Personal Data Protection Policy for SaaS Service - Semji
This personal data protection policy (the “PDPP”) applies to the processing of Personal Data in the context of the Agreement. It is hereby agreed that the PDPP is incorporated into the terms of the Agreement.
CLAUSE 1. Definitions
Any term not defined in the PDPP has the meaning given to it in the Agreement. The terms “process”, “processing”, “processor”, “transfer”, “controller” shall have the meaning given to them under the Applicable Regulations.
CLAUSE 2. General Principles
2.1. Principles
Pursuant to the Applicable Regulations and in the context of the Agreement:
- the Client is the data controller of the Personal Data or, when applicable, the data processor acting on behalf of its own clients;
- Semji is the data processor of the Personal Data, processing it exclusively on behalf of the Client and only on the Client’s documented instructions.
The Parties recognize that the Agreement, as well as the use of the Service and its functionalities, in accordance with the Agreement, form the documented instructions of the Client.
Any additional instruction concerning the processing of Personal Data by Semji shall be given by the Client in writing. The instruction shall specify the purpose of the processing and the operations to be performed by Semji, and shall only be carried out once the Client has accepted Semji’s estimate for the additional instruction.
Semji shall inform the Client, by any means, within five (5) days of its receipt of an instruction if, in its opinion, that instruction infringes the Applicable Regulations.
The Client acknowledges that it has exclusive control and knowledge of the Personal Data processed for the specific purposes of the Agreement, and notably of its origin. Consequently, the Client shall fulfil its obligations as data controller.
Semji will delete the Personal Data and copies thereof in accordance with the Agreement, unless any applicable law or the Applicable Regulations require storage of the Personal Data.
The Client shall inform Semji, when signing the Agreement, of the person to contact for all information, communications, notifications, or requests made in respect of the PDPP. If the Client does not provide Semji with this information, the signatory will be considered as the relevant contact person.
2.2. Transfers
Where strictly necessary for the performance of the Agreement, Semji may transfer Personal Data, provided that the Client is informed beforehand of such transfer. In any case, Semji shall not transfer Personal Data, without implementing the appropriate safeguards under article 46 of the GDPR, outside of:
- the European Union;
- the European Economic Area;
- a third country or territory recognized by the European Commission as ensuring an adequate level of protection.
In any case, the Personal Data entrusted to Semji is stored at one or more sites located in the European Union.
CLAUSE 3. Security of Personal Data
In accordance with article 32(1) of the GDPR, the Client and Semji shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The measures taken by Semji are listed in a security measures document, an updated version of which is available to the Client upon request.
Semji is exclusively responsible for the security of those aspects of the Service that fall under its control. The Client is responsible for the security and confidentiality of its own systems and of the access it grants to the Service. The Client shall ensure that its use and configuration of the Service meet the security requirements of the Applicable Regulations. Semji is not bound by any obligation to protect Personal Data which is (i) stored outside of the Service; (ii) transferred out of the Service by the Client; or (iii) transferred out of the Service by Semji on the instruction of the Client.
Semji ensures that persons authorized to process the Personal Data have committed themselves to confidentiality.
CLAUSE 4. Cooperation with the Client
Semji shall communicate to the Client, without undue delay after receiving it, any request, notice of investigation or complaint from a data subject concerning the processing of Personal Data under the Agreement (“Data Subject Requests”).
Acting as data controller, the Client shall remain solely responsible for the answer to be provided to Data Subject Requests, and Semji shall not answer any Data Subject Request itself. Notwithstanding the foregoing, and taking into account the nature of the processing of the Personal Data, Semji shall upon request assist the Client in fulfilling the Client’s obligations in responding to Data Subject Requests. The Client acknowledges that Semji will use appropriate technical and organizational measures in providing any such assistance, insofar as this is reasonably possible.
Upon written request from the Client, and at the latter’s expense, Semji shall provide the Client with all useful information in its possession for the purpose of assisting the Client, as data controller, in satisfying the privacy impact assessment requirements of the Applicable Regulations. Any such privacy impact assessment shall be carried out by, and under the sole responsibility of, the Client.
CLAUSE 5. Notification of Data Breach
Semji shall notify the Client without undue delay after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (“Data Breach”).
Semji shall provide the Client, without undue delay after the notification of the Data Breach and insofar as this is possible, with the following information:
- the categories and approximate number of data subjects concerned;
- the categories and approximate number of Personal Data records concerned;
- a description of the likely consequences of the Data Breach;
- a description of the measures taken or proposed to be taken by Semji to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
CLAUSE 6. Sub-processors
Semji may engage a sub-processor for the processing of Personal Data where, in Semji’s sole discretion, such engagement is strictly necessary for the performance of the Agreement.
Semji shall only engage sub-processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Regulations.
Semji shall by way of written agreement impose obligations substantively equivalent to those set out in the Agreement and in the Applicable Regulations on its sub-processors. Semji shall remain fully liable to the Client for the performance of that sub-processor’s obligations.
Semji may only engage a sub-processor which:
- is established in one of the member states of the European Union or the European Economic Area; or
- is established in a third country or territory recognized by the European Commission as ensuring an adequate level of protection; or
- offers one of the appropriate safeguards pursuant to article 46 of the GDPR.
The list of the sub-processors of Semji shall be provided on written request. Semji shall inform the Client of any addition or replacement of sub-processors as soon as possible. This information constitutes the information to the Client as specified in article 2.2. of the PDPP.
The Client may object in writing to such addition or replacement within a period of ten (10) business days from receipt of the information. The absence of objection from the Client after this period shall be considered acceptance of the sub-processor.
In case of objection from the Client, Semji may provide the Client with elements that could lift its objection. If the Client maintains its objection, the Parties shall discuss in good faith the continuation of the Agreement.
CLAUSE 7. Compliance and audit
On request, Semji will send to the Client by e-mail any document reasonably necessary to demonstrate Semji’s compliance with its obligations as a processor under the Agreement. Any other method of sending these documents will be at the Client’s expense.
The Client may request additional verification from Semji if the documents provided do not enable it to verify Semji’s compliance with its obligations as a processor under the Agreement. In such a case, the Client shall make a written request to Semji, by registered letter with acknowledgement of receipt, in which the Client justifies its request for further information. Semji shall answer the Client as soon as possible.
If, despite Semji’s answer, the Client questions the veracity or completeness of the information provided, or in the event of an imminent risk to the security of Personal Data, the Client may carry out an on-site audit subject to the following conditions (“Audit”):
- the Client makes a written request for an on-site Audit to Semji, by registered letter with acknowledgement of receipt, by justifying and documenting its request;
- Semji shall provide a response to the Client specifying the scope and conditions of the on-site Audit. Since access to Semji’s information system and data centers is restricted for security reasons, the scope of an on-site Audit will be limited to the operations and systems Semji uses for the processing of the Personal Data entrusted to Semji by the Client under the Agreement;
- The Audit shall not exceed two (2) business days which will be invoiced by Semji to the Client at the rates in effect at the time the Audit is carried out;
- This Audit may be carried out by the Client’s internal auditors or may be entrusted to any service provider chosen by the Client, that is not a competitor of Semji;
- Auditors must make a formal commitment not to disclose information collected at Semji regardless of how it is obtained. A non-disclosure agreement must be signed by the auditors and communicated to Semji before the Audit takes place.
As part of the Audit, Semji will provide access to its premises, and to the documents and persons reasonably necessary for the auditors to conduct the Audit in satisfactory conditions. The Client and/or the Auditors (as the case may be) must make reasonable endeavors to minimize any disruption to Semji’s business operations including the operation of the Service.
The Audit report must be made available to Semji by the auditors before being finalized, so that Semji can submit any comments, and the final report must take into account and respond to these comments. The final Audit report will then be sent to Semji and discussed at a meeting between the Parties.
In the event that the final Audit report reveals any breach of the commitments made in relation to the Service, Semji shall propose a corrective action plan within twenty (20) business days of the meeting between the Parties.
For the purposes of this clause, “business day” means a day between Monday and Friday which is not a public holiday in metropolitan France.
Except where material changes of circumstances or events justify an Audit at shorter notice, Audits may be carried out by the Client at Semji’s site only once during the Initial Service Period of the Agreement, and subsequently only once per Extended Service Period.
CLAUSE 8. Description of the processing
The nature of the Personal Data processing, the purpose of the processing, the Personal Data processed, the category of data subject concerned and the duration of the processing are described in the dedicated document available on the online client portal.