Updated on November 14, 2023 💡 Data processing is governed by the General Data Protection Regulation of the European Union and is also accessible on the CNIL website

Preamble

This agreement applies to the processing of personal data carried out by the Client, in its capacity as Data Controller, and Nonli, in its capacity as processor, in the context of providing a solution for analyzing the client's website audience, analyzing trends and publishing on social networks. This agreement constitutes an independent document aimed at defining the respective obligations of the Parties to ensure compliance with current legislation regarding the processing of personal data and respect for privacy.

Personal Data is used only so that the client can authenticate with two-factor authentication and thus use the platform. We undertake to guarantee the confidentiality of personal data, to ensure that persons authorized to process this personal data respect confidentiality or are subject to a legal obligation of confidentiality and that they receive the necessary training on the protection of personal data.

The Parties undertake to comply with the principles of article 25 of the Regulation concerning "Data protection by design and by default".

The anonymous data collected by the SDK is used only on order and for the benefit of our client.

We undertake not to use our clients' data for our own purposes.

Technical and organizational measures

We undertake to implement all the security measures specified below:

Subcontracting

We do not subcontract any processing of personal data; if this were the case, we would inform our client and ensure the confidentiality of the data with the subcontractor.

We will ensure that the subcontractor provides the same sufficient guarantees regarding the implementation of the technical and organizational measures required by the Regulation.

Transfer outside the European Union (EU)

In case of transfer of personal data outside the EU, we guarantee compliance with the obligations provided for in CHAPTER V "Transfers of personal data to third countries or international organizations" of the Regulation.

We will be able to provide all guarantees that our client is entitled to require to ensure the compliance of data transfers outside the EU.

Right to information of data subjects

It is the responsibility of the client to provide information to the persons concerned by the processing operations at the time of data collection.

Exercise of data subjects' rights

We undertake to help our client fulfill their obligation to respond to requests from data subjects to exercise their rights: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling). When data subjects make requests to exercise their rights, we forward these requests to our client.

Notification of personal data breaches

We will notify our client by email of any personal data breach as soon as possible after becoming aware of it, and in any event within timeframes allowing our client to comply with the deadlines imposed by the general data protection regulation. This notification will be accompanied by any useful documentation to enable the client to notify the breach to the competent supervisory authority and to the data subjects when such notifications are required by the Personal Data Regulations.

Data Protection Officer

In accordance with article 37, we are not required to appoint a DPO as we are not a public body and our activity does not consist of personal data processing operations.

Fate of Personal Data

In accordance with article 28.3.g of the Regulation, at the end of the provision of services relating to the processing of this data, we undertake to return the personal data to the client or to any processor designated by them — in the most technically appropriate form, in a non-proprietary, structured and consolidated format — and to destroy all existing copies in our information systems.

Customer/supplier account management

This processing is intended for the management of the customer and supplier account of each of the Parties, such as the commercial relationship, administrative management, billing, the processing of technical incidents, and the management of complaints. This processing is implemented by each of the Parties as a separate Data Controller. This processing is necessary for the execution of the Contract; it also responds to the legitimate interests of each of the Parties as well as the legitimate interest of each Party in providing means of communication to their personnel.

The persons concerned by these processing operations are the employees of each party.

The Personal Data concerned are the identity data of the Contacts: Last Name – First Name – Phone Number – Email. The retention period for the aforementioned personal data is limited to three (3) years from the end of the commercial relationship between the Parties, and may be deleted immediately if the client so requests.

Q&A

Do you ensure compliance with legal data retention periods? Retention periods and justification.

Yes, we undertake to comply with legal data retention periods. The retention periods depend on the type of data and the purpose of the processing. We retain personal data for as long as necessary to achieve the purposes for which it was collected, in accordance with applicable legal and regulatory requirements. The retention periods are justified by compliance with legal and regulatory obligations as well as by the legitimate interests of our client.