Version 26.07.2022

As part of the performance of the LENGOW AGREEMENT-SOLUTION, LENGOW may be required to process personal data of INTERNET USERS and USERS on behalf of the CLIENT. In this context, LENGOW acknowledges that it acts as Processor and the CLIENT acknowledges that it acts as Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

The PARTIES acknowledge that the protection of personal data is paramount and therefore undertake to comply with the relevant legislation in force.

Pursuant to Article 28.3 of the GDPR, according to which the processing carried out by a processor is governed by a contract setting out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data processed, categories of data subjects and the obligations and rights of the controller, the PARTIES have come together to agree on the following.

ARTICLE I. DEFINITIONS

In this Agreement (“Agreement”), capitalized words and phrases are defined in the AGREEMENT-SOLUTION or have the meanings set out in the Agreement.

The terms “Personal Data”, “ Controller”, “Processor”, “Data Subject(s)”, “Personal data breach”, “Processing”, “Supervisory Authority” and “Data Protection Officer” have the same meaning as that provided for in the GDPR and their related terms must be interpreted accordingly.

ARTICLE II. PURPOSE OF THE AGREEMENT

II.1 The purpose of the Agreement is to determine the conditions under which LENGOW carries out the Processing of Personal Data on behalf of the CLIENT, as well as the respective obligations of the PARTIES.

The Processing of Personal Data carried out by LENGOW on behalf of the CLIENT is detailed in the Appendix of the Agreement (“DESCRIPTION OF THE PROCESSING”).

II.2 The PARTIES agree that they will provide each other with all relevant information to comply with the obligations under the Agreement.

ARTICLE III. DURATION OF DATA PROCESSING

The duration of the Processing of Personal Data corresponds to the duration as determined in the Appendix.

ARTICLE IV. OBLIGATIONS OF THE PARTIES

IV.1. Processor’s obligations

LENGOW agrees to:

  • process Personal Data solely for the purposes provided for in the AGREEMENT-SOLUTION as well as in the Appendix to this Agreement;
  • process Personal Data in accordance with the instructions documented and sent by the CLIENT. All options, instructions and actions of the CLIENT in the context of its use of the LENGOW SOLUTION, which involve, in order to be executed by LENGOW, Processing of Personal Data, will be considered as having been granted the CLIENT’s consent for the Processing of such Personal Data by LENGOW as Processor. If LENGOW considers that an instruction constitutes a breach of the GDPR or any other provision of EU or Member State law relating to data protection, it shall inform the CLIENT promptly. In addition, if LENGOW is required to transfer data to a third country or an international organisation, by virtue of Union or Member State law to which it is subject, it must inform the Controller of that legal requirement before processing, unless the law concerned prohibits such information on significant grounds of public interest;
  • ensure the confidentiality of Personal Data processed in connection with this AGREEMENT-SOLUTION;
  • ensure that persons authorised to process Personal Data under this AGREEMENT-SOLUTION:
    • undertake to observe confidentiality or are subject to an appropriate statutory confidentiality obligation,
    • receive the necessary training on the protection of personal data;
  • assist the CLIENT in carrying out data protection impact assessments and prior consultations of the competent Supervisory Authority;
  • maintain a record of the Processing activities they carry out for the CLIENT, in accordance with the provisions of the GDPR, and keep said Processing activities confidential with respect to its other CLIENTs,
  • maintain and make available to the CLIENT all the documentation necessary to demonstrate compliance with its various obligations;

IV.2 Obligations of the Controller

The CLIENT undertakes to send and document in writing any additional instructions concerning the processing of Personal Data by LENGOW.

The CLIENT makes the following necessary information available to LENGOW:

  • the name and contact details of the CLIENT’s Personal Data Controller(s);
  • the name and contact details of the CLIENT’s Personal Data Protection Officer, if appointed, or failing that, of the CLIENT’s contact person in charge of Personal Data for the purposes of this Agreement;

The CLIENT warrants that the Personal Data processed through the LENGOW SOLUTION are collected and processed in accordance with the GDPR.

In accordance with European and French legislation on the protection of personal data, and in particular the GDPR, before any use of the LENGOW SOLUTION by the CLIENT and throughout the term of the CONTRACT, the CLIENT ensures LENGOW that:

  1. the CLIENT has collected and processed the Personal Data in a lawful, fair and transparent manner, for specified, explicit and legitimate purposes that LENGOW cannot know and of which the CLIENT declares to have duly informed the Data Subjects before the collection of their Personal Data, in accordance with the GDPR. Any prior obligations to make declarations related to the processing of Personal Data to a Supervisory Authority shall be the sole responsibility of the CLIENT, which ensures LENGOW that it has done so;
  2. the CLIENT is solely responsible for the processing of Personal Data which it collects, enters or processes during the course of its use of the LENGOW SOLUTION and which LENGOW is not authorised to process for its own needs;
  3. the CLIENT alone determines the purposes and methods of processing the Personal Data carried out in particular by the use of the LENGOW SOLUTION offered by LENGOW.

The guarantees given by the CLIENT to LENGOW under this article are all essential conditions of the AGREEMENT-SOLUTION, without which LENGOW would not have contracted.

ARTICLE V. SUB-PROCESSING

LENGOW is authorised to use another processor (hereinafter the “LENGOW Sub-Processor”) to carry out specific processing activities.

The CLIENT acknowledges and agrees that for the purposes of the AGREEMENT-SOLUTION, LENGOW regularly uses other technical service providers which may have the capacity of LENGOW Sub-Processor and process Personal Data on behalf of LENGOW. The CLIENT can access the updated list of LENGOW Sub-Processors by clicking here. The CLIENT shall have fifteen (15) calendar days from the date of receipt of such information to object, provided that such objection shall be based on objective and reasonable grounds.

LENGOW Sub-Processors are required to comply with the obligations of this Agreement on behalf of and in accordance with the CLIENT’s instructions. It is LENGOW’s responsibility to ensure that LENGOW Sub-Processors provide the same adequate guarantees for implementing appropriate technical and organisational measures such that the processing will meet the requirements of the GDPR.

If the LENGOW Sub-Processor fails to fulfil its Personal Data protection obligations, LENGOW shall remain fully liable towards the CLIENT for the performance by the LENGOW Sub-Processor of its obligations.

ARTICLE VI. EXERCISE OF THE RIGHTS OF DATA SUBJECTS

All the rights that the Data Subjects have over their Personal Data, namely the rights of access, rectification, erasure and opposition, the right to restrict processing, the right to data portability, the right not to be the subject of automated individual decision-making (including profiling), must be exercised by said Data Subjects directly and exclusively with the CLIENT, LENGOW undertaking to comply with any written and lawful instructions from the CLIENT in this regard.

When Data Subjects exercise their rights concerning their Personal Data with LENGOW, unless otherwise agreed by LENGOW in writing, LENGOW will promptly send such requests by email to the CLIENT.

ARTICLE VII. NOTIFICATION OF PERSONAL DATA BREACHES

LENGOW undertakes to inform the CLIENT, as soon as possible after becoming aware of it, of any Breach of Personal Data when this breach results, accidentally or unlawfully, in the unauthorised access or disclosure, alteration, loss or destruction of Personal Data. It will then be the responsibility of the CLIENT to inform, if applicable, (i) the Supervisory Authority to which it reports and (ii) the Data Subjects.

At the first request of the CLIENT, LENGOW will provide in writing all the elements necessary for the notification of the Personal Data Breach by the CLIENT to the competent supervisory authority in its possession, namely:

  • the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • the name and contact details of the Data Protection Officer of LENGOW or other contact point where more information can be obtained;
  • the likely consequences of the Personal Data Breach;
  • the measures taken or that LENGOW proposes to take to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible for LENGOW to provide the CLIENT with all this information at the same time, LENGOW agrees to provide this information to the CLIENT in stages as soon as possible.

ARTICLE VIII. COOPERATION

In the event of reporting and notification obligations to the competent supervisory authorities and/or Data Subjects resulting from a Personal Data Breach, the PARTIES shall, upon request, provide support and information to the other PARTY

The PARTIES shall cooperate, insofar as necessary, in carrying out data protection impact assessments and prior consultations of the competent supervisory authority; If a supervisory authority communicates with a PARTY regarding the Processing carried out by either PARTY of the CLIENT’s Personal Data under the Agreement or this CONTRACT, the PARTY having communicated with the supervisory authority shall inform the other PARTY as soon as possible. The PARTIES shall cooperate to the extent reasonably necessary to comply with their obligations to respond to requests from the Supervisory Authority. The PARTIES shall each bear the respective reasonable costs relating to the fulfilment of these obligations, it being specified that in the event of enhanced assistance from one or other of the PARTIES, the latter shall discuss in good faith the sharing of the costs relating thereto.

ARTICLE IX. SECURITY MEASURES

LENGOW undertakes to implement appropriate security measures in order to secure the Personal Data and ensure its integrity, availability and confidentiality. As such, LENGOW has formalised a Security Policy describing the security measures put in place. This Security Policy is available on request from LENGOW.

ARTICLE X. OUTCOME OF DATA

X.1 Data of INTERNET USERS

During the performance of the AGREEMENT-SOLUTION, LENGOW will delete or, in any event, automatically anonymize all the Personal Data of INTERNET USERS in its possession within a maximum period of six (6) months from their collection via the LENGOW SOLUTION.

At the end of the AGREEMENT-SOLUTION, LENGOW undertakes to destroy or, in any case, anonymize all the Personal Data of INTERNET USERS which remain in its possession within two (2) months after the end of the CONTRACT, unless Union or Member State law requires storage of the Personal Data.

X.2 Data of USERS:

At the end of the AGREEMENT-SOLUTION, LENGOW will delete, or anonymize the Personal Data of USERS from its information systems within 30 days of the end of the AGREEMENT-SOLUTION, unless administrative or legal obligations otherwise require.

ARTICLE XI. AUDIT

LENGOW makes available to the CLIENT the documentation necessary to demonstrate compliance with all its obligations and to allow, within the limit of one audit per contractual year, for audits to be carried out by the CLIENT, or another independent auditor appointed by it and which must have been subject to prior and written validation by LENGOW, and to contribute to these audits. These audits will be carried out remotely on the basis of the information requested by the CLIENT from LENGOW in order to demonstrate the procedures and documentation put in place by LENGOW to comply with the GDPR. All costs incurred by the CLIENT in connection with such audit shall be borne exclusively by the CLIENT.

The CLIENT shall communicate to LENGOW in advance, and at least two (2) months in advance, any request for an audit, the date of the audit and the name and contact details of the persons in charge of the audit. This period may be reduced to fifteen (15) days in the event of a Personal Data Breach.
As the audit is carried out remotely, LENGOW will work in good faith with the auditor and will provide it with any information, documents or explanations necessary for carrying out the audit in connection with the processing operations carried out within the framework of the performance of the CONTRACT. Under no circumstances may the audit have as its direct or indirect purpose or effect, disrupting the activities of LENGOW or accessing or affecting in any way whatsoever, the elements, property of LENGOW, protected under intellectual property or business secrecy.

ARTICLE XII. INTERNATIONAL TRANSFERS

The CLIENT acknowledges and agrees that LENGOW may transfer Personal Data outside the EEA or to an international organisation on the sole condition that one of the appropriate protection measures as provided for in Chapter V of the GDPR are effectively put in place.

These measures include:

  • The transfer of data to a third country that has been the subject of an adequacy decision by the European Commission remaining in force;
  • The supervision of data transfer by signing the appropriate module of the standard contractual clauses in force adopted by the European Commission (as of: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX: 32021D0914 &locale=en) and the implementation, where appropriate, of additional measures to ensure a level of data protection substantially equivalent to that provided for by the GDPR;
  • The use of one of the specific derogations provided for in Article 49 of the GDPR when the transfer strictly complies with the conditions of application specific to the exemption selected.

ARTICLE XIII. MISCELLANEOUS PROVISIONS

The Agreement and any underlying instrument constitute the entire agreement between the PARTIES with respect to the subject matter of this Agreement and supersede all previous agreements or representations, oral or written, relating to that subject matter.

In the event of discrepancies between the Agreement, the AGREEMENT-SOLUTION and any other agreement between the PARTIES, the provisions of the Agreement shall prevail, if they are related to the Processing of Personal Data.

The Agreement and all disputes arising out of or relating to it shall be construed, governed by and executed in accordance with French law. Each PARTY irrevocably consents to the exclusive jurisdiction of the Nantes courts (44200) over all disputes and claims under the Agreement and all actions to enforce such claims or to obtain damages or other remedies in connection with such claims, except to the extent otherwise required by applicable data protection law.

The description of the processing of Personal Data carried out by LENGOW under the CONTRACT is presented in the table below: 

Processing of Personal Data of USERS

Processing of Personal Data of INTERNET USERS in the event of management of orders

Processing of Personal Data of INTERNET USERS in the event of activation of the TRACKING option

Processing carried out 

  • Collection, 
  • Storage, 
  • Registration, 
  • Transfer.
  • Collection, 
  • Storage, 
  • Registration,
  • Transfer.
  • Collection, 
  • Storage, 
  • Registration
  • Transfer.

Categories of personal data processed

  • Title,
  • First name, last name,
  • Work postal address,
  • Work telephone number,
  • Work e-mail address,
  • Facsimile number
  • Nature of the PRODUCTS ordered and quantity,
  • Amount of the order for PRODUCTS ordered,
  • Type of means of payment used,
  • User identifier,
  • Parcel number,
  • Parcel tracking URL,
  • CLIENT message on order,
  • Title,
  • First name, last name,
  • Postal address,
  • Telephone number,
  • E-mail address
  • IP address,
  • Click history.

Purposes for which Personal Data are processed on behalf of the CLIENT

Management of the INDIVIDUAL ACCOUNT of the USERS  

Transfer of Personal Data from INTERNET USERS to the CLIENT as part of the management of orders for the CLIENT’s PRODUCTS

Production of STATISTICS on behalf of the CLIENT, including the number of visits to the CLIENT’s Site, the number of PRODUCT purchases, the number of views and/or clicks of INTERNET USERS.

Storage of Personal Data

Duration of performance of the CONTRACT increased by 30 days

Maximum 6 months from the collection of Personal Data via the LENGOW SOLUTION 

Maximum 6 months from the collection of Personal Data via the LENGOW SOLUTION