Data Protection Policy
Data Processing Agreement — Appendix to the General Terms and Conditions
1. Introduction
The Data Protection Agreement (hereinafter the "Agreement") aims to govern the use of Personal Data of clients (hereinafter the "Client") of Videas SAS (hereinafter the "Processor" or "Videas SAS") when they use its services (hereinafter the "Service").
2. Definitions
The terms "adequacy decision", "technical and organizational measures", "data subjects", "data protection by design", "data protection by default", "records", "joint controller(s)", "controller", "processor", "processing", "personal data breach" used in this Agreement have the meanings described in Articles 4 et seq. of the GDPR.
Other terms are defined below:
- "Agreement": refers to the appendix to the Contract governing the use of the Client's Personal Data in accordance with the provisions of Article 28 of the GDPR, also referred to as "Data Processing Addendum" ("DPA")
- "DPIA": refers to a Data Protection Impact Assessment used to verify the proportionality of Personal Data processing and to prevent risks associated with Personal Data processing
- "Anonymization": refers to processing aimed at making it impossible to identify the data subjects concerned by the processing carried out within the scope of the Service, in an irreversible manner
- "Supervisory Authority": refers to the competent GDPR supervisory authority for the Service provided by the Processor
- "Client": refers to the entity that has subscribed to the Service provided by the Processor
- "Client's Employees": refers to the natural persons (e.g., employees) working on behalf of the Client and using the Service in that capacity
- "Contract": refers to the contract concluded between the Processor and the Client for the use of the Service to which this Agreement is appended
- "Rights Request(s)": refers to the fundamental right(s) created by the GDPR in Articles 15 et seq. (e.g., right of access, right of erasure, etc.)
- "Client's Personal Data": refers to any data relating to an identified or identifiable natural person transmitted to the Processor and processed by the Processor on behalf of the Client within the scope of the Service, the detailed list of which is presented in the appendix
- "White Label": refers to the unbranded Service provided by the Processor that allows the Client to customize and market said Service under its own brand
- "Party(ies)": refers jointly to the Client and the Processor
- "GDPR": refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the "General Data Protection Regulation"
- "Applicable Data Protection Legislation": refers collectively to French Law No. 78-17 of 6 January 1978 on information technology, files and civil liberties, and the GDPR
- "Reversibility": refers to the operation aimed at enabling the transfer and integration, in a usable and recognized format, of the Client's Personal Data from the Processor's Service to an equivalent service offered by another provider
- "SaaS Service": refers to software hosted by the Processor that can be used simultaneously by an unlimited number of clients
- "Sub-processor": refers to subcontractors recruited by the Processor to process the Client's Personal Data exclusively within the scope of the Service
- "End Users": refers to the Client's customers who use the Service under white label
3. Contractual relationships and duration
The Agreement is an indivisible appendix to the Contract signed between the Client and the Processor for the use of the Service.
In the event of a conflict between the Contract concluded for the use of the Service and the Agreement, the obligations set out in the Agreement shall prevail over the Contract with regard to the GDPR as a whole.
The Agreement is applicable for the entire duration of the Contract concluded for the use of the Service and may continue beyond as long as all obligations provided herein remain applicable.
4. Role of the Parties and scope of application
The Client acts, within the scope of the Agreement, as data controller and Videas SAS acts as processor within the meaning of Article 28 of the GDPR.
Under no circumstances may the Parties be considered as joint controllers within the scope of the Service. However, the Parties agree that in the event of an error or change in their qualification, the Parties shall meet as soon as possible to amend the Agreement and take all measures relating to such a situation to comply with the requirements of the Applicable Data Protection Legislation.
The Agreement exclusively governs the processing of the Client's Personal Data carried out within the scope of the Service as Processor within the meaning of Article 28 of the GDPR, excluding processing carried out as data controller by Videas SAS, which is governed by the Contract.
5. Instructions and commitments
The Processor undertakes to use the Client's Personal Data within the scope of the Service only on documented instructions appended to the Agreement. The Processor shall immediately inform the Client if it considers that an instruction provided by the Client is unlawful under the Applicable Data Protection Legislation. The Processor's liability shall not be engaged in cases where, despite the Processor's notification regarding the illegality of the instruction, the Client maintains and applies such instruction through the Service.
The Processor undertakes to comply with the provisions of the GDPR and, in particular, to maintain a record of processing activities specific to the Service and to develop its Service in compliance with the rules of "Data Protection by Design" and "Data Protection by Default".
The Processor undertakes never to transfer the Client's Personal Data for reasons other than the provision of the Service and undertakes never to use the Client's Personal Data for its own interest as data controller.
The Processor declares that all internal or external personnel likely to process the Client's Personal Data are bound by one or more binding legal instruments and regularly receive training and awareness sessions.
The Processor undertakes to guarantee the security of the Client's Personal Data and to implement all necessary technical and organizational measures for its Service, the details of which are presented in the appendix to the Agreement.
However, the Processor is never responsible for the Client's failures regarding the Applicable Data Protection Legislation when using the Service as data controller.
6. Assistance for conducting DPIAs
DPIAs must be carried out by the Client, in accordance with the provisions of the GDPR. Nevertheless, the Processor undertakes to communicate, upon written request from the Client, all necessary and required information for the Client to carry out a DPIA.
The Processor is, however, not required to carry out DPIAs on behalf of the Client. Any request beyond the communication of information may be refused.
7. Assistance for Rights Requests
Rights Requests sent by End Users are forwarded to the Client as soon as possible. The Processor is not required to maintain an inventory of Rights Requests on behalf of the Client and is not responsible for the Client's failures in managing Rights Requests.
The Processor shall execute, upon written request from the Client, the technical actions required for the Client to fulfill its obligation to respond to data subjects' requests.
The Client accepts and understands that the Processor is not required to manage data subjects' Rights Requests made within the scope of the Service on behalf of the Client. Any additional request to ensure such management will be refused.
Rights Requests sent to the Processor as data controller are processed exclusively by the Processor and are not forwarded to the Client.
8. Assistance on security measures
The Processor undertakes to communicate all necessary and required information on the technical and organizational security measures to be implemented to guarantee the security of the Client's Personal Data within the scope of the Service provision.
9. Personal Data breaches
The Processor undertakes to notify the Client, as soon as possible and no later than 48 business hours after becoming aware, of any personal data breach related to the Service that may concern the Client's Personal Data, as well as all necessary and required information in its possession to reduce the effects of the personal data breach. The Client accepts and acknowledges that the 72-hour period applicable to it only starts from the time of awareness of the personal data breach and that, as such, the 48 business hour period complies with the GDPR.
The Processor is not authorized to handle notifications of personal data breaches to the Supervisory Authority or to inform End Users on behalf of the Client. Any such request from the Client will be refused.
10. Sub-processors
The Client grants the Processor general authorization to recruit Sub-processors, provided that the Client is informed of any changes regarding these Sub-processors as soon as possible to allow the Client to raise objections. The Client accepts and acknowledges that specific authorization for a SaaS tool is not applicable and could lead to a blocking of the Service.
In the absence of objections raised by the Client within eight (8) days from notification, the new Sub-processor is definitively recruited without the Client being able to object, claim damages or request termination of the Contract. If the objection raised within the deadline is considered admissible by the Processor, the Processor may offer the Client one of the following solutions: i) withdrawal of the Sub-processor, ii) implementation of additional measures to guarantee the security of the Client's Personal Data, iii) termination of the Service without the Client being able to claim damages.
To be considered admissible by the Processor, objections must be objective and serious and duly demonstrated. The Parties accept that the following situations shall, by default, be considered admissible: i) the proposed Sub-processor is a direct competitor of the Client, ii) the Sub-processor is in a dispute with the Client, iii) the Sub-processor has been sanctioned by a Supervisory Authority within the 12 months preceding its recruitment, and iv) the Sub-processor does not comply, if applicable, with the applicable rules regarding transfers outside the European Union.
The Processor undertakes to recruit only Sub-processors that, after verification, present the necessary and sufficient guarantees to ensure the security and confidentiality of the Client's Personal Data. The relationship between the Processor and the Sub-processor must be governed by an agreement presenting obligations similar to this Agreement.
The Processor remains responsible, within the limits of liability provided in the Contract, for any GDPR breaches that its Sub-processors may commit within the scope of the Service.
11. Hosting and transfers outside the European Union
a) Data hosting
The Processor undertakes to make every effort to host the Client's Personal Data exclusively within a Member State of the European Union. The Client grants the Processor authorization to choose the EU Member State of its choice. In the event of hosting Personal Data in a country located outside the European Union, the Processor undertakes to obtain the Client's prior authorization and to implement all required mechanisms to govern this transfer, such as concluding Standard Contractual Clauses and, where applicable, implementing additional technical measures to strengthen the security of the Client's Personal Data.
b) Data transfers
The Client grants the Processor a general authorization for transfers outside the European Union if, cumulatively, i) transfers are made exclusively to GDPR-compliant Sub-processors and ii) transfers are made exclusively to a country benefiting from an adequacy decision or are governed by appropriate safeguards such as, in particular, Standard Contractual Clauses. If these conditions are not met, transfers outside the European Union are only authorized with the Client's prior consent. Additional technical security measures to strengthen the security of the Client's Personal Data must be implemented in all cases where Personal Data is transferred to a non-democratic country.
12. Retention periods and fate of the Client's Personal Data
The Processor undertakes to retain the Client's Personal Data only for the duration of the use of the Service, in accordance with the detailed instructions in the appendix, and to delete them at the end of the Contract. The Processor certifies, upon written request, the deletion of Personal Data and all existing copies.
The Client is informed that it must retrieve its Personal Data before the end of the Agreement. Failing this, the Client can no longer retrieve its Personal Data, as the deletion of personal data is irreversible and permanent. The Processor cannot be held responsible for any loss of Personal Data after their deletion, with the Client assuming full responsibility. The Client accepts that the complete, irreversible and permanent anonymization of the Client's Personal Data may be used as a means of deletion and that the Processor may retain anonymized data for the improvement of the Service, as accepted by Supervisory Authorities.
The Processor informs the Client that the restitution of Personal Data provided for in the GDPR does not constitute Reversibility of data to a new processor and that any request to this effect will always be refused by the Processor.
13. Audits
The Client has the right to conduct an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire has the force of a sworn statement binding the Processor. The questionnaire may be communicated in any form to the Processor, who undertakes to respond as soon as possible upon receipt.
The Client also has the right to conduct, once a year and at its own expense, an on-site audit, where applicable at the Processor's premises, in the event of a data breach due to a proven and demonstrated failure by the Processor that has caused duly justified harm to the Client. An audit at the Processor's premises may be conducted either by the Client or by an independent third party designated by the Client and must be notified in writing to the Processor at least thirty (30) days before the audit is conducted. The Processor has the right to refuse the choice of independent third party if the latter is i) a direct or indirect competitor of the Processor, ii) in a conflict of interest with the Processor (e.g., advisor to a competitor of the Processor), or iii) in pre-litigation or litigation with the Processor. In such case, the Client undertakes to choose a new independent third party to conduct the audit. The Processor may refuse access to certain areas for confidentiality or security reasons. In such case, the Processor conducts the audit in those areas and communicates the results to the Client.
In the event of a discrepancy identified during the audit, the Processor undertakes to implement, without delay and at its own expense, the necessary measures to comply with this Agreement. Discrepancies may only relate to the Applicable Data Protection Legislation regarding the Client's Personal Data and may not concern internal procedures or measures implemented by the Client on a specific basis. Discrepancies must be duly demonstrated, justified and documented.
In the event of a dispute by the Processor regarding identified discrepancies, the Processor may, at its choice and upon the Client's prior written acceptance, propose to i) meet to find an amicable solution and compromise, ii) refer the matter to the Supervisory Authority for arbitration on the dispute, or iii) appoint an independent expert to arbitrate the dispute.
14. Cooperation with authorities
The Processor undertakes to cooperate with the CNIL, the competent Supervisory Authority, in the event of an inspection concerning the processing carried out within the scope of the Service and undertakes to notify the Client as soon as possible in the event of requests concerning its Personal Data made by the Supervisory Authority or by an administrative, judicial or law enforcement authority.
15. Contact
The Client and the Processor each designate a contact person responsible for this Agreement who will be the recipient of the various notifications and communications to be made within the scope of the Agreement.
The Processor informs the Client that it has appointed Dipeeo SAS as Data Protection Officer, who can be contacted at the following details:
- Email address: [email protected]
- Postal address: Société Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
- Phone number: +33 1 59 06 81 85
16. Revisions
The Processor reserves the right to amend this Agreement in the event of changes to the applicable rules on Personal Data protection or in the event of modifications to the Service that would have the effect of amending any of its provisions.
Certified compliant by Dipeeo ®