These General Conditions set out the contractual provisions related to the subcontracting of personal data processing by EVALANDGO, a simplified joint-stock company with a share capital of € 75,614, registered at the RCS of MONTPELLIER under the number 528 723 703 00013, whose head office is at Business Plaza, Bat 3, 159 rue de Thor, 34000 Montpellier, for the benefit of the Customers and Users of the EVALANDGO Online Survey Solution (hereinafter referred to as "the Services").
The Services are provided via a survey platform accessible through the website https://app.evalandgo.com (hereinafter referred to as "EVALANDGO Platform").
Within the Services, Customers and Users can, through their personal and secured access to the Services (hereinafter referred to as "Account"), create and publish digital questionnaires (hereinafter referred to as "Questionnaires"), to which persons surveyed (hereinafter referred to as "Respondents") can respond. The answers of the Respondents are collected through the Services. These answers may contain Personal Data and are processed by EVALANDGO for Customers and Users as part of the Services.
As a result, within the Services, the Customers and Users may be responsible for Processing, and EVALANDGO may be a subcontractor for the Processing of Personal Data.
These provisions are, in addition to those of the Regulation and the Confidentiality policy of the services, valid for the entire contractual period of the Services.
In this context, EVALANDGO is designated as "the Subcontractor" or "EVALANDGO" and the Customer or the User will be designated "the Manager". Together, they are referred to as "the Parties".
In these Subcontract General Conditions, the terms or expressions mentioned below will have the following meaning if their first letter is capitalised.
Personal data: any information identifying a natural person directly or indirectly (e.g. name, registration number, phone number, photo, date of birth, city of residence, IP address...).
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The purpose of these Subcontract General Conditions is to define the conditions under which the Subcontractor undertakes, within the Services, to perform Processing on behalf of the Processing Manager. These Subcontract General Conditions are also meant to define the rights and obligations of the Parties with regard to the subcontracting of Processing.
In their contractual relations, the Parties undertake to respect, in addition to these Subcontract General Conditions, the regulations in force applicable to the personal data processing and, more specifically, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable from 25 May 2018, European General Data Protection Regulation (hereinafter "GDPR").
III. DESCRIPTION OF THE PROCESSING SUBJECT TO SUBCONTRACT
The Subcontractor is authorised to process on behalf of the Data Manager the Personal Data necessary for the Services.
The nature of the operations performed on the Personal Data is as follows: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The purpose(s) of the Processing may be as follows: customer surveys, execution of a contract, quality control of products or services, customer or user satisfaction survey, research and development, market, pre-market research for a product or service, management of human resources, consultation of providers or potential providers, search for partners. When creating a Questionnaire, the Data Manager should specify the exact purpose of the Questionnaire. The purpose of the Processing cannot benefit the Subcontractor.
The personal data that may be processed in the context of the Services are: any type of Personal Data within the meaning of the GDPR, with the exception of (i) sensitive data, and (ii) data relating to offenses, convictions and security measures. The social security number can only be processed in the context of a Processing whose purpose is the management of human resources.
The categories of respondents can be: major natural and legal persons, customers, service users, prospects, employees, candidates for employment, partners or potential partners, contractors, service providers or potential providers, persons concerned by the object of the research and development activity of the client.
The Subcontractor undertakes:
- that they respect confidentiality or an appropriate legal obligation of confidentiality,
- that they receive the information necessary about the protection of personal data
When the persons contact the Subcontractor to exercise their rights, the Subcontractor must send these requests as soon as they are received by e-mail to the Data Manager.
The Subcontractor assists the Data Manager in preparing the prior consultation of the supervisory authority.
- Secure access to the EVALANDGO online questionnaire platform through a user account with password.
- Encryption of Personal Data to ensure confidentiality during transfers.
- Not using the data for purposes unrelated to the reason for the collection.
- Keeping personal data for a set amount of time.
- Not transferring this data to third parties, other than EVALANDGO service providers involved in the execution of the contract of EVALANDGO online questionnaires.
- Implementing high security standards in order to provide a high level of security for the Services.
- Applying methods to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- Ensuring the means to restore the availability of data and access to them quickly in case of physical or technical accident,
- Applying a procedure to properly test, analyse and evaluate the effectiveness of technical and physical organisational measures for the security of the Processing,
- Using one or more personal data hosting provider(s) that have made reliable commitments about compliance with the GDPR, more specifically:
- Physical security measures to prevent unauthorised persons from accessing the infrastructure on which EVALANDGO data are stored,
- Security staff responsible for ensuring the physical security of the data hosting structure, 24 hours a day, 7 days a week,
- A system managing authorisations to limit access to data to those who need to be in contact with the data, and only because of their professional duties.
- A system of physical and/or logical isolation (per service) of customers.
- Strong authentication processes for users and administrators through a password management policy and, in some cases, a double-authentication measure.
- Processes and devices to keep a trace of actions carried out on the information system in order to report, as established by the regulations, any incident affecting the customer's data.
Access to personal information is strictly reserved to the employees, corporate officers and subcontractors of EVALANDGO who need such access on behalf of EVALANDGO. All access must comply with this obligation, and any breach of these obligations may be subject to disciplinary sanctions, up to and including the end of employment or of the service contract.
- The name and contact details of the Manager on whose behalf he acts, any subcontractors and, where applicable, the Data Protection Manager;
- Categories of Processing performed on behalf of the Manager;
- Transfers of data to a third country or to an international organisation, when needed, including the identification of that third country or international organisation and, in case of transfers referred to in Article 49 (1), second subparagraph of the European Data Protection Regulation, documents proving the existence of appropriate security measures;
- A general description of the technical and organisational security measures, including, as far as possible, as follows:
Encryption of Personal Data to ensure confidentiality during transfers.
Means to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
Means to restore the availability of data and access to them quickly in case of physical or technical accident,
A procedure to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the safety of Processing.
The Manager is committed to: