The purpose of this Data Processing Addendum (“DPA”) is to set out Woosmap and Client obligations relating to the personal data processed by the parties pursuant to the agreement entered into between them and to which this DPA is attached and incorporated.
Data Processing Addendum
In the context of the provision of Woosmap Services under the Agreement, the Parties acknowledge and agree that several types of Processing of Personal Data are implemented for which the roles, obligations and responsibilities of the Parties are different:
- Processing relating to the management of the contractual relationship between WGS and the Client, in the context of which WGS is acting as a Data Controller and Client, its representatives, employees and directors are Data Subjects. For such Processing, the information relating to the nature and characteristics of the Processing is set out in Article 2 of this DPA;
- Processing relating to the hosting of Woosmap Platform, the hosting of Client Databases and the provision of certain Woosmap APIs as listed in Woosmap APIs Specifications Table as updated from time to time and available in its latest version online, as well as the provision of Associated Services, in the context of which WGS is acting as a Processor and the Client is acting as a Controller. For such Processing, the respective obligations of the Parties are set out in Article 3 of this DPA;
- Processing relating to the provision of certain Woosmap APIs as listed in Woosmap APIs Specifications Table as updated from time to time and available in its latest version online in the context of which WGS and the Client are acting as Separate Controllers. For such Processing, the respective obligations of the Parties are set out in Article 4 of this DPA.
For the purposes of this Data Processing Addendum (hereinafter the “DPA”) and more generally the performance of the Woosmap Services under the Agreement, the terms with a capital letter, whether used in the singular or plural, shall have the following meanings:
“Applicable Regulations” shall mean the GDPR and any applicable national law implementing the GDPR, as regularly updated, amended and/or superseded, notably the French Act No. 78-17 dated 6 January 1978, the so-called French Data Protection Act, as well as any applicable national law enacting the EU Directive 2002/058/EC dated 12 July 2002, the so-called e-Privacy Directive, as regularly updated, amended and/or superseded from time to time.
"Controller" shall have the meaning prescribed to this term in Article 4 of the GDPR.
"Data Subject" shall have the meaning prescribed to this term in Article 4 of the GDPR.
“GDPR” shall mean the European Regulation No. 2016/679 dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal Data" shall have the meaning prescribed to this term in Article 4 of the GDPR.
"Personal Data Breach" shall have the meaning prescribed to this term in Article 4 of the GDPR.
"Processing" shall have the meaning prescribed to this term in Article 4 of the GDPR.
"Processor" shall have the meaning prescribed to this term in Article 4 of the GDPR.
"Supervisory Authority" shall have the meaning prescribed to this term in Article 4 of the GDPR.
Other capitalized terms used in this DPA shall have the meaning prescribed to them in the Agreement.
2. INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA IMPLEMENTED BY WGS TO MANAGE THE CONTRACTUAL RELATIONSHIP WITH THE CLIENT
In the context of the performance of the Agreement, WGS is required to collect and process Personal Data regarding the Client, the Client's employees, representatives and/or directors in order to enable it to manage the contractual relationship.
In this respect, WGS, as a Controller, implements a Processing, in compliance with Applicable Regulations, whose purposes are:
- the management of its Clients, including contract management, invoices and monitoring of Credits Volume consumption, accounting, monitoring of the proper performance of the contractual relationship, claims management, running of commercial and financial statistics, etc.
- the management of operations enabling WGS to communicate with the Client
- the management of direct marketing communications
- the enforcement of its Agreement in case of breach or non-compliance as well as to ensure compliance with its legal obligations.
The Processing implemented is based:
- for the following purposes on the performance of the Agreement: management of its Clients, i.e. contract management, invoicing and monitoring of Credits Volume consumption, monitoring of the proper performance of the contractual relationship, claims management, etc.; management of operations enabling WGS to communicate with the Client; enforcement of the obligations set forth in the Agreement;
- for the following purposes on the legitimate interest of WGS: direct marketing operations, running of commercial and financial statistics;
- for the following purposes on compliance with a legal obligation: accounting; enforcement of legal obligations including the ones set forth by Applicable Regulations.
The Personal Data collected and Processed in this context as well as the entire file associated with the Client will be retained for the term of the contractual relationship between the Parties. Personal Data that could be necessary in case of disputes and/or litigation arising between the Parties will be retained for the applicable statute of limitations.
The Personal Data collected and Processed in this context will only be accessible to and/or processed by:
- WGS and its Affiliates’ employees on a need-to-know basis, i.e. the employees who need to access the data in order to perform their duties;
- third party service providers, acting as Processors, in order to perform services related to the provisions of software solutions used to process Client’s Personal Data: hosting, storage, analysis, communication, database management or IT maintenance services;
- judicial or financial authorities, state agencies or public bodies, upon request and to the extent permitted by the Applicable Regulation, if required by law or if WGS believes in good faith that such disclosure is reasonably necessary to comply with legal proceedings;
- external counsel (lawyers, statutory auditors, accountants, etc) on a need-to-know basis only;
- third parties in connection with any merger, acquisition or sale of all or part of the WGS’s assets.
The Personal Data collected and processed may be transferred outside the European Economic Area (EEA), mainly within the WGS group of companies (located in India, Singapore, the United Kingdom), and in some particular cases due to the use of third-party service providers.
When Personal Data is transferred outside the EEA, WGS puts in place all appropriate safeguards to ensure the protection of the Personal Data of the Client's employees, representatives and/or directors in accordance with Articles 45 et seq. of the GDPR. Depending on the transfer involved, WGS relies on an adequacy decision issued by the European Commission (this is the case for transfers to the United Kingdom), or on its Processors’ Binding Corporate Rules, or executes binding agreements incorporating the European Commission's standard contractual clauses available at the following link (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en), a copy of which can be requested by email to the address below.
In accordance with the Applicable Regulations, the Client and/or the employees, representatives and directors of the Client have a right of access, rectification, erasure of their Personal Data, a right to restrict the processing, as well as a right to object to the Processing of Personal Data about them. The Client and/or the Client's employees, representatives and/or directors also have the right to send to WGS specific instructions regarding the fate of their Personal Data after their death.
To exercise these rights, the Client and/or the employees, representatives and directors of the Client may submit a request to WGS:
- by email to: [email protected]; or,
- by mail to: Web Geo Services – Legal Department – 19 rue Blanche 75009 Paris
The Client and/or the employees, representatives and/or directors of the Client may lodge a complaint with the Supervisory Authority.
The Client undertakes to inform its employees, directors and/or representatives of the information contained in this DPA relating to the Processing of their Personal Data within the context of the performance of the Agreement.
3. PROCESSING OF PERSONAL DATA IMPLEMENTED BY WGS ON BEHALF OF THE CLIENT
For the hosting of Woosmap Platform and Client Databases, the provision of certain Woosmap APIs, as listed in Woosmap APIs Specifications Table as updated from time to time and available in its latest version online, as well as for the provision of the Associated Services (hereinafter “Processor Services”), Parties acknowledge that the Client is acting as a Controller and WGS is acting as a Processor on behalf of and following Client’s instructions.
3.1. WGS obligations as a Processor
In this context, WGS undertakes to provide Processor Services in compliance with the provisions of the Agreement and the Applicable Regulations.
Parties acknowledge and agree that for the provision of Processor Services, WGS will have access to and/or process Client’s Databases, Client’s Data as well as End-Users’ data which contain Personal Data and will implement a Processing whose specificities are described in Section 3.3 of this DPA. WGS undertakes to retain Personal Data processed on behalf of Client for the duration of the Term or as otherwise instructed by Client. WGS shall, at the choice of Client, either return such Personal Data to Client in compliance with the provisions of the Agreement or delete such Personal Data. WGS also undertakes to destroy all copies of the Personal Data in WGS’s possession or control, unless legislation imposed upon WGS prevents the destruction of all or part of the Personal Data.
WGS, as a Processor, undertakes:
- to process Personal Data for the sole purpose of providing the Processor Services and in general to only act in accordance with Client’s written and documented instructions;
- to immediately inform the Client if WGS believes that Client’s instructions would infringe the Applicable Regulations. In such a case, WGS shall not proceed with the Processing of Personal Data unless and until (i) the Client issues new instructions, or (ii) if applicable, Client confirms in writing the previous instructions, it being specified that in such a case, should the instructions be held infringing the Applicable Regulation by a competent Supervisory Authority or a Court, WGS shall bear no liability in this respect;
- to take all appropriate measures to preserve the confidentiality and security of Personal Data and to implement appropriate technical and organizational measures to comply with the Applicable Regulations and ensure the protection of Data Subjects’ rights and more specifically protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, disclosure or unauthorized access, in particular where the processing involves the transmission of data through a network, and against any form of unlawful Processing. These measures must ensure, given the state of the art and the cost of their implementation, an appropriate level of security in consideration of the risks of the Processing and the nature of Personal Data which is to be protected. These technical and organizational measures are documented under the following link: https://www.woosmap.com/policies/security-measures. WGS regularly monitors compliance with these measures and may update them from time to time in accordance with the provisions of the Agreement;
- that the personnel authorized to process Client’s Personal Data is bound by a confidentiality obligation;
- to the extent possible, taking into account the nature of the Processing, to answer, without undue delay and at the latest within ten (10) business days, to any request from Client relating to the Personal Data so that Client may respond within due time to any request from Data Subjects (right of access, to rectification, to erasure, to object, etc.);
- to the extent reasonably possible, to cooperate and assist Client in case Client has to demonstrate compliance with the Applicable Regulations;
- to the extent reasonably possible, to cooperate with and assist Client for the completion of any formalities and for the performance of data protection impact assessments in accordance with Article 35 of the GDPR.
Client hereby acknowledges and agrees that WGS Affiliates and any other third party may be involved in the Processing of Personal Data for the provision of Processor Services (the “Sub-processors”).
The current list of Sub-processors approved by Client is available at the following link: https://woosmap.com/policies/authorized-subprocessors-list. WGS undertakes to keep such detailed list of all Sub-Processors that will be involved up-to-date and inform Client of any intended changes concerning the addition or replacement of Sub-Processors before such changes become effective, it being specified that Client may oppose such changes on reasonable legal grounds, based on a concrete provision of Applicable Regulation. In any case, subcontracting by WGS may only occur if Client has not objected to it within one (1) month following the notification of the change by WGS. Upon receipt of Client’s objection, WGS in its discretion may elect to cure the objection by: (i) not using the Sub-Processor; (ii) taking the corrective steps requested to continue using the Sub-Processor; or (iii) ceasing to provide the part or aspect of the Processor Service conducted by the Sub-Processor. If the objection has not been cured within one (1) month after WGS’s receipt of Client’s objection, either party may terminate Processor Services upon one (1) month’s written notice.
In case of sub-processing, WGS undertakes to enter into an agreement with the Sub-processor which includes obligations at least equivalent to those to which WGS is bound under this DPA. WGS shall be liable for the acts and omissions of its Sub-processors to the same extent WGS would be liable if performing the services of each Sub-processor directly under the terms of the Agreement.
Client hereby acknowledges and agrees that WGS and/or its authorized Sub-Processors may transfer Personal Data outside the EEA. The current list of authorized transfers outside the EEA approved by Client is available at the following link: https://woosmap.com/policies/authorized-subprocessors-list. In this respect, WGS undertakes to inform the Client within one (1) month before the effective implementation of any new transfer and to either transfer Personal Data to a third country recognized as providing an adequate level of protection or to implement appropriate safeguards (including the execution of Standard Contractual Clauses of the European Commission Implementing Decision 2021/914 dated June 2021, under module 3; or to base such transfers on Sub-Processors’ Binding Corporate Rules) so that all appropriate guarantees aimed at ensuring the protection of the data in accordance with the Applicable Regulation are taken.
If WGS has reasons to believe or has become convinced of the existence of a Personal Data Breach, WGS undertakes:
- to notify Client of the existence of the Personal Data Breach as soon as possible after becoming aware of it;
- to provide Client with information allowing it to comply with its notification obligations with the Supervisory Authority and/or any other competent authorities in accordance with Article 33 of the GDPR.
WGS uses external auditors to verify the adequacy of the technical and organizational security measures on the infrastructure that is used to perform the Processor Services. This audit is performed, at least annually, by independent third-party security professionals, at WGS’s selection and expense. It will result in the generation of an audit report, which shall be considered as WGS’ Confidential Information. At Client’s written request, and provided that the parties have an applicable NDA in place, WGS will provide Client with a copy of such audit report so that Client can reasonably verify WGS’ compliance with its obligations under this DPA.
3.2. Client’s obligations as a Controller
For Processor Services, Client undertakes to:
- document in writing any specific and additional instruction that would not be reflected in this DPA, it being specified that such instructions should be accepted by WGS to be binding;
- inform End-Users of the Processing implemented with its Personal Data through the Processor Services, in accordance with Applicable Regulations;
- obtain, where necessary, End-Users’ consent to process their Personal Data and/or make sure the Processing implemented through the Processor Services relies on an appropriate legal basis under the GDPR;
- more generally, ensure that the Processing complies with the obligations set forth in Applicable Regulations;
- implement appropriate security measures on its websites and apps to ensure the requests from its websites and apps to WGS servers are secure.
Without affecting its other obligations, Client undertakes and will ensure, for all Personal Data that it transfers to WGS that (i) it is lawfully entitled to transfer the same to WGS and (ii) it shall procure such consent from the data subjects for which it is responsible as may be required to allow WGS to provide, and the Client to receive, the Woosmap Services in accordance with the Applicable Regulations.
Client acknowledges and agrees that it is solely responsible for the accuracy of Personal Data provided to WGS as well as the compliance and legality of the Processing implemented through Woosmap Platform.
3.3. Description of the Processing implemented
Subject matter and Purpose of the Processing
Personal Data is Processed in connection with the hosting of Woosmap Platform and Client Databases, as well as for the provision of certain Woosmap APIs, as listed in Woosmap APIs Specifications Table as updated from time to time and available in its latest version online, as well as for the provision of the Associated Services.
In this context, Client processes Personal Data, as a Controller, in order to provide geolocation services, such as store locator; store opening hours; closest store; nearest click-and-collect store for delivery; itineraries as well as associated time including with real traffic data; etc.
Nature of the Processing
Personal Data is subject to the following Processing activities:
- End-User’s Personal Data: Collection; Organization; Comparison; Disclosure by transmission;
- Other Personal Data, including the ones included in Client’s Database: Collection; Organization; Input; Storage; Comparison; Disclosure by transmission;
- Hosting, Maintenance and Support of the Woosmap Platform.
Duration of the Processing
Personal Data is Processed for the Term as defined under the Agreement and/or any other written instruction provided for by the Client and accepted by WGS, it being specified that End-Users’ Personal Data is not retained by WGS following the provision of the answer to the request. Indeed, WGS deletes End-Users’ Personal Data immediately after the provision of the answer to the request.
Categories of Data Subjects
The following categories of Data Subjects are concerned by the Processing:
- Client’s Authorized Users
Types of Personal Data concerned
The following categories of Personal Data are processed:
- Regarding Client’s Authorized Users: contact details information (in particular name, surname, login and associated password);
- Regarding End-User: IP Address; WGS internal ID; content of the requests and answers provided, i.e. closest store; starting and ending point of itineraries as well as itinerary and associated time, etc.
4. PROCESSING OF PERSONAL DATA IMPLEMENTED BY WGS AND THE CLIENT AS CONTROLLERS
For the provision of certain Woosmap APIs as listed in Woosmap APIs Specifications Table as updated from time to time and available in its latest version online (hereinafter “Controller Services”), Parties acknowledge that WGS and the Client are acting as Separate independent Controllers under the Applicable Regulations.
4.1. Roles and obligations of the Parties.
Parties acknowledge and agree that for the provision of Controller Services, WGS is making Woosmap Databases available that shall be used to provide answers to End-Users’ requests. Such Woosmap Databases contain Personal Data that shall be processed in the context of providing the services to Client and consequently to End-Users. In this respect, each Party:
- is individually and separately determining the purposes and means of its Processing activities with Personal Data, therefore acting as a separate Controller in its own ground;
- shall comply with all the obligations applicable to Controllers set forth by Applicable Regulations for its own Processing. For the avoidance of doubt, Parties acknowledge and agree that (i) WGS shall not be responsible for the compliance of the Processing implemented by the Client with Personal Data made available by WGS to the Client as part of Controller Services; (ii) Client shall not be responsible for the compliance of the Processing implemented by WGS with its own Woosmap Databases;
- can sub-contract part of its activities to a sub-contractor.
Notwithstanding the above, the Client acknowledges and agrees that it is the only Party which has direct contact with End-Users and therefore undertakes to:
- inform End-Users of the Processing implemented with its Personal Data through the Woosmap Services, including for Controller Services, in accordance with Applicable Regulations;
- answer any End-Users’ request based on their rights under Applicable Regulations in the context of Controller Services;
- obtain End-Users’ consent, where necessary, to process their Personal Data and/or make sure the Processing implemented through the Woosmap Services relies on an appropriate legal basis under the GDPR;
- implement appropriate security measures on its websites and apps to ensure the requests from its websites and apps to WGS servers are secure.
4.2. Personal Data Breach.
If either Party has reason to believe or has become convinced that a Personal Data Breach exists with respect to the Processing implemented under the Controller Services or that would impact such Processing, then such Party agrees to:
- notify the other Party of the existence of such incident as soon as possible, and no later than forty-eight (48) hours after becoming aware of the incident,
- refrain from communicating about the incident until a line of communication has been agreed upon with the other Party, notably so as to decide which Party should be notifying, where necessary, the Personal Data Breach to the Supervisory Authority and Data Subjects.