Wisepops logo

Wisepops Data Processing Agreement

Between:

The User/Subscriber, as defined by Wisepops’ Terms and Conditions, to which the present Data Processing Agreement is attached (the “Controller”, or the “Client”);

And:

Wisepops, as defined by Wisepops’ Terms and Conditions, to which the present Data Processing Agreement is attached (the “Processor”).

For the purpose of this Data Processing Agreement, the Controller and the Processor may also be collectively referred to as the “Parties”, or individually as a “Party”.

1. Definitions

For the purpose of this Data Processing Agreement, the following terms shall have the meaning attributed to them by Regulation (EU) 2016/679 of April 27th, 2016 (the “General Data Protection Regulation”, also referred to as the “GDPR”): Personal Data, Processing, Data Controller, Data Processor, Recipient. 

The term “Data Subject” refers to any natural person whose Personal Data is processed. 

The term “Sub-processor” refers to any natural or legal person engaged by the Processor to carry out specific processing activities on behalf of the Controller.

The term “Services” shall have the meaning attributed to it by Wisepops’ Terms and Conditions.

2. Purpose

The purpose of this Data Processing Agreement is to ensure the compliance of the Processing of Personal Data with the GDPR and Law no. 78/17 of January 6th, 1978 (“loi Informatique et Libertés”) as modified, together referred to as the “Personal Data Regulations”. 

Pursuant to Article 28.3 of the GDPR, the Parties wish to formalise their rights and obligations regarding the Processing of certain Personal Data by the Processor on behalf of the Controller, in connection to Wisepops’ Terms and Conditions. 

3. Authorized processing

The following table describes the Processing carried by the Processor: 

Subject-matter of the ProcessingOperations necessary for Wisepops to provide the Services to the Client.
Purposes of the ProcessingTo provide the Services to the Client in accordance with the Terms and Conditions.
Categories of Personal DataData collected by the Client (and transmitted to Wisepops): Any Personal Data collected by the Client when using the Services, which is determined by the Client in its capacity of Controller. These data are the following: identification and contact data such as first name, surname, email address and phone number. [Additional categories of data processed according to Client]. -Data collected by Wisepops (via its cookies implemented on the Client website): Browsing history: the visitor’s last visit to the Client’s website; the campaigns the visitor has interacted with; any additional information attached to the visitor’s visit by the Client (e.g., last purchase date). Visitor’s IP address.
Categories of Data SubjectsVisitors of the Client’s website.
Duration of the ProcessingThe Personal Data is retained for the duration of the subscription to the Services unless otherwise indicated by the Client.

4. Obligations of the Processor

a. Processing operations

The Processor shall process the Personal Data only for the purposes documented by the Controller unless it is required to do so by any law of the European Union or a Member State.

If the Processor is required to process Personal Data by any such law, it shall inform the Controller in advance, unless that law prohibits such information.

The Processor shall inform without delay the Controller if it considers that a documented instruction constitutes a violation of the GDPR or any other provision of EU law or the law of a Member State to which the Processor is subject.

b. Assistance to the Controller

The Processor shall respond, to the best of its ability, to any request of the Controller aimed at fulfilling the Controller's obligations under Articles 32 to 36 of the GDPR.

Wisepops makes its Security Policy available to the Client here. Wisepops may update this Security Policy from time to time.

The Processor shall provide to the Controller, on its request, any information necessary to demonstrate compliance with the Processor's obligations under this Data Processing Agreement.

The Processor shall allow for and contribute to any audit or inspection mandated by the Controller, being understood that the Controller shall (i) conduct a maximum of one audit or inspection per year, (ii) respect a five working days’ written notice and (iii) support the exclusive costs of the audit or inspection.

c. Confidentiality and security

The Processor shall take any security measure required by Article 32 of the GDPR.

The Processor shall enter into a confidentiality agreement with any person that it authorizes to process the Personal Data unless that person is under an appropriate statutory obligation of confidentiality.

5. Obligations of the Controller

The Controller acknowledges and guarantees that the Processing is fully carried out in accordance with the provisions of the GDPR as well as Law no. 78/17 of January 6th, 1978 (“loi Informatique et Libertés”) as modified, and generally all applicable regulations related to the protection of personal data.

The Controller shall document in writing all instructions given to the Processor in connection to the Processing of Personal Data detailed in Article 3 and ensure that the Processor can access all Personal Data that it processes on its behalf. 

6. Notification of Personal Data breaches

The Processor shall notify the Controller of any Personal Data breach as soon as possible, and in any case within a 72-hour period, after becoming aware of it. Such notification must be accompanied with any relevant documentation to allow the Controller, if necessary, to notify the competent supervisory authority of the breach and, where applicable, to communicate the breach to the Data Subjects.

7. Sub-processing and data transfers

To this date, Wisepops’ Sub-processors are: 

NameHead office address PurposeData transfer
Google Ireland Limited Gordon House, Barrow Street – Dublin 4, Ireland Provision of cloud hosting services N/A NB. Google LLC (parent company) is listed as participant to the Data Privacy Framework
Amazon Web Services EMEA SARL 38 John F. Kennedy Avenue, L-1855, Luxembourg Provision of cloud hosting services N/A NB. Amazon.com, Inc (parent company) is listed as participant to the Data Privacy Framework
Cloudflare, Inc. 101 Townsend St, San Francisco, CA 94107, USA Content delivery network Adequacy decision Cloudflare, Inc. is listed as a participant to the Data Privacy Framework
SingleStore, Inc. 534 4th Street, San Francisco, CA 94107 Data hosting and processing Standard Contractual Clauses, as incorporated in sub-processor’s DPA

The Controller gives the Processor general authorization to engage other Sub-processors. 

The Controller will be informed of any change, addition, or replacement of Sub-processors. Such information is aimed at allowing the Controller to object to the change and terminate the Services within a 15-day period from the date of the information update. Absence of objection from the Controller following this 15-day period will be considered acceptance of the change. 

The Processor shall impose the same data protection obligations as this Data Processing Agreement on any Sub-processor by way of a contract or other legal act. This act shall provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. 

If a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor’s obligations.

8. Individual rights of Data Subjects

The Controller shall inform the Data Subjects (its website visitors) of all information required by the Personal Data Regulations, notably their individual rights pertaining to their Personal Data, the purpose of the Processing and the Recipients of their Personal Data. 

The Controller shall respond in due time to any request from any supervisory authority or from any Data Subject. 

The Processor shall take all appropriate technical and organisational measures to assist the Controller in responding to Data Subjects’ requests regarding the exercise of their GDPR individual rights. 

9. Termination of the Processing

Upon termination of the Processing, the Processor shall:

  • At the choice of the Controller, delete or return the Personal Data to the Controller, and

  • Delete any existing copy of the Personal Data, except as required to keep by the laws of the European Union or any Member State.

The Processor shall confirm in writing the compliance to this obligation within a 30-day period following termination of the Terms and Conditions to which this Data Processing Agreement is attached.

10. General

Article 9 (Liability) and Article 13 (Dispute settlement) of Wisepops’ Terms and Conditions shall apply to this Data Processing Agreement.  

11. Contact

The Controller may contact Wisepops regarding data protection issues by sending an email to the following address: [email protected]

Help