Confidentiality
1 - Scope of application
These specific conditions (hereinafter "SC") are intended to set out the conditions for the processing of Personal Data that the Provider may carry out within the framework of the Contract and its relationship with the Client.
These are made in accordance with the provisions of Law No. 78-17 of 6 January 1978 (known as the "Data Protection Act" or "LIL") and the General Data Protection Regulation ("GDPR") No. 2016/679.
Each Party undertakes to comply with its obligations under these regulations and these Special Conditions.
2 - Definitions
- Personal Data or Data: refers to any information relating to an identified or identifiable person. A person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier or to one or more factors specific to their identity.
- Regulations: refers to the regulations applicable to the Provider and the Client on the day of the Processing in question, in particular Law No. 78-17 of 6 January 1978 (known as the "Data Protection Act" or "LIL") and the General Data Protection Regulation ("GDPR") 2016/679 of the European Parliament and of the Council of 27 April 2016.
- Processing: means any operation or series of operations performed on Personal Data, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as blocking, erasure or destruction, regardless of whether the operation is carried out by automated means or not.
- Data Controller: refers to the Party which, alone or jointly, determines the purposes and means of a Processing.
- Subcontractor: refers to any natural or legal person required to process Personal Data on behalf of the Data Controller.
- Data Subject(s) (or Person(s) concerned): refers to any natural person whose Personal Data is likely to be subject to Processing.
3 - Personal data processed by the Service Provider as Data Controller
The Provider may be required to process the Client's Personal Data as the Data Controller.
3.1 Characteristics of the Processing carried out by the Service Provider
This Processing may relate to the Personal Data of the Client itself, when the Client is a natural person, as well as to that of its employees or non-employee staff (managers, sales, finance, purchasing, legal, etc.) who are in contact with the Provider.
The purposes of the processing are:
- managing the contractual relationship with the Client (negotiation, contract signing, exchanges, invoicing, etc.)
- website management, and in particular online orders
- managing the execution of services (collaboration around the project, ticket management, etc.)
- electronic communication management
- customer loyalty and sales prospecting
The types of data concerned may be:
- Identification data (name, surname, email address, telephone number),
- Data on professional function, SIRET number
- Economic and financial data
- Connection data (IP address, logs)
- Data relating to projects and the content of exchanges (nature of the need, exchanges, etc.)
Processing may consist of:
- consultation,
- extraction,
- recording,
- modification (updating),
- hosting,
- structuring,
- organization,
- reconciliation / interconnection,
- preservation / archiving,
- transmission / dissemination,
- erasure / destruction.
The legal bases for the Processing are the performance of the Contract concluded with the Client or legitimate interest.
Customer loyalty and sales prospecting directed at a former Client whose contract ended 3 years ago require consent.
The Service Provider retains the collected Data for the duration of the business relationship and then for 10 years. Connection data is retained for a maximum of a few months. Emails exchanged with the Client are retained for 5 years.
3.2 Conditions relating to Processing
The data collected is transmitted directly by the Client or its employees.
The data collected is mandatory to achieve the purposes of processing.
The Data Controller uses subcontractors to carry out certain processing activities, particularly for managing the contractual relationship and the provision of Services. The Service Provider, in particular, uses various collaborative tools to facilitate communication with the Client.
The Client is informed and hereby gives explicit consent to the fact that certain subcontractors of the Provider may be required to transfer Personal Data outside the European Union, in particular to the United States.
In such cases, the Provider undertakes to ensure that transfers carried out by its subcontractors are done in accordance with the Regulations. When Data transfers are carried out pursuant to Article 46, the Provider ensures that these transfers are subject to appropriate safeguards and are documented in accordance with the provisions of Article 30(2) of the GDPR. In this respect, the Client grants full power and authorizes the Provider to sign Standard Contractual Clauses (European SCCs) relating to Data with the relevant subcontractors and, more broadly, mandates the Provider to take all measures to protect the Data.
The Provider implements appropriate technical and organizational measures to ensure a level of security commensurate with the risk. It takes steps to ensure that any natural person acting under its authority or that of a Subcontractor, who has access to Personal Data, does not process it except on the Provider's instructions, unless legally obligated to do so.
The data subject may define guidelines regarding the retention, erasure, and communication of their personal data after their death. These guidelines may be general or specific.
The data subject also has the right to access, object to, rectify, erase, and, under certain conditions, transfer their personal data. The data subject has the right to withdraw their consent at any time if consent constitutes the legal basis for the processing.
The request must include the full name, email or postal address of the person concerned, and be signed and accompanied, if in doubt, by a valid proof of identity.
The data subject can exercise these rights by contacting: Julien Guiard - julien@maintenance-wp.fr
When the Processing concerns the Client's employees, it is the Client's responsibility to inform them directly of their rights.
4 - Personal data processed by the Service Provider as a Subcontractor
Under the Contract, the Service Provider may be required to process Personal Data as a Subcontractor on behalf of the Client, which alone defines the purposes and means of the Processing.
4.1 Characteristics of the Processing
The Client's instructions to the Provider regarding the Data Processing are those contained in these Special Conditions.
However, they may be supplemented, modified or updated by the Client at any time in writing.
The purposes of this Processing may be:
- website redesign, website audit
- Client site maintenance (Onboarding, preventive, corrective, evolutionary, service support, ad-hoc support, reversibility)
The Processing instructions may be as follows:
- log in to the website's administration interface
- connect to the server to copy the site and its data to the development server
- connect to the Client's third-party tools
- audit the existing situation
- carry out migrations on servers (development and production)
- perform backups
- store usernames and passwords for accessing the Client's site, server, and third-party tools
- perform tests
- make the necessary corrections
- perform the necessary preventive maintenance operations (backups, cleaning, updates, security monitoring, testing)
- assist the Client in using the site
- provide support services
- install, uninstall, and configure third-party software and technologies (cookies, plugins), which may sometimes result in data transfers to third-party recipients, including outside the EU
- set up connectors or APIs between the Client's website/software and other software used by the Client, which may sometimes result in data transfers to third-party recipients, including outside the EU
- install and configure the Client's website
- set up server access
- set up databases
- configure an email address
- subscribe to and install an SSL certificate on behalf of the Client
- delete data (e.g., spam)
- transfer the Data to third-party recipients, including outside the EU
- grant access to Data to third-party recipients, including outside the EU
- carry out development (improvements) on the site
- ensure data reversibility (including data exports)
Processing may consist of:
- consultation, extraction, recording, modification (updating), hosting, structuring, organization, reconciliation / interconnection, preservation / archiving, transmission / dissemination, erasure / destruction.
The people concerned may be:
- internet users, the Client's customers, the Client's employees, its subscribers or even the Client's prospects.
The types of data processed may include:
Data stored on the Client's software. This may also include data stored on the Client's server and any other software used by the Client. This data may include the following:
- Civil status, identity, identification data, images (surname, first name, address, photograph, date and place of birth, etc.)
- Connection data (IP addresses, logs, device identifiers, login credentials, timestamp information, etc.)
- Location data (movements, GPS data, GSM, etc.)
- Economic and financial information (income, financial situation, bank details, etc.)
- Professional life (CV, professional situation, education, training, awards, diplomas, etc.)
- Personal life (lifestyle habits, family situation, etc.)
- Potentially Sensitive Data
The data retention periods are as follows:
- Backup data is kept for a maximum of 90 days.
- Other data is kept for the duration of the contractual relationship and then for 5 years.
The Client is informed that the person in charge of personal data protection is Julien Guiard - julien@maintenance-wp.fr
4.2 Client Obligations
The Client, in its capacity as Data Controller, undertakes to comply with all obligations incumbent upon it under the Regulations on the protection of Personal Data, such as in particular the obligations to inform the Persons concerned, any requests for authorization, the existence of legal bases for the Processing, etc.
When the Client instructs the Provider to install, uninstall, or configure software, technologies, or APIs, or to communicate Data that may result in Data transfers to third-party recipients, including those outside the EU, the Client undertakes to verify beforehand that the planned transfers comply with the Regulations. The Client also ensures that these transfers are subject to appropriate safeguards and additional measures to guarantee a level of protection essentially equivalent to that provided within the European Economic Area.
The Data Controller shall hold the Subcontractor harmless from any judgment and any financial consequences to which the latter may be exposed due to non-compliance with its obligations.
4.3 Obligations of the Service Provider
The Service Provider, in its capacity as a Subcontractor, undertakes to strictly comply with all obligations incumbent upon it under the Regulations on the Protection of Personal Data. The Service Provider's obligations are specified below.
Compliance with Processing instructions
The Service Provider undertakes to strictly comply with the Client's written instructions regarding the use of Personal Data. In particular, the Service Provider is prohibited from carrying out any Processing of Personal Data that is not expressly requested by the Client in the context of a written instruction.
Use of cascading subcontracting
The Client is informed and agrees, within the framework of a general authorization, that the Subcontractor may use subcontractors in a cascade within the framework of this Contract.
When the Sub-processor uses another sub-processor to carry out specific Processing activities on behalf of the Data Controller, equivalent Data Protection obligations to those set forth in this Agreement shall be contractually imposed on that other sub-processor. If that other sub-processor fails to fulfill its Data Protection obligations, the Sub-processor remains liable to the Data Controller for the other sub-processor's performance of its obligations.
The list of subcontractors in the chain of subcontractors is available to the Client upon written request. The Subcontractor undertakes to inform the Data Controller of any addition or change of subcontractor by email as soon as possible if this change has a negative impact on the Processing of its Data.
The Data Controller will submit any observations or objections in writing within fifteen days of receiving this information. If no response is received within this period, the Data Controller will be deemed to have accepted the new data processor and the change to the processing of its data. The data processor will provide the Data Controller with all information necessary to establish the data processor's compliance with the requirements of the Regulations.
Subcontractor's obligation of assistance
The Subcontractor shall take into account the nature of the Processing and assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests from Data Subjects to exercise their rights under Chapter III of the GDPR.
The Subcontractor assists the Data Controller in ensuring compliance with the obligations set out in Articles 32 to 36, taking into account the nature of the Processing and the information available to it.
The Subcontractor shall provide the Data Controller with all the information necessary to demonstrate compliance with the obligations set out in this article.
Audit
The Client may, at its own expense and during the performance of this agreement, carry out, or have carried out by any service provider of its choice bound by professional secrecy, audits of the Provider's compliance with its obligations under this Agreement regarding the Processing of Personal Data.
The Client undertakes to notify the Provider in writing of any audit with a minimum notice period of ten (10) calendar days, stating the purpose of the audit, its envisaged duration, which may not exceed 4 days, and the names of the appointed experts.
The Parties will mutually agree on the planning of the audit, with the auditor undertaking to cause minimal disruption to the performance of the Services.
A copy of the audit report prepared by the auditor will be given to each party and will be reviewed jointly by the Parties, who undertake to meet for this purpose.
If this audit confirms a breach of the Provider's obligations, the Provider shall bear the audit costs and implement, at its own expense, the necessary corrective measures within thirty (30) business days of receiving the audit report. Except as provided above, the Client shall bear all costs incurred by it for the audits. If the breach is not remedied within this period, the Client may terminate this agreement and the initial Contract for cause under the conditions stipulated in the initial Contract.
Obligation of confidentiality
The Subcontractor is bound by an obligation of confidentiality and is prohibited from communicating, whether free of charge or for payment, the Personal Data to any third party whatsoever, except for the purposes of the Contract and on the instructions of the Data Controller.
The Subcontractor ensures that persons authorized to process Personal Data undertake to respect the confidentiality of Personal Data or are subject to an appropriate legal obligation of confidentiality.
Notification in case of a personal data breach
The Subcontractor undertakes to notify the Data Controller as soon as possible and as soon as it becomes aware of any breach or security vulnerability affecting Personal Data and to provide the Data Controller with the information necessary to enable it to inform the supervisory authority and, if necessary, the Data Subjects.
Authorization for transfers of personal data outside the European Union
The Client hereby gives express instruction to the Provider to carry out or have carried out, through a cascading subcontractor, transfers of Personal Data outside the European Union, including to the United States.
The Provider undertakes to ensure that transfers are made in accordance with the Regulations.
When data transfers are carried out pursuant to Article 46, the Provider ensures that these transfers are subject to appropriate safeguards and are documented in accordance with Article 30(2) of the GDPR. In this respect, and where necessary, the Client authorizes the Provider to sign Standard Contractual Clauses (SCCs) relating to data on its behalf and for its account with subcontractors.
Security measures
The Subcontractor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in order to prevent any loss, damage, alteration or unauthorized access to the Data.
The Subcontractor shall take measures to ensure that any natural person acting under its authority, who has access to Personal Data, does not process it, except on the instructions of the Client, unless obliged to do so by Union law or the law of a Member State.
Processing register
The Subcontractor keeps the register of Processing activities available to the Client and/or the supervisory authority and communicates it upon simple request.
Last updated on 31/03/2024