PERSONAL DATA PROCESSING AGREEMENT

See V4 – October 2021 version

Version 5: October 2021

 

Preamble

This Agreement applies to the processing of personal data by the Customer, acting as data controller (hereinafter the “Controller”) and the Service Provider, acting as data processor (hereinafter the “Processor”) in the context of the provision of a digital-analytics solution. This Agreement is an independent document aiming to define the obligations of each Party to ensure compliance with the current legislation on processing personal data and respecting personal privacy. It does not include the business provisions also agreed between the Parties in separate business agreements.

 

• Article 1. Definitions

For the purposes of this agreement, the terms “personal data”, “processing”, “restriction of processing”, “filing system”, “controller”, “processor”, “recipient”, “third party”, “consent”, “personal data breach” and “supervisory authority” have the same meaning as in EU Regulation 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”).

 

“Data” means all the data defined below:

• Available Raw Data means a part of the Raw Data accessible in real time to allow the Data Controller to check the implementation and the tagging.
• Processed Data: is all data accessible to the Controller in the secured web interface , via API or in exports (in all their formats: Excel, CSV, Word, etc.) after restructuring and enrichment by the Processor (geolocation, device detection, robot exclusion, etc.).
• Raw Data: means all data collected, before being enriched by the Processor. It comprises the hit and the http header containing the IP address, the User Agent, the device ID (cookie ID, mobile ID, etc.) and the URL of the page that generated the hit (web mode). This data is not accessible to the Controller.

“Authorised personnel” means any natural person authorised by the Controller to access the Solution and which was granted access rights by the Controller (or where applicable the Processor upon request of the Controller). Authorised Personnel may include for example, employees, consultants, self-employed persons and agents of the Controller, as well as third parties having commercial relations with the Controller.

The “hit” is the HTTP request (or HTTPS request, depending on the Controller configuration) to the Processor’s servers that generally comes from the JavaScript Tag of the mobile SDK as supplied by the Processor and containing the user’s raw browsing data.

• Article 2. Compliance with European principles

Each Party undertakes to comply with the legislation applicable to personal data and respect for private life, in particular with EU Regulation 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and with Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

 

• Article 3. Purpose

The objective of this Agreement is to determine the terms & conditions under which the Processor undertakes on behalf of the Controller to process the personal data defined below to provide a digital-analytics solution.

 

• Article 4. Compliance with instructions

The Processor undertakes to process the data in compliance with the Controller’s instructions as defined in this Agreement.

The Controller benefits from a digital-analytics SaaS solution developed by the Processor for all its customers. Any special instruction particular to the Controller shall therefore be subject to the Processor’s prior approval, and the Processor reserves the right to accept or to refuse to follow the instruction based on the resources necessary to implement it, their costs and/or the feasibility of integrating it into the solution’s technical platform. Specific instructions shall only be implemented after the signature of a written agreement between the Controller and the Processor, which will set forth, where applicable, the related fees to be paid by the Controller.

If the Processor considers that an instruction shared by the Controller or r any Authorised Personnel’s usage of the Solution constitutes a violation of the regulations in force, he/she shall immediately inform the Controller.

• Article 5. Lawfulness of processing

The Controller alone guarantees that the processing carried out by the Processor is lawful. In this respect, the Controller undertakes firstly to inform the users of its web and mobile sites and mobile applications of the digital-analytics service; and secondly to validly collect the consent of the persons concerned, when consent is required, and to inform them of their right to withdraw their consent at any time. The Controller undertakes to gather and preserve evidence related to the consent obtained to prove its obtention.

When the Controller uses third-party cookies from AT Internet, the Processor undertakes to provide the Controller with the technical means allowing the persons concerned to oppose the collection and processing of their personal data (an opt-out), it being understood that making such a technical solution available to the persons concerned remains the responsibility of the Controller.

When the Controller uses a first-party cookie for the digital-analytics solution, it undertakes to provide the persons concerned with its own opt-out system.

 

Specific provision open to data controllers under the authority of the CNIL (‘CNIL Exemption’)

In accordance with CNIL deliberation n° 2020-091 of 17 September 2020 (guidelines), audience measurement trackers may be exempted from obtaining consent. The provisions of the implementation of this exemption and its consequences on processing carried out by the Sub-contractor are specified in the ‘CNIL Exemption’ Annex.

 

• Article 6. Description of the processing to be sub-contracted

• Scope of the processing

In providing a digital-analytics SaaS solution to the Controller, the Processor collects and processes data based on the tagging effected by the Controller in order to measure the audience for its internet, intranet and mobile sites, and for its mobile applications; the Controller may also measure the audiences for third-party sites and mobile applications, if this is duly authorised by the owner of the third-party site and/or third-party application (the Controller shall provide proof of this authorization at the Processor’s first request).

• Purpose of the processing

The solution designed by the Processor is intended to produce data and analyses relating to audience statistics and digital intelligence, and to deliver them via the solution ( web interface available to the Controller, data exports, API, etc.)

In addition to the main purpose set out above, the Controller may wish to use the digital-analytics solution for other ancillary purposes, in particular related to the Controller’s activity sector and/or to the digital strategic objectives that it is pursuing.

Furthermore, the accessibility of the Available Raw Data is only permitted to allow the Data Controller to verify the implementation and the tagging.

• Period of processing

Notwithstanding the data retention period defined in Article 11 of the Agreement, the collection and processing of personal data shall continue throughout the duration of the business relationship between the Parties.

• Persons concerned

The personal data relates to the following categories of persons concerned:

• Authorised personnel of the Controller.
• Users of web sites, mobile sites and mobile applications audited using the Processor’s digital-analytics solution.
• Type of personal data

The personal data belongs to one of the following categories of data:

• Authorised personnel of the Controller: surname, first name, job title, business email address, business phone number, photograph, identifier/password (hashed) for connecting to the solution.
• Users of web sites, mobile sites and mobile applications:
• Data necessarily collected by the tag to achieve the main purpose:
  • IP address of visitor to the audited web or mobile site;
  • Cookie ID, identifier generated by the AT Internet cookie when activated in the web browser used by the visitor to the audited web site;
  • Mobile ID;
  • All browsing data related to these identifiers.
• Data created by the Processor to achieve the main purpose:
  • Visitor ID;
  • All digital analytics data restructured by the Processor that relates to this identifier.
• Any data collected by the tag for the Controller’s ancillary purposes (collected not systematically but depending on the Controller’s implementation of the solution):
  • GPS coordinates of the visitor to the audited site or mobile application;
  • User ID, an identifier that enables an identified user (logged user) to be identified;
  • Transaction ID, an identifier enabling an order to be identified when using the e-commerce module;
  • Emailing recipient ID;
  • Other personal data collected via the Controller’s particular implementation of the solution;
  • Any digital-analytics data associated with such an identifier or such personal data.
• Any data imported into the solution by the Controller for the Controller’s ancillary purposes:
  • Any personal data held by the Controller that it imports into the digital-analytics solution, and any digital-analytics data associated with this personal data.
• Nature of processing
• Authorised personnel of the Controller:

The personal data of the Controller’s authorised personnel is collected and used by the Processor in order to conduct the contractual relationship (access to the solution’s secured web interfaces, orders, project monitoring, invoicing, etc.).

The Processor also monitors how the Customer’s authorised personnel use the solution in order to improve the services and best advise the Controller on using the solution.

This data is retained for up to one  (1) month after termination of the business relationship between the Controller and the Processor or in compliance with the legal retention periods where applicable.

• Digital-analytics solution:

 

		Personal Data included in Raw Data and not available in the Solution	Personal data included in the Accessible Raw Data	Personal Data included in Processed Data and available in the Solution
Types of data collected by default by the AT Internet tag and necessary to achieve the main purpose	IP Address	Yes + anonymisation option upon Controller’s request (last byte)	No	No
	Cookie ID	Yes (depending on the platform visited)		Visitor ID
	Mobile ID	Yes (depending on the platform visited)
	Analytics Data related to one of these identifiers	Yes		Yes (enriched)
Types of data that may be collected by the AT Internet tag at the initiative of the Controller and for its own ancillary purposes:	GPS	Yes (if used with SDK and implemented by the Data Controller) 2 decimal truncation *		Yes (if collected)
	User ID	Yes (if tracking is implemented by the Data Controller)		Yes (if collected)
	Transaction ID	Yes (if tracking is implemented by the Data Controller)		Yes (if collected)
	Emailing recipient ID	Yes (if tracking is implemented by the Data Controller		Yes (if collected)
	Other personal data	Yes (if tracking is implemented by the Data Controller)		Yes (if collected)

The Processor, in supplying the digital-analytics SaaS solution, implements the processing in the following way:

1. The Controller defines the sites, applications and connected devices for which it wishes to implement the solution, and the objectives it expects to achieve by using the Processor’s digital-analytics solution. It nominates one or more administrator(s) from among its Authorised personnel.
2. The Processor informs the designated administrator(s) of the access rights and makes the AT Internet tag available to them in its secured web interface.
3. The Controller, either the designated administrator or any other person authorised by him/her and to whom he/she has given corresponding access rights, sets the AT Internet tag in the pages of its web and mobile sites and its mobile applications.
4. Depending on the technology chosen, and if the user consents or in cases when no consent is required, a tracer (cookie ID, mobile ID, etc.) is used during the user’s visit for the audited perimeter.

 In order to determine if the same user has made several visits, the Processor uses the visitor’s IP address and/or the Cookie ID and/or the Mobile Identifier ) to automatically generate a numerical identifier, the Visitor ID. In no circumstances will this identifier allow the user to be identified by name. It is also not reversible: once it is determined, the Processor cannot track back to the IP address, Cookie ID or Mobile Identifier from which it came.

5. The tags implemented by the Controller automatically prompt the sending of Raw Data to the Processor’s collection servers. The Controller has no access to these. In addition to various data items about logins, the Raw Data also contains personal data relating to the users of the audited perimeters. However, the Data Controller may have access to the Available Raw Data.
6. The Processor performs initial processing on the Raw Data to put it in a form usable by a database. The Processed Data results from this conversion The Controller may, if it wishes, and to pursue its own purposes, enrich the Processed Data with other files it has in its possession. In addition to the data collected for ancillary purposes as listed above, the Controller is technically capable of setting up an AT Internet tag to collect other personal data, such as data from forms completed by the user of the web site or the audited application. Data collected in this way will thus form part of the Raw Data and may also be contained in the Processed Data and hence accessible from the solution.
7. The Processor allows the analyses and audience data to be recovered via the solution accessible only to the Controller’s Authorised personnel. The Controller accesses the Processed Data in this way. The Data is not transferred to any third party unless the Controller expressly requests it in writing beforehand, for instance if technology partnerships are available as part of the solution and are adopted by the Controller.

 

• Article 7. Obligation to inform

The Controller undertakes to inform visitors to audited sites and applications of the data processing and of their resulting rights in a concise, transparent, comprehensible and easily accessible way, under the terms and conditions set out in Articles 13 and 14 of the GDPR.

The Processor undertakes to cooperate with the Controller in order to help it fulfill its obligation to inform the persons concerned and to respond to requests for information from the Controller as quickly as possible.

 

• Article 8. Limitation on purposes

The main purpose of the processing implemented by the Processor is to provide the Controller with a digital-analytics SaaS solution allowing it to measure the audience for its internet and mobile sites and for its mobile applications. The solution collects statistical audience data on these digital platforms, which is later replicated in a secured web interface. This data enables the Controller to improve in particular the ease-of-use of its digital platforms, its offering and also the quality of its products and services.

 

Technically, the Controller is able to use the solution for its own ancillary purposes. If it does so, the Processor shall not be responsible for any use of the solution or the data by the Controller for purposes other than the statistical analysis of the audience for its sites, and in particular if non-essential personal data is collected, if personal data is imported into the solution, or if data from the solution is triangulated with the Controller’s own data or systems. Thus, if the Controller goes beyond the main purpose, it alone shall be liable to any third party or any supervisory authority.

 

The Processor shall refrain from any use of the Data other than that strictly necessary to provide the Solution to the Controller.

 

• Article 9. Minimizing the data

The Controller can install tags on the sites and applications it wishes to audit and can import data into the solution. It thus has full technical control over the scope of the data.

 

The personal data collected for the main purpose (see the first part of the table inserted in Article 6.6) is the only data collected by the tags that is strictly necessary to provide the digital-analytics solution. Collection of this data alone is relevant and appropriate to the main purpose of the processing. Collection of this data alone is relevant and appropriate to the main purpose of the processing.

 

 

In any event, the Controller shall refrain from collecting or importing so-called “sensitive data” (Article 9 of the GDPR, special categories of personal data) or data relating to criminal convictions and offences (Article 10 of the GDPR).

 

• Article 10. Accuracy of the data

The Controller undertakes to take all reasonable steps to ensure that inaccurate personal data is corrected or deleted. The Processor undertakes to cooperate with the Controller and to process requests for correction or deletion issued by the Controller and/or by users of its web and mobile sites and mobile applications.

 

• Article 11. Limit on retention

11.1 Retention during the business agreement

• Standard retention

Raw and Processed Data is conserved by the Processor for twenty-five (25) months after collection.

• Customized retention

The Controller remains free to determine another retention time, provided storage time is shorter than twenty-five (25) months. The Controller’s administrator shall send a written request to the Processor’s Support Centre to enable the Processor to customise the retention period of Raw and Processed Data.

Any storage time longer that the standard period must be subject to a specific agreement (billable option)

11.2 Purge at the end of the business agreement

The Processor undertakes to destroy the Controller’s Data and keep no copy of it beyond a date of one (1) month after the end of the business relationship between the Controller and the Processor, if there is no dispute with the Controller. The Controller also remains free to request immediate destruction of all Data upon the end of the business relationship.

 

• Article 12. Exercise of rights by the persons concerned

It is understood that the persons concerned are free to exercise the rights that the processing confers on them as regards and against the Controller. The Parties undertake to cooperate mutually in order to deal with all requests quickly and efficiently, and to be capable of responding to the person concerned within the legal period of one (1) month from the date the request is received.

 

When the request is made to the Controller, if it cannot take the matter further without the Processor’s support, the Controller undertakes to approach the Processor’s contact person as soon as possible and at most within five (5) working days of receiving the request, by emailing dpo@atinternet.com or the AT Internet Support Center. The Controller shall supply the Processor with all that is required to understand and review the request. The Processor shall supply the Controller with the information required within a time allowing the Controller to respond to the person concerned within the legal period of one (1) month. If the Processor cannot supply the Controller with the information required in time, and/or if it proves impossible to supply the information, the Processor shall inform the Controller that it must obtain additional time, or that it is not possible to fulfill the request of the person concerned.

 

When the request is made to the Processor and relates only to processing carried out on behalf of the Controller, the Processor undertakes to inform the Controller in writing of the request as quickly as possible and at most within five (5) working days of receiving it. The Processor shall supply the Controller with the information required within a time allowing the Controller to respond to the person concerned within the legal period of one (1) month. If the Processor cannot supply the Controller with the information required in time, and/or if it proves impossible to supply the information, the Processor shall inform the Controller that it must obtain additional time, or that it is not possible to fulfill the request of the person concerned.

 

• Article 13. Data integrity, confidentiality and security

The Processor undertakes to ensure the security of personal data, and more generally, the security of the Controller’s data, and to safeguard its integrity and confidentiality. In this regard, it undertakes to design and implement all appropriate technical and organizational measures to keep the data secure and to protect it against any accidental or unlawful destruction, accidental loss, distortion, diffusion or unauthorised access.

 

The technical and organizational measures must at minimum include:

• Designating a Data Protection Officer, raising the awareness of its staff as to the confidentiality of personal data, and imposing a strict confidentiality obligation on its staff;
• Having an IS security policy and updating it regularly;
• Having a disaster recovery plan so that service can continue should an incident occur;
• Carrying out regular intrusion tests and, should a weakness or vulnerability be identified, implementing any corrective measures quickly.

 

The Processor undertakes to restrict access to personal data just to those staff who need to know it, and the Processor reiterates that the Controller alone is responsible for and manages the access rights to the solution.

 

The Controller retains the right to carry out an annual audit of the solution in order to check that the technical and organizational measures implemented by the Processor are adequate. This right is subject to its giving reasonable notice (not less than 10 working days beforehand) of its intention to carry out such an audit during the Processor’s working hours. The Controller bears the cost of the audit and the Processor shall invoice the Controller for any resources, human or machine, that the Controller calls on during the audit. Both Parties shall be subject to an obligation of confidentiality as regards the results of these audits.

 

• Article 14. Data protection by design and by default

The Processor undertakes to protect personal data by default from the time the processing is designed and the solution functionality developed. The methods used to achieve this include in particular nominating a Data Protection Officer with the required technical skills, raising employees’ awareness of data protection, and imposing on employees a strict confidentiality obligation.

• Article 15. Subcontracting

The Processor may ask another subcontractor (hereinafter the “Sub-processor”) to carry out specific processing.

 

The Processor states that on the date this Agreement is signed, and with the agreement of the Controller, the Sub-processors listed on following link: https://www.atinternet.com/en/processor-sub-processor-information-parent-company/  shall be involved.

 

In all circumstances, the Processor shall alone remain responsible to the Controller for all the obligations following from this Agreement. It is the initial Processor’s responsibility to ensure that the Sub-processor offers adequate guarantees that it has implemented technical and organizational measures such that the processing complies with the requirements of the GDPR. If the Sub-processor does not fulfill its obligations to protect data, the initial Processor shall remain fully accountable to the Controller for the execution by the Sub-processor of its obligations.

 

The Processor is free to change the list of Sub-processors. It must however inform the Controller beforehand of any planned change involving adding or replacing Sub-processors. The information must state clearly the subcontracted processing activities and the identity and contact details of the Sub-processor. The Controller shall have eight (8) calendar days from the day it receives the information to present its objections. The subcontracting cannot be finalized unless the Controller has made no objection during the agreed period.

 

• Article 16. Transfer outside the European Union

The Controller’s audience data, i.e. that relating to visitors to sites and applications audited by the AT Internet solution, is stored in the European Union. As the solution is SaaS, the Processed Data nevertheless remains accessible to all authorised staff with the necessary access rights and an internet connection, irrespective of their location.

 

However, for data pertaining to the Controller’s Authorised Personnel, the Processor is authorised by the Controller to use processing facilities located in a third country within the meaning of the GDPR if the Processor complies with one of the following guarantees:

• the legislation of the third country concerned provides an adequate level of protection for personal data and is recognised as such by a decision of the European Commission;
• the Processor has concluded with a Sub-processor outside Europe a contract for the transfer of personal data in accordance with the model clauses drawn up by the European Commission;
• the Processor’s subsequent non-European Sub-Processor has subscribed to an authorised transfer mechanism for personal data validated by the European Union institutions;
• the Processor’s non-European Sub-processor has adopted “Binding Corporate Rules” validated by a competent supervisory authority.

 

• Article 17. Liability

17.1 Towards the Controller

In the event of a breach of this Agreement, the Processor shall indemnify the Controller for all direct damages incurred, excluding all indirect damages. Total cumulated liability of the Processor shall not exceed the yearly value of the subscription invoiced to the Controller and paid by the Controller.

The Processor’s liability may in no case be limited in respect of any damage caused by the Processor’s wilful intent, fraud, gross negligence, wilful misconduct or gross fault

 

17.2 Towards a supervisory authority (Art. 82 par. 2 and 3 of the GDPR)

The Controller shall be solely liable to any supervisory authority if the breach of this Agreement or the failure to comply with the legal and regulatory provisions on the protection of personal data is attributable to the Controller alone.

 

The Processor shall only be liable 1/ if it has acted outside or contrary to the lawful instructions of the Controller, 2/ in the event of non-compliance with the legal and regulatory provisions on the protection of personal data which are specifically incumbent on the Processor.

 

17.3 Towards a data subject (Art. 82 par. 4 and 5 of the GDPR)

Where the Controller and the Processor are liable for damage caused by the processing, each Party is held responsible for the damage in its entirety in order to guarantee the data subject effective compensation.

Where one of the Parties has made full reparation for the damage suffered, it shall be entitled to claim from the other Party the share of the reparation corresponding to the other Party’s share of responsibility for the damage, being understood that the Processor’s liability vis-à-vis the Controller is limited in accordance with Article 17.1 of this Agreement. 

 

• Article 18. Competent supervisory authority

The competent supervisory authority as regards the activities and processing carried out by the Processor is the authority supervising the Controller.

The Parties undertake to cooperate with the competent supervisory authority and to provide it without delay with any information it requires to carry out its work.

 

• Article 19. Notification should personal data be compromised

If a personal data breach occurs, the Processor undertakes to notify the Controller of the breach without undue delay after having become aware of it. The notification shall have the form and content required by the GDPR so that the Controller can report the breach to the competent supervisory authority.

 

The Controller is responsible for informing the persons concerned without undue delay, for instance by publishing a notice on the web and mobile sites and mobile applications from which the compromised data has come.

 

• Article 20. Documentation and register of processing operations

The Processor states that it keeps a register of the processing carried out on behalf of the Controller. The register has the content and form required by the GDPR. The Processor shall also make available to the Controller the documentation necessary to demonstrate compliance with all its obligations and to enable the Controller to perform audits.

 

• Article 21. Impact assessment and prior consultation

The Processor undertakes to provide any necessary assistance to the Controller if the Controller is required to carry out an impact assessment on a processing operation covered by this agreement. If this impact assessment indicates that the processing presents a high risk to the rights and freedoms of data subjects, the Processor shall also provide assistance to the Controller so that he/she can respond to the information requested by the competent supervisory authority in the event of consultation prior to the implementation of the processing operation.

 

• Article 22. Point of contact: Data Protection Officer (DPO)

The Processor undertakes to designate a Data Protection Officer (DPO) for the term of the contractual relationship between the Controller and the Processor, and to give the Controller his/her contact details.

The Controller undertakes to do likewise if it meets the criteria listed in the GDPR that require a Data Protection Officer (DPO) to be designated. Otherwise, it shall give the contact details of the person responsible for dealing with issues related to protecting personal data and respecting privacy.

 

The Processor designate the following persons to act as the contact points for all information and notifications related to the processing subject to this Agreement:

 

Louis-Marie Guérif – Data Protection Officer

AT Internet SAS

85 avenue J F Kennedy 33700 Mérignac France

+33 (0)1 56 54 14 30 – dpo@atinternet.com

 

The Controller will appoint a contact point for data privacy matters by sending a notification to the Support Center of the Processor. In the case where the Controller did not appoint a specific contact point, the account administrator(s) shall be the contact point.

 

Each Party undertakes to notify the other immediately of any change to the named contact person.

 

 

Annex – CNIL EXEMPTION

The French supervisory authority Comission Nationale de l’Informatique et des Libertés (CNIL) has set out the conditions for the exemption from consent of audience measurement trackers via Article 5 of CNIL deliberation n° 2020-091 of 17 September 2020 (guidelines). The CNIL also provides recommendations in Article 5 of CNIL deliberation n° 2020-92 of 17 September 2020

 

1. The scope of exemption

 

• Strictly necessary nature (§ 50 and 51 of deliberation n° 2020-091)

The first condition for the use of audience measurement trackers without consent is to ensure they are strictly necessary to the provision of an online communication service expressly requested by the user, in accordance with Article 82 of the French data protection act (Loi Informatique et Libertés).

In order to limit such use to the strict requirement of service provision, the CNIL emphasises that these trackers must:

• Have an end purpose limited strictly and solely to site or application audience measurement (performance measurement, detection of browsing issues, optimisation of technical performance or ergonomics, estimation of the server power required, analysis of visited content), on exclusive behalf of the publisher;
• Not enable global monitoring of the person’s browsing using different applications or on other websites;
• Serve only to produce anonymous statistics;
• Not lead to cross-referencing of data from other processing or to the transmission of the data to a third party.

 

• Other recommendations by the CNIL (§ 50 of deliberation n°2020-92)

The CNIL also recommends that

• Users are informed of the implementation of these trackers, for example via the website or mobile application confidentiality policy;
• The life-span of trackers is limited to a period enabling an adequate comparison of audiences over time, as is the case with a 13-month life-span, and that it is not automatically extended during new visits;
• Data collected via these trackers is stored for a maximum duration of twenty-five months;
• The above-mentioned life-span and storage duration is subject to periodical revision in order to ensure its limitation to strict necessity.

 

• Compliance with the GDPR (§ 52 of deliberation n° 2020-091)

Audience measurement processing is considered to be personal data processing. The GDPR therefore applies.

 

2. Evaluation of the strictly necessary nature under the responsibility of the Data Controller

 

The Data Controller is the sole person responsible for assessing whether this processing is strictly necessary.

The Data Controller must document, and justify in the event of inspection, that the collection and use of analytic data meet the needs which are strictly necessary to the operation of the exempted scope.

 

3. Sub-contractor guidelines

 

In order to help the Data Controller to comply with the strict necessity of processing exempted from consent, the Sub-contractor provides the following options/settings:

Options activated on instructions from the Data Controller

• Default masking of following properties (compulsory setting): visitor ID, postcode, internet service provider, converted visit. The Data Controller is able to deactivate masking directly in the data model.
• The deletion of data after 25 rolling months or another period defined by the Data Controller.
• The anonymisation of the final byte (deletion of the last 3 digits) of the IP address. (compulsory setting)

 

All these options are to be activated under the technical organisation of the Data Controller. Thus, all the websites attached to the organisation will benefit from the setting chosen by the Data Controller.

In the event of option activation (partial or total), a document is to be signed between Parties to justify the implementation of the Data Controller’s instructions.

Settings at the disposal of the Data Controller

• To use adequate marking methods for the management of the CNIL Exemption, in particular to limit data collection to its strict necessity.
• To set the data model so as not to display undesired properties in the Solution.

 

Furthermore, the Sub-contractor recommends that the Data Controller should:

• Carry out audience measurement on the website or application exclusively; off-site measurements such as banner impressions, external videos, email openings or iframes are not possible without prior consent.
• Collect and use data within the Solution in such a way as to disable visitor/user recognition: data collected must serve solely for the use of anonymous statistics or cohorts.
• Not import or export data for cross-referencing purposes (e.g. AT Connect, CRM import, API calls for partners, API or export Data Flow export for CRM)
• Set the life-span of your trackers (cookie or mobile ID) to a 13-month limit.
• Check the level of geo-tracking strictly necessary for the use of your service. By default, AT Internet offers the ‘city’ level at the most.
• Notify your users of the presence of this exempted tracker and implement an opt-out setting.

 

The Sub-contractor will not be held liable under any circumstances:

• In the event of an erroneous assessment on the part of the Data Controller of the strictly necessary nature of processing implemented and exempt from consent.
• In the event of non-compliance with obligations and/or recommendations under the responsibility of the Data Controller.
• For compliance with instructions transmitted by the Data Controller.