When you sign up for our services and during the provision of those services, we collect the following categories of data:
We use your data to perform and manage your contract. This includes managing your Customer account and our contractual relationship, installing, maintaining, providing and managing the service purchased or the product ordered, providing support services and processing your requests, billing the service or product, handling complaints and disputes and debt recovery procedures, which may involve third parties. These data are retained for the time needed to manage the contract and/or for the time imposed by law. Without these data, we would not be able to provide the services you have purchased.
We may also use your data in our legitimate interests. For example, we may use your data to assess and improve our services and develop new services, and to implement loyalty, direct marketing, customer satisfaction and promotional campaigns. Unless you opt out, you may receive offers from us or our commercial partners, by post or telephone, and emails promoting services similar to those we offer. With your express consent, we may email you commercial information on other different types of services. Your data may also be used to protect the security of the network and prevent fraud or as part of a merger, asset sale or transfer of all or part of our business, by transferring your Customer personal data to the one or more third parties involved for the purposes of the transaction. These data will be retained for the time needed to achieve those purposes and for no more than three years after the end of the contractual relationship, as regards direct marketing purposes.
We may also use your data to fulfil our statutory obligations (including under anti-fraud and money-laundering laws and the legislation on late payments and payment defaults by customers) and/or to reply to requests submitted by public and governmental bodies.
You may access your data, rectify it, request its erasure, object to processing on legitimate grounds relating to your particular situation and exercise your right to data portability, at any time, via your Account Management Console or by emailing your request along with proof of your identity to our Personal Data Protection Officer at: firstname.lastname@example.org
However, we are not under any obligation to erase the data we need for the purpose for which it was collected, required to ensure compliance with a statutory obligation and/or to confirm, exercise or defend rights before a court of law. You may also give instructions to our Personal Data Protection Officer on the use of your personal data after your death.
You may register with a free telephone preference service to prevent unsolicited marketing calls from third-party companies on www.bloctel.gouv.fr. If you are not happy with our handling of a complaint, you may contact the French Data Protection Agency (Commission Nationale de l’Informatique et des Libertés or “CNIL”), in charge of regulating compliance with personal data obligations.
We take all steps required to protect the personal data we process. Your data is processed electronically and/or manually and, in both cases, we ensure an appropriate level of security, protection and confidentiality based on the sensitivity of your data, using administrative, technical and physical measures preventing any loss or theft or any unauthorised use, disclosure or alteration of your data.
Your personal data is processed by us, companies belonging to the Iliad Group and our subcontractors, data processors and partners, to manage the contract and provide the services you have requested or authorised. Your data may also be transferred to third parties, providing services or support and advice to us. On request, it may also be transferred to the persons and authorities granted access to personal data under applicable laws or regulations or provisions adopted by legally competent authorities.
Our subcontractors, data processors and partners may be located outside the European Union. If they are located in a country that has not been recognised as providing an adequate level of protection, they must comply with our security and confidentiality requirements for your personal data and are only authorised to process your data for the purposes we determine. These subcontractors, data processors and partners must first sign the standard contractual clauses published by the European Commission.
This Subcontracting Agreement forms an integral part of the Service agreement between the Client and Online S.A.S. (“Agreement”).
For the purposes of the fulfilment and performance of the Agreement, Personal Data (as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”)) may be disclosed to and/or accessed by Online.
The purpose of this Subcontracting Agreement is to define the conditions under which Online undertakes to carry out Personal Data Processing operations, for the sole purpose of the performance of the Agreement and only for the duration of the Agreement, exclusively on behalf of the Client. The Parties hereby undertake to comply with the Data Protection Regulations.
Within the framework of the Agreement, the Client acts as data controller with regard to Personal Data as defined in the GDPR and Online acts as data processor as defined in the GDPR.
The Client has ascertained, on the basis of the information provided by Online and the other information at its disposal, that Online presents sufficient guarantees, in particular in terms of experience, resources, capacities and reliability, for the purpose of implementing the technical and organisational measures necessary to ensure that the Personal Data Processing provided for in the Agreement is carried out in compliance with the Data Protection Regulations.
Online represents and warrants that it has implemented all the necessary technical and organisational measures to ensure that the Personal Data Processing is carried out in accordance with the Data Protection Regulations, including the GDPR.
In addition to the terms and expressions defined in this Subcontracting Agreement (“Subcontracting Agreement”), the terms and expressions “International Organisation”, “Data Protection Officer” and “Personal Data Breach” shall have the same meaning as assigned to them in the GDPR. In addition, the following terms and expressions have the meanings given below, regardless of whether they are used in the singular or plural:
“Personal Data” means any information relating to any natural person who is directly or indirectly identified or identifiable, in particular through the use of identifying information such as a name, an identification number, location data, an online username, or one or more elements specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity that may be disclosed or made available in the context of the fulfilment and performance of the Agreement;
“Security Measures” means the security measures provided for by the Data Protection Regulations and any other obligation provided for by the said Regulation to guarantee the security and confidentiality of Personal Data, including the activities to be carried out in the event of a Personal Data Breach, in particular in order to avoid or reduce the harmful effects of the Personal Data Breach on the Data Subjects;
“Agent” means the employees, authorised persons or any other natural person empowered to carry out Processing Operations for any Personal Data transmitted or made available by Online and/or its possible Sub-processors;
“Data Subject” means the identified or identifiable natural persons to whom the Personal Data refers;
“Data Protection Regulations” means the GDPR, the French Data Protection Act no. 78-17 of 6 January 1978 and its successive amendments (“French Data Protection Act”), Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector of 12 July 2002, as well as all legislative provisions, regulations, guidelines, opinions, certifications, approvals, recommendations or final judicial decisions relating to the protection of personal data applicable to the Processing of Personal Data, already in force or which will enter into force during the term of this Subcontracting Agreement, including the measures, guidelines and opinions of the Working Party referred to in Article 29 of Directive 95/46/EC of the European Committee on Data Protection referred to in Articles 63 et seq. of the GDPR and of any other competent authority. In the event of a conflict between the French Data Protection Act, the GDPR and/or the measures adopted by the competent authorities to implement them, the provisions of the GDPR and the measures adopted to implement it shall take precedence.
“Processing” means the processing of Personal Data as defined in the GDPR entrusted to Online under the Agreement and described in this Subcontracting Agreement.
2.1. The Processing carried out by Online for the purposes of this Subcontracting Agreement shall relate solely to the types of Personal Data and the categories of Data Subjects defined by the Client.
2.2. Online undertakes to guarantee the confidentiality of the Personal Data and to ensure that any Subsequent Agents and Data Processors authorised to process the Personal Data under this Subcontracting Agreement observe the confidentiality of the Personal Data. The confidentiality obligation in respect of the Personal Data will remain in force for five years from the expiry of the Agreement.
3.1. Online, in its capacity as Data Processor for the Data Processing, undertakes, at its own expense:
3.2. Online is expressly prohibited from using all or part of the Personal Data, for any purpose whatsoever, on its own account or on behalf of a third party, whether during the term of the Agreement or after the end thereof.
4.1. In accordance with Article 30, paragraph 2, of the GDPR, Online undertakes to keep a separate, constantly updated record concerning all categories of activities relating to the Processing of Personal Data carried out on behalf of the Client. This shall include:
4.2. Online undertakes to promptly provide the Client with a copy of the record referred to in clause 4.1 at the request of the Client and/or the competent authorities.
4.3. Online undertakes to provide the Client with all the information relating to the Processing of Personal Data that it needs in order to be able to establish its own record of processing operations referred to in Article 30(1) of the GDPR.
5.1. Online undertakes to ensure that Agents have access only to the Personal Data that is strictly necessary for the performance of the Contract or in order to fulfil the legal obligations and that Agents exclusively Process such Personal Data, in all cases, within the limits and under the terms of this Subcontracting Agreement, the Agreement and the Data Protection Regulations.
5.2. Online also undertakes to allow Personal Data Processing to be carried out only by Employees who:
and to scrupulously ensure that the Agents properly carry out the instructions received and fulfil the obligations incumbent upon them.
5.3. The Contractor agrees to establish physical, technical and organisational measures to ensure that:
6.1. Online may only use another subcontractor (“Sub-processor”) to carry out specific Processing activities. At the request of the Client, Online will send a list of Sub-processors and will notify the Client in case of modification of these Sub-processors.
6.2. Online ensures that each Sub-processor offers adequate guarantees with regard to the Data Protection Regulations in terms of the technical and organisational measures adopted for the Processing of the Personal Data and ensures that each Sub-processor immediately discontinues any Processing of the Personal Data in the absence of such guarantees, including on the basis of information obtained from the Compliance Checklist referred to in paragraphs c) and e) of clause 6.2 above. If the Sub-processor fails to fulfil its obligations regarding the protection of the Personal Data, Online shall remain fully liable vis-à-vis the Client with regard to the Sub-processor’s performance of its obligations.
6.3. Online ensures that each Sub-processor is bound by adequate confidentiality obligations and that it undertakes to comply with the obligations of this Subcontracting Agreement on behalf of and according to the instructions of the Client, through a written agreement similar in content to that of the Subcontracting Agreement.
7.1. Online undertakes to adopt Security Measures in accordance with the provisions of the Data Protection Regulations and this Subcontracting Agreement.
7.2. More specifically, Online, taking into account the current situation and implementation costs and the nature, purpose, context and aims of the Processing of the Personal Data, as well as the risk that the Processing poses to the rights and freedoms of natural persons and the probability and gravity of said risk, undertakes to take appropriate technical and operational measures to guarantee a level of security commensurate with the risk associated with the Processing of the Personal Data, including, where appropriate, the measures provided for in Article 32, paragraph 1, of the GDPR. In any event, Online undertakes to:
8.1. In the event of any Personal Data Breaches or incidents which may compromise the security of the Personal Data (e.g. loss, damage or destruction of the Personal Data, regardless of the medium or format [paper, electronic or other], unauthorised access by third parties to the Personal Data or any other Personal Data Breaches), including Personal Data Breaches resulting from the conduct of any Sub-processors and/or Online’s Agents, Online shall:
8.2. For the purposes of this Subcontracting Agreement, the Contractor represents and warrants that it and any of its Sub-processors have adopted technical and organisational measures making it unlikely that a possible Personal Data Breach could jeopardise the rights and freedoms of the relevant Data Subjects, including through the use of technologies such as encryption which render the Personal Data incomprehensible to any person not authorised to access it.
8.3. Online undertakes to keep a record listing the Personal Data Breaches relating to the Personal Data covered by this Subcontracting Agreement, the circumstances surrounding them, the consequences of such Breaches, the measures adopted to remedy them and any failures committed in respect of this Subcontracting Agreement.
9.1. Online undertakes to reasonably cooperate with the Client in order to guarantee that requests from Data Subjects provided for under Data Protection Regulations to exercise their rights are met within the time limits and in accordance with the procedures laid down by law and, more generally, in order to ensure full compliance with the Data Protection Regulations. In this respect, Online undertakes to notify the Client of any request it receives from a Data Subject.
Online undertakes, in the context of the Processing covered by this Subcontracting Agreement, to:
11.1. Online shall provide the Client, at the latter’s request, with any reasonably necessary documents so as to ensure that it is in compliance with the obligations arising from this Subcontracting Agreement.
11.2. Online acknowledges and accepts that the Client may, at its expense, have a trusted third party, recognised as an independent auditor of the Parties and appointed by Online, evaluate the organisational, technical and security measures adopted by Online in the context of the Processing of Personal Data under conditions to be defined by the parties and within the limits of maintaining the services and the confidentiality and the safety of the other customers.
The Client expressly acknowledges and accepts that Online will be compensated for Online’s Processing activities carried out by it and its Sub-processors under this Subcontracting Agreement.
At the end of the Agreement for any reason whatsoever, Online shall immediately discontinue all Processing of the Personal Data and delete the Personal Data and any copies thereof, whether in electronic or paper format, from the computer systems, archives or any other place or device where they are stored, within ten days, except in cases where the storage of the Personal Data is required by applicable legislation, in which case such storage shall only be subject to the limits strictly laid down by such legislation. It is therefore the responsibility of the Client to ensure the retention of Personal Data prior to the termination of the Contract.
ONLINE, a simplified stock corporation (Société anonyme par actions simplifiée) with a working capital of €214.410,50, headquartered at 8 rue de la ville l’Evêque – 75008 Paris, FRANCE, registered with the Paris Corporate and Trade Register number RCS PARIS B 433 115 904, VAT number FR35433115904, reachable via its Internet site http://www.scaleway.com/ as well as by telephone at +33 (0) 184 130 042, or by fax at +33 (0) 899 193 775 (€1.35 per call plus €0.34/min.)