Personal data processing agreement

This subcontracting agreement applies to any customer who has authorized KAVKOM to process on its behalf the personal data processed within the business telephony and customer relationship management software solutions published by Kavkom (hereafter the “Solution”) and used by the customer following his order and his acceptance of the general conditions of sale of Kavkom.

In this context, Kavkom will process personal data for which the customer is the data controller, and will accordingly act solely on the customer's instructions, in keeping with Kavkom's role as processor under the regulations applicable to the protection of personal data.

For this contract, the terms “processing,” “controller,” “subcontractor,” “data subjects,” and “personal data” have the meaning given by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data (hereinafter, the “GDPR”).

1. Description of the processing that is the subject of the outsourcing

Kavkom is authorized, as a processor, to process on behalf of the client, as data controller, the personal data necessary for the following processing purposes:

  •  Management of a contact database via the Solution
  •  Management of telephone and emailing campaigns via the Solution
  •  Recording of telephone conversations to improve customer service via the Solution
  •  Management of opposition requests from data subjects via the Solution

Nature of the processing: Collection, recording, consultation, communication, and deletion.

Types of personal data processed: Identification data, contact data, data relating to professional life, billing data, telephone conversations.

Categories of data subjects: Customers and prospects, employees, suppliers, and other business partners.

Duration of processing: The data is deleted 30 days after the end of the service contract. The data can be deleted and/or exported at any time from the Solution by the customer.

2. General obligations of KAVKOM as a processor under the GDPR

As a subcontractor, KAVKOM undertakes to implement all the necessary measures, allowing the customer to comply with the GDPR and the applicable regulations on personal data protection. In this sense, KAVKOM undertakes to:

  •  process personal data within the strict and necessary framework of the services provided under the contract concluded with the client and, in general, to act only on written and documented instructions from the client;
  •  immediately inform the client if one of its instructions constitutes a violation of the applicable regulations on the protection of personal data and suspend the execution of the said instruction until confirmation or modification of the instruction by the client;
  •  ensure that the persons authorized to access the personal data are aware of the client’s instructions and undertake to process them only in strict compliance with them;
  •  ensure that persons authorized to access personal data receive the necessary training in the protection of personal data;
  •  not grant, rent, assign, or otherwise communicate to any person all or part of the personal data, even free of charge, and, more generally, not use the personal data for purposes other than those strictly provided for in the contract, in particular for any use of commercial prospecting, marketing and/or other;
  •  where appropriate, assist the client in carrying out impact analyses relating to the protection of personal data;
  •  if necessary, help the client carry out prior consultation with the supervisory authority.

3. Subsequent subcontracting – Location of processing

KAVKOM is authorized under this contract to host the personal data entrusted by the customer within the hosting infrastructures of Amazon Web Services. These infrastructures are located in Europe, more specifically in Paris, France.

KAVKOM may also call on certain third-party service providers, who may have access in the context of their activity to the personal data hosted on the Solution. The services provided by these service providers are necessary for the operation of the Solution and the services offered by KAVKOM, such as the service provider allowing customers to send SMS to their contacts via the Solution. All of the service providers used by KAVKOM are located in the European Economic Area. However, KAVKOM teams are partly located in Israel, a country that has benefited from an adequacy decision issued by the European Commission establishing that this country ensures an adequate level of protection of personal data.

KAVKOM may call on another subcontractor to carry out specific processing activities during the contract. In this case, KAVKOM will inform the customer in advance and in writing of any planned change concerning the addition or replacement of other subcontractors. The customer has a maximum period of one (1) month from the date of receipt of this information to present his objections. This outsourcing can only be carried out if the client has not raised any objections within the agreed period. KAVKOM ensures that any subcontractor it uses presents the same sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. KAVKOM remains, in any event, fully liable to the client for the performance by any other subcontractor of its obligations.

4. Right to information and exercise of the rights of data subjects

The Customer warrants to KAVKOM that he has complied with all of the obligations necessary for the collection and processing of the personal data collected, incumbent on him in particular under the terms of the GDPR, and that he has informed the persons concerned of the use that is made of said personal data via the Solution. As far as possible, KAVKOM will help the customer to fulfill its obligation to respond to requests to exercise the rights of data subjects: right of access, rectification, erasure, and opposition, right to limitation of processing, right to data portability, right not to be subject to automated individual decision-making (including profiling). When the persons concerned make requests to KAVKOM to exercise their rights, KAVKOM will also send these requests upon receipt by e-mail to the customer at the address indicated in the customer’s order.

5. Applicable technical and organizational security measures

During the contract term, the parties must take all appropriate technical and organizational measures to protect personal data against any accidental or unlawful destruction, accidental loss, deterioration, dissemination, or unauthorized access, particularly during the transmission process of data on a network and against any unlawful processing. KAVKOM also implements the following specific measures to ensure the security of the personal data entrusted by the customer:
  •  Verification of activity on the Solution using a log and analysis system,
  •  KAVKOM personnel with access to data are made aware of the risks associated with handling data and must be specifically empowered,
  •  Tests on the Solution are carried out regularly by KAVKOM and its service providers (notably Checkpoint) to verify its security (penetration tests, security scans, threat detection, etc.),
  •  Staff terminals are protected by automatic locking procedures, antivirus/firewalls, and the possibility to lock and disable terminals remotely,
  •  Regular review of change codes and procedures to verify compliance with any changes to security procedures,
  •  AWS servers are located in highly secure infrastructures guaranteeing:
    •  Means to ensure the confidentiality, integrity, availability, and constant resilience of processing systems and services,
    •  Means to restore the availability of personal data and access to them within appropriate deadlines and at most within twenty-four hours in the event of a physical or technical incident,
    •  Procedures to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.

6. Notification of Personal Data Breaches

KAVKOM notifies the customer of any breach of personal data within a maximum period of 48 hours after becoming aware of it and by any appropriate means of contact, particularly by e-mail or telephone. This notification is accompanied by any helpful documentation to enable the client, if necessary, to notify the competent supervisory authority of this violation.

7. Support and Audit

KAVKOM makes available to the client the necessary documentation to demonstrate compliance with all its obligations, allows audits, including inspections, to be carried out by the client or another auditor appointed by it, and contributes to these audits… However, it is specified that these audits will be carried out at the customer’s expense and strictly limited to the audit of the measures taken in terms of protection of personal data, within the limit of one audit per year notified in advance to KAVKOM.

8. The fate of personal data

At the end of the contract, KAVKOM undertakes to destroy the personal data still in its possession within thirty (30) days from the end date of the service contract. The data can also be exported at any time from the Solution by the Customer.

9. Obligations of the customer vis-à-vis KAVKOM

The customer undertakes to:

  •  Document in writing any instructions added to the stipulations of this agreement;
  •  Ensure, before and throughout the duration of the processing, compliance with the obligations provided for by the GDPR;
  •  Inform the persons concerned about the outsourced processing of the information required by the GDPR and collect their consent when relevant;
  •  Delete personal data that has reached its maximum retention period from the Solution;
  •  Supervise processing, including carrying out audits and inspections with KAVKOM.