Privacy and Data Protection Requirements for Suppliers

Updated: 27 September 2021

1. Definitions

1.1 “Agreement” means the master services agreement, purchase order terms and conditions or other contract under which Service Provider is providing services to Customer.

1.2 “Customer” means SAFI SALONS FRANÇAIS ET INTERNATIONAUX (RCS Paris n° 388.424.129) receiving the services provided under the Agreement.

1.3 “Data Protection Laws” means all privacy and data protection laws, rules, regulations, decrees, orders and other government requirements applicable to the Processing of Personal Information. 

1.4 “Personal Information” means the personal data that Service Provider is Processing under the Agreement.

1.5 “Processing” means any processing or other access to or operation or set of operations performed on Personal Information, and “Process” and “Processed” shall have corresponding meanings.

1.6 “Service Provider” means the service provider or supplier that is providing the services under the Agreement.

1.7 The lowercase terms “personal data”, “data subject”, “processing”, “controller”, “joint controller,” “processor”, “personal data breach” and “supervisory authority” shall have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they shall be read herein as the same.

1.8 Capitalised terms used but not defined herein shall have the meanings set out in the Agreement.

2. Description of Processing

2.1 The nature and purpose of the Processing activities carried out by Service Provider on behalf of Customer are in connection with providing the services under the Agreement.

2.2 The duration of the Processing is for the duration of Customer’s right to receive or use the services until disposal of the Personal Information in accordance with the Agreement. 

2.3 The categories of data subjects are individuals about whom Personal Information is provided to Service Provider by or at the direction of Customer as part of the services. 

2.4 The types of Personal Information are types of personal data provided to Service Provider by or at the direction of Customer as part of the services. 

2.5 With respect to any Personal Information included in any Customer account data, usage data, and other data that Service Provider processes as a controller as necessary to provide, manage or secure the services, Customer and Service Provider are each an independent controller and not a joint controller.

2.6 With respect to any Personal Information that Service Provider independently collects as a controller and supplies to Customer as part of the services, Service Provider and Customer are each an independent controller and not a joint controller. Service Provider is responsible for ensuring the legality of the Personal Information that it supplies to Customer for processing.

2.7 Any additional details about the Processing activities carried out by Service Provider on behalf of Customer and Customer’s Processing instructions for Service Provider are set out in the Agreement.

3. Restrictions on Processing

3.1 Service Provider shall Process the Personal Information in compliance with its obligations under the Data Protection Laws and only as necessary for the purposes of performing under the Agreement.

3.2 To the extent that Service Provider is Processing any Personal Information on behalf of Customer, Service Provider shall Process the Personal Information only on documented instructions from Customer, unless required to do so by applicable law to which Service Provider is subject; in such a case, Service Provider shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Service Provider shall immediately inform Customer if, in its opinion, an instruction infringes the Data Protection Laws.

4. Personnel

Service Provider shall ensure that persons authorised to Process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and will not Process the Personal Information except on instructions from Customer, unless required to do so by applicable law. 

5. Security

Service Provider shall implement and maintain appropriate technical and organisational measures, including those specified in the Agreement, in such a manner that its Processing of Personal Information will meet the requirements of the Data Protection Laws, ensure the protection of the rights of the data subjects, and provide a standard of protection that is at least the same level of protection as is required under the Data Protection Laws.

6. Notifying Customer of Requests

Service Provider shall, to the extent legally permitted, promptly notify Customer in writing of any request from a data subject, supervisory authority or other third party or any subpoena or other judicial or administrative order or request by a government authority or proceedings that Service Provider receives seeking access to or disclosure of Personal Information. Customer shall have the right to oppose or intervene in such action or deal with such request at its own costs in lieu of and on behalf of Service Provider, unless prohibited by law. Service Provider shall reasonably cooperate with Customer in such proceedings. 

7. Cooperation

7.1 Taking into account the nature of the Processing, Service Provider shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject's rights laid down in the Data Protection Laws (including rights of access, correction, objection and erasure, as applicable).

7.2 Service Provider shall assist Customer in ensuring compliance with data security, personal data breach notification and other obligations pursuant to the Data Protection Laws taking into account the nature of Processing and the information available to Service Provider.

8. Personal Data Breach

Service Provider shall notify Customer as specified in the Agreement, without undue delay and in all cases within the time period required under the Data Protection Laws after becoming aware of a personal data breach in respect of Personal Information and shall make reasonable efforts to assist Customer in the investigation and remediation of such personal data breach.

9. Accountability

To the extent that Service Provider is Processing any Personal Information on behalf of Customer, Service Provider shall make available to Customer all information necessary to demonstrate compliance with the Data Protection Laws and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to appropriate confidentiality undertakings.

10. Sub-processors

10.1 To the extent that Service Provider is Processing any Personal Information on behalf of Customer, Customer hereby provides general written authorisation to Service Provider to engage other processors to Process the Personal Information. Service Provider shall inform Customer of any intended changes concerning the addition or replacement of such other processors, thereby giving Customer the opportunity to reasonably object to such changes.

10.2 Where Service Provider engages another processor for carrying out specific Processing activities on behalf of Customer, the same data protection obligations as set out herein and the Agreement or other legal act between the Parties shall be imposed on that other processor by way of a contract or other legal act under applicable law. Where that other processor fails to fulfil its data protection obligations, Service Provider shall remain fully liable for the performance of that other processor's obligations.

11. Location of Processing

Personal Information may be transferred to any country where Service Provider and the processors it engages maintain facilities subject to appropriate safeguards as described in the Data Protection Laws, including any applicable transfer mechanism.

12. Training

Service Provider shall perform appropriate privacy training (including as may be required by the Data Protection Laws) for personnel who are Processing any Personal Information.

13. Claims

Where Customer faces an actual or potential claim arising out of or related to violation of the Data Protection Laws concerning the services provided by Service Provider under the Agreement, Service Provider shall promptly provide all materials and information that are relevant to the defence of such claim and the underlying circumstances concerning the claim.

14. Disposal

Promptly after the end of the provision of services relating to the Processing of Personal Information by Service Provider on behalf of Customer, or such earlier time as Customer requests, Service Provider shall, at the choice of Customer, delete or return to Customer or its designee (in such data format as Customer may reasonably specify) all Personal Information and delete existing copies, unless applicable law requires storage of the Personal Information. At the request of Customer, Service Provider shall certify such disposal in writing.

15. Jurisdiction-Specific Terms

To the extent that Service Provider is Processing any Personal Information originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed in the annex herein, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.

Annex

Jurisdiction-Specific Terms

Last updated: 27 September 2021

 

1. European Economic Area and Switzerland

1.1 To the extent that Customer transfers Personal Information from the European Economic Area (“EEA”) or Switzerland to Service Provider located outside the EEA or Switzerland, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“2021 EU SCCs”) in respect of such transfer, whereby Customer is the “data exporter,” Service Provider is the “data importer,” the “competent supervisory authority” is that in the country where the data exporter is established, the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted, the content of the applicable annexes corresponds to the respective content of the Agreement, and (i) to the extent that each Party acts as a controller, Module One applies and Modules Two, Three and Four are omitted, (ii) to the extent that Customer acts as a controller and Service Provider acts as a processor, Module Two applies, Modules One, Three and Four are omitted, Clause 9(a) Option 1 is omitted and the time period in Option 2 is 14 days, and (iii) to the extent that each Party acts as a processor, Module Three applies, Modules One, Two and Four are omitted; Clause 9(a) Option 1 is omitted and the time period in Option 2 is 14 days.

1.2 To the extent that Customer located outside the EEA or Switzerland is acting as a controller and receives Personal Information from Service Provider located in the EEA or Switzerland, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the 2021 EU SCCs in respect of such transfer, whereby Service Provider is the “data exporter,” Customer is the “data importer,” the content of the applicable annexes corresponds to the respective content of the Agreement, and (i) to the extent that Service Provider is acting as a controller, Module One applies, Modules Two, Three and Four, the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted, and the “competent supervisory authority” is that in the country where the data exporter is established, and (ii) to the extent that Service Provider is acting as a processor, Module Four applies and Modules One, Two and Three and the footnotes are omitted.

1.3 The 2021 EU SCCs are governed by the law of the country where the data exporter is established. 

1.4 Any dispute arising from the 2021 EU SCCs shall be resolved by the courts of the country where the data exporter is established. 

1.5 If there is any conflict between any of the terms of the Agreement and the 2021 EU SCCs, the 2021 EU SCCs will prevail.

2. United Kingdom

2.1 To the extent that Customer transfers Personal Information from the United Kingdom (“UK”) to Service Provider located outside the UK, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Decision 2004/915/EC of 27 December 2004 available at http://data.europa.eu/eli/dec/2004/915/oj (“2004 SCCs”) and/or Commission Decision 2010/87/EC of 5 February 2010 available at http://data.europa.eu/eli/dec/2010/87/oj (“2010 SCCs”), as applicable, in respect of such transfer, whereby Customer is the “data exporter,” Service Provider is the “data importer,” any optional clauses are omitted, and the content of the appendices corresponds to the respective content of the Agreement.

2.1 To the extent that Customer located outside the UK receives Personal Information as a controller from Service Provider located in the UK as a controller, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the 2004 SCCs in respect of such transfer, whereby Service Provider is the “data exporter,” Customer is the “data importer,” any optional clauses are omitted, and the content of the appendices corresponds to the respective content of the Agreement.

2.2 The 2004 SCCs and 2010 SCCs (collectively, the Clauses) are governed by the laws of England and Wales. All references in the Clauses to “Union,” “EU,” “Member State” and their laws are replaced with “UK” and the equivalent laws of the UK.

2.3 Any dispute arising from the Clauses shall be resolved by the courts of England and Wales.

2.4 If there is any conflict between any of the terms of the Agreement and the Clauses, the Clauses will prevail.

3. Brazil

To the extent that Customer transfers Personal Information from Brazil to Service Provider located outside Brazil, Service Provider guarantees compliance with the principles and the rights of the data subject and the regime of data protection provided under the Brazilian General Data Protection Law, nº 13.709 of 2018 (Lei Geral de Proteção de Dados Pessoais) (LGPD).

4. California, USA

4.1 To the extent that Service Provider is Processing any Personal Information in scope of the California Consumer Privacy Act of 2018 (CCPA) on behalf of Customer, Service Provider is prohibited from retaining, using or disclosing the Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement for Customer, or as otherwise permitted by the CCPA, including retaining, using or disclosing the Personal Information for a commercial purpose (as that term is defined in the CCPA) other than providing the services specified in the Agreement. 

4.2 To the extent that Customer otherwise discloses to Service Provider any Personal Information in scope of the CCPA for a business purpose (as that term is defined in the CCPA), Service Provider is prohibited from (a) selling (as that term is defined in the CCPA) the Personal Information; (b) retaining, using, or disclosing the Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the services specified in the Agreement; and (c) retaining, using, or disclosing the information outside of the direct business relationship between the Parties, and Service Provider certifies it understands these restrictions and will comply with them.

5. South Africa

5.1 To the extent that Service Provider is Processing any Personal Information in scope of the South African Protection of Personal Information Act, No. 4 of 2013 (POPIA) for Customer, Service Provider must establish and maintain the security measures referred to in section 19 of POPIA.

5.2 Service Provider will notify Customer immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
 

