Contrat de Sous-Traitance de Données à Caractère Personnel (DPA) - Version précedente
Il s'agit d'une page archivée de notre DPA d'Avril 2024 qui est remplacé à compter du 11 octobre 2024.
BETWEEN :
Le présent Contrat de sous-traitance de données à caractère personnel (ci-après "DPA") est applicable aux relations commerciales entre la société RINGO (exerçant sous le nom de MODJO), société par actions simplifiée au capital de 38.666,31 euros immatriculée au registre du commerce et des sociétés de Nanterre sous le numéro 879 606 283, et dont le siège social est situé au 59, avenue Sainte-Foy - 92200 Neuilly-sur-Seine, France (ci-après " RINGO ") et son Client (ci-après le " Client ") tel qu’identifié dans le Bon de Commande.
Préambule :
In the context of the performance of the Order Form(s) and the attached Modjo General Terms and Conditions of Sales (T&Cs) concluded between RINGO and the Client, the Client, in its capacity as Controller, entrusts RINGO, in its capacity as Processor, with the processing of Personal Data.
This Data Protection Agreement is an integral part of the Modjo General Terms and Conditions of Sales.
The Parties intend to comply with all applicable regulations regarding the Processing of Personal Data, and in particular the Law n°78-17 of January 6, 1978 (known as "Informatique et Libertés") as amended and the General Regulation on the Protection of Personal Data n°2016-679 dated April 27, 2016 ("GDPR").
The Parties have agreed to this Agreement in order to comply with the provisions of Article 28, in particular paragraphs 3 and 4, of the GDPR. This Agreement applies to the processing of personal data as specified in Article 1.
It is expressly agreed that the terms used in this Agreement with a capital letter (e.g. Controller, Personal Data, Service...) correspond to the definitions contained in the GDPR and in the T&Cs. This Agreement shall be read and interpreted in light of the provisions of the GDPR.
It is agreed as follows:
1. Description des traitements
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal is processed on behalf of the Client, in its quality of Controller, are :
● Catégories de personnes concernées par le traitement de leurs données à caractère personnel : le personnel du Client et les employés utilisant les services fournis par RINGO ainsi que les contacts, prospects et clients du Client.
● Catégories de données à caractère personnel traitées : les données relatives à l'identification des personnes concernées (nom, prénom, coordonnées et email), les données relatives aux enregistrements des appels téléphoniques et des visioconférences, les données relatives à l'utilisation des services tels que les commentaires, les revues, les traductions, résumés et le scoring intelligents réalisés à partir des services, les données relatives aux emails échangés entre les personnes concernées, les données relatives aux emails de rappels de meeting et les données relatives aux réseaux.
● Objet du traitement : la fourniture par RINGO des services convenus avec le Client, et leur usage par le Client, conformément au(x) Bon(s) de Commande et aux CGV jointes conclus entre RINGO et le Client.
● Nature du traitement : la collecte et l'analyse de données, y compris de Données Personnelles, pour le compte du Client.
● Finalités du traitement : la fourniture par RINGO, pour le compte du Client, du Service, principalement la collecte, l’enregistrement et l'analyse d'enregistrements d'appels téléphoniques, de vidéoconférences et de mails et le remplissage du logiciel de gestion de la relation client, ainsi que les services d'assistance, de back-up, de sécurité et de maintenance liés au Service.
● Durée du traitement : Les Données Personnelles sont traitées par RINGO pendant la durée de la relation contractuelle du Client. La durée de conservation des appels peut être paramétrée par le client. Les logs sont conservés pendant une période d'un (1) an. Lorsque la fonctionnalité AI Assistant est activée par le Client, les données sont conservées par Open AI pour une durée maximale de 30 jours aux fins de modération des contenus et de prévention des abus.
2. Instructions
RINGO ne traite les données personnelles que sur instruction documentée du Client et conformément aux dispositions ci-dessus, à moins qu’il ne soit tenu d’y procéder en vertu du droit de l’Union ou du droit de l’État membre auquel il est soumis. Dans ce cas, RINGO informe le Client de cette obligation juridique avant le traitement, sauf si la loi le lui interdit pour des motifs importants d’intérêt public. Des instructions peuvent également être données ultérieurement par le Client pendant toute la durée du traitement des données à caractère personnel. Ces instructions doivent toujours être documentées.
Si RINGO estime qu'une instruction du Client constitue une violation de la réglementation applicable en matière de protection des données à caractère personnel, il en informe immédiatement le Client. RINGO n’est en aucun cas responsable des instructions et décisions du Client et de leurs éventuelles conséquences.
Les dispositions du présent Contrat, ainsi que l’activation par le Client, ses Administrateurs ou Utilisateurs des fonctionnalités de traduction et de AI Assistant constituent des instructions documentées du Client à RINGO.
3. Limitation des finalités
RINGO shall process the Personal Data only for the purposes of the processing, as set out in Article 1, unless it receives further instructions from the Client.
4. Durée de traitement
RINGO traite les données personnelles que pour la durée définie au sein de l’article 1 du présent contrat, à moins que RINGO ne reçoive d’autres instructions documentées du Client.
5. Mesures de sécurité
RINGO undertakes to put in place appropriate technical and organisational security measures to ensure the security of the Personal Data it processes against any destruction, loss, alteration, unauthorised disclosure of, or access to, or any other form of unauthorised processing. In assessing the appropriate level of security, RINGO takes due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
A description of these measures has been drawn up by RINGO in accordance with Article 32 of the GDPR and is available upon written request.
When the AI Assistant functionality is activated by the Customer, he accepts that the security measures implemented are those of the OpenAI security policy.
RINGO grants access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring the Service. RINGO ensures that persons authorised to process the personal data received are under an appropriate contractual obligation of confidentiality.
6. Documentation et conformité
RINGO shall make available to the Client all information necessary to demonstrate compliance with the obligations that are set out in this Contract and stem directly from GDPR.
At the request of the Client, RINGO shall also permit and contribute to audits of the processing activities covered by this Contract, at reasonable intervals or if there are indications of non-compliance.
The reasonable intervals mean that an audit may be carried out at the rate of one (1) time per calendar year, and with sixty (60) days' written notice to RINGO.
This audit must be conducted in a manner that respects the security and confidentiality of RINGO's documentation and procedures. It will last no more than one (1) day and will be held during normal business hours at RINGO's location.
The Controller may decide to carry out the audit itself or to appoint an independent auditor, chosen by mutual agreement between the parties and subject to an obligation of confidentiality.
Notwithstanding anything to the contrary, Client shall be responsible for all costs and/or expenses incurred as a result of such visit.
The parties shall make available to the competent supervisory authority(ies), upon request, the information set forth in this clause, including the results of any audit.
7. Sous-traitants ultérieurs
RINGO has the Client’s general authorisation for the engagement of sub-processors enumerated in the agreed list (Annex 1).
RINGO undertakes to provide an updated list of its subcontractors and their processing activities upon request by the Client.
RINGO shall inform the Client of any intended changes of that list through the addition or replacement of sub-processors at least eight (8) days prior to the addition or the replacement date of the concerned sub-processor.
The Client may object to RINGO use of a new sub-processor by notifying RINGO promptly in writing (e.g., via email) and before the addition or the replacement date of the concerned sub-processor. In the event the Client objects, RINGO will use reasonable efforts to make available to the Client a change in the Service or recommend a commercially reasonable change to Client’s configuration or use of the Service to avoid process of Personal Data by the objected-to new sub-processor If RINGO is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the Client may terminate the applicable Order Form with respect only to those services which cannot be provided by RINGO without the use of the objected-to new sub-processor by providing written notice to RINGO, with return receipt requested.
The absence of Client’s objections will be deemed as the Client’s acceptance of the changes affecting the sub-processors list.
Where RINGO engages a sub-processor for carrying out specific processing activities on behalf of the Client, the sub-processor of RINGO is obliged to fulfil, in substance, the same data protection obligations as the ones imposed on RINGO in accordance with this Contract It is the responsibility of RINGO to ensure that the sub-processor presents sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing meets the requirements of GDPR.
RINGO remains fully responsible to the Client for the performance by its sub-processors of its obligations.
Some sub-processors only process Client data when the feature for which they are acting is activated by the Administrator or the Client's User.
Ainsi, le sous-traitant ultérieur OpenAI ne traite les données du Client que lorsque l’Administrateur a activé la fonctionnalité AI Assistant. Lorsque cette fonctionnalité est activée, OpenAI est amené à traiter les données du Client pour la fourniture de résumés, chapitres et scoring intelligents.
Similarly, the sub-processor Deepl only processes Customer data when the User activates the translation feature for a specific record. When this feature is activated, Deepl will process the Client's data related to this record in order to provide a translation.
8. Assistance au Client
The Client shall inform Data Subjects of the processing of their data and of their rights under the “Loi Informatique et Libertés” and GDPR (rights of access, information, opposition, etc.). In particular, the Client must inform its own employees and their correspondents of the recording of their telephone and video conversation and of the fact that they can at any time object to such recording. RINGO may not be held responsible for this obligation under any circumstances.
RINGO notifie sans délai au Client toute demande, y compris d’exercice des droits, qu'il reçoit de la part de la personne concernée. Le Client s'engage à répondre aux demandes des Personnes concernées dans un délai d'un (1) mois.
En tant que sous-traitant, RINGO assiste le Client dans l’accomplissement de son obligation de donner suite aux demandes dont les personnes concernées le saisissent en vue d'exercer leurs droits, compte tenu de la nature du traitement et des instructions du Client.
As a Processor, RINGO shall assist the Client in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing and the Client’s instructions. RINGO shall also assist the Client in ensuring its compliance with its following obligations, taking into account the nature of the data processing and the information available to RINGO :
- l’obligation de procéder à une évaluation de l’incidence des opérations de traitement envisagées sur la protection des données à caractère personnel («analyse d’impact relative à la protection des données») lorsqu’un type de traitement est susceptible de présenter un risque élevé pour les droits et libertés des personnes physiques et, le cas échéant, l'obligation de consulter l'autorité de contrôle compétente avant le traitement
- les obligations énoncées à l’article 32 du RGPD.
9. Inspections, contrôle ou audits par les autorités publiques
In the event of an inspection, control or audit by a public authority, including a Control Authority, each Party undertakes to provide all necessary assistance to the other.
If the public authority considers that the processing carried out violates the applicable regulations on the protection of Personal Data, the Parties undertake to communicate and take the necessary measures immediately to remedy the violation.
10. Notification des violations de Données à caractère personnel
In the event of a personal data breach, RINGO shall cooperate with and assist the Client in complying with the Client's obligations under Articles 33 and 34 of the GDPR, taking into account the nature of the processing and the information available to RINGO.
In the event of a breach of personal data not caused by the Client, RINGO undertakes to take immediate remedial action.
RINGO shall notify the Client of any breach as soon as possible after its discovery, by e-mail addressed to the Client.
Such notification shall contain all relevant information about the breach, in order to enable the Client, if necessary, to notify the relevant Supervisory Authority and/or the data subjects of the breach, in accordance with its obligations as a Controller.
The Parties undertake to cooperate fully to bring the breach to an end as soon as possible.
11. Hébergement des données et transferts
Personal data processed by RINGO on behalf of the Client and RINGO’s websites and databases are hosted by Amazon Web Services on servers located in the European Economic Area (“EEA”).
Any transfer of data to a third country or an international organisation by RINGO shall be done only on the basis of this Contract or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of GDPR.
Préalablement à un transfert autorisé par le Client, RINGO s'engage à mettre en place les mesures nécessaires pour que le destinataire situé dans le pays hors de l'Espace économique européen présente un niveau de protection adéquat. Lorsque le Client a activé la fonctionnalité AI Assistant, il accepte que ses données soient traitées par OpenAI en accord avec ses conditions de traitement et qu’elles soient transférées aux Etats-Unis en application des clauses contractuelles types adoptées par la Commission européenne.
RINGO might transfer personal data to the permitted sub-processors identified in Annex 1 “List of Permitted sub-processor”. Such sub-processors might be located outside the European Union. In such a case, RINGO makes sure the sub-processor can ensure compliance with Chapter V of GDPR by presenting an adequate level of protection, such as using standard contractual clauses adopted by the Commissions or approved BCR.
A complete list and information on our subsequent subcontractors is provided in Appendix 1.
12. Modifications et mises à jour
RINGO reserves the right to modify this PAD at any time. Customer will be notified of such changes by email (sent to the Modjo Administrator's email address) or at www.modjo.ai or on the Modjo conversational analytics business platform, as RINGO may decide.
Except for the use of sub-processors, as stated in Article 7 of this DPA, changes to this DPA will apply to the Client, even if it has registered before the change, eight (8) days after the information has been given to them. In the event the updated DPA would be of material detriment to the Client and the change is not required by applicable laws, regulations, directive, guidance or decision of an european data protection authority or a court order, the Client informs RINGO of the Client’s objection and its reason within eight (8) days of the information. If the Parties cannot reach an agreement within thirty (30) days following the receipt of the Client’s objection, the Client may terminate the Service affected by the change without penalty by written notice to RINGO. Any use of the Service after the information of the Client will be deemed as the Client’s acceptance of the updated DPA.
13. Sort des données
Following termination of the Contract, the Client will have a period of one (1) month to request in writing the return, in a raw file format and under its own responsibility, of its recordings; failing such a request within this period, RINGO may proceed with the definitive destruction of all data, including logs and back-ups.
14. Délégué à la protection des données
RINGO dispose d’un délégué à la protection des données, joignable par courrier électronique à l’adresse suivante : dpo@modjo.ai
15. Registre des activités de Traitement
RINGO undertakes to keep an up-to-date Register of processing activities carried out in its capacity as a Subcontractor and including the following:
● le nom et les coordonnées du Responsable de traitement, des éventuels sous-traitants ultérieurs et du Référent à la protection des données
● les catégories de Traitements effectués pour le compte du Responsable de traitement
● les éventuels transferts des données à caractère personnel vers des pays tiers à l’Union Européenne et les éléments attestant de l’existence de garanties appropriées
● une description générale des mesures de sécurité techniques et organisationnelles mises en place
16. Engagements de RINGO
During the term of the Contract between RINGO and the Client :
● RINGO garantit la confidentialité des Données à caractère personnel traitées en sa qualité de Sous-traitant et s’assure que les membres de son personnel, autorisés à traiter les Données à caractère personnel, respectent ce principe de confidentialité et ont reçu la formation nécessaire en la matière
● RINGO s’engage à tenir compte du principe de protection des Données à caractère personnel dès la conception et par défaut, s’agissant des outils, produits, applications ou services qu’il utilise.
●
17. Engagements du Client
Le Client s'engage à collecter et à traiter les Données Personnelles dans le respect de la réglementation applicable en droit du travail et en matière de protection des données, notamment en ce qui concerne les méthodes, la base et les finalités du traitement, la durée de conservation des Données Personnelles,les droits des Personnes concernées et l'information qui leur est donnée.
In particular, the Client undertakes to comply with all regulations and obligations applicable to the Processing of employees’ data and to the processing of special categories of Personal Data (such as health data, religious beliefs, sexual orientation, etc.) and to carry out, prior to their Processing, the necessary verifications, studies and impact analyses, to inform Data Subjects according to articles 12, 13 and 14 of GDPR and to obtain, where applicable, the consent of the Data Subjects with regard to the collection and processing of their personal data and, in particular, the recording of their voice.
The Client undertakes to provide RINGO with all information necessary to carry out the intended processing activities in compliance with the applicable regulations and to document any instructions regarding the processing.
The Client undertakes to provide to RINGO the Personal Data identified in Article 1 of this Contract and to guarantee the lawfulness and the accuracy of the data. The Client also undertakes to ensure the effectiveness of the rights of the Data Subjects.
The Client indemnifies RINGO against any claim or action in this regard.
The Client undertakes to supervise the Processing, including carrying out at its own expense the necessary audits and inspections of RINGO or to ensure at its own expense the conduct or defence of the interests of the parties in the context of any action, procedure or control.
Annexe 1
List of sub-processors
