Smartcom – 2025 – Data Protection Agreement
1. Introduction
This Data Protection Agreement (hereinafter the “Agreement”) governs the use of the personal data of the Client (hereinafter the “Client”) by Smartcom SAS (hereinafter the “Processor” or “Smartcom SAS”) when the Client uses the FiLIP and FiLIP Generic services (hereinafter the “Service”).
2. Definitions
All terms such as “adequacy decision,” “technical and organizational measures,” “data subjects,” “privacy by design,” “privacy by default,” etc., are defined in Articles 4 and following of the GDPR.
Key terms include:
- Agreement: The annex to the Contract governing personal data usage per GDPR Article 28.
- DPIA (AIPD in French): Data protection impact assessment used to evaluate the proportionality of, and the risks related to, a data processing operation.
- Anonymization: Processing that irreversibly renders identification of data subjects impossible.
- Supervisory Authority: The GDPR authority responsible for monitoring the Processor.
- Client: The entity subscribing to the Service provided by the Processor.
3. Contractual Relationships and Duration
The Agreement is an indivisible annex to the Contract signed between the Client and the Processor for the use of the Service. In case of conflict between the Service Contract and the Agreement, the obligations under this Agreement take precedence regarding GDPR compliance. The Agreement remains valid for the duration of the Service Contract and beyond, as long as its obligations apply.
4. Roles of the Parties and Scope
Under the Agreement, the Client is the data controller, and Smartcom SAS acts as the data processor according to Article 28 of the GDPR. The Parties are not joint controllers. However, in case of misclassification, they agree to amend the Agreement accordingly. This Agreement governs only personal data processing done as a processor, excluding processing as a controller by Smartcom SAS (which is covered under the Contract).
5. Instructions and Commitments
The Processor commits to processing personal data only per documented instructions detailed in the annex. If instructions are deemed illegal, the Processor must inform the Client, who assumes full responsibility if proceeding. The Processor agrees to comply with the GDPR, maintain a processing register, and develop the Service following privacy by design and default principles. Personal data will not be used for the Processor’s own interest or transferred for reasons outside the Service. All staff handling data are bound by legal obligations and trained regularly. Security measures are implemented per annex specifications. The Processor is not liable for the Client’s own GDPR violations when acting as a data controller.
6. Assistance with DPIAs
DPIAs must be conducted by the Client as required by the GDPR. However, upon written request, the Processor will provide necessary information for the Client to carry out a DPIA. The Processor is not required to perform DPIAs on behalf of the Client. Any additional requests may be declined.
7. Assistance with Data Subject Requests
Requests from end users are forwarded to the Client promptly. The Processor is not responsible for maintaining a registry of such requests or for Client failures in handling them. Upon written request, the Processor will perform the necessary technical actions to allow the Client to fulfill its obligations. The Processor will not manage data subject requests on behalf of the Client. Any such request will be refused. Requests addressed to the Processor as a data controller will be handled directly and not shared with the Client.
8. Assistance with Security Measures
The Processor agrees to provide all necessary information on the technical and organizational security measures implemented to protect the Client’s personal data.
9. Personal Data Breaches
The Processor will notify the Client of any personal data breach related to the Service within 48 business hours. All relevant details will be shared to mitigate the impact. The Client’s 72-hour breach notification window starts upon their own knowledge of the breach. The Processor will not contact supervisory authorities or end users on the Client’s behalf.
10. Subprocessors
The Client gives general authorization for the use of subprocessors, provided the Client is informed and can raise objections within 8 days. If the objection is valid, options include removing the subprocessor, implementing additional security, or terminating the Service. Objections must be objective, serious, and justified. Valid grounds include competition, legal dispute, regulatory penalties, or lack of compliance with international transfer rules. Only subprocessors offering adequate data protection guarantees will be engaged, and they must adhere to obligations equivalent to this Agreement. The Processor remains liable, within Contractual limits, for subprocessors’ GDPR violations.
11. Hosting and Transfers Outside the European Union
a) Data Hosting
The Processor agrees to host the Client’s personal data exclusively within an EU member state. The Client authorizes the Processor to choose the specific member state. If hosting occurs outside the EU, prior Client approval is required, along with implementation of standard contractual clauses and additional safeguards.
b) Data Transfers
The Client gives general authorization for data transfers outside the EU if: (i) subprocessors comply with GDPR; and (ii) the transfer is to a country with an adequacy decision or protected by appropriate safeguards (e.g., standard contractual clauses). For transfers to non-democratic countries, technical safeguards are mandatory.
12. Data Retention and Handling of Client Personal Data
The Processor will retain the Client’s personal data only for the duration of use of the Service, as set out in the annex, and will delete it after termination of the Contract. Upon written request, the Processor will certify the deletion. The Client must retrieve its personal data before the Agreement ends; otherwise, the deletion is final and irreversible. The Processor is not liable for any loss of data following deletion. The Client accepts anonymization as a valid method of deletion, which allows the Processor to retain anonymized data in order to improve the Service. The return of data under the GDPR does not amount to reversibility (migration of the data or the Service to another processor), and requests for such reversibility will be refused.
13. Audits
The Client may perform a written audit (questionnaire) once a year. The Processor’s response acts as a sworn declaration, and the Processor must respond promptly. The Client may also conduct an on-site audit (once a year and at its own expense) in the event of a data breach caused by a proven fault of the Processor that results in justifiable harm. A third-party auditor may be designated, subject to 30 days’ notice and to conditions ensuring the absence of any conflict of interest. The Processor may refuse access to sensitive areas but will carry out the corresponding part of the audit itself and report the results. If non-compliance is found, the Processor must immediately correct the issue at its own cost. Disputes may be resolved through meetings between the Parties, arbitration by the supervisory authority, or review by an independent expert.
14. Cooperation with Authorities
The Processor commits to cooperating with the CNIL (the French supervisory authority) and to promptly informing the Client of any official request concerning the Client’s data.
15. Contact
Each Party designates a contact for all notifications related to this Agreement.
Smartcom has appointed Dipeeo SAS as its Data Protection Officer (DPO):
Email: dpo@smartcom.com
Mailing address: Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
Phone: +33 (0)1 59 06 81 85
16. Revisions
The Processor reserves the right to amend this Agreement in case of regulatory changes or modifications to the Service affecting its terms.
Certified as compliant by Dipeeo ®