PERSONAL DATA PROCESSING AGREEMENT

See October 2018 version

 

Version 3: May 2019

Preamble

This Agreement applies to the processing of personal data by the Customer, acting as data controller (hereinafter the “Controller”) and the Service Provider, acting as data processor (hereinafter the “Processor”) in the context of the provision of a digital-analytics solution. This Agreement is an independent document aiming to define the obligations of each Party to ensure compliance with the current legislation on processing personal data and respecting personal privacy. It does not include the business provisions also agreed between the Parties in separate business agreements.

 

Article 1. Definitions

For the purposes of this agreement, the terms “personal data”, “processing”, “restriction of processing”, “filing system”, “controller”, “processor”, “recipient”, “third party”, “consent”, “personal data breach” and “supervisory authority” have the same meaning as in EU Regulation 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”).

“Data” means all the data defined below:

    • Raw Data: means the data collected, before being enriched and restructured by AT Internet. It comprises the hit* and the http header containing the IP address, the User Agent, the cookie ID and the URL of the page that generated the hit. It is stored in secured log files on the AT Internet file servers, for a period of six (6) months. This data is not accessible to the Customer.
    • Processed Data: is data accessible to the Customer in the secured web interface or in exports (in all their formats: Excel, CSV, Word or via the API) after restructuring and enrichment by AT Internet (geolocation, robot exclusion, etc.).

    *The “hit” is the request made to the AT Internet HTTP (or HTTPS, depending on the Controller configuration) servers for the JavaScript file as supplied by AT Internet. The hit contains the user’s raw browsing data.

 

Article 2. Compliance with European principles

Each Party undertakes to comply with the legislation applicable to personal data and respect for private life, in particular with EU Regulation 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and with Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

 

Article 3. Purpose

The objective of this Agreement is to determine the terms & conditions under which the Processor undertakes on behalf of the Controller to process the personal data defined below to provide a digital-analytics solution.

 

Article 4. Compliance with instructions

The Processor undertakes to process the data in compliance with the Controller’s instructions as defined in this Agreement.

The Controller benefits from a digital-analytics SaaS solution developed by the Processor for all its customers. Any special instruction particular to the Controller shall therefore be subject to the Processor’s prior approval, and the Processor reserves the right to invoice or to refuse to follow the instruction based on the resources necessary to implement it and/or the feasibility of integrating it into the solution’s technical platform.

If the Processor considers that an instruction constitutes a violation of the regulations in force, he/she shall immediately inform the Controller.

 

Article 5. Description of the processing to be sub-contracted

 

5.1 Scope of the processing

In providing a digital-analytics SaaS solution to the Controller, the Processor collects and processes data based on the tagging effected by the Controller in order to measure the audience for its internet, intranet and mobile sites, and for its mobile applications; the Controller may also measure the audiences for third-party sites and mobile applications, if this is duly authorized by the owner of the third-party site and/or third-party application (the Controller shall provide proof of this authorization at the Processor’s first request).

5.2 Purpose of the processing

The solution designed by the Processor is intended to produce data and analyses relating to audience statistics and digital intelligence, and to deliver them via a secured web interface available to the Controller, or via data exports (in all formats: Excel, CSV, Word or API).

In addition to the main purpose set out above, the Controller may wish to use the digital-analytics solution for other ancillary purposes, in particular related to the Controller’s activity sector and/or to the digital strategic objectives that it is pursuing.

5.3 Period of processing

Notwithstanding the data retention period defined in Article 14 of the Agreement, the collection and processing of personal data shall continue throughout the duration of the business relationship between the Parties.

5.4 Persons concerned

The personal data relates to the following categories of persons concerned:

  • Authorized personnel of the Controller. “Authorized personnel” means the Controller’s employees and any other natural person appointed by the Controller to use the digital-analytics solution or to conduct the business relationship with the Processor (purchasing, project management, invoicing, etc.).
  • Users of web sites, mobile sites and mobile applications audited using the Processor’s digital-analytics solution.

5.5 Type of personal data

The personal data belongs to one of the following categories of data:

  • Authorized personnel of the Controller: surname, first name, job title, business email address, business phone number, photograph, identifier/password (hashed) for connecting to the solution.
  • Users of web sites, mobile sites and mobile applications
  • Data necessarily collected by the tag to achieve the main purpose:
    • IP address of visitor to the audited web or mobile site;
    • ID generated by the AT Internet cookie when activated in the web browser used by the visitor to the audited web site;
    • Mobile Identifier;
    • All browsing data related to these identifiers.
  • Data created by the Processor to achieve the main purpose:
    • Unique visitor ID;
    • All digital analytics data restructured by the Processor that relates to this identifier.
  • Any data collected by the tag for the Controller’s ancillary purposes:
    • GPS coordinates of the visitor to the audited site or mobile application (collected not systematically but depending on the Controller’s implementation of the solution);
    • Identified visitor ID (collected not systematically but depending on the Controller’s implementation of the solution);
    • Customer ID (collected not systematically but depending on the Controller’s implementation of the solution);
    • Email recipient ID (collected not systematically but depending on the Controller’s implementation of the solution);
    • Other personal data collected via the Controller’s particular implementation of the solution;
    • Any digital-analytics data associated with such an identifier or such personal data.
  • Any data imported into the solution by the Controller for the Controller’s ancillary purposes:
    • Any personal data held by the Controller that it imports into the digital-analytics solution, and any digital-analytics data associated with this personal data.

5.6 Nature of processing

  • Authorized personnel of the Controller:

The personal data of the Controller’s authorized personnel is collected and used by the Processor in order to conduct the contractual relationship (access to the solution’s secured web interfaces, orders, project monitoring, invoicing, etc.).

 

The Processor also monitors how the Customer’s authorized personnel use the solution in order to improve the services and best advise the Controller on using the solution.

This data is retained for up to six (6) months after termination of the business relationship between the Controller and the Processor or in compliance with the legal retention periods where applicable.

  • Digital-analytics solution:

The Processor, in supplying the digital-analytics SaaS solution, implements the processing in the following way:

  1. The Controller defines the sites and applications for which it wishes to implement the solution, and the objectives it expects to achieve by using the Processor’s digital-analytics solution. It nominates an administrator from among its authorized personnel.
  2. The Processor informs the designated administrator of the access rights and makes the AT Internet tag available to him/her in its secured web interface.
  3. The Controller, either the designated administrator or any other person authorized by him/her and to whom he/she has given corresponding access rights, sets the AT Internet tag in the pages of its web and mobile sites and its mobile applications.
  4. A cookie with a unique alphanumeric identifier is placed on the hard disk of the person using the Controller’s web site during his/her visit, either by the Controller’s web-site server or by AT Internet depending on the technology chosen, and if the web-site user consents or in cases when no consent is required.
  5. The tags implemented by the Controller automatically prompt the sending of Raw Data to the Processor’s collection servers. The Controller has no access to these. The Raw Data is temporarily stored in the servers’ secured filing system. It contains various data items about logins (number and duration of visits, number of clicks, pages viewed, etc.). The Raw Data also contains personal data relating to the users of the web sites and mobile applications. The data items are listed below, with details of the default processing carried out by the Processor:

 

A. Types of data collected by default by the AT Internet tag

In order to determine if the same web-site user has made several visits, the Processor uses the visitor’s IP address and/or the Cookie ID and/or the Mobile Identifier (depending on the platform visited) to automatically generate a numerical identifier, the Unique Visitor ID. In no circumstances will this identifier allow the web-site user to be identified by name. It is also not reversible: once it is determined, the Processor cannot track back to the IP address, Cookie ID or Mobile Identifier from which it came.

.

B. Types of data that may be collected by the AT Internet tag at the initiative of the Controller and for its own ancillary purposes

In addition to the data collected for ancillary purposes as listed above, the Controller is technically capable of setting up an AT Internet tag to collect other personal data, such as data from forms completed by the user of the web site or the audited application. Data collected in this way will thus form part of the Raw Data, and may also be contained in the Processed Data and hence accessible from the solution.

All audience data that is linked to one of the identifiers listed above must be considered as personal data. The data is retained in the database as Processed Data in accordance with the provisions of Article 14. It can be accessed via the solution and is purged in accordance with the provisions of Article 14.

6. The Processor performs initial processing on the Raw Data to put it in a form usable by a database. The Processed Data results from this conversion

7. The Controller may, if it wishes, and to pursue its own purposes, enrich the Processed Data with other files it has in its possession.

8. The Processor allows the analyses and audience data to be recovered via a secured web interface accessible only to the Controller’s administrator and persons authorized by him/her. The Controller accesses the Processed Data in this way. The only recipient of Processed Data is the Controller and more specifically its authorized staff with access rights to the solution.

The Data is not transferred to any third party unless the Controller expressly requests it in writing beforehand, for instance if technology partnerships are available as part of the solution and are adopted by the Controller.

 

Article 6. Impact assessment and prior consultation

The Processor undertakes to provide any necessary assistance to the Controller if the Controller is required to carry out an impact assessment on a processing operation covered by this agreement. If this impact assessment indicates that the processing presents a high risk to the rights and freedoms of data subjects, the Processor shall also provide assistance to the Controller so that he/she can respond to the information requested by the competent supervisory authority in the event of consultation prior to the implementation of the processing operation.

 

Article 7. Point of contact: Data Protection Officer (DPO)

The Processor undertakes to designate a Data Protection Officer (DPO) for the term of the contractual relationship between the Controller and the Processor, and to give the Controller his/her contact details.

The Controller undertakes to do likewise if it meets the criteria listed in the GDPR that require a Data Protection Officer (DPO) to be designated. Otherwise, it shall give the contact details of the person responsible for dealing with issues related to protecting personal data and respecting privacy.

 

The Processor designate the following persons to act as the contact points for all information and notifications related to the processing subject to this Agreement:

 

Nicolas Boudillon – Data Protection Officer

AT Internet SAS

85 avenue J F Kennedy 33700 Mérignac France

+33 (0)1 56 54 14 30 – dpo@atinternet.com

 

The Controller will appoint a contact point for data privacy matters by sending a notification to the Support Center of the Processor. In the case where the Controller did not appoint a specific contact point, the account administrator shall be the contact point.

 

Each Party undertakes to notify the other immediately of any change to the named contact person.

 

Article 8. Lawfulness of processing

The Controller alone guarantees that the processing carried out by the Processor is lawful. In this respect, the Controller undertakes firstly to inform the users of its web and mobile sites and mobile applications of the digital-analytics service; and secondly to validly collect the consent of the persons concerned, when consent is required, and to inform them of their right to withdraw their consent at any time.

 

When the Controller uses third-party cookies from AT Internet, the Processor undertakes to provide the Controller with the technical means allowing the persons concerned to oppose the collection and processing of their personal data (an opt-out), it being understood that making such a technical solution available to the persons concerned remains the responsibility of the Controller.

When the Controller uses a first-party cookie for the digital-analytics solution, it undertakes to provide the persons concerned with its own opt-out system.

 

Article 9. Obligation to inform

The Controller undertakes to inform visitors to audited sites and applications of the data processing and of their resulting rights in a concise, transparent, comprehensible and easily accessible way, under the terms and conditions set out in Articles 13 and 14 of the GDPR.

The Processor undertakes to cooperate with the Controller in order to help it fulfill its obligation to inform the persons concerned and to respond to requests for information from the Controller as quickly as possible.

In the same way, the Processor shall inform its internet site’s audience of any processing it may carry out for its Controllers in the course of providing its digital-analytics solution.

 

Article 10. Exercise of rights by the persons concerned

It is understood that the persons concerned are free to exercise the rights that the processing confers on them as regards and against the Controller. The Parties undertake to cooperate mutually in order to deal with all requests quickly and efficiently, and to be capable of responding to the person concerned within the legal period of one (1) month from the date the request is received.

 

When the request is made to the Controller, if it cannot take the matter further without the Processor’s support, the Controller undertakes to approach the Processor’s contact person as soon as possible and at most within five (5) working days of receiving the request, by emailing dpo@atinternet.com or the AT Internet Support Center. The Controller shall supply the Processor with all that is required to understand and review the request. The Processor shall supply the Controller with the information required within a time allowing the Controller to respond to the person concerned within the legal period of one (1) month. If the Processor cannot supply the Controller with the information required in time, and/or if it proves impossible to supply the information, the Processor shall inform the Controller that it must obtain additional time, or that it is not possible to fulfill the request of the person concerned.

 

When the request is made to the Processor and relates only to processing carried out on behalf of the Controller, the Processor undertakes to inform the Controller in writing of the request as quickly as possible and at most within five (5) working days of receiving it. The Processor shall supply the Controller with the information required within a time allowing the Controller to respond to the person concerned within the legal period of one (1) month. If the Processor cannot supply the Controller with the information required in time, and/or if it proves impossible to supply the information, the Processor shall inform the Controller that it must obtain additional time, or that it is not possible to fulfill the request of the person concerned.

 

When the request is made to the Processor and does not relate specifically to processing carried out on behalf of the Controller, the Processor shall respond directly to the person concerned, and need not inform the Controller.

 

Article 11. Limitation on purposes

The main purpose of the processing implemented by the Processor is to provide the Controller with a digital-analytics SaaS solution allowing it to measure the audience for its internet and mobile sites and for its mobile applications. The solution collects statistical audience data on these digital platforms, which is later replicated in a secured web interface. This data enables the Controller to improve in particular the ease-of-use of its digital platforms, its offering and also the quality of its products and services.

 

Technically, the Controller is able to use the solution for its own ancillary purposes. If it does so, the Processor shall not be responsible for any use of the solution or the data by the Controller for purposes other than the statistical analysis of the audience for its sites, and in particular if non-essential personal data is collected, if personal data is imported into the solution, or if data from the solution is triangulated with the Controller’s own data or systems. Thus if the Controller goes beyond the main purpose, it alone shall be liable to any third party or any supervisory authority.

 

Article 12. Minimizing the data

The Controller can install tags on the sites and applications it wishes to audit and can import data into the solution. It thus has full technical control over the scope of the data.

 

The personal data listed in Article 5.6, “Nature of processing, A. Types of data collected by default by the AT Internet tag” is the only data collected by the tags that is strictly necessary to provide the digital-analytics solution. Collection of this data alone is relevant and appropriate to the main purpose of the processing.

In any event, the collection or importation of special categories of personal data (Article 9 of the GDPR, so-called “sensitive” data) or of data relating to criminal convictions and offences (Article 10 of the GDPR) is strictly prohibited.

 

The Processor reserves the right to carry out ad-hoc checks and to ask the Controller for the purposes and reasons that in its view justify the collection or importation of personal data. If the Processor recognizes that the data collected and/or imported is not in proportion to the Controller’s stated purpose, or that the supply of a digital-analytics solution is irrelevant to the Controller’s stated purpose, or that the Controller does not comply with the restrictions related to special categories of personal data or to data relating to criminal convictions or offences, the Processor reserves the right to ask the Controller to end such processing immediately, to suspend the Controller’s access rights to the solution and/or to terminate the quote between the Processor and the Controller for fault of the Controller.

 

Article 13. Accuracy of the data

The Controller undertakes to take all reasonable steps to ensure that inaccurate personal data is corrected or deleted. The Processor undertakes to cooperate with the Controller and to process requests for correction or deletion issued by the Controller and/or by users of its web and mobile sites and mobile applications.

 

Article 14. Limit on retention

Raw Data is conserved by the Processor for six (6) months after its collection. The sole purpose of this retention period is to regenerate Processed Data if an incident occurs during the initial processing carried out on the Raw Data.

Processed Data is conserved for up to six (6) months after termination of the business relationship between the Controller and the Processor. However, the Controller remains free to determine how long Processed Data shall be conserved. In any event, the retention period selected by the Controller cannot be longer than six (6) months after termination of the of the business relationship.

The Controller’s administrator shall send a written request to the Processor’s Support Centre to enable the Processor to customise the retention period of Processed Data.

The Processor also undertakes to destroy the Controller’s data and keep no copy of it beyond a date of six (6) months after the end of the business relationship between the Controller and the Processor, if there is no dispute with the Controller. The Controller also remains free to request immediate destruction of all data upon the end of the business relationship.

 

Article 15. Data integrity, confidentiality and security

The Processor undertakes to ensure the security of personal data, and more generally, the security of the Controller’s data, and to safeguard its integrity and confidentiality. In this regard, it undertakes to design and implement all appropriate technical and organizational measures to keep the data secure and to protect it against any accidental or unlawful destruction, accidental loss, distortion, diffusion or unauthorized access.

 

The technical and organizational measures must at minimum include:

  • Designating a Data Protection Officer, raising the awareness of its staff as to the confidentiality of personal data, and imposing a strict confidentiality obligation on its staff;
  • Having an IS security policy and updating it regularly;
  • Having a disaster recovery plan so that service can continue should an incident occur;
  • Carrying out regular intrusion tests and, should a weakness or vulnerability be identified, implementing any corrective measures quickly.

 

The Processor undertakes to restrict access to personal data just to those staff who need to know it, and the Processor reiterates that the Controller alone is responsible for and manages the access rights to the solution.

 

The Controller retains the right to carry out an annual audit of the solution in order to check that the technical and organizational measures implemented by the Processor are adequate. This right is subject to its giving reasonable notice (not less than 10 working days beforehand) of its intention to carry out such an audit during the Processor’s working hours. The Controller bears the cost of the audit and the Processor shall invoice the Controller for any resources, human or machine, that the Controller calls on during the audit. Both Parties shall be subject to an obligation of confidentiality as regards the results of these audits.

 

Article 16.Data protection by design and by default

The Processor undertakes to protect personal data by default from the time the processing is designed and the solution functionality developed. The methods used to achieve this include in particular nominating a Data Protection Officer with the required technical skills, raising employees’ awareness of data protection, and imposing on employees a strict confidentiality obligation.

 

Article 17. Subcontracting

The Processor may ask another subcontractor (hereinafter the “Sub-processor”) to carry out specific processing.

 

The Processor states that on the date this Agreement is signed, and with the agreement of the Controller, the Sub-processors listed on following link: https://atinternet.com/en/processor-sub-processor-information-parent-company/  shall be involved.

 

In all circumstances, the Processor shall alone remain responsible to the Controller for all the obligations following from this Agreement. It is the initial Processor’s responsibility to ensure that the Sub-processor offers adequate guarantees that it has implemented technical and organizational measures such that the processing complies with the requirements of the GDPR. If the Sub-processor does not fulfill its obligations to protect data, the initial Processor shall remain fully accountable to the Controller for the execution by the Sub-processor of its obligations.

 

The Processor is free to change the list of Sub-processors. It must however inform the Controller beforehand of any planned change involving adding or replacing Sub-processors. The information must state clearly the subcontracted processing activities and the identity and contact details of the Sub-processor. The Controller shall have eight (8) calendar days from the day it receives the information to present its objections. The subcontracting cannot be finalized unless the Controller has made no objection during the agreed period.

 

Article 18. Competent supervisory authority

The competent supervisory authority as regards the activities and processing carried out by the Processor is the authority supervising the Controller.

The Parties undertake to cooperate with the competent supervisory authority and to provide it without delay with any information it requires to carry out its work.

 

Article 19. Notification should personal data be compromised

If a personal data breach occurs, the Processor undertakes to notify the Controller of the breach without undue delay after having become aware of it. The notification shall have the form and content required by the GDPR so that the Controller can report the breach to the competent supervisory authority.

 

The Controller is responsible for informing the persons concerned without undue delay, for instance by publishing a notice on the web and mobile sites and mobile applications from which the compromised data has come.

 

Article 20. Liability

If the Controller is being held liable to a third party or to any supervisory authority by a final decision for a breach of the clauses of this Agreement and/or of the legal or regulatory provisions in force, and if this breach was solely committed by the Processor, the Processor shall indemnify the Controller for all direct damages incurred and for the costs of legal proceedings, excluding all indirect damages such as operational losses, business damages, loss of customers, loss of orders, loss of profits or damage to corporate image. Total cumulated liability of the Processor shall not exceed the lower value of the following: (i) the yearly value of the subscription invoiced to the Controller and paid by the Controller or (ii) 100,000 (one hundred thousand) euros.

 

Indemnification is contingent upon:

  • the Controller promptly notifying the Processor of a claim no later than one (1) month after the Controller receives the claim; and
  • the Processor being given the possibility to cooperate with the Controller in the defense and settlement of the claim.

 

If the breach of the clauses of this Agreement or of the data protection legal provisions in force is committed by the Controller, the Controller shall be liable to any third party or supervisory authority and the Processor’s liability shall not be engaged.

 

Article 21. Transfer outside the European Union

The Controller’s audience data, i.e. that relating to visitors to sites and applications audited by the AT Internet solution, is stored in the European Union. As the solution is SaaS, the Processed Data nevertheless remains accessible to all authorized staff with the necessary access rights and an internet connection, irrespective of their location.

 

However, for data pertaining to the Controller’s Authorised Personnel, the Processor is authorised by the Controller to use processing facilities located in a third country within the meaning of the GDPR if the Processor complies with one of the following guarantees:

  • the legislation of the third country concerned provides an adequate level of protection for personal data and is recognised as such by a decision of the European Commission;
  • the Processor has concluded with a Sub-processor outside Europe a contract for the transfer of personal data in accordance with the model clauses drawn up by the European Commission;
  • the Processor’s subsequent non-European Sub-Processor has subscribed to an authorised transfer mechanism for personal data validated by the European Union institutions, such as the “E.U.- U.S. Privacy Shield Arrangement”;
  • the Processor’s non-European Sub-processor has adopted “Binding Corporate Rules” validated by a competent supervisory authority.

 

Article 22. Documentation and register of processing operations

The Processor states that it keeps a register of the processing carried out on behalf of the Controller. The register has the content and form required by the GDPR. The Processor shall also make available to the Controller the documentation necessary to demonstrate compliance with all its obligations and to enable the Controller to perform audits.

Download our PERSONAL DATA PROCESSING AGREEMENT
Newsletter
Receive our 100% digital analytics content (guides, webinars, customer successes) and our latest blog articles by email!
Top