I. Purpose

The purpose of these clauses is to define the conditions under which the subcontractor undertakes to carry out on behalf of the data controller the personal data processing operations defined below. As part of their contractual relations, the parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016. applicable from May 25, 2018 (hereinafter, “the European data protection regulation”).

II. Description of the processing which is the subject of the subcontracting

The subcontractor is authorized to process on behalf of the data controller the personal data necessary to provide the services detailed below:

Identity Document

Service Verification of identity documents (ID, passport, residence permit and other personal document (RIB, proof of address, salary slip, tax notice, driving license, etc.)
Nature of operations Capture of the document image, reception, extraction of document data, control on the basis of defined rules, retur of control results.
Purpose of processing Verification of documents communicated by end customers.
Categories of data subjects End customers
Information made available to the subcontractor by the data controller for the performance of the service covered by this contract Image of the identity document or document, possibly acquired directly from the end customer.

Facial Recognition

Service Facial recognition to identify the holder of the identity document
Nature of operations Capture a selfie-type photo, receive the selfie and automatically compare it with the face found on the ID document.
Purpose of processing Verification of documents communicated by end customers.
Categories of data subjects End customers
Information made available to the subcontractor by the data controller for the performance of the service covered by this contract Image of the identity card and selfie of the end customer, possibly acquired directly from the end customer.

III. Contract Length

This contract is valid during the Service Period as defined in the Contract.

IV. Obligations of the subcontractor regarding the controller

The subcontractor undertakes to:

Process the data only for the sole purpose (s) which is / are the subject of the subcontracting

Process the data in accordance with the description of the service communicated to the data controller in the appendix to this contract. If the processor is required to transfer data to a third country or to an international organization, under Union law or the law of the Member State to which it is subject, it must inform the controller the processing of its legal obligations before processing, unless the law concerned prohibits such information for important reasons of public interest.

Guarantee the confidentiality of personal data processed under this contract

Ensure that the persons authorized to process personal data under this contract: undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality receive the necessary training in the protection of personal data

Subcontracting: The processor may use another processor (hereinafter, “the subsequent processor”) to carry out specific processing activities. In this case, it informs the data controller in advance and in writing of any planned change concerning the addition or replacement of other subcontractors. This information must clearly indicate the subcontracted processing activities, the identity and contact details of the subcontractor and the dates of the subcontract. The data controller has a minimum period of 15 days from the date of receipt of this information to present his objections. This subcontracting can only be carried out if the data controller has not objected within the agreed period.

Right to information of data subjects: Depending on whether the information is collected by the data controller or the processor, it is the responsibility of the data controller or the processor, respectively, to provide the information to the people concerned by the processing operations at the time of data collection.

Exercise of personal rights: As far as possible, the subcontractor must help the controller to fulfill his obligation to respond to requests to exercise the rights of data subjects: right of access, rectification, erasure and 'opposition, right to restriction of processing, right to data portability, right not to be the subject of an individual automated decision (including profiling). When the data subjects make requests to the subcontractor to exercise their rights, the subcontractor must send these requests as soon as they are received by email to a contact within the data controller whose contact details appear in the annex to the contract.

Notification of personal data breaches: The processor notifies the data controller of any personal data breach within a maximum of 24 hours after becoming aware of it and by e-mail sent to a contact within the data controller whose contact details appear in the annex to the contract. . This notification is accompanied by any useful documentation to enable the controller, if necessary, to notify this violation to the competent supervisory authority.

After agreement of the controller, the subcontractor notifies the competent control authority (the CNIL), in the name and on behalf of the controller, of the personal data breaches as soon as possible and, if possible 72 hours at the latest after becoming aware of it, unless the violation in question is not likely to create a risk for the rights and freedoms of individuals.

The notification contains at least:

  • Description of the nature of the personal data breach including, where possible, the categories and approximate number of persons affected by the breach and the categories and approximate number of personal data records affected;
  • The name and contact details of the data protection officer or other point of contact from which further information can be obtained;
  • Description of the likely consequences of the personal data breach;
  • A description of the measures taken or that the controller proposes to take to remedy the personal data breach, including, where applicable, measures to mitigate any negative consequences. If, and to the extent that it is not possible to provide all of this information at the same time, the information may be communicated in stages without undue delay.

Help from the subcontractor in the context of compliance by the controller with its obligations: The processor helps the data controller to carry out:

  • Impact assessments relating to data protection
  • Prior consultation of the supervisory authority.

Security measures: The subcontractor undertakes to implement the following security measures:

  • Personal data stored in the database is encrypted using AES256.
  • Data stored as an image on the file system is encrypted using AES256.
  • As soon as the data is no longer needed, it is immediately deleted.
  • Technical traces do not contain personal information.
  • The data in transit is protected by TLS connections.
  • External access to the service is protected by security equipment, the configurations of which are periodically audited.
  • The data that are kept in the database (for the duration of their processing or during their period of use for the data controller) are kept in a replicated database allowing service to be reassembled in the event of a failure of one of the nodes. In the event of a failure on all nodes, a Business Continuity Plan is triggered and uses the last daily encrypted data backup.
  • The data processing nodes are redundant so that the service can be provided even in the event of a failure of one of the nodes.
  • The service as a whole is supervised in real time and an automatic alert system is in place to inform the system administrators of any anomaly in the rendering of the service.
  • Access to servers is restricted to identified personnel. All their actions on these servers are recorded in unalterable logs.
  • An annual audit of the service verifies compliance with procedures and vigilance measures.

Note : the data is not anonymized / pseudonymized since the purpose of the service is to validate the identity of the end user.s

Data fate: At the end of the provision of services relating to the processing of this data, the subcontractor undertakes to return then to destroy all the personal data to the controller.

  • The return must be accompanied by the destruction of all existing copies in the information systems of the subcontractor.
  • As the subcontractor uses learning and automatic processing algorithms that he develops himself, he is authorized by the data controller to keep data for the purposes of improving said algorithms. The stored data is used by a dedicated team of the subcontractor, all of whose members have signed a specific confidentiality obligation. The stored data is not accessible outside the internal information system of the subcontractor.

Data protection officer: The processor communicates to the data controller the name and contact details of his data protection officer, if he has appointed one in accordance with Article 37 of the European data protection regulation.

Register of processing activity categories: The processor declares to keep in writing a register of all categories of processing activities carried out on behalf of the controller, including:

  • The name and contact details of the data controller on whose behalf they are acting, any subcontractors and, where applicable, the data protection officer;
  • The categories of processing carried out on behalf of the controller;
  • Where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or that international organization and, in the case of transfers referred to in Article 49, paragraph 1, second paragraph of the European data protection regulation, the documents attesting to the existence of appropriate guarantees
  • To the extent possible, a general description of the technical and organizational security measures, including but not limited to, as required:
    • Pseudonymization and encryption of personal data; or means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
    • Means to restore the availability of personal data and access to them within appropriate time limits in the event of a physical or technical incident; or a procedure to test, analyze and regularly evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.

Documentation: The processor provides the data controller with the necessary documentation to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the data controller or another auditor that it has mandated, and contribute to these audits.

V. Obligations of the controller regarding the processor

The data controller undertakes to:

  • Provide the subcontractor with the data referred to in II of these clauses
  • Document in writing any instructions regarding the processing of data by the processor
  • Ensure, beforehand and throughout the duration of the processing, compliance with the obligations provided for by the European data protection regulation on the part of the processor
  • Supervise the processing, including performing audits and inspections on the processor