Wisepops Data Processing Agreement
Between:
The User/Subscriber, as defined by Wisepops’ Terms and Conditions, to which the present Data Processing Agreement is attached (the “Controller”, or the “Client”);
And:
Wisepops, as defined by Wisepops’ Terms and Conditions, to which the present Data Processing Agreement is attached (the “Processor”).
For the purpose of this Data Processing Agreement, the Controller and the Processor may also be collectively referred to as the “Parties”, or individually as a “Party”.
1. Definitions
For the purpose of this Data Processing Agreement, the following terms shall have the meaning attributed to them by Regulation (EU) 2016/679 of April 27th, 2016 (the “General Data Protection Regulation”, also referred to as the “GDPR”): Personal Data, Processing, Data Controller, Data Processor, Recipient.
The term “Data Subject” refers to any natural person whose Personal Data is processed.
The term “Sub-processor” refers to any natural or legal person engaged by the Processor to carry out specific processing activities on behalf of the Controller.
The term “Services” shall have the meaning attributed to it by Wisepops’ Terms and Conditions.
2. Purpose
The purpose of this Data Processing Agreement is to ensure the compliance of the Processing of Personal Data with the GDPR and Law no. 78/17 of January 6th, 1978 (“loi Informatique et Libertés”) as modified, together referred to as the “Personal Data Regulations”.
Pursuant to Article 28.3 of the GDPR, the Parties wish to formalise their rights and obligations regarding the Processing of certain Personal Data by the Processor on behalf of the Controller, in connection with Wisepops’ Terms and Conditions.
3. Authorized processing
The following table describes the Processing carried out by the Processor:
Subject-matter of the Processing | Operations necessary for Wisepops to provide the Services to the Client. |
Purposes of the Processing | To provide the Services to the Client in accordance with the Terms and Conditions. |
Categories of Personal Data | Data collected by the Client (and transmitted to Wisepops): Any Personal Data collected by the Client when using the Services, which is determined by the Client in its capacity of Controller. These data are the following: identification and contact data such as first name, surname, email address and phone number. [Additional categories of data processed according to Client]. Data collected by Wisepops (via its cookies implemented on the Client website): Browsing history: the visitor’s last visit to the Client’s website; the campaigns the visitor has interacted with; any additional information attached to the visitor’s visit by the Client (e.g., last purchase date). Visitor’s IP address. |
Categories of Data Subjects | Visitors of the Client’s website. |
Duration of the Processing | The Personal Data is retained for the duration of the subscription to the Services unless otherwise indicated by the Client. |
4. Obligations of the Processor
a. Processing operations
The Processor shall process the Personal Data only for the purposes documented by the Controller unless it is required to do so by any law of the European Union or a Member State.
If the Processor is required to process Personal Data by any such law, it shall inform the Controller in advance, unless that law prohibits such information.
The Processor shall inform the Controller without delay if it considers that a documented instruction constitutes a violation of the GDPR or any other provision of EU law or the law of a Member State to which the Processor is subject.
b. Assistance to the Controller
The Processor shall respond, to the best of its ability, to any request of the Controller aimed at fulfilling the Controller's obligations under Articles 32 to 36 of the GDPR.
Wisepops makes its Security Policy available to the Client here. Wisepops may update this Security Policy from time to time.
The Processor shall provide to the Controller, on its request, any information necessary to demonstrate compliance with the Processor's obligations under this Data Processing Agreement.
The Processor shall allow for and contribute to any audit or inspection mandated by the Controller, it being understood that the Controller shall (i) conduct a maximum of one audit or inspection per year, (ii) give five working days’ written notice and (iii) bear the costs of the audit or inspection exclusively.
c. Confidentiality and security
The Processor shall take any security measure required by Article 32 of the GDPR.
The Processor shall enter into a confidentiality agreement with any person that it authorizes to process the Personal Data unless that person is under an appropriate statutory obligation of confidentiality.
5. Obligations of the Controller
The Controller acknowledges and guarantees that the Processing is fully carried out in accordance with the provisions of the GDPR as well as Law no. 78/17 of January 6th, 1978 (“loi Informatique et Libertés”) as modified, and generally all applicable regulations related to the protection of personal data.
The Controller shall document in writing all instructions given to the Processor in connection with the Processing of Personal Data detailed in Article 3 and ensure that the Processor can access all Personal Data that it processes on its behalf.
6. Notification of Personal Data breaches
The Processor shall notify the Controller of any Personal Data breach as soon as possible, and in any case within a 72-hour period, after becoming aware of it. Such notification must be accompanied by any relevant documentation to allow the Controller, if necessary, to notify the competent supervisory authority of the breach and, where applicable, to communicate the breach to the Data Subjects.
7. Sub-processing and data transfers
To this date, Wisepops’ Sub-processors are:
Name | Head office address | Purpose | Data transfer |
---|---|---|---|
Google Ireland Limited | Gordon House, Barrow Street – Dublin 4, Ireland | Provision of cloud hosting services | N/A. NB: Google LLC (parent company) is listed as a participant in the Data Privacy Framework |
Amazon Web Services EMEA SARL | 38 John F. Kennedy Avenue, L-1855, Luxembourg | Provision of cloud hosting services | N/A. NB: Amazon.com, Inc (parent company) is listed as a participant in the Data Privacy Framework |
Cloudflare, Inc. | 101 Townsend St, San Francisco, CA 94107, USA | Content delivery network | Adequacy decision. Cloudflare, Inc. is listed as a participant in the Data Privacy Framework |
SingleStore, Inc. | 534 4th Street, San Francisco, CA 94107 | Data hosting and processing | Standard Contractual Clauses, as incorporated in sub-processor’s DPA |
The Controller gives the Processor general authorization to engage other Sub-processors.
The Controller will be informed of any change, addition, or replacement of Sub-processors. Such information is aimed at allowing the Controller to object to the change and terminate the Services within a 15-day period from the date of the information update. Absence of objection from the Controller following this 15-day period will be considered acceptance of the change.
The Processor shall impose the same data protection obligations as this Data Processing Agreement on any Sub-processor by way of a contract or other legal act. This act shall provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
If a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor’s obligations.
8. Individual rights of Data Subjects
The Controller shall inform the Data Subjects (its website visitors) of all information required by the Personal Data Regulations, notably their individual rights pertaining to their Personal Data, the purpose of the Processing and the Recipients of their Personal Data.
The Controller shall respond in due time to any request from any supervisory authority or from any Data Subject.
The Processor shall take all appropriate technical and organisational measures to assist the Controller in responding to Data Subjects’ requests regarding the exercise of their GDPR individual rights.
9. Termination of the Processing
Upon termination of the Processing, the Processor shall:
At the choice of the Controller, delete or return the Personal Data to the Controller, and
Delete any existing copy of the Personal Data, except where the laws of the European Union or any Member State require it to be kept.
The Processor shall confirm in writing its compliance with this obligation within a 30-day period following termination of the Terms and Conditions to which this Data Processing Agreement is attached.
10. General
Article 9 (Liability) and Article 13 (Dispute settlement) of Wisepops’ Terms and Conditions shall apply to this Data Processing Agreement.
11. Contact
The Controller may contact Wisepops regarding data protection issues by sending an email to the following address: [email protected]