Processing of Personal Data
PERSONAL DATA PROCESSING AGREEMENT
This Data Processing Agreement (hereinafter, DPA) is part of the General Conditions of Use of Sendinblue services (hereinafter, Agreement). All capitalized terms not defined in this DPA will have the same meaning set forth in the Agreement.
The purpose of this DPA is to define the conditions under which Sendinblue undertakes to carry out, on behalf of the User, the data processing operations defined below.
In the context of this DPA, the User acts as the Data Controller and Sendinblue as the Data Processor within the meaning of the EU Data Protection Law.
1 – DEFINITIONS
User Data means any Personal Data that Sendinblue processes on behalf of the User as Data Processor while providing the services.
Data Controller means the User (Werku Tools SA).
Data Processor means Sendinblue.
EU Data Protection Law means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (GDPR).
EEA means the European Economic Area.
Personal Information means any information related to an identified or identifiable natural person.
Processing has the meaning attributed to it in the GDPR, and "process", "processes" and "processed" will be interpreted accordingly.
Subprocessor means any Data Processor contracted by Sendinblue to help fulfill its obligations with respect to the provision of the services in accordance with the Agreement or this DPA. Subprocessors may include third parties or members of the Sendinblue group.
2 – DATA PROCESSING DETAILS
2.1 Sendinblue will process User Data only for the purposes described in the DPA and only in accordance with the User’s documented legal instructions. The Parties agree that this DPA and the Agreement set forth the complete and final User instructions for Sendinblue in relation to the processing of User Data.
2.2 Duration: Between Sendinblue and the User, the duration of data processing under this DPA is until the termination of the Agreement in accordance with its terms.
2.3 Purpose: The purpose of data processing under this DPA is to send marketing and/or transactional emails and/or SMS.
2.4 The data processing operations that Sendinblue performs on behalf of the User are defined below:
– Storage of contact lists uploaded by the User
– Sending messages by email or SMS, whether automated or not (including order tracking, order confirmation, newsletters)
– Retention and analysis of email deliverability data (retargeting screen)
– Collection of subscription cancellations and User information
– Collection of consents (in case the User uses the Sendinblue form to retrieve contact information from their own site)
– Analysis of the behavior of the email recipients (tracking of open rates, click rates and bounce rates at the individual level)
2.5 Categories of data subject: Any individual: (i) whose email address is included in the User’s distribution list; (ii) whose information is stored or collected through the services, or (iii) to whom the User sends emails or engages or communicates through the services and, more precisely, customers and prospects.
2.6 Types of User Data: Any type of data determined and controlled by the User at their sole discretion, in the context of their use and configuration of the services, such as contact information (for example, email and telephone number) and computer information (IP addresses, cookie data).
3 – USER OBLIGATIONS
3.1 If the User is established in the European Union, or if his Distribution List contains Personal Data of citizens of the European Union, the User agrees that he will comply with his obligations as a Data Controller under the EU Data Protection Law, and in particular:
– That the Personal Data contained in the transmitted files have been collected and processed in accordance with the applicable regulations
– That the User has informed the interested parties in accordance with the applicable regulations
– Where appropriate, that the interested parties have given their consent for the collection and treatment
– That the interested parties may exercise their rights in accordance with the applicable regulations
– That the User undertakes that the information be rectified, completed, clarified, updated or eliminated if it is inaccurate, incomplete, ambiguous or out of date, or if the interested party wishes to prohibit its collection, use, communication or storage
3.2 It is specified that the User is solely responsible for managing the retention periods of the Personal Data that he uploads to the Sendinblue platform, and that he is responsible for deleting the data when its retention period expires. Sendinblue is solely responsible for deleting this data at the end of its contractual relationship with the User.
3.3 The User agrees not to include in the distribution lists uploaded to the platform any Personal Data known as «sensitive» in the sense of article 9 of the GDPR.
4 – SENDINBLUE’S OBLIGATIONS
4.1 Compliance with the User’s instructions and regulations.
Sendinblue is committed to:
– Process Personal Data only for the purpose established in this DPA
– Process Personal Data in accordance with the instructions of the controller. If Sendinblue considers that an instruction constitutes a violation of EU Data Protection law, it will immediately inform the User
– Guarantee the confidentiality of the Personal Data processed under this Agreement
– Ensure that the persons authorized to process Personal Data under this DPA undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality, and receive the necessary training in the protection of Personal Data
– Appoint a Data Protection Officer: Jules Jeanroy, dpo@sendinblue.com
– Maintain a register with a list of the processing operations carried out on behalf of the Data Controller, including all the information listed in Article 30 (2) of the GDPR
4.2 Security: Sendinblue undertakes to take all necessary precautions, with regard to the nature of Personal Data and the risks posed by the processing, to preserve the security of Personal Data and, in particular, to prevent it from being distorted, damaged or accessed by unauthorized third parties. Sendinblue is committed in this context to implementing adequate technical and organizational security and confidentiality measures.
4.3 Data leakage: Upon becoming aware of any violation of Personal Data, Sendinblue will notify the User within 72 hours of becoming aware of it, by means of notification through the User’s customer account or by email to the address, in particular to allow the User to comply with the obligation provided in article 33 of the GDPR.
4.4 Destruction: At any time during the execution of the Agreement, the User can access or delete the Personal Data processed by Sendinblue directly from his customer account by clicking the «export button» in his customer account. At the end of the contractual relationship, Sendinblue undertakes, at the User’s request, to destroy all Personal Data, or return it to the User or another data processor designated by them if it is technically feasible and within a maximum period of 3 months. The return must be accompanied by the destruction of the existing copies in Sendinblue’s information systems, unless some applicable law requires their retention. Sendinblue undertakes to provide the User, upon request, with proof of such destruction.
5 – ASSISTANCE AND AUDIT
5.1 Assistance: To the extent that the User is unable to independently access the relevant User Data within the services, Sendinblue shall (at the User’s expense) provide reasonable cooperation to assist the User in responding to any requests from individuals or applicable data protection authorities related to the processing of Personal Data under the Agreement. If such request is made directly to Sendinblue, Sendinblue will not respond to such communication directly without the prior authorization of the User, unless it is legally obliged to do so. If Sendinblue is required to respond to such a request, Sendinblue will immediately notify the User and provide a copy of the request, unless legally prohibited.
5.2 Audit: Sendinblue undertakes to provide the User with all the information and documents necessary to demonstrate compliance with the obligations established in this DPA. Sendinblue authorizes the User, or any external auditor that does not compete with Sendinblue and that the User has appointed, at the User’s expense, to inspect and audit its Personal Data processing activities, and undertakes to agree to all reasonable requests made by the User to verify that Sendinblue has complied with the contractual obligations imposed by this DPA. Said audits cannot be carried out more than once (1) per contract year. In all cases, the User must give Sendinblue a minimum notice of thirty (30) days, and the audit must in no case interrupt Sendinblue’s ongoing activities. The audit will be limited to Personal Data processing activities carried out by Sendinblue on behalf of the User, and the User will not be able to access data related to other Sendinblue customers. A copy of the audit report will be provided to Sendinblue free of charge.
6 – DATA TRANSFERS AND SUB-PROCESSING
6.1 Authorized Sub-processors: The User is informed, and expressly accepts, that, in relation to the provision of the service under the Agreement, Sendinblue may resort to Sub-processors, who will access or process the Personal Data entrusted by the User on their behalf. The list of relevant processors is available at https://bit.ly/subcontactors-SIB-EN-int
6.2 Obligations of Sub-processors: Sendinblue must: (i) enter into a written agreement with Sub-processors that imposes data protection terms requiring the Sub-processor to protect User Data according to the standard required by the EU Data Protection Law; and (ii) remain responsible for its compliance with the obligations of this DPA and for any act or omission of the Sub-processor that causes Sendinblue to breach any of its obligations under this DPA.
6.3 Changes in Subprocessors: In case of modification of the list of its Subprocessors, Sendinblue will notify the User by email or by notification through the customer’s account, and the User will have the possibility to terminate the Agreement in case of objection.
It is specified that this notification will include any information related to possible transfers of Personal Data to the EEA.
7 – VARIOUS
7.1 This DPA can be modified at any time. All changes are published on the Sendinblue website and communicated to the User through the website.
Unless the User terminates the Services by sending a registered letter with acknowledgment of receipt to Sendinblue within thirty (30) days after these changes, the User will be deemed to have accepted the changes.
7.2 This DPA has been written in several languages. For the purposes of interpreting this DPA, the French version will prevail.
8 – APPLICABLE LAW AND JURISDICTION
Applicable law and competent jurisdiction remain as stipulated in the Agreement.