Data processing addendum
This Data Protection Addendum (“Addendum”) forms part of the Terms of Service between Stonly and the Customer.
The purpose of this Addendum is to define the conditions under which Stonly is entitled, as a data processor and as part of the Services, to process under the Customer’s instructions and on its behalf, personal data.
Stonly may have access to personal data (any and all personal data filled within the Platform’s free fields, browsing data (during sessions), IP address) pertaining to Users and any visitor of the Platform (i.e. Customer’s clients or prospects) (the “Personal Data”), necessary for the performance of the Services. The purpose of this Addendum is to set forth the conditions under which Stonly – acting as a processor – undertakes to carry out, on the Customer’s – acting as controller – behalf, these processing operations.
Each Party undertakes to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 (hereinafter, the “GDPR”), the French legal and regulatory provisions relating to the processing of personal data notably those following from Law n° 78-17 of 6 January 1978 as modified from time to time, Directive 2002/58/EU of the European Parliament and Council of 12 July 2002, guidelines, opinions, certifications, approvals, recommendations or final court decisions (altogether, the “Regulations”).
Stonly undertakes to:
process the Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or member state law to which Stonly might be subject; in such a case, Stonly shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Where Stonly considers that an instruction infringes the GDPR or any other legal provision of the European Union or of member states bearing on data protection, Stonly shall immediately inform the Customer. In any event, Stonly shall neither be required to carry out an instruction from the Customer nor be held liable for the consequences of such instruction if it considers that it does not comply with the Regulations;
ensure the confidentiality of Personal Data;
ensure that the persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality training;
inform the Customer, in writing beforehand, of any subprocessor processing the Personal Data and of intended changes concerning the addition or replacement of subprocessors. This information must indicate which processing activities are being subcontracted out, the name and contact details of the subprocessor and the dates of the subcontract. The Customer shall then have ten (10) days from the date on which it receives said information to object thereto. Such sub-contracting is only possible where the Customer has not objected thereto within the agreed timeframe. The subprocessor is obliged to comply with the obligations hereunder on behalf of and on instructions from the Customer. It is Stonly’s responsibility to ensure that the subprocessor provides the same sufficient warranties to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the GDPR. Where the subprocessor fails to fulfil its data protection obligations, Stonly remains fully liable with regard to the Customer for the subprocessor’s performance of its obligations;
assist the Customer, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR and forward data subjects’ requests it may receive, without undue delay, at the email address mentioned in its account;
notify the Customer of any Personal Data breach without undue delay after having become aware of it and via email at the email address mentioned in its account. Said notification shall be sent along with any necessary documentation to enable the Customer, where necessary, to notify this breach to the competent supervisory authority;
assist the Customer in ensuring compliance with its obligations under the GDPR (including articles 32 to 36);
implement technical and organisational measures to ensure security of the Personal Data;
maintain a written record of all categories of processing activities carried out on behalf of the Customer;
at the choice of the Customer, delete or return all the Personal Data to the Customer at the term of the Terms of Service, and delete existing copies unless European Union or member state law requires storage of the Personal Data;
provide the Customer with the necessary documentation for demonstrating compliance with all of its obligations and for allowing the Customer or any other auditor it has authorized to conduct audits, including inspections, and for contributing to such audits.
The Customer:
warrants and declares to Stonly that any processing it entrusts, in whole or in part, to Stonly is in compliance with the Regulations, and in particular that the data subjects have been duly informed, before the collection of their Personal Data and, where applicable, have given their consent for the processing carried out by Stonly as part of the Services, and that it holds all the rights or consents necessary for the transfer of Personal Data by Stonly outside the European Union;
undertakes to provide Stonly with the Personal Data necessary for the processing and give Stonly only instructions that comply with the Regulations and are documented in writing;
If Stonly is ordered to compensate all or part of the damage suffered by a third party as a result of the processing of Personal Data by any User and/or Stonly in violation of the Regulations (an “Action”) even though (i) Stonly has complied with its obligations as a processor under the Regulations or (ii) said penalty results from Stonly’s performance of an instruction from the Customer or any of its Users, the Customer undertakes to indemnify Stonly for all damages to which Stonly may be ordered in respect of such Action, including reasonable attorneys' fees and expenses or any settlement costs and to indemnify Stonly for its full loss.
If the Customer acts as a processor on behalf of a third-party controller, the following provisions shall also apply:
Stonly processes Personal Data only upon documented instructions from the Customer; and
the Customer shall ensure that: (a) all necessary authorizations to enter into these Terms of Service, including the appointment by the Customer of Stonly as subprocessor, have been obtained from the controller, (b) all the obligations imposed by the Regulations - and contained in these Terms of Service - are included in the contractual documentation between Customer and the controller, (c) any instructions received by Stonly from the Customer pursuant to these Terms of Service are fully consistent with the controller’s instructions, and (d) all information communicated or made available to the Customer by Stonly pursuant to this Addendum (in particular in the context of compliance with its obligation to provide assistance and advice) shall, where appropriate, be communicated in an appropriate and timely manner to the controller.
the Customer, who is fully liable to Stonly for the proper performance of the data controller's obligations, indemnifies and holds Stonly harmless from and against (i) any failure of the controller to comply with applicable law, and (ii) any action, claim or complaint of the controller with respect to the provisions of the Terms of Service or with respect to instructions received by Stonly from the Customer or any of the Users.