These Undertakings are applicable to any and all AXSMarine Clients falling under GDPR regulations. They form a binding part of the Agreement.
These Data Processing Undertakings (the “Undertakings”) engage both AXSMarine S.A.S. (hereinafter defined as “AXSMarine” or the “data processor” or “we”), a limited liability company whose registered office is situated at CB21, 16 place de l’Iris, 92040 Paris La Défense Cedex, France, having a company identification number 431 720 010 R.C.S. Paris, and the Client as defined in AXSMarine General Terms and Conditions AXSMarine GT&C (the “Client” or the “data controller” or “you”). Each individually referred to as a “Party” or collectively as the “Parties”.
“Data Protection Law(s)” means (a) EU or Member State laws applicable to any Client Personal Data in respect of which AXSMarine is subject including, without limitation, the GDPR for so long as it remains in legal effect; and (b) any other Applicable Law with respect to Client Personal Data in respect of which is subject.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
“Personal Data” means any information relating to an identified or identifiable natural person.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processed” shall have an equivalent meaning.
Both Parties will comply with all applicable requirements of the Data Protection Laws, it being acknowledged and agreed that these Undertakings are in addition to, and do not relieve, remove or replace, a Party's obligations under the Data Protection Laws.
For the purposes of the Data Protection Laws, we process personal data on the Client’s behalf as a data processor.
3.1 We hereby confirm that, in our capacity as a data processor, the nature and purpose of the processing is to supply professional services as the Client may instruct.
3.2 For so long as AXSMarine is processing personal data on the Client’s behalf in a capacity as data processor, the Client will:
(a) be the data controller for the purposes of Data Protection Laws;
(b) deliver to AXSMarine in writing any details needed about the types of personal data that it provides to AXSMarine for processing from time to time (inclusive of details about any special categories of personal data);
(c) ensure that it has secured all necessary appropriate consents, registrations, and notifications as may be required to enable the lawful transfer of the personal data to AXSMarine in order for AXSMarine to process such personal data to the extent required for, and for the duration of, our provision of services to the Client;
3.3 in relation to any personal data processed by AXSMarine where we are acting in the capacity as data processor, without prejudice to our rights and obligations where we are a data controller, we shall:
(a) process that personal data on the Client’s reasonable and lawfully written instructions where provided unless we are required otherwise under any applicable law. Where we are relying on applicable law as the basis for processing personal data outside of the Client’s instructions, we shall promptly notify the Client of this unless such laws prohibit AXSMarine from doing so;
(c) have in place appropriate technical and organizational measures to ensure a level of security appropriate to the data security risks presented by processing such Personal Data, (those measures may include, where appropriate, encrypting personal data, ensuring confidentiality, integrity, availability, and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by AXSMarine);
(d) regularly review and update the technical and organizational measures implemented in order to process the personal data in accordance with the Data Protection Laws;
(e) ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
(f) put in place appropriate safeguards to protect the personal data including (without limitation), executing with the Clients such further documentation as may be necessary for the transfers to be lawful, such as standard contractual clauses in the form approved by the European Commission as such contractual clauses are from time to time amended and updated;
(g) put in place enforceable data subject rights and effective legal remedies for data subjects as required by the Data Protection Laws;
(h) notify the Client within 48 hours on becoming aware of a Personal Data Breach.
(i) promptly inform the Client of any complaints, requests or inquiries received from data subjects, including but not limited to requests to access, correct, delete, block or restrict access to their personal data or receive a machine-readable copy thereof;
(j) at the Client’s request and sole cost, assist the Client in responding to any request from a data subject with respect to any complaints, requests or inquiries, and assist the Client with the compliance of the Client’s obligations according to article 32-36 of the GDPR, including security breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(k) immediately inform the Client if, in the data processor’s opinion, an instruction infringes Data Protection Laws;
(l) at the Client’s written direction, delete or return personal data and copies thereof to the Client on termination of the Agreement (as defined in AXSMarine General Terms and Conditions AXSMarine GT&C) unless we are separately a data controller of such information or are required by applicable law to retain the personal data.
(m) allow for limited audits, at the Client’s sole cost (including in respect of any of our own associated costs), which shall be strictly limited to the specific documents or information or part of any document or information that are reasonably necessary to demonstrate our compliance with the obligations of the Data Protection Laws as they directly relate to personal data that the Client is the data controller of. Such audits shall be carried out no more than once in any twelve-month period by the Client or such designated auditor that we are satisfied is not our competitor (as we determine, acting reasonably) and audits shall be on not less than 30 business days’ notice on a date agreed with AXSMarine and shall be carried out during normal working hours on a business day and shall not unreasonably disturb our operations; and
(n) maintain a written record of processing activities to demonstrate our compliance with paragraph 3, which shall include, as a minimum:
(i) the Client’s name and contact details, the Client’s representative and/or data protection officer or other privacy manager or officer (each where applicable);
(ii) the categories of data that we are processing for the Client;
(iii) the purpose of the processing;
(iv) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
(v) any transfers of personal data to a third country or an international organization (where applicable) and details of the suitable safeguards in place; and
(vi) the technical and organizational security measures in the form of a general description.
(vii) the list of the data processor sub-contractors to whom the data have been disclosed. Upon request of the Client, the data processor shall make such list available to the Client.
4.1 Where the Client submits personal data to AXSMarine from within the European Economic Area (EEA), such information may be consulted and/or processed by AXSMarine from countries outside the EEA. By way of example, this may happen where one or more of our employees with whom we share personal data might be located outside the Client’s country or the country from which the data were provided.
4.2 The Client consents to AXSMarine appointing third-party suppliers who may be located, or have their servers located, outside of the EEA. We confirm that we have entered or (as the case may be) will enter with the third-party processor into a written agreement reflecting the applicable Data Protection Laws.
4.3 As between the Client and AXSMarine, we may remain liable for acts or omissions of any third-party processor appointed by AXSMarine. However, please note that where the Client enters into a contract directly with any third parties, they may have their own privacy policies and terms and conditions, which we have no control over, accept no responsibility for, and shall have no liability for.
These Undertakings and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the applicable provisions of AXSMarine General Terms and Conditions AXSMarine GT&C.
6.1 As technologies and information governance practices develop, and data privacy laws (and surrounding guidance) evolve, we may need to revise and amend these Undertakings. If the amendments are significant or may materially impact upon the Client’s rights, we will provide a more prominent notice or contact the Client by other means (including, for certain services, email notification of Privacy Notice changes).
Last Updated: 22/10/2019