GDPR

DATA PROCESSING AGREEMENT

    1. Parties acknowledge that, in the context of the performance of the Services, described in Software development Contract, the Company is acting as a data controller and the Supplier is acting as a data processor as defined in the European Regulation 2016/679 dated 27 April 2016 (hereinafter the “GDPR”), on behalf of and following Company’s instructions. Supplier undertakes to provide the Services in compliance with the provisions of the Agreement and the GDPR.
    2. Supplier acknowledges and agrees that for the provision of the Services, Supplier will have access to Company’s documents and information which contain personal data, as defined in the GDPR (hereinafter “Personal Data”) and will implement a processing whose specificities are described in Annex 1.
    3. Supplier, as a data processor, undertakes:
      • To process Personal Data for the sole purposes of providing the Services, and in general to only act in accordance with the written and documented instructions of Company.
      • To implement the technical and organizational measures detailed in Annex 3 to preserve the confidentiality and security of Personal Data and in particular to prevent it from being destroyed, damaged or communicated to unauthorized third parties and to comply with the requirements of the GDPR and ensure data subjects’ rights protection, and more specifically protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, disclosure or unauthorized access, in particular where the processing involves the transmission of data through a network, and against any form of unlawful processing.
      • That the Supplier’s personnel authorized to process Company’s Personal Data are subject to a confidentiality obligation.
      • To keep a list of any subprocessors that will be involved in the processing of Personal Data due to the provision of Services and to inform Company of any intended changes concerning the addition or replacement of subprocessors before such changes are effective thereby giving Company the opportunity to object to such changes. Company can object to such changes, it being specified that the sub-contracting can only occur if Company has not objected to such change within one (1) month following the notification of the change. The updated list of authorized subprocessors at date of conclusion of the Agreement is attached in Annex 2.
      • In case a subcontractor is established in a third country, to ensure that a proper contractual agreement is in place that governs the transfer and processing of personal data to a Processor established in a third country as defined and required by the GDPR. Alternatively, if subcontracting is to an affiliate, proper binding corporate rules can apply if approved by the lead authority as defined and required by the GDPR.
      • To answer, without undue delay and at the latest within 10 business days, to any request from Company relating to Personal Data processed, to enable Company to process, in due time, any request from data subjects (right of access, rectification, deletion, opposition, etc.);
      • To notify without undue delay and at the latest within 10 business days Company of any requests or queries from data subjects concerned by the processing of Personal Data, any data protection authority or any other competent authority and to only directly answer such requests or queries with the prior consent of the Company and according to the Company’s written instructions.
      • To cooperate and assist Company in case Company has to demonstrate compliance with the applicable data protection regulation;
      • To cooperate, assist and provide Company with all information necessary for the performance of a data protection impact assessment in accordance with Article 35 of the GDPR and/or consultation of the relevant supervisory authority in accordance with Article 36 of the GDPR;
      • To immediately inform Company in writing of any changes or modifications that may have an impact on the processing of Personal Data implemented by Supplier or Company;
      • To retain Personal Data processed on behalf of Company for the duration of the Services and, at the express choice of Company, to either return to Company or delete such Personal Data (i) when required by Company; (ii) on termination or expiry of the Agreement or (iii) if the processing of Personal Data ceases to be required by Supplier for the performance of its obligations under this Agreement. Supplier also undertakes to destroy all copies of the Personal Data that it may have made, unless applicable legislation prevents the destruction of all or part of the Personal Data;
      • To immediately inform Company if, in Supplier’s opinion, one of Company’s instructions infringes the applicable data protection regulation;
    4. If Supplier has become aware of the existence of a personal data breach, as defined at Article 4 (12) of the GDPR, Supplier shall:
      • notify the existence of this incident to Company as soon as possible, and at the latest within forty-eight (48) hours after becoming aware of a personal data breach;
      • provide Company with any information that would allow Company to comply with its notification obligations with competent data protection authority in accordance with Article 33 of the GDPR.
    5. Company consents and agrees that Supplier and/or its potential authorized subprocessors may transfer Personal Data outside of the European Union (EU). Supplier undertakes in this case to inform Company and to take all appropriate measures to ensure the protection of Company’s Personal Data in compliance with the applicable data protection regulation, including the conclusion of binding agreements integrating the European Commission’s standard contractual clauses.
    6. Supplier undertakes to maintain a record of all categories of processing activities carried out on behalf of Company, including those operated by its subprocessors authorized by Company, in compliance with the applicable data protection regulation. Supplier undertakes to make this record of processing activities available to Company and competent data protection authorities.
    7. Supplier undertakes to make available to Company any information necessary to demonstrate compliance with the obligations laid down in this Article “Data protection” and allow for audits, at Company’s own costs, conducted by the Company or another auditor mandated by Company, subject to a one (1) month prior notice and limited to one (1) audit per year. Supplier will cooperate in good faith with any auditor appointed by Company.