable for other reasons. Such an objection will require the Controller to appoint another auditor. If the Controller requires more than one audit in a calendar year, it shall obtain the prior written consent of the Processor, bear the costs related to such audits and reimburse the Processor for all costs reasonably incurred for such audits.
The Processor implements appropriate technical and organisational measures to guarantee a level of security of the processing subject to this Agreement adapted to the risk.
When assessing the appropriate level of security, Parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to data subjects.
The security measures are detailed in Annex I to this Agreement.
The Processor shall ensure that its Employees in charge of the processing of personal data are informed of their obligations and responsibilities under the Personal Data Protection Regulations, that they have received appropriate training and that they are informed of the confidential nature of the personal data. "Collaborators" means employees, agents, consultants, subcontractors or other third parties:
a. Who are engaged by the Processor in order for it to perform its obligations to the Controller under this Agreement; and
b. Who are subject to confidentiality obligations to substantially the same extent as provided for in this Agreement.
The Data Processor shall ensure that the Employees' access to personal data is limited to those who perform the services contracted by the Data Controller.
The Processor may only allow a third party (Sub-Processor) to process personal data with the prior consent of the Controller and provided that the provisions relating to processing and data protection in the Sub-Processor's contract regarding the personal data are drafted in terms that are substantially the same as those set out in this Agreement. For the purposes hereof, the following entities are approved by the Controller by signing this Agreement: (i) the Sub-Processors listed in Appendix II hereto and (ii) the affiliates of the Processor.
The Processor may, during the term of the Agreement, involve new Processors in the Processing, provided that such Processors only access and use the Personal Data for the purposes necessary for the performance of the obligations subcontracted to them.
The Controller may object to the Processor's use of a Sub-Processor by notifying SMSFactor in writing within 60 (sixty) business days of receipt of the notification and specifying the deficiencies. If the Partner objects to a new subprocessor, the Subprocessor will endeavour to add additional safeguards covering the specified deficiencies or to change the subprocessor; if the Subprocessor is unable to do so within a reasonable period of time, which shall not exceed thirty (30) days, the Partner may terminate only the part of the services that cannot be provided by the Subprocessor without the use of the new sub-processor in opposition, by giving written notice to the Subcontractor. The Subprocessor shall reimburse the Partner for all prepaid fees covering the remainder of the contract term after the effective date of termination with respect to the terminated portion of the Services, which shall be the Partner's sole and exclusive remedy with respect to the introduction of the new Subcontractor.
Any transfer of data to a third country or an international organization by the Processor is only carried out on the basis of documented instructions from the Controller or in order to comply with a specific requirement of Union law or the law of the Member State to which the Processor is subject and is carried out in accordance with the Applicable Regulations.
The Controller agrees that where the Processor engages a sub-processor to carry out specific processing activities (on behalf of the Controller) and such processing activities involve a transfer of personal data, the Processor and the sub-processor may ensure compliance with the Applicable Regulations in particular by using the standard contractual clauses adopted by the Commission, provided that the conditions for the use of these standard contractual clauses are met.
10.1. Rights of data subjects
a. Notification of requests: The Processor undertakes to notify the Controller in writing, within a reasonable and commercially acceptable period of time, of any request received directly from a person concerning:
10.2. Data breaches
In the event of a personal data breach, the Data Controller:
a. Notifies the personal data breach to the CNIL without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless the personal data breach is not likely to result in a risk to the rights and freedoms of natural persons;
b. Communicates the personal data breach to the data subject without undue delay, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
The Processor notifies the Data Controller, without undue delay after becoming aware of it, of such violation. The notification of the Processor to the Controller shall take place, if possible, within 24 hours after the Processor became aware of the personal data breach in order to enable the Controller to comply with the Controller's obligation to notify the personal data breach to the CNIL, cf. Article 33 of the GDPR.
In accordance with clause 9(2)(a), the Processor must assist the Controller in notifying the personal data breach to the CNIL, which means that the Processor is obliged to assist in obtaining the information listed below which, in accordance with Article 33(3) of the GDPR, must be mentioned in the Controller's notification to the CNIL:
10.3. Assistance
The Processor shall assist the Controller in fulfilling its obligations to:
a. Carry out an assessment of the impact of the proposed processing operations on the protection of personal data ("data protection impact assessment") where a type of processing is likely to present a high risk to the rights and freedoms of natural persons, in accordance with Article 35 of the GDPR.
b. Consult the competent supervisory authority(ies) prior to processing where a data protection impact assessment indicates that the processing would pose a high risk if the Controller did not take measures to mitigate the risk, in accordance with Article 36 of the GDPR.
c. Submit to the various compliance control operations carried out by the competent supervisory authority(ies).
Following the termination of the contract, the Processor shall, at the request of the Controller, delete all personal data processed on behalf of the Controller, or return all personal data to the Controller and destroy existing copies, unless Union or national law requires them to be retained for a longer period of time.
Description of the technical and organisational measures implemented by the Processor (including any relevant certification) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.
SMSFactor implements security measures equivalent to those required under the Agreement and any ancillary documents entered into pursuant to the Agreement. The security measures implemented are available on request at the following address: dpo@smsfactor.com
The list of SMSFactor's authorized subcontractors is available on request at the following address: dpo@smsfactor.com