Subcontracting clauses complementing TRACKFORCE’s Terms and Conditions of Sale

Updated 1 May, 2018

The software solutions marketed by Trackforce are designed and developed internally, without any use of subcontracting. However, Trackforce may need to approach third-party companies for certain services such as data hosting or the provision of dedicated software such as customer relationship management, sales management, sales force, production management, or project management.

These subcontracting Clauses therefore define the conditions under which Trackforce may either entrust these types of services to third party subcontractors, or execute itself, as a Subcontractor, the services on behalf of the Client Data Controller according to European Regulation no. 2016/679 of 27 April 2016 on the protection of personal data as of its entry into force on 25 May 2018 (hereinafter the “GDPR”).

As a result, these Subcontracting Clauses supplement the Trackforce Terms and Conditions of Sale as regards subcontracting as set out below.

Clause no. 1: Subcontracting between TRACKFORCE and third party subcontractors

The Client expressly authorizes TRACKFORCE to subcontract all or part of the services stipulated in the CGV to any third party subcontractor of its choice.

The purchase by the Client of the Goods listed and marketed in TRACKFORCE’s CGV implies acceptance by the Client of the Subcontractor’s terms and conditions of services.

It is TRACKFORCE’s responsibility to ensure that the chosen Subcontractor provides sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR.

Clause no. 2: Subcontracting between TRACKFORCE and the Client

Pursuant to this article 2, TRACKFORCE is the Subcontractor and the Client is the Data Controller as defined in the GDPR for all personal data processed by TRACKFORCE on behalf of the Client pursuant to TRACKFORCE’s CGV.

Clause no. 2-1: Subject

The purpose of this Clause 2.1 and its subsections is to define the conditions under which TRACKFORCE (acting as the Client’s Subcontractor) undertakes to perform on behalf of the Client (acting as Data Controller) the personal data processing operations defined below.

As part of their contractual relations, the Parties undertake to respect the regulations in force applicable to the processing of personal data and, in particular, the mandatory GDPR as of 25 May, 2018.

Clause no. 2-2: Processing on instructions

TRACKFORCE and any person acting under its authority, having access to the Client’s personal data, undertake to process such data only on the Client’s documented instructions, including, if need be, the transfer of such data to a third country or to an international organization, unless TRACKFORCE is required to do so under European Union law or the law of the Member State to which TRACKFORCE is subject. In this case, TRACKFORCE informs the Client of this legal obligation prior to processing, unless the law concerned prohibits such information for important reasons of public interest.

TRACKFORCE will inform the Client immediately if, according to TRACKFORCE, a Client’s instruction constitutes a breach of European Legislation relating to the protection of personal data.

Clause no. 2-3: Description of the subcontracted process

TRACKFORCE is authorized to process on behalf of the Client the personal data necessary to provide the service(s) defined by mutual agreement between the Parties, including the duration of the processing, its nature and purpose, its type and the categories of individuals concerned, and the obligations and rights of the Client as the Data Controller.

Clause no. 2-4: Obligations of the TRACKFORCE Subcontractor to the Client Data Controller

As a Subcontractor for the data involved in the Subcontracting, TRACKFORCE undertakes to:

  • Process the personal data in question only for the sole purpose(s) which is/are the subject of the subcontracting.
  • Process the data in accordance with the documented instructions of the Client Data Controller.
  • Guarantee the confidentiality of the personal data processed.
  • Ensure that persons authorized to process personal data under this agreement (i) undertake to respect confidentiality or are subject to an appropriate legal duty of confidentiality and (ii) receive the necessary training in the protection of personal data.
  • Take into account, in terms of tools, products, applications or services, the principles of data protection from the design stage and the protection of data by default.

Clause no. 2-5: 2nd rank subcontracting

As a subcontractor for data involved in Subcontracting, TRACKFORCE may use another subcontractor (hereinafter, the “2nd rank subcontractor”) to conduct specific processing activities.

In this case, TRACKFORCE informs the Data Controller in advance and in writing of any proposed change regarding the addition or replacement of other subcontractors. This information must clearly indicate the subcontracted processing activities, the subcontractor’s identity and contact information, and the dates of the subcontracting agreement. The Data Controller has a period of 10 (ten) days from the date of receipt of this information to present his objections. This subcontracting can only be done if the Data Controller has not objected within the agreed period.

The 2nd rank subcontractor is required to comply with the obligations of this agreement on behalf of and in accordance with the Data Controller’s instructions. It is the responsibility of the Subcontractor to ensure that the 2nd rank Subcontractor provides sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR. If the 2nd rank Subcontractor does not fulfil its data protection obligations, the original subcontractor remains fully responsible to the Data Controller for performance of its obligations.

Clause no. 2-6: Right of information of the people concerned

It is the responsibility of the Client Data Controller to provide information to those involved in the processing operations at the time of data collection.

Clause no. 2-7: Exercising personal rights

Whenever possible, TRACKFORCE, as a Subcontractor, will assist the Client Data Controller in fulfilling his obligation to respond to requests for exercise of the rights of persons involved: right of access, rectification, erasure and opposition, right to limitation of processing, right to data portability, right not to be the subject of an individual automated decision (including profiling).

When the persons concerned present the TRACKFORCE Subcontractor with requests to exercise their rights, TRACKFORCE must send these requests as soon as they are received by email to the Client’s email address as shown on its profile.

Clause no. 2-8: Notification of personal data breaches

As a subcontractor, TRACKFORCE will notify the Client Data Controller of any personal data breaches as soon as possible in accordance with article 34 of the GDPR, after having read it, and by e-mail to the Client’s contact e-mail address as shown on its profile.

This notification will be accompanied by all relevant documentation to enable the Client Data Controller, if necessary, to notify this breach to the competent supervisory authority, in this case the National Data Protection Commission (CNPD) as regards Luxembourg.

Clause no. 2-9: Help from the TRACKFORCE Subcontractor as part of compliance by the Client Data Controller with its obligations

As a Subcontractor, TRACKFORCE will assist the Client Data Controller in producing impact analyses relating to data protection and prior consultation of the supervisory authority.

The services set out in this Clause 2-9 will be provided by TRACKFORCE under the particular financial and time conditions to be agreed in advance between the Client and TRACKFORCE.

Clause no. 2-10: Security measures

Insofar as article 32 of the GDPR stipulates that the implementation of security measures is the responsibility of the Data Controller and the subcontractor, each Party undertakes, insofar as the personal data for which it is responsible is involved, to instigate technical and organizational security measures guaranteeing a level of security consistent with the risk, including, inter alia, according to needs:

  • Pseudonymisation and encryption of personal data;
  • Means to ensure the confidentiality, integrity, availability and resilience of data processing systems and services;
  • Means to restore the availability of personal data and access to it in good time in the event of a physical or technical incident;
  • A procedure to test, analyse and assess regularly the effectiveness of technical and organizational measures to ensure data processing security.

The application of an approved code of conduct as stipulated in section 40 of the GDPR or an approved certification mechanism as stipulated in section 42 of the GDPR may be used as an element to demonstrate compliance with the prescribed safety requirements of paragraph 1 of article 32 of the GDPR as recalled above.

Clause no. 2-11: Fate of data

TRACKFORCE undertakes to destroy personal data at the end of its retention period determined according to the nature of said data, it being recalled that the Client must regularly make its own backups using the software tools made available on the Guardtek Platform.

Clause no. 2-12: Data Protection Officer

In its capacity as Subcontractor, TRACKFORCE communicates to the Client Data Controller the name and contact details of its Data Protection Officer, hereinafter “DPO”, designated in accordance with article 37 of the GDPR, if the Client requests it.

Clause no. 2-13: Processing activity categories register

As a Subcontractor, TRACKFORCE declares it will keep in writing a register of all categories of processing activities performed on behalf of the Client Data Controller, including:

  • The name and contact details of the Client Data Controller, on behalf of whom the TRACKFORCE Subcontractor acts, any second-ranking Subcontractors and, where applicable, the Data Protection Officer;
  • The categories of processes performed on behalf of the Client Data Controller;
  • Where appropriate, transfers of personal data to a third country or to an international organization, including identification of this third country or international organization and, in the case of transfers listed in article 49 paragraph 1, second sub-paragraph of the GDPR, documents certifying the existence of appropriate guarantees;
  • As far as possible, a general description of technical and organizational security measures, including inter alia, as appropriate (i) pseudonymisation and encryption of personal data; (ii) ways to ensure ongoing confidentiality, integrity, availability and resilience of data processing systems and services; (iii) means of restoring the availability of and access to personal data in good time in the event of a physical or technical incident; (iv) a procedure to test, analyse and regularly evaluate the effectiveness of technical and organizational measures to ensure data processing security.

Clause no. 2-14: Documentation

As a Subcontractor, TRACKFORCE makes available to the Client Data Controller the necessary documentation to demonstrate compliance with all its obligations and to perform audits, including inspections, by the Client Data Controller or another auditor it may have appointed, and contribute to these audits.

Clause no. 3: Obligations of the Client Data Controller to the TRACKFORCE Subcontractor

As a Data Controller, the Client undertakes to:

  • Provide the TRACKFORCE Subcontractor with the information and data listed in Clause 2-3 hereof.
  • Document in writing any instructions regarding the processing of data by the TRACKFORCE Subcontractor.
  • Ensure, in advance and throughout the duration of the processing, compliance by the TRACKFORCE Subcontractor with the obligations stipulated by the GDPR.
  • Supervise the data processing, including conducting audits and inspections with the TRACKFORCE Subcontractor.

Clause no. 4: Maintenance of non-contrary provisions of TRACKFORCE’s CGV

These Subcontracting Clauses supplement TRACKFORCE’s Terms and Conditions of Sale, the non-contrary provisions of which remain applicable.