Annex on the protection of personal data processed by SITEW on behalf of SITEW users

Article 1: Purpose

The purpose of this document is to define the conditions under which SITEW processes, within the framework of the Service, the personal data of visitors or end customers ("Visitors") of the website operated by the Client or the free User of the Service (hereinafter "Personal Data"), as defined in Article 4.1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data (GDPR).

It constitutes the written agreement on the processing of Personal Data, required by Article 28 of the GDPR, between the controller and the processor, and complements the General Terms and Conditions of Use (GTCU) or General Terms and Conditions of Service (GTCS) validated by the Customer, of which it is an integral part.

It is applicable to all processing that may be carried out by SITEW within the framework of the Service subscribed to by the Client, whether it involves hosting, viewing, storing, modifying, distributing or extracting personal data.

The Table of Processing summarizes the authorized processing acts according to the services provided.

Article 2: Respective responsibilities of the parties

The Client alone shall be responsible for the processing, within the meaning of the GDPR, of the Personal Data of Visitors processed by SITEW within the framework of the Service; SITEW shall only act as a "subcontractor" of such data in its capacity as service provider.

SITEW shall only be held liable, in its capacity as subcontractor, for obligations specifically imposed on it by the Subscription or by the regulations in force on the protection of personal data; or if it has acted outside the specific instructions of the Customer.

SITEW shall not be held liable for any failure by the Customer to comply with this regulation, which is not attributable to it in any way, pursuant to Article 82.3 of the GDPR.

In any case, SITEW's liability towards the Client, in the event of recourse by a Visitor under the joint and several liability instituted by Article 82.4 of the GDPR, is limited to the amount indicated in the article "Liability" of the General Terms of Service.

Article 3: Customer's obligations - guarantee

For all the Personal Data that the Client is required to process while using the Service, and in particular those processed through its website or messaging and emailing services, the Client guarantees SITEW that it has fulfilled all the obligations incumbent upon it under the terms of the French law of January 6, 1978 known as the "Informatique et Libertés" (Data Processing and Freedom) law and by virtue of other French and European legislative and regulatory provisions, in particular the GDPR. Consequently, the Customer guarantees SITEW that the Customer has informed the natural persons concerned, and in particular the Visitors, of the use that is made of their data as well as of the rights granted to them (right of opposition, deletion, limitation of processing, right of access and rectification) and has, where applicable, obtained their prior consent, in particular in the event of processing for the purposes of commercial prospecting. It is the Customer's responsibility to provide and to put online on its website a privacy policy that complies with the current regulations. SITEW does not offer a "standard document", but provides the Customer with technical tools enabling it to set certain criteria for the processing of personal data, such as the definition of the duration of the processing, their deletion, or the extraction of data in the context of the right of access.

The Customer guarantees SITEW against any recourse, complaint or claim from a natural person (and in particular a Visitor) whose personal data is processed by SITEW or its subcontractors in any way whatsoever in the context of the Service. Consequently, the Client shall hold SITEW harmless against any indemnity or sentence that may be imposed on it as a result of the recourse of a natural person whose Personal Data is hosted, copied, viewed or processed in any way by SITEW within the framework of the Service, and linked to the Client's failure to comply with its legal or contractual obligations as set out in this Policy.

Article 4: Authorized processing

The Client authorizes SITEW, as a subcontractor, to process Personal Data on its behalf, exclusively for the purposes set out in the Table of Processing.

SITEW undertakes to:

  1. process the Personal Data solely for the purpose(s) for which it is subcontracted;
  2. process the Personal Data in accordance with the documented instructions of the Client;
  3. guarantee the confidentiality of the Personal Data processed under this contract;
  4. ensure that persons authorized to process Personal Data under this Agreement:
    • are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality
    • receive the necessary training in the protection of Personal Data

Article 5: Subsequent subcontracting

In the event of the recruitment of subsequent subcontractors, within the meaning of the GDPR, SITEW shall inform the Client in advance and in writing, clearly indicating the subcontracted processing activities, the identity and contact details of the subcontractor and the dates of the subcontract. The Client will have a period of 15 days from the date of receipt of this information to present its objections. If no objection is raised within this period, the subsequent subcontractor shall be deemed to have been approved by the Client.

The subcontractors listed in the Processing Schedule below shall be deemed approved by Customer as of the date of the Order.

The subcontractor shall be obliged to fulfil the obligations of this agreement on behalf of and in accordance with the instructions of the controller. It is SITEW's responsibility to ensure that the sub-processor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the European Data Protection Regulation. In all cases, SITEW shall remain fully responsible to the Customer for the performance by the subcontractor of its obligations.

Article 6: Data security

SITEW shall implement the necessary measures to ensure the security and confidentiality of the Personal Data that it is required to process within the framework of the Service.

More specifically, SITEW undertakes to implement the following security measures:

  • Encryption of data transmission if the SSL option is active on the Site
  • Storage on secure servers
  • Regular updating of servers
  • Limitation of access to only the services used
  • Automatic and encrypted data backup
  • Logging of accesses to detect any unauthorized access
  • Regular test procedure

In addition, depending on the nature of the personal data, its sensitivity, and the risks for the persons concerned in the event of a data breach, SITEW will implement, upon notice from the Customer, additional security measures for the Personal Data. These measures may include encryption of the Data, pseudonymization, or regular audits of the availability and security of the Data. These measures may result in additional billing, or a revision of the Subscription price, to take into account the costs incurred by these additional security measures requested by the Customer.

Article 7: Transfer of data outside the European Union

All the Data processed by SITEW within the framework of the Service are stored or hosted on servers located in the European Union.

SITEW undertakes not to transfer any Data outside the European Union.

Furthermore, SITEW undertakes to use only subcontractors:

  • established in a country of the European Union, and preferably in France, or
  • established in a country with an adequate level of protection according to the European data protection authorities or
  • having appropriate guarantees in accordance with Article 46 of the GDPR.

Article 8: Exercise of rights by Data Subjects

It is the Customer's responsibility to deal with requests from Data Subjects to exercise their rights under the applicable regulations (in particular the right to object, the right to access and rectify data, the right to portability, the right to erase data concerning minors, and the right to limit processing). Should the persons concerned exercise their rights, their requests will be systematically forwarded to the Client so that it can process them within the legal time limits.

Article 9: Violation of Personal Data

SITEW undertakes to notify the Customer of any breach of personal data within a maximum of 48 hours of becoming aware of it and by e-mail. This notification will be accompanied by all useful documentation to allow the Customer, as the data controller, if necessary, to notify this violation to the competent control authority.

Article 10: Register of processing

SITEW declares that it keeps a written register of all categories of processing activities carried out on behalf of the Client, including:

  • the name and contact details of the controller on whose behalf it acts, any subcontractors and, where applicable, the data protection officer;
  • the categories of processing carried out on behalf of the controller;
  • as far as possible, a general description of the technical and organizational security measures implemented to ensure the security of the Data.

Article 11: Duration of processing - return of Personal Data

Unless otherwise agreed by the Parties, Personal Data shall be processed for the duration of the Subscription taken out by the Customer, or until the closure of the Customer/User Account, if this occurs earlier.

At the end of the Subscription or at the closure of the Account, SITEW undertakes to:

  • return all Personal Data to the Customer or, upon request by the Customer made within 60 days of the end of the Subscription or closure of its Account,
  • return them to the company (new subcontractor) designated by the Customer.

This data will be returned or transmitted in a readable and open format, under the conditions set out in the article "Consequences of the end of the Subscription" of the GTCU or GTCS.

Article 12: Duty to assist

SITEW shall make every effort to assist the Customer in its efforts to ensure that the processing of personal data complies with the regulations in force. SITEW will provide the Customer with all the necessary information for any compliance or security audit or impact analysis carried out by the Customer. On the other hand, the realization of the Customer's own procedures, such as the drafting of impact analyses or the declaration to the CNIL of a Data violation, will give rise, if necessary, to the invoicing of a separate service.

Article 13: Table of processing

Hosting
  Authorized processing acts:
    • Registration
    • Organization
    • Consultation
    • Deletion
    • Destruction
  Purpose:
    • Hosting of the Customer's Sites
    • Deletion of content that is illicit or contrary to the GTCU/GTCS

Maintenance and Support
  Authorized processing acts:
    • Registration
    • Consultation
    • Extraction
  Purpose:
    • Corrective maintenance of the Sites

Messaging
  Authorized processing acts:
    • Registration
    • Organization and Structuring
    • Communication by transmission
    • Storage
    • Deletion
  Purpose:
    • Creation of email addresses for Users
    • Sending and receiving email messages on behalf of the Customer
    • Filtering of spam and inappropriate messages
    • Maintenance of the service

Emailing
  Authorized processing acts:
    • Registration
    • Organization and Structuring
    • Use
    • Communication by transmission
    • Distribution
    • Retention
    • Deletion
  Purpose:
    • Sending mass messages to the database provided or created by the Customer
    • Presentation of the campaign results and provision of statistics

Article 14: List of subcontractors

Subcontracted service: Hosting
Identity of the subcontractor:
  • OVH
  • H8l.io
  • Scaleway