ATELIER BUSINESS FOOD / BOOKING SHAKE

DATA PROTECTION AGREEMENT

As part of the implementation of the Contract between ATELIER BUSINESS FOOD and the Customer, the purpose of this Annex is to define the conditions under which the Parties will process the personal data communicated to them. ATELIER BUSINESS FOOD and the Customer (hereinafter “the Parties”) undertake to comply with the regulations in force applicable to the processing of personal data and, in particular:

- The Information Technology and Freedom Act of 6 January 1978,

- The European Personal Data Regulation (RGPD) of May 23, 2018,

- The law transposing the European Regulation on the Protection of Personal Data (RGPD) of 20 June 2018.

The terms used in this Annex have the meaning given to them by the GDPR or are defined in the Contract between the parties and to which this Annex is attached. In the event of a contradiction between the Annex and the Contract, the Annex prevails.

Article 1 - Definitions

For the purposes of this Appendix, the terms below have the meaning ascribed to them by the RGPD (Article 4):

▪ Consent: “of the data subject, any free, specific, informed and unequivocal expression of will by which the data subject accepts, by a statement or by a clear positive act, that personal data concerning him or her may be processed”;

▪ Standard contractual clauses: are models of contracts for the transfer of personal data adopted by the European Commission;

▪ Data controller: “the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing; when the purposes and means of such processing are determined by Union law or the law of a Member State, the data controller may be appointed or the specific criteria applicable to his appointment may be provided for by Union law or by law of a Member State”;

▪ Subcontractor: “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller”;

▪ Subcontractor(s): refers to any subcontractor(s) of ATELIER BUSINESS FOOD, who must have been previously and expressly accepted by the Customer;

▪ Processing: “any operation or set of operations, whether or not carried out using automated processes, applied to personal data or data sets, such as collection, registration, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection, limitation, erasure or destruction”;

▪ Personal data breach: “a security breach resulting, in an accidental or unlawful manner, in the destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or in the unauthorized access to such data”.

Article 2 — Role of the Parties

The Customer provides ATELIER BUSINESS FOOD and authorizes the latter to process, for the purposes of providing the Services under the Contract, data, files, etc. of any nature and in any form whatsoever, constituting Personal Data.

In accordance with the applicable regulations:

- The Customer acts as a Personal Data Controller;

- ATELIER BUSINESS FOOD acts on behalf of the Customer in the sole capacity of Subcontractor for the processing operations indicated in Article 3, in accordance with the Contract and the sole instructions of the Customer.

Article 3 — Description of processing

3.1 Categories of data subjects whose personal data are processed

The Data Controller may submit Personal Data to the Processor, which may include the following categories of persons:

The Customer is also required to process the personal data of ATELIER BUSINESS FOOD Employees for the execution of the Contract.

3.2 Categories of personal data processed

The Data Controller may submit Personal Data to the Processor, which may include, but are not limited to, the following categories of personal data:

The Customer is also required to process the following personal data of ATELIER BUSINESS FOOD Employees in order to execute the Contract: name, first name, title, email and telephone number.

3.3 Nature and purposes of the processing

The Processing of Personal Data occurs as part of the performance of Services by ATELIER BUSINESS FOOD: provision of services related to the use by the Customer of the ATELIER BUSINESS FOOD Platform.

Nature of processing operations by the Subcontractor:

- Provision of services related to the ATELIER BUSINESS FOOD Platform;

- Recording and use of personal data in the context of the use of the Platform by the Customer's Users;

- Commercial communication (Newsletter) on the functionalities of the ATELIER BUSINESS FOOD Platform;

- Sending notifications to Users (by email) related to their use of the ATELIER BUSINESS FOOD Platform;

- Ensure billing, manage unpaid invoices and payment reminders.

ATELIER BUSINESS FOOD data processed by the Customer is processed exclusively for the purpose of monitoring the Contract between the Parties and payment of fees due by the Customer to ATELIER BUSINESS FOOD.

The legal basis is the Execution of a Contract between the Parties.

Any other processing or any other purpose does not fall within the scope of this Annex, and each Party will release the other Party from liability for any dispute related to such third-party processing.

3.4 Duration of processing and data retention period

The subcontractor will process Personal Data for the duration of the Contract, unless otherwise agreed between the Parties in writing. At the end of the Contract, the Personal Data will be:

- Category 1: deleted one (1) month after the end of the Contract;

- Category 3: deleted one (1) month after the end of the Contract;

Data related to the execution of the Contract (billing data) and data of the Customer and ATELIER BUSINESS FOOD (commercial data) will be retained for up to five (5) years after the end of the commercial relationship between the Parties.

In addition, each Party is likely to keep certain personal data in order to fulfill its legal or regulatory obligations and to allow the exercise of individuals' rights. At the end of the retention period of personal data, they will be deleted or anonymized.

Data may also be transmitted by a Party to third parties and competent authorities to meet legal, judicial, fiscal or regulatory obligations.

Article 4 — Obligations of the Data Controller

The data controller undertakes to provide ATELIER BUSINESS FOOD with all the instructions necessary for the processing of personal data and to ensure in advance the lawfulness of the processing of Personal Data. It undertakes to provide information to the subjects concerned by the processing operations and to ensure that the Persons Concerned (3.1) are able to exercise their rights over their personal data.

Article 5 — Obligations of the Subcontractor

5.1 Instructions

The processor only processes personal data on the documented instructions of the controller, unless it is required to do so under Union law or the law of the Member State to which it is subject. In this case, the processor informs the data controller of this legal obligation before processing, unless prohibited by law for important reasons of public interest. Instructions may also be given later by the data controller throughout the duration of the processing of personal data. These instructions should always be documented.

The processor shall immediately inform the controller if, in his opinion, an instruction given by the controller constitutes a violation of Regulation (EU) 2016/679/Regulation (EU) 2018/1725 or other provisions of Union law or Member State law relating to data protection.

5.2 Purpose limitation

The processor processes personal data only for the specific purpose(s) of the processing, as defined in Article 3, unless further instructions are given by the data controller.

5.3 Security of processing

The subcontractor shall at least implement the technical and organizational measures specified below to ensure the security of personal data. These measures include the protection of data against any security breach that results, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (personal data breach). When assessing the appropriate level of security, the Parties shall take due account of the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks for the persons concerned.

The subcontractor only grants its staff members access to the personal data being processed to the extent strictly necessary for the execution, management and monitoring of the contract. The subcontractor ensures that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.

Measures taken by the Subcontractor:

- Measures for the pseudonymization and encryption of personal data

- Measures to ensure the continued confidentiality, integrity, availability, and resilience of processing systems and services

- Measures ensuring the availability of means to restore the availability of and access to personal data within appropriate time frames in the event of a physical or technical incident

- Procedures for regularly testing, analysing and evaluating the efficiency of technical and organizational measures to ensure the security of processing

- User identification and authorization measures

- Data protection measures during transmission

- Data protection measures during storage

- Measures for the governance and management of internal IT and computer security.

Article 6 — Subsequent subcontractors

6.1 Obligations of ATELIER BUSINESS FOOD

The processor has the general authorization of the data controller for the recruitment of subsequent subcontractors on the basis of an agreed list. The subcontractor shall specifically inform the controller in writing of any proposed changes to this list by adding or replacing subsequent subcontractors at least ten days in advance, thus giving the controller sufficient time to be able to oppose these changes before the recruitment of the subsequent processor(s) concerned. The subcontractor provides the data controller with the information necessary to enable him to exercise his right of opposition.

When the subcontractor hires a subsequent subcontractor to carry out specific processing activities (on behalf of the controller), it does so by means of a contract that imposes on the subsequent subcontractor, in essence, the same data protection obligations as those imposed on the subcontractor under these clauses.

It is the responsibility of BOOKING SHAKE to ensure that the subsequent subcontractor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the European data protection regulation. If the subsequent subcontractor does not fulfil its data protection obligations, ATELIER BUSINESS FOOD remains fully liable to the data controller for the performance by the other subcontractor of its obligations.

The processor agrees with the subsequent processor on a third party beneficiary clause according to which — in the event that the processor has materially disappeared, has ceased to exist in law or has become insolvent — the controller has the right to terminate the contract concluded with the subsequent processor and to instruct the subsequent processor to erase or return the personal data.

6.2 List of subsequent subcontractors

The Subcontractor uses the following subsequent subcontractors:

Article 7 — Transfer of Data outside the European Union

With the exception of the subsequent subcontractors mentioned above, the Parties declare and undertake not to transfer personal data outside the European Union or to any country that is not recognized as presenting an adequate level of protection as understood by the European Commission, without having taken the applicable legal and regulatory measures and in particular:

- When the third party (subsequent subcontractor or affiliate of ATELIER BUSINESS FOOD) is established in a third country, sign the standard contractual clauses on the most recent model of the European Commission;

- Comply with all resulting obligations and provide a copy of the clauses to the other Party;

- If the situation requires it, to sign Binding Corporate Rules (BCRs) with the authorized third party.

Any transfer of data to a third country or an international organization by the processor is effected only on the basis of documented instructions from the data controller.

In addition, if the Processor is required to transfer data to a third country or to an international organization, under Union law or the law of the Member State to which it is subject, it must inform the data controller of this legal obligation before processing.

Article 8 — Rights of the Persons Concerned

8.1 Data of the Parties

With regard to the legal provisions of the Data Protection Act of January 6, 1978 and the European Data Protection Regulation (“RGPD”), each Party has the following Rights:

a. right to access (article 15 RGPD) and to rectify (article 16 RGPD), to update, to complete the data, to block or to erase the data of the Personal Party (article 17 of the RGPD), when they are inaccurate, incomplete, equivocal, outdated, or whose collection, use, communication or storage is forbidden

b. right to withdraw consent at any time (article 13-2c RGPD)

c. right to restriction of data processing (article 18 GDPR)

d. right to object to data processing (article 21 GDPR)

e. right to data portability, when this data is subject to automated processing based on their consent or on a contract (article 20 RGPD)

f. right to define the fate of data after their death and to choose who to communicate them to (or not) to a previously designated third party.

To exercise any of the rights, simply write a letter to the respective data controllers of the Parties listed in the preamble.

Requests will be processed within one month, unless there is an urgent reason advanced and justified by a Party justifying an extension of the deadline. If the Party does not satisfy the request of the other Party, the latter is entitled to refer the matter to the CNIL (Commission Nationale de l'Informatique et des Libertés, https://www.cnil.fr) in order to enforce its rights.

8.2 Data of Persons Concerned by Processing Operations

As far as possible, each Party undertakes to assist the other Party by appropriate technical and organizational measures in fulfilling its obligation to respond to requests for the exercise of individuals' rights.

The Service Provider undertakes (without responding directly to the Persons Concerned) to:

- Transmit to the Customer, within an appropriate period and not exceeding seventy-two (72) hours, any request and/or notification from a Data Subject whose purpose is the exercise of their rights under the applicable regulations (rights of access, rectification, opposition, limitation, right to be forgotten, to portability, etc.).

- As from the above information, cooperate with the Data Controller and provide him with the information necessary to enable the Data Controller to respond to the Data Controller within an appropriate period of time, which may not exceed ten (10) days;

- In all cases, implement and have implemented by Subprocessors, within an appropriate period of time and not exceeding ten (10) days, any request from the Data Controller concerning the rights of the Persons concerned.

Article 9 — Personal Data Breach

In the event of a personal data breach, the subcontractor cooperates with the data controller and provides assistance to him in order to comply with his obligations under the applicable regulations.

The Party that identified a personal data breach must notify the other Party of such breach within a maximum of forty-eight (48) hours from the discovery of the breach.

This notification will be accompanied by:

- Description and nature of the breach, including where possible, the categories and approximate number of the Persons concerned by the breach and the categories and approximate number of records of the Personal Data concerned,

- The contact details of the data protection officer or other contact point from which additional information can be obtained;

- The categories and the approximate number of persons affected by the violation;

- The probable consequences of the personal data breach;

- All relevant documentation relating to the breach and allowing the parties to take appropriate measures to warn data subjects and to remedy possible consequences.

In the event of a data breach, the Parties will conduct a contradictory investigation in order to determine responsibility for the breach. The responsible party will indemnify the other party against any actions, claims, losses, and damages suffered by the other party or by a third party relating to this data breach.

Contact us

If you have any questions about this data protection agreement, contact us at hello@bookingshake.com