Data Processing Agreement
1. Introduction
The purpose of the Data Processing Agreement (hereinafter the « Agreement ») is to govern the use of the Personal Data of the Clients (hereinafter the « Client ») of Solpay (hereinafter the « Processor » or « Solpay ») when they use its online platform/mobile app (hereinafter the « Service »).
2. Definitions
The terms “adequacy decision”, “technical and organisational measures”, “data subjects”, “protection by design”, “protection by default”, “register”, “joint controller(s)”, “controller of processing activities”, “processor”, “processing”, “personal data breach” present in the Agreement have the meanings described in Articles 4 et seq. of the GDPR.
Other terms are defined below:
- “Agreement”: means the annex to the Contract governing the use of the Client’s Personal Data in accordance with the provisions of Article 28 of the GDPR also entitled “Data Processing Addendum” (“DPA”).
- “Data Protection Impact Assessment”: means an impact assessment to verify the proportionality of the processing of Personal Data and to prevent the risks associated with the processing of Personal Data.
- “Anonymization”: means a processing operation designed to make it irreversibly impossible to identify the data subjects concerned by the processing operations carried out as part of the Service.
- “Supervisory authority”: means the competent GDPR supervisory authority for the Service provided by the Processor.
- “Client”: refers to the entity that has subscribed to the Service provided by the Processor.
- “Contract”: means the contract entered into between the Processor and the Client in order to use the Service, to which this Agreement is annexed.
- “Right claim(s)”: refers to the fundamental right(s) created by the GDPR in Articles 15 et seq. (e.g. right of access, right of erasure, etc.).
- “Client’s personal data”: means any data relating to an identified or identifiable natural person sent to the Processor and processed by the latter on behalf of the Client as part of the Service, a detailed list of which is given in the annex.
- “Party(ies)”: refers jointly to the Client and the Processor.
- “GDPR”: means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation.
- “Applicable regulations on the protection of personal data”: means both the French Data Protection Act (Law No. 78-17 of January 6, 1978, on Information Technologies, Data Files and Individual Liberties) and the GDPR.
- “Reversibility”: refers to the operation aimed at enabling the transfer and integration, in a usable and recognised format, of the Client’s Personal Data from the Processor’s Service to an equivalent service offered by another provider.
- “SaaS service”: means software hosted by the Processor that can be used simultaneously by an infinite number of Clients.
- “Sub-processor”: refers to the sub-processors recruited by the Processor to process the Client’s Personal Data exclusively within the framework of the Service.
- “End Users”: means the persons whose Personal Data is processed by the Processor on behalf of the Client.
3. Contractual relationship and duration
The Agreement is an indivisible annex to the Contract signed between the Client and the Processor for the use of the Service.
In the event of any contradiction between the Contract concluded for the use of the Service and the Agreement, the obligations set out in the Agreement shall take precedence over the Contract with regard to the GDPR as a whole.
The Agreement is applicable for the duration of the Contract entered into in the context of the use of the Service and may continue beyond that period as long as all the obligations set out herein remain applicable.
4. Role of the Parties and scope of application
Under the Agreement, the Client acts as controller for the processing activities and Solpay acts as processor within the meaning of Article 28 of the GDPR.
Under no circumstances may the Parties be considered to be joint controllers in relation to the Service. However, the Parties agree that in the event of an error or change in their qualification, the Parties shall meet, without undue delay, to amend the Agreement and take all measures relating to such a situation in order to comply with the requirements of the applicable Regulations on the protection of personal data.
The Agreement exclusively governs the processing of the Client’s Personal Data carried out as part of the Service as a Processor within the meaning of Article 28 of the GDPR, to the exclusion of the processing carried out as a controller by Solpay, which is governed by the Contract.
5. Instructions and commitments
The Processor undertakes to use the Client’s Personal Data in connection with the use of the Service only in accordance with the instructions documented in the annex to the Agreement. The Processor shall immediately inform the Client if it considers that an instruction given by the latter is illegal with regard to the Regulations applicable to the protection of personal data. The Processor may not be held liable in the event that, despite the Processor’s notification concerning the illegality of the instruction, the Client maintains and applies this instruction via the Service.
The Processor undertakes to comply with the provisions of the GDPR and, in particular, to keep a record of processing activities specific to the Service and to develop its Service in compliance with the rules of “Privacy by design” and “Privacy by default”.
The Processor undertakes never to transfer the Client’s Personal Data for any purpose other than the provision of the Service and undertakes never to use the Client’s Personal Data for its own purposes as controller.
The Processor declares that all internal or external staff who are required to process the Client’s Personal Data are bound by one or more binding legal documents and regularly undergo training and awareness-raising.
The Processor undertakes to guarantee the security of the Client’s Personal Data and to implement all the technical and organisational measures necessary for its Service, details of which are set out in the annex to the Agreement.
On the other hand, the Processor is never liable for the Client’s failure to comply with the Regulations applicable to the protection of personal data when using the Service as a controller.
6. Assistance with DPIA
The DPIAs must be carried out by the Client, in compliance with the GDPR. Nevertheless, the Processor undertakes to provide, at the Client’s written request, all the information necessary and required for the Client to ensure that a DPIA is carried out.
On the other hand, the Processor is not obliged to carry out the DPIA instead of and on behalf of the Client. Any additional request for information may be refused.
7. Assistance with data subject requests
Data subject rights requests sent by End Users are transferred to the Client without undue delay. The Processor is not required to maintain an inventory of data subject rights requests on behalf of the Client and is not liable for the Client’s failure to manage such requests.
At the Client’s written request, the Processor carries out the technical actions to be undertaken so that the Client can fulfil its obligation to comply with data subject rights requests.
The Client accepts and understands that the Processor is not obliged to manage data subject rights requests as part of the Service in place of and on behalf of the Client. Any additional request for such management will be refused.
Data subject rights requests sent to the Processor as controller are processed exclusively by the Processor and are not transferred to the Client.
8. Assistance with security measures
The Processor undertakes to provide all necessary and required information on the technical and organisational security measures to be implemented to guarantee the security of the Client’s Personal Data as part of the provision of the Service.
9. Personal data breaches
The Processor undertakes to notify the Client, as soon as possible and, at the latest, within 48 working hours of becoming aware of any personal data breach in connection with the Service that may affect the Client’s Personal Data, together with all the necessary and required information in its possession to mitigate the effects of the personal data breach. The Client accepts and acknowledges that the 72-hour period applicable to it only starts from the time it becomes aware of the personal data breach and that, in this respect, the 48-hour period complies with the GDPR.
The Processor is not authorised to handle data breach notifications to the Supervisory authority and to inform End Users on behalf of the Client. Any such request from the Client will be refused.
10. Subsequent processors
The Client grants the Processor general authorization to recruit Sub-processors on condition that it is informed of any changes to such Sub-processors without undue delay to allow the Client to object. The Client accepts and acknowledges that a specific authorization, for a SaaS tool, is not applicable and could lead to the Service being blocked.
In the absence of objections raised by the Client within eight (8) days of notification, the new Sub-processor shall be definitively recruited without the Client being able to object, claim damages or request termination of the Contract. If the objection made within the time limit is considered acceptable by the Processor, the latter may propose one of the following solutions to the Client: i) the withdrawal of the Sub-processor, ii) the implementation of additional measures to guarantee the security of the Client’s Personal Data, iii) the termination of the Service without the Client being able to claim damages.
To be considered admissible by the Processor, objections must be objective and serious and must be duly demonstrated. The Parties accept that the following situations will, by default, be considered admissible: i) the proposed Sub-processor is a direct competitor of the Client, ii) the Sub-processor is in a situation of dispute with the Client, iii) the Sub-processor has been the subject of a sanction by a Supervisory authority in the 12 months prior to its recruitment and iv) the Sub-processor does not comply, if applicable, with the applicable rules relating to transfers outside the European Union.
The Processor undertakes to recruit only Sub-processors who, after checking, offer the necessary and sufficient guarantees to ensure the security and confidentiality of the Client’s Personal Data. The relationship between the Processor and the Sub-processor must be set out in an agreement containing obligations similar to this Agreement.
The Processor remains responsible, within the limits of liability set out in the Contract, for any breaches of the GDPR by its Sub-processors in the context of the Service.
11. Hosting and transfers outside the European Union
a) Data hosting
The Processor undertakes to do everything necessary to host the Client’s Personal Data exclusively within a Member State of the European Union. The Client authorises the Processor to choose the European Union Member State of its choice. In the event that Personal Data is hosted in a country outside the European Union, the Processor undertakes to obtain the Client’s prior authorisation and to implement all the mechanisms required to govern this transfer, as set out in the standard contractual clauses and, where applicable, to implement additional technical measures to strengthen the security of the Client’s Personal Data.
b) Data transfers
The Client grants the Processor a general authorization for transfers outside the European Union if, cumulatively, i) the transfers are made exclusively to GDPR-compliant Sub-processors and ii) the transfers are made exclusively to a country benefiting from an adequacy decision or are governed by appropriate safeguards such as, in particular, Standard Contractual Clauses. If these conditions are not met, transfers outside the European Union are only authorised with the prior agreement of the Client. Additional technical security measures aimed at reinforcing the security of the Client’s Personal Data must be implemented if the Personal Data is transferred to a non-democratic country.
12. Retention periods and fate of the Client’s Personal Data
The Processor undertakes to retain the Client’s Personal Data only for the duration of the use of the Service, in accordance with the instructions detailed in the annex, and to delete it at the end of the Contract. The Processor shall certify, upon written request, that the Personal Data and all existing copies thereof have been deleted.
The Client is informed that it must retrieve its Personal Data before the end of the Agreement. Failing this, the Client may no longer retrieve its Personal Data, the deletion of Personal Data being irreversible and definitive. The Processor may not be held liable for any loss of Personal Data after it has been deleted, as the Client assumes full responsibility. The Client accepts that total, irreversible and definitive anonymisation of the Client’s Personal Data may be used as a means of deletion and that the Processor shall retain the anonymised data for the improvement of the Service, as accepted by the Supervisory Authorities.
The Processor informs the Client that the return of Personal Data provided for in the GDPR does not constitute Reversibility of the data to a new processor and that any request to this effect will always be refused by the Processor.
13. Audits
The Client has the right to carry out an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire shall have the force of a sworn undertaking binding on the Processor. The questionnaire may be sent in any form to the Processor, who undertakes to reply without undue delay from the date of receipt.
The Client also has the right to carry out, once a year and at its own expense, an on-site audit, if necessary at the Processor’s premises, in the event of a data breach due to a proven and demonstrated failure on the part of the Processor which has resulted in duly justified prejudice to the Client. An audit at the Processor’s premises may be carried out either by the Client or by an independent third-party appointed by the Client and must be notified to the Processor in writing at least thirty (30) days before the audit is carried out. The Processor has the right to refuse the choice of the independent third-party if the latter is i) a direct or indirect competitor of the Processor, ii) in a situation of conflict of interest with the Processor (e.g.: counsel to a competitor of the Processor) or iii) in pre-litigation or litigation with the Processor. In this case, the Client undertakes to choose a new independent third-party to carry out the audit. The Processor may refuse access to certain areas for reasons of confidentiality or security. In this case, the Processor will carry out the audit in these areas and communicate the results to the Client.
In the event of a discrepancy being identified during the audit, the Processor undertakes to implement, without delay and at its own expense, the measures required to comply with this Agreement. Deviations may only concern the Regulations applicable to the Client’s Personal Data and may not concern internal procedures or measures implemented by the Client on a specific basis. Deviations must be duly demonstrated, justified and documented.
In the event that the Processor disputes the discrepancies identified, the Processor may, at the Client’s option and subject to prior written acceptance, propose to i) meet to find an amicable solution and compromise, ii) refer the dispute to the Supervisory authority for arbitration, and iii) refer the dispute to an independent expert for arbitration.
14. Cooperation with authorities
The Processor undertakes to cooperate with the CNIL (French Data Protection Authority), the competent Supervisory Authority, in the event of an inspection concerning the processing carried out as part of the Service and undertakes to notify the Client as soon as possible in the event of requests concerning its Personal Data being made by the Supervisory authority or by an administrative, judicial or police authority.
15. Contact
The Client and the Processor shall each designate a contact person responsible for this Agreement, who shall be the recipient of the various notifications and communications to be made under the Agreement.
The Processor informs the Client that it has appointed Dipeeo SAS as Data Protection Officer, who can be contacted at the following contact details:
- Email address: dpo@solpay.com
- Postal address: Société Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
- Telephone number: 01 59 06 81 85
16. Revisions
The Processor reserves the right to modify this Agreement in the event of changes to the rules applicable to the protection of Personal Data or in the event of changes to the Service which would have the effect of modifying any of its provisions.