Data Processing Agreement
This document was last updated on Jan 21, 2019.
“Contract”, “CodinGame”, “You”, “Services”, “Site” have the same definitions as the ones from the CodinGame Assessment Customer Agreement (hereinafter referred to as the “Customer Agreement”) available at https://www.codingame.com/work/codingame-assessment-customer-agreement.
This Data Processing Agreement (the “DPA”) forms an integral part of the Contract concluded between CodinGame (the “Service Provider”) and You (the “Client”), the purpose of which is to define the conditions applicable to the Services. The DPA and the other documents of the Contract are complementary and mutually explanatory. However, in case of contradiction, the priority rules are defined in the Customer Agreement.
This DPA scope is limited to the CodinGame Assessment Service.
The purpose of this DPA, concluded between the Service Provider and the Client in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”), is to define the conditions under which CodinGame, the Service Provider, as a subcontractor and as part of the Services defined in the Contract, processes, on instructions from You, the Client, Personal Data as defined in Article 4(1) of the GDPR (“Personal Data”).
For the purposes of this DPA, the Service Provider acts as “Subcontractor” and the Client is deemed to act as “Data Controller”. The terms “Subcontractor” and “Data Controller” have the meanings given to them within the GDPR (respectively Article 4(8) and Article 4(7) of the GDPR).
If the Client acts as Subcontractor on behalf of a third party responsible for the processing, the Parties expressly agree that the following conditions apply:
(a) The Client has previously ensured that all necessary authorizations to conclude this DPA, including the appointment by the Client of the Service Provider as a subsequent subcontractor, have been obtained from the controller;
(b) a contract, which is in full compliance with the terms and conditions of the Contract (including this DPA), has been concluded with the third-party controller in accordance with Article 28 of the GDPR;
(c) The Client complies with all the provisions of the GDPR.
1. Compliance with applicable regulations on the protection of personal data
Each Party undertakes to comply with all obligations resulting from the application of any applicable regulations relating to the protection of Personal Data, in particular the provisions of the GDPR.
To this end, they acknowledge that they are subject to an obligation of enhanced cooperation throughout the term of the Contract and therefore undertake to provide each other without delay with any information, intelligence, document or file that enables them to maintain or demonstrate their compliance with the GDPR and to immediately inform each other of any failure or risk of failure to comply with the regulations.
2. Rights and obligations of the Service Provider and the Client
As part of the Contract, the Service Provider undertakes to process the Data only for the purposes of the processing mentioned in Appendix 1, which are outsourced to it.
In addition, the Service Provider undertakes to process Personal Data only on the basis of and in accordance with the Client’s documented instructions.
In the event that European and/or French law conflicts with the Client’s instructions or does not allow the Service Provider to process Personal Data in accordance with such instructions, the Service Provider must inform the Client as soon as possible before processing. In such a case, the Parties undertake to meet in order to find the most appropriate amicable solution with regard to the Contract and the rights and freedoms of the person concerned.
In addition, the Service Provider undertakes towards the Client, through its employees authorized to process Personal Data, to maintain the strictest confidentiality regarding the Personal Data processed pursuant to this Contract and all the information contained in Appendix 1. All this information is considered confidential information. The Service Provider guarantees to the Client that it has implemented and maintains all necessary measures to preserve and ensure that its employees respect the confidentiality of Personal Data.
Thus, the Service Provider must only make the Personal Data accessible and consultable to the Service Provider’s employees duly authorized, by virtue of their duties and qualities, to process the Personal Data within the strict limits of what is necessary for them to perform their duties.
The Service Provider declares that it keeps a written record of all categories of processing activities carried out on behalf of the Client.
The Service Provider’s Data Protection Officer, on the date of signature of the Contract, is identified in Appendix 4 of this DPA. In the event of a change, the Service Provider undertakes to inform the Client as soon as possible and to provide him with the new identity and contact details of the Data Protection Officer.
For its part, the Client undertakes to:
- Transmit to the Service Provider any information or document it may need to fulfill its obligations under this paragraph;
- Inform the Service Provider of any request, audit or control initiated by a supervisory authority that would directly concern or involve the Service Provider in its capacity as subcontractor.
3. Description of the processing of personal data
Appendix 1 of the DPA defines:
- The subject matter, nature and purpose of each processing of Personal Data that the Service Provider carries out on behalf of the Client under the Contract;
- The categories of Personal Data processed;
- The categories of data subjects, within the meaning of Article 4(1) of the GDPR, concerned by the said processing operations;
- The period of storage of personal data;
- The places of processing of Personal Data located outside the European Economic Area.
4. Client’s right to audit and impact analysis
For the purpose of monitoring the compliance of the Parties with the GDPR, the Client has an audit right, which it may exercise subject to fifteen (15) working days’ notice. In this respect, the Client shall appoint, at its own expense, an independent auditor who is not a competitor of the Service Provider on the SaaS market, who shall be validated by the Service Provider and who shall sign a confidentiality agreement.
This specific audit on the protection of Personal Data by the Service Provider will focus on compliance with the GDPR and this DPA. The audit may not cover the Service Provider’s financial, accounting and commercial data.
The audit will be conducted remotely and during the Service Provider’s working hours.
During this audit, the Service Provider undertakes to cooperate in good faith with the auditor and shall (i) provide the auditor with all documentation to establish compliance with the GDPR and this DPA and (ii) answer all questions.
A copy of the audit report prepared by the auditor shall be provided to each Party.
In the event that the audit report reveals one or more breaches by the Service Provider of the GDPR or this DPA, the Parties agree to meet as soon as possible to establish an action plan to remedy the identified breach(es).
In addition, at the Client’s express request, the Service Provider undertakes to provide all necessary assistance in the event that the Client carries out, during the term of the Contract, an impact analysis in relation to the Personal Data processed by the Service Provider.
5. Notification of violations of Personal Data
If the Service Provider becomes aware of an incident affecting the Personal Data of the Data Controller (unauthorized access or disclosure, loss, destruction or alteration of Data, of accidental or unlawful origin), the Service Provider shall inform the Client as soon as possible, and in any event no later than forty-eight (48) hours after the Service Provider becomes aware of such an event, specifying whether the violation in question is likely to create a risk for the rights and freedoms of the persons concerned.
This notification shall be accompanied by all relevant documentation in order to enable the Client, if necessary, to notify the competent authority of this violation.
At a minimum, the notification must (i) describe the nature of the incident and, if possible, the number of persons involved, (ii) describe the likely consequences of the incident, (iii) describe the measures taken or proposed by the Service Provider in response to the incident and (iv) specify who is the Service Provider’s preferred contact person for the incident.
In general, it is the Client’s responsibility to communicate directly to the data subject the violation of Personal Data, when it is likely to create a high risk to the rights and freedoms of a Data Subject, unless otherwise agreed in writing by the Parties.
6. Subcontracting
The Service Provider informs the Client that, on the date of the last update of this DPA, it uses the subcontractors identified in Appendix 2 of this DPA, which the Client accepts.
The Service Provider declares that, on the date of the last update of this DPA, it has signed contracts with each of these subcontractors for the processing of Personal Data. The Service Provider undertakes to maintain these contracts in force throughout the term of the Contract.
The Service Provider guarantees to the Client that it has verified that these subcontractors provide sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing operations identified in Appendix 1 meet the requirements of the GDPR.
In addition, the Service Provider undertakes to inform the Client and obtain the Client’s agreement in the event of any planned change concerning the addition or replacement of any subcontractor. Notification of the change will be made by e-mail to the Client’s address provided for this purpose and listed in Appendix 4 of this DPA. In the event of the Client’s disagreement with such a change, the Parties shall meet and discuss in good faith with a view to resolving the disagreement.
In the event of non-response from the Client within ten (10) working days, the change is considered as automatically accepted by the Client.
In addition, before any subcontracting operation, the Service Provider undertakes to sign a contract with its subcontractor in accordance with Article 28(4) of the GDPR, which shall transfer to the latter, mutatis mutandis, the obligations provided for in this paragraph, in particular as regards providing sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing operation meets the requirements of the applicable regulations.
7. Security of Personal Data
The Service Provider declares that it has put in place and maintains in force and up to date, throughout the duration of the Contract, and until the destruction of the Personal Data identified in Appendix 1, all appropriate security measures to ensure the security of the Data in order to protect them from any destruction, loss, alteration, disclosure and unauthorized access, whether such acts are of accidental or illegal origin.
The security measures identified at the date of the last update of this DPA are listed in Appendix 3 of this DPA.
The Parties shall notify each other, throughout the term of the Contract, of any necessary updates or modifications to the said security measures, in particular in order to respond to any new threat or any change in the state of the art or regulations.
8. Data subjects’ right to information
It is the Client’s responsibility to provide the persons concerned by the processing operations at the time of data collection with the information listed in Articles 13 and 14 of the GDPR.
The Service Provider will assist the Client in fulfilling its obligation to comply with requests to exercise the rights of the Persons concerned, whether it concerns the right of access, rectification, deletion and opposition, the right to limit processing, the right to the portability of the Data or the right not to be the subject of an automated individual decision (including profiling), by providing it with any necessary information, intelligence, document or file.
If the persons concerned make requests to the Service Provider to exercise their rights, the Service Provider must send these requests as soon as it receives them by email to the Client contact referred to in Appendix 4.
9. Transfer of Personal Data outside the European Union
The Client is informed that the Service Provider uses subcontractors established outside the European Union. These subcontractors are listed in Appendix 2 of this DPA.
Apart from these subcontractors, provided that the Client has authorized it to use one or more other subcontractors, the Personal Data may only be transferred by the Service Provider to:
- subcontractors established in Member States of the European Union and/or in third countries recognized by the European Commission as ensuring an adequate level of protection;
- or subcontractors based in the United States who have joined the Privacy Shield. Transfers are then considered to provide an adequate level of protection;
and only within the strict limits necessary for the performance of the Services provided for in the Contract.
Subject to the Client’s prior consent, in the event that the Service Provider transfers Personal Data to subcontractors established in a country or countries recognized by the European Commission as not providing an adequate level of protection, outside the United States, the Service Provider undertakes, on the one hand, to implement sufficient and appropriate safeguards to ensure their security and, on the other hand, to sign with its subcontractor the “standard contractual clauses” for Data protection adopted by the European Commission.
10. Personal data at the end of the Contract
At the end of the Contract, account deletion can be requested by the Client directly from the Site. Account deletion triggers the destruction process of all Personal Data attached to it.
The Service Provider also undertakes to destroy all Personal Data upon written instructions from the Client. These instructions may be given at any time after the end of the Contract, up to a maximum of one (1) year.
The destruction shall be carried out by the Service Provider within five (5) working days from the date of receipt of the instructions, with the exception of:
- security logs that will be deleted within a maximum period of six (6) months after receipt of instructions;
- database backups that will be deleted within a maximum period of one (1) month after receipt of instructions.
In the event that the Service Provider has not received instructions from the Client three years after the end of the Contract, the Service Provider shall destroy the Personal Data, unless otherwise agreed by the Parties.
In any event, and unless otherwise provided by European or French law, the Service Provider undertakes not to keep any copy of the Personal Data and to provide the Client with a written certificate of destruction of the said copies.
APPENDIX 1: IDENTIFICATION OF PROCESSING OPERATIONS OF PERSONAL DATA
All Personal Data are subject to daily backups. These backups are destroyed after one (1) month from their creation.
The destruction of Personal Data at the end of the storage period results in anonymization at the technical level: the Identification Data are destroyed (email, surname, first name, IP, etc.) while the associated Data, which do not allow the identification of a person within the meaning of Article 4 (1) of the GDPR, are kept (for example, the score and rank of a Candidate) in order to continuously improve the Services. This Anonymized Data no longer constitutes Personal Data.
APPENDIX 2: LIST OF APPROVED SUBCONTRACTORS
APPENDIX 3: DESCRIPTION OF SECURITY MEASURES
- All communications between the server and clients are encrypted (HTTPS).
- Passwords stored in the Provider’s database are protected with a non-reversible one-way hash.
- Unsuccessful login attempts are logged and trigger alerts.
- Access to the Service Provider’s database is restricted to certain authorized IPs.
- Access to Personal Data by the Service Provider’s employees is authorized according to roles as defined in the Service Provider’s Security Policy (for example, the support team is authorized to access Personal Data in the event of a bug).
- Access is technically managed through a secured LDAP directory.
APPENDIX 4: SERVICE PROVIDER AND CLIENT POINTS OF CONTACT
DPO of the Service Provider:
Admitted to the Paris Bar
4, place de Valois – 75001 Paris
01 86 95 18 81
Contact of the Service Provider for any requests or instructions relating to this DPA:
09 54 39 85 49
Client contact for notification of a breach of personal data protection:
The email address entered by the Client in the CodinGame for Work UI (by default, the email address used by the Client when creating their account)
Client contact for any other CodinGame request related to this DPA:
The email address used by the Client when creating their account