General Data Protection Regulation – Supplier Policy

1. OBJECT

The purpose of this policy is to define the conditions under which the supplier, hereinafter referred to as the “Subcontractor”, undertakes to perform in place of “Experteam”, hereinafter referred to as “the Contractor”, for the account of the client, hereinafter referred to as the “Data Controller”, the personal data processing operations defined below.

The Supplier may also call upon, with the prior agreement of the Contractor, a Subcontractor, hereinafter referred to as “the subsequent Subcontractor”.

As part of their contractual relations, the parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, applicable from 25 May 2018 (hereinafter, “the European data protection regulation”).

2. DESCRIPTION OF PROCESSING SUBJECT TO SUBCONTRACTING

The characteristics of the processing of Personal Data (hereinafter “DCP”) are detailed in each Order Form (hereinafter “BDC”). If it is not possible at the time of the conclusion of the BDC to fill in these characteristics because they were not provided to the Subcontractor by the Data Controller, the Parties undertake to conclude an amendment to the BDC in order to provide for their future and certain transmission by the Data Controller.

The Subcontractor is authorized to process, on behalf of the Data Controller, the personal data necessary to provide the service(s) defined in the BDC.

The nature of the operations carried out on the data, the purpose(s) of the processing, the nature of the personal data processed, and the identification of the categories of persons concerned by the processing of personal data are also defined and framed in the BDC.

3. OBLIGATIONS OF THE SUBCONTRACTOR

In general, the Subcontractor undertakes to implement all the necessary measures enabling the Data Controller to comply with the applicable regulations and in particular the principles of privacy by design and privacy by default.

3.1 Compliance with the instructions of the Data Controller and the regulations

The Subcontractor undertakes to:

  • Process personal data within the strict and necessary framework of the Services and, in general, to act only on the sole written and documented instruction of the Data Controller;
  • Immediately inform the Data Controller if one of the instructions constitutes a violation of the applicable regulations on the protection of personal data and suspend the execution of said instruction until confirmation or modification of the instruction by the Data Controller;
  • Make sure that the persons authorized to access the personal data are aware of the instructions of the Data Controller and undertake to process the data only in strict compliance with those instructions;
  • Ensure that the persons authorized to access the personal data for the performance of the Services receive the necessary training in the protection of personal data;
  • Not grant, rent, assign or otherwise communicate to any person all or part of the personal data, even free of charge, and, more generally, not use the personal data for purposes other than those strictly provided for in the Contract, in particular for any commercial prospecting, marketing and/or other use;
  • Take into account, with regard to its tools, products, applications or services, the principles of protection of personal data from the design stage.

3.2 Security, confidentiality, breach and destruction of personal data

The Subcontractor undertakes to:

  • Take all necessary precautions to preserve the confidentiality and security of personal data, and in particular, prevent them from being distorted, damaged or communicated to unauthorized third parties, and more generally, to implement technical and organizational measures appropriate to protect personal data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorized access. These measures must ensure, taking into account the state of the art, an appropriate level of security with regard to the risks presented by the processing operations and the nature of the data to be protected;
  • Set up authorizations to restrict people’s access to personal data and only communicate them to people who need to know about them, ensuring that these people are subject to a contractual, written and individual, or legal obligation to confidentiality and appropriate security;
  • Update the security measures taking into account the evolution of technology, without resulting in a reduction in the level of security and/or a negative impact on the provision of the Services, and inform the Data Controller of any substantial modification of the security measures;
  • Notify the Data Controller as soon as possible of any known or suspected breach of DCP, or any breach of security resulting, accidentally or unlawfully, in the destruction, loss, alteration or unauthorized disclosure of DCP transmitted, stored or otherwise processed, or unauthorized access to such data, in particular to allow the Data Controller to comply with the obligation, provided for in Article 33 of the GDPR, to notify the CNIL of any breach of DCP. The Subcontractor’s notification must be sent to the designated contact person of the Data Controller by telephone and by e-mail, then confirmed by registered letter with acknowledgment of receipt;
  • Carry out all useful investigations into the breaches of the protection rules referred to above and/or into any threats, in order to remedy the said breaches and/or threats and prevent their recurrence in the future;
  • Remedy such breaches and/or threats as quickly as possible and minimize their impact on the persons concerned;
  • Inform the Data Controller by means of a written report describing the nature and consequences of the personal data breach, the corrective actions implemented or proposed to remedy the said breaches and/or threats and reduce the impact on the persons concerned, as well as the measures adopted to ensure that such breaches and/or threats do not recur;
  • Respect the retention periods for personal data, as specified by the Data Controller;
  • Destroy all personal data or return them to the Data Controller at the end of the contract and destroy the existing copies, and communicate to the Data Controller proof of such destruction, if applicable.

3.3 Assistance and audit

The Subcontractor declares that he understands that any breach of the regulations applicable to personal data may impose obligations on the Data Controller, in particular notifying the persons concerned as well as the supervisory authorities concerning such breaches.

The Subcontractor undertakes to cooperate with the Data Controller and to assist it in fulfilling its obligations.

It indemnifies the Data Controller against the consequences of any complaints from the persons concerned arising from a breach of the regulations applicable to personal data for which the Subcontractor is responsible.

Thus, the Subcontractor undertakes, at no additional cost, to:

  • Collaborate with the Data Controller in order to guarantee compliance with the obligations incumbent on it in accordance with the applicable regulations on the protection of personal data. In particular, as part of its duty to advise and in a proactive approach, provide all assistance to the Data Controller for carrying out impact assessments relating to the protection of personal data and for carrying out the prior consultation of the supervisory authority, for example by providing all useful information on first request;
  • Provide the Data Controller with all the information necessary to demonstrate compliance with the obligations stipulated in the Contract and incumbent on it with regard to the applicable regulations on the protection of personal data, allow audits to be carried out relating to compliance with the provisions of this Annex, including inspections by the Data Controller or any other mandated auditor, and actively collaborate within the framework of these audits.

4. RIGHT OF INFORMATION OF DATA SUBJECTS

It is the responsibility of the Data Controller to provide the information to the persons concerned by the processing operations at the time of data collection.

5. EXERCISE OF PERSONAL RIGHTS

As far as possible, the Subcontractor must help the Data Controller to fulfill its obligation to respond to requests for the exercise of the rights of data subjects: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, and right not to be the subject of an individual automated decision (including profiling).

When the persons concerned submit requests to exercise their rights to the Subcontractor, the latter, after receiving them, must forward them to the Contractor by e-mail to dpo@experteam.fr.

6. SUBCONTRACTING

The Subcontractor may call on a subsequent Subcontractor to carry out specific processing activities. In this case, he requests prior written authorization from the Contractor for any change envisaged concerning the addition or replacement of other subsequent Subcontractors.

This authorization request must clearly indicate the characteristics of the subcontracting, in particular the processing activities, the identity and contact details of the subsequent Subcontractor, and the duration of the subcontracting contract. The Contractor has a maximum period of one calendar week from the date of receipt of the request to authorize or refuse this subcontracting.

The subsequent Subcontractor is obliged to comply with the obligations of this contract on behalf of and according to the instructions of the Subcontractor.

It is the responsibility of the Subcontractor to ensure that the subsequent Subcontractor presents the same sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the European data protection regulation.

If the subsequent Subcontractor does not fulfill its data protection obligations, the Subcontractor remains fully responsible to the Contractor for the performance by the subsequent Subcontractor of its obligations.

7. TRANSFERS OF DCP OUTSIDE THE EU

The Subcontractor undertakes, whether by reason of the Services that it performs or by reason of the Services carried out within the framework of recourse to the subcontracting authorized under the conditions of the Contract, not to transfer the DCP processed within the framework of the Contract outside the European Union or the countries recognized as providing “adequate protection” without the prior written authorization of the Data Controller, so that the Data Controller can proceed, prior to the transfer, with:

  • The establishment of appropriate guarantees as provided for by the applicable regulations for the protection of personal data;
  • Completing the formalities and obtaining, if necessary, the prior authorization to transfer the personal data on the basis of a commitment from the importer of the personal data obtained within the framework of an alternative personal data protection mechanism accepted by the CNIL;
  • Information of the persons concerned.

The commitments entered into by the Subcontractor under this article cannot be subject to any limitation of liability.

8. DATA OUTPUT

At the end of the provision of services relating to the processing of this data, on the instruction of the Data Controller, the Subcontractor undertakes to:

  • Destroy all personal data; or
  • Return all personal data to the Data Controller; or
  • Return the personal data to the processor designated by the Data Controller.

The return must be accompanied by the destruction of all existing copies in the information systems of the Subcontractor. Once destroyed, the Subcontractor must justify the destruction in writing.

9. DATA PROTECTION OFFICER

The Subcontractor, if it has appointed one, and in accordance with Article 37 of the General Data Protection Regulation, must communicate to the Contractor in the order form the name and contact details of its data protection officer or of its GDPR contact person.

The Contractor will then communicate this information to the Data Controller.

10. REGISTER OF CATEGORIES OF PROCESSING ACTIVITIES

The Subcontractor declares that it keeps in writing a register of all categories of processing activities carried out on behalf of the Data Controller.

11. OBLIGATION OF THE DATA CONTROLLER TOWARDS THE SUBCONTRACTOR

The Data Controller undertakes to:

  • Provide the Subcontractor with the data referred to in Article 2 of these clauses;
  • Document in writing any instructions regarding the processing of data by the Subcontractor;
  • Ensure, beforehand and throughout the duration of the processing, that the Subcontractor complies with the obligations provided for by the European data protection regulation;
  • Oversee the processing, including performing audits and inspections of the Subcontractor.