
DATA PROCESSING AGREEMENT (DPA)

You have entered into a contract with (RE)SET to provide you with a service (the "Contract"). Where the Appendix "Processing of personal data" shows that (RE)SET processes personal data on your behalf, as a subcontractor, this Data Processing Agreement (DPA) applies in accordance with Article 28 of the GDPR.

***

The obligations defined in this DPA apply to processing operations for which (RE)SET acts as a Subcontractor as defined in the Appendix "Processing of personal data".

When (RE)SET acts as Subcontractor, the Customer acts as Data Controller.

The Parties undertake to comply with all the obligations set out in this DPA in order to comply with the provisions of Article 28 of the GDPR.

All terms and concepts used in connection with the protection of Personal Data have the meaning given to them by the Personal Data Regulation.

1. Description of the Personal Data Processing for which (RE)SET acts as Subcontractor.

Details of the processing of Personal Data carried out by (RE)SET in its capacity as Subcontractor on behalf of the Customer, and in particular the object, duration, nature and purposes of the Processing of Personal Data, the categories of Personal Data, the categories of persons concerned, and the purposes are specified in the Appendix "Processing of Personal Data".

2. Compliance with documented customer instructions

(RE)SET only processes Personal Data on the documented instruction of the Customer, acting in its capacity as Data Controller, including with regard to transfers of Personal Data outside the European Economic Area, unless it is required to do so by virtue of an obligation under French law to which (RE)SET is subject. In this case, (RE)SET will inform the Customer of this legal obligation prior to processing, unless prohibited by law for important reasons of public interest. Instructions may also be given subsequently by the Customer throughout the duration of the processing of Personal Data, provided that they are provided in writing and that they do not contradict the initial instructions, unless the Parties have previously agreed in writing to the change of instructions.

(RE)SET shall immediately inform the Customer if, in its opinion, an instruction given by the Customer constitutes a breach of the Personal Data Regulations.

3. Purpose limitation

(RE)SET processes Personal Data solely for the purposes of processing as defined in the Appendix "Processing of Personal Data", unless further documented instructions are provided by the Customer.

4. Duration of processing

(RE)SET will process Personal Data for the duration of the Contract.

5. Security of processing

(RE)SET implements the technical and organizational measures specified in the Appendix "Processing of Personal Data" to ensure the security of Personal Data and which include measures to protect Personal Data against any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data (Personal Data Breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to data subjects.

(RE)SET grants its staff members access to Personal Data subject to processing only to the extent strictly necessary for the execution, management and monitoring of the DPA.

(RE)SET ensures that the persons authorized to process Personal Data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.

6. Use of subcontractors

(RE)SET has the Customer's general authorization to engage Subcontractors on the basis of an agreed list of Subcontractors listed in the Appendix "Processing of personal data".

(RE)SET will inform the Customer in writing of any plans to modify this list by adding or replacing Subsequent Subcontractors at least fifteen (15) days in advance, thus giving the Customer sufficient time to object to these changes before the recruitment of the Subsequent Subcontractor(s) concerned. This information will be communicated to the contact address provided at the time of contracting.

(RE)SET provides the Customer with the information necessary to enable it to exercise its right to object, namely the name of the Third-Party Processor, its location and the processing activities entrusted to it.

If the Customer does not raise any objections within fifteen (15) days of receipt of the aforementioned information, it will be deemed to have accepted the new Subsequent Subcontractor.

If the Customer objects within the aforementioned period, the Parties agree to meet in order to find a solution that will satisfy the interests of all Parties. If no mutually acceptable solution is found, the Customer is entitled to terminate the Contract by giving thirty (30) days' prior written notice. In this case, the Customer must pay all sums due in respect of the Services performed by (RE)SET on the date of effective termination of the Contract.

Where (RE)SET recruits a Subsequent Subcontractor to carry out processing activities on behalf of the Customer, it does so by means of a contract that imposes on the Subsequent Subcontractor, in substance, the same data protection obligations as those imposed on (RE)SET under this DPA. (RE)SET shall ensure that the Subsequent Subcontractor complies with the obligations to which it is itself subject under the GDPR.

(RE)SET remains fully responsible to the Customer for the performance of the obligations of the Subcontractor in accordance with the contract concluded with the Subcontractor.

7. International transfers

The Customer authorizes (RE)SET to transfer Personal Data outside the European Economic Area in connection with the performance of its Services, which constitutes a documented instruction within the meaning of Article 28 of the GDPR.

Where applicable, (RE)SET undertakes to ensure that transfers of Personal Data are made in compliance with Chapter V of the GDPR, and to conclude, where legally required, standard contractual clauses within the meaning of Article 46 of the GDPR.

8. Requests to exercise rights

The Customer is fully responsible for informing the persons concerned about the Processing of their Personal Data and for responding to their requests to exercise their rights.

(RE)SET, taking into account the nature of the Processing, assists the Customer, through appropriate technical and organizational measures, to the fullest extent possible, in fulfilling its obligation to comply with requests made to it by Data Subjects with a view to exercising their rights under Chapter III of the GDPR.

In the event that (RE)SET receives a request from a Data Subject concerning the Processing of his/her Personal Data or the exercise of a right, (RE)SET undertakes to inform the Customer as soon as possible and not to follow up the request itself.

(RE)SET shall assist the Customer, to the extent possible, in fulfilling its obligation to respond to Data Subjects' requests to exercise their rights, taking into account the nature of the Processing. In performing its obligations under this DPA, (RE)SET shall comply with the Customer's documented instructions.

The Customer acknowledges and accepts that, should (RE)SET's assistance require significant resources on its part, the cost of its assistance may be invoiced to the Customer. (RE)SET will then inform the Customer in advance in order to obtain its prior agreement. If the Customer does not agree, (RE)SET will provide the Customer with reasonable assistance.

9. Personal Data Breach

(RE)SET assists the Customer in ensuring compliance with its obligations under Article 33 of the GDPR, taking into account the nature of the Processing and the information available to (RE)SET.

If (RE)SET becomes aware of a Personal Data Breach, (RE)SET undertakes to inform the Customer as soon as possible after becoming aware of it.

The information to be provided by (RE)SET will include, to the extent possible and subject to the information available to (RE)SET, the nature of the Personal Data Breach, the likely consequences of the Personal Data Breach, the approximate number of persons affected, as well as, if applicable, the measures taken or proposed by (RE)SET in response to the Personal Data Breach.

The Customer acknowledges and accepts that, should (RE)SET's assistance require significant resources on its part, the cost of its assistance may be invoiced to the Customer. (RE)SET will then inform the Customer in advance in order to obtain its prior agreement. If the Customer does not agree, (RE)SET will provide the Customer with reasonable assistance.

10. Obligation to assist the Customer

(RE)SET reasonably assists the Customer in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to (RE)SET:

1) the obligation to carry out a data protection impact assessment when a type of Personal Data Processing is likely to present a high risk for the rights and freedoms of data subjects;

2) the obligation to consult the competent supervisory authority(ies) prior to Processing Personal Data where a data protection impact assessment indicates that the Processing would present a high risk if the Customer did not take steps to mitigate the risk;

3) the obligation to ensure that Personal Data is accurate and up-to-date.

(RE)SET makes available to the Customer, at its request, all the information necessary to demonstrate compliance with the obligations to which it is bound under Article 28 of the GDPR.

If the information provided is not sufficient to demonstrate compliance with (RE)SET's obligations, and at the Customer's written request, (RE)SET will also allow and contribute to audits of Personal Data processing that has been subcontracted.

If the Customer wishes to carry out an audit, it must inform (RE)SET by letter with acknowledgement of receipt sixty (60) working days before the audit is due to take place. The Parties must agree on the terms and conditions of the audit in advance, it being specified that the audit may only be carried out once a year, on working days between 9:00 am and 6:00 pm, for a maximum duration of two (2) days, and that it must in no way disrupt (RE)SET's normal activities.

If the Customer uses an external auditor, the Customer undertakes to ensure that the said auditor is subject to confidentiality obligations concerning (RE)SET's activities. The Customer undertakes not to use a service provider who is a competitor of (RE)SET.

(RE)SET reserves the right not to disclose information protected by business secrecy, intellectual property law or confidentiality agreements.

The Customer acknowledges and agrees that, in the event that (RE)SET's assistance in carrying out an audit requires significant resources on its part, the cost of its assistance may be invoiced to the Customer. (RE)SET will then inform the Customer in advance in order to obtain its prior agreement. If the Customer does not agree, (RE)SET will provide the Customer with reasonable assistance.

11. Deletion and return of Personal Data

At the Customer's option, (RE)SET will delete or return all Personal Data to the Customer within 6 months of completion of the Services provided to the Customer, and destroy existing copies, unless (RE)SET is required to retain the Personal Data to fulfil a legal obligation.

12. Customer's obligations

The Customer undertakes to provide (RE)SET with all the Personal Data required to perform the Services.

The Customer undertakes to comply with all the obligations incumbent upon it in its capacity as data controller under the Personal Data Regulations.

***