Data Processing Agreement (DPA)
Last updated: [DATE]
Parties and purpose
This data processing agreement (DPA) is entered into between the business Customer using the Service (the Controller) and [LEGAL NAME], the publisher of the Mon Carnet Client software (the Processor). Within the meaning of Article 28 GDPR, it governs the Processor's processing of the Controller's end customers' personal data, on behalf of and on the instructions of the Controller, in connection with providing the Service. It forms an integral part of the business terms of service.
Roles of the parties
The Controller determines the purposes and means of processing its end customers' data and is accountable for it. The Processor processes that data solely to provide the Service, in accordance with the Controller's documented instructions. The Processor never acts as controller of that data and does not use it for its own purposes.
Nature, purpose and duration of processing
The nature of the processing is the collection, recording, hosting, consultation, organisation and, at the end of the contract, deletion of data. Its purpose is to run a digital loyalty programme: issuing and managing Apple/Google Wallet cards, counting stamps, points and visits, granting rewards and, subject to consent obtained by the Controller, delivering marketing communications via wallet push notifications, to the exclusion of any marketing email or SMS. The processing lasts for the duration of the contractual relationship between the parties.
Categories of data and data subjects
The data subjects are the Controller's end customers (consumers). The categories of data processed are: first name, last name, date of birth, preferred language, loyalty balance (stamps, points, visits), and consents (acceptance of terms and marketing consent) with their timestamp and source. No data falling within the special categories under Article 9 GDPR is required by the Service; the Controller must not introduce any.
Documented instructions
The Processor processes the data only on the Controller's documented instructions, as expressed through the use of the Service's features, this DPA and the terms of service. If the Processor considers that an instruction infringes the GDPR or another applicable provision, it informs the Controller. The Processor informs the Controller if it is required by Union or Member State law to carry out processing, unless legally prohibited from doing so.
Confidentiality
The Processor ensures that persons authorised to process the data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to the data is limited to staff members who need it to provide the Service.
Security measures
The Processor implements the appropriate technical and organisational measures required by Article 32 GDPR, in particular: encryption of data in transit, access control and logging, environment segregation, permission management, regular backups, and continuity and recovery procedures. Erasure of end customers' data is implemented through anonymisation: deletion of identifying data (name, email, phone) and freezing of the account, while a non-identifying history (visits, rewards) may be kept for the Controller's statistical purposes. The detailed list of measures is set out in [SECURITY ANNEX TO BE COMPLETED].
Sub-processors
The Controller authorises the Processor to use sub-processors to provide the Service. As at the date of this DPA, these are: Stripe (billing), Cloudinary (hosting of pass images), [TRANSACTIONAL EMAIL PROVIDER], Apple Wallet and Google Wallet (issuance and notifications of cards), and [HOSTING PROVIDER] (PostgreSQL database). The Processor imposes on each sub-processor data-protection obligations equivalent to those in this DPA and remains liable to the Controller for their performance. It informs the Controller of any intended change of sub-processor, giving it the opportunity to object.
Transfers outside the European Union
Some sub-processors may process data outside the European Union. In that case, the Processor ensures that such transfers are framed by a mechanism recognised by the GDPR (adequacy decision, the European Commission's standard contractual clauses, or equivalent safeguards together with the necessary supplementary measures). [NON-EU TRANSFERS AND SAFEGUARDS TO BE CONFIRMED PER SUB-PROCESSOR]
Assistance with data-subject requests
The Processor assists the Controller, by appropriate technical and organisational measures and insofar as possible, in responding to requests to exercise data-subject rights (access, rectification, erasure, restriction, portability, objection, withdrawal of marketing consent). To this end, the Service includes features allowing marketing unsubscribe and erasure through anonymisation, which can be triggered by the end customer from their card (dedicated erasure page) or by the Controller from the back office.
Assistance with compliance
The Processor assists the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR (security, breach notification, communication to data subjects, impact assessment and prior consultation), taking into account the nature of the processing and the information available to it.
Personal data breach notification
The Processor notifies the Controller of any personal data breach without undue delay after becoming aware of it, and at the latest within [NOTIFICATION DEADLINE, e.g. 48 or 72 hours]. The notification describes, as far as possible, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. It is for the Controller to make, where applicable, the notification to the CNIL and the communication to data subjects.
Return and deletion of data at the end of the contract
At the end of the service, and at the Controller's choice, the Processor returns the data in a usable format or deletes it, together with existing copies, within [RETURN/DELETION DEADLINE] after the end of the contract, unless there is a legal obligation to retain it. Once that period has elapsed and the data has been returned where applicable, the Processor proceeds with its definitive deletion.
Audits
The Processor makes available to the Controller the information necessary to demonstrate compliance with the obligations of Article 28 GDPR and allows for audits, including inspections, by the Controller or a mandated auditor, on reasonable terms, subject to reasonable notice, respect for the confidentiality and security of the Service, and the arrangements set out in [AUDIT ARRANGEMENTS TO BE COMPLETED].