Privacy Statement SaaS Jalios

This Agreement (hereinafter referred to as the "Agreement") determines the conditions under which the parties undertake to process personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as the "GDPR" or "European Data Protection Regulation") as well as production data entrusted by the Processor in the context of the provision of Jalios' SaaS application services.

The purpose of the Agreement is to define the obligations incumbent on Jalios in the context of the processing of personal data and production data on which the provision of services as defined by Jalios is based, including in particular the obligations with regard to data security and confidentiality.

The parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as of 25 May 2018 (hereinafter, "the European Data Protection Regulation").

 

I- Description of the processing subject to the subcontracting

Jalios is authorized to process on behalf of the data controller the personal data necessary to provide the installation and maintenance of JPlatform Cloud, Digital Workplace grouping together 6 major families of functionalities:

  • Corporate social network
  • Collaborative spaces
  • Document management
  • Content management
  • Portal
  • Social Learning (optional)

For the performance of the service covered by this agreement, the data controller provides Jalios with administrator-mode access to the Customer's platform.

The complete description of the processing is detailed in the appendix.

 

II- Obligations of the processor towards the controller

The Processor undertakes to:

1 - Process the data only for the sole purpose(s) for which the data are processed;

2 - Process the data in accordance with the documented instructions of the data controller set forth in the appendix to this agreement.

If the Processor considers that an instruction constitutes a breach of the European Data Protection Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the Controller. In addition, if the processor is required to transfer data to a third country or to an international organization under Union law or the law of the Member State to which it is subject, it must inform the controller of this legal obligation prior to the processing, unless the law concerned prohibits such information on important grounds of public interest.

3 - Guarantee the confidentiality of personal data processed under this agreement.

4 - Ensure that persons authorized to process personal data under this agreement:

  • Are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality;
  • Receive the necessary training in the protection of personal data.

5 - Consider the principles of data protection by design and data protection by default for its tools, products, applications or services.

6 - Subcontracting

Jalios may engage another processor (hereinafter, "the sub-processor") to carry out specific processing activities. In this case, the processor shall inform the controller in advance and in writing of any planned changes regarding the addition or replacement of further processors.

This information must clearly indicate the processing activities outsourced, the identity and contact details of the processor and the dates of the outsourcing agreement. The data controller has a minimum of 15 days from the date of receipt of this information to present its objections. This subcontracting can only be carried out if the controller has not raised any objections within the agreed period.

Jalios is obliged to fulfil the obligations of this agreement on behalf of and according to the instructions of the controller. It is the responsibility of the original processor to ensure that the subsequent sub-processor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the European Data Protection Regulation. If the sub-processor fails to fulfil its data protection obligations, the original processor remains fully responsible to the controller for the other processor's performance of its obligations.

7 - Right to information of data subjects

It is the responsibility of the data controller to provide information to the data subjects of the processing operations at the time of data collection.

8 - Exercise of the rights of data subjects

To the extent possible, the processor must assist the controller in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

Where data subjects make requests to the processor to exercise their rights, the processor must send such requests upon receipt by email to pdo@customer.com.

9 - Notification of personal data breaches

The processor shall notify the controller of any personal data breach within a maximum of 72 hours of becoming aware of it by email or post. This notification shall be accompanied by any useful documentation in order to allow the controller, if necessary, to notify the breach to the competent supervisory authority.

The notification shall contain at least:

  • A description of the nature of the personal data breach including, if possible, the categories and approximate number of individuals affected by the breach and the categories and approximate number of personal data records affected;
  • The name and contact details of the Data Protection Officer or other point of contact from whom further information can be obtained;
  • A description of the likely consequences of the personal data breach;
  • A description of the measures taken or proposed to be taken by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any negative consequences.

If and to the extent that it is not possible to provide all of this information at the same time, the information may be provided in a staggered manner without undue delay.

For security purposes and in order to comply with the GDPR, we invite you to inform your business contact of your CISO and DPO contacts (name, first name and email). These contacts will be alerted of any personal data breach and of the availability of security patches that Jalios will apply to the Customer's SaaS platform.

10 - Assistance of the processor in the compliance of the controller with its obligations

The processor assists the controller in carrying out data protection impact assessments.

The processor assists the controller in carrying out the prior consultation with the supervisory authority.

11 - Security measures

The processor undertakes to implement and maintain at its own expense appropriate technical and organizational measures relating to the processing of data within the framework of the services provided:

  • In such a way that the processing complies with the security requirements defined by the data protection laws and guarantees the protection of the rights of the data subjects;
  • To ensure a level of security with respect to the Protected Data processed by it as a Processor that is appropriate to the risks posed by the processing, in particular to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

12 - Fate of data

At the end of the use of the Jalios SaaS application, Jalios must return all the Data collected and produced in the course of providing the application services to Jalios or delete them, in accordance with the provisions of article "11.6 Reversibility" of the agreement.

13 - Data Protection Officer

The Data Protection Officer of Jalios can be contacted by email at gdpr@jalios.com, in accordance with Article 37 of the European Data Protection Regulation.

14 - Register of categories of processing activities 

The Processor declares to keep a written record of all categories of processing activities performed on behalf of the Controller including:

  • The name and contact details of the controller on whose behalf it is acting, any subcontractors and, where applicable, the data protection officer;
  • The categories of processing carried out on behalf of the controller;
  • Where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European Data Protection Regulation, the documents attesting to the existence of appropriate safeguards;
  • To the extent possible, a general description of the technical and organizational security measures, including inter alia, as appropriate:
    • Pseudonymization and encryption of personal data;
    • Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
    • Means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
    • A procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

15 - Documentation

The Processor shall make available to the Controller the documentation necessary to demonstrate compliance with all of its obligations and to enable and assist in audits, including inspections, by the Controller or another auditor appointed by the Controller.

16 - Third-party services

The Jalios publisher cannot make any commitment for third-party services for which Jalios provides a connector and for which the customer has signed a direct contract. It is up to the customer to prohibit or limit their use. For information, the main third-party services offered by the Jalios service (as standard or as an option) are Office 365, Skype for Business, Google Drive, Google Analytics, Google Maps, Kofax Capture, Lecko RSE Analytics, Universign, XiTi, Momindum, etc.

 

III- Obligations of the data controller towards the processor

The data controller (Article 4.7 GDPR) undertakes, prior to any use of the SaaS Service and throughout the duration of the use of the Jalios application, to:

  • Provide the Data Processor with the data referred to in II of these clauses
  • Document in writing any instructions concerning the processing of data by Jalios
  • Ensure, in advance and throughout the duration of the processing, that the processor complies with its obligations under the European Data Protection Regulation
  • Supervise the processing, including conducting audits and inspections of the processor
  • Collect and process the Customer's personal data in a lawful, fair and transparent manner, for specific, explicit and legitimate purposes that the data controller alone determines and that Jalios cannot know about.
  • Prove that it has previously informed (art. 12 GDPR) the persons whose personal data it processes of all its obligations towards them (in particular the determination of the legal basis of its processing and its precise purposes)
  • Inform the data subjects that their rights (art. 15 to 22 GDPR) must be exercised directly with the Customer and not with Jalios.