GROUPAUTO INTERNATIONAL (hereinafter “GAI”) is a leader in the distribution of aftermarket parts. As such, GAI manages networks with members in charge of the distribution of parts.

GAI has developed a project allowing its GROUPAUTO Listed Suppliers to contact the members of the GROUPAUTO networks to propose their products and services to all members of the networks.

In the frame of this project, GAI, the GROUPAUTO Regions, and GROUPAUTO Listed Suppliers will process personal data regarding the Regions, Distributors, and Workshops for different purposes, depending on nature of the processed personal data and the concerned data subjects.

This data processing agreement (“Agreement”) intends to set forth the obligations of GAI as well the Members and Regions in the processing of personal data referring to Members, Regions, Distributors and Workshops.

The Parties agree that GAI may amend the Appendix 1 and 2 of the Agreement from time to time. If so, GAI will inform the Entities in due time of such changes.

If provisions of the Agreement are contrary to any other contractual document relating to the processing of Personal Data listed in Appendix 2, the provision of this Agreement shall prevail upon any other document.

For this purpose, GAI and the Regions and Members will comply with the obligations set out in the Agreement for the processing of these personal data in France.

The purpose of the Agreement is to determine the rights, obligations, and liabilities of each Party in the processing of Data Subjects’ Personal Data by the GROUPAUTO MEMBER and GAI in order to allow the collection and communication of Data Subject’s Personal Data to GROUPAUTO Listed Suppliers allowing them to perform marketing operations towards Distributors and Workshops.

It is agreed by Parties that each of them determines its own purposes and means in the processing of the Distributors and Workshops’ Personal Data listed in Appendix 1 and act as independent Data Controllers.

In application of the Agreement, GAI will act as sole Data Controller in the processing of Personal Data of Entities’ Data Subjects listed in Appendix 2.

The Agreement enters into force as the last date between (i) the release of the Agreement on GAI Intranet or (ii) the date of entry into force of the Distribution Agreement. The Agreement will remain into force for the duration of the Distribution Agreement.

The Personal Data of Data Subjects part of Distributors and Workshops is collected by the Entity directly from Data Subjects as part of the process of adding them to the local GROUPAUTO Distributor or Workshop network.

GAI will process the Personal Data of Entities’ Data Subjects for the purpose of allowing the sending to them of commercial and marketing operational by GROUPAUTO Listed Suppliers, on the basis of either the execution of the contractual relationships between GAI and Entities or the consent of Data Subjects.

The Personal Data collected will be retained by GAI or the GROUPAUTO Listed Suppliers for the duration of the subscription of the Entities to GAI’s network and will then be destroyed.

Personal Data will only be shared with the GROUPATUO Listed Suppliers to allow them to carry out marketing operations towards Entities.

GAI guarantees to process all Personal Data of Entities in accordance with the Regulation on Personal Data and undertakes in particular to take all necessary precautions in order to:

Each Data Subject of Entities, Workshops and Distributors may exercise the Specific Rights conferred upon it by the Regulation on Personal Data with regard to and against each of the Data Controllers, and the Parties shall communicate to each other any request from a Data Subject based on these Specific Rights, as soon as it is received, provided that it relates to the processing of Personal Data carried out within the framework of the Distribution Contract.

The Parties shall jointly examine and analyze the Data Subject's request within a maximum of five (5) working days and, within the same period, shall jointly designate the Party that will respond to the Data Subject. It is agreed that the exercise of their Specific Rights by Entities’ Data Subjects will be managed by Entities in priority, except if specific circumstances justify that GAI manages such request.

The Party concerned will process the request in accordance with the Regulation on Personal Data and will report to the other Party on the follow-up to the Data Subject's request.

The Parties undertake to notify each other as soon as possible of any Data Breach, within a period which may not exceed 36 hours from the time of becoming aware of it, which endangers or has consequences for the Personal Data.

In order, in particular, to enable the Parties to control their communications, each of the Parties undertakes not to inform third parties, including the Data Subjects or the CNIL, with the exception of the GROUPAUTO Listed Suppliers concerned where applicable, of a Data Breach in the context of the Agreement of which it has become aware without having obtained the prior written consent of the other Party within a period of forty-eight (48) hours. Failing to obtain such prior written consent from the other Party, each Party may inform third parties without its direct or indirect liability being incurred in any way whatsoever by the other Party as a result.

The Parties will jointly designate the Party or Parties authorized to communicate on the Data Breach, it being specified that GAI will be given priority for any Data Breach originating in the processing of Personal Data operated by GAI and/or an Entity in the execution of the Agreement.

The Parties will then meet within twelve (12) working hours of notification of the Data Breach to determine whether:

Each Party undertakes to update, at least once a year, a data register of the processing operations it carries out under the Agreement.

The data register shall be maintained by the Data Protection Officer and/or a privileged contact of the Party and shall contain at least the following information:

A general description of the technical and organizational security measures adopted.

GAI shall ensure that it has a written agreement with the GROUPAUTO Listed Suppliers guaranteeing the compliance of the services provided by the latter with the Regulation on Personal Data Regulations and the proper performance of the Distribution Agreement and the Agreement.

In the event of a dispute, claim and/or action by a third party claiming that one of its rights has been infringed, or in the event of an inspection by the CNIL resulting in a fine, only the Party responsible for the element in question shall be liable, where applicable. In order to determine which Parties are liable and the proportion of their liability, the Parties may refer to the decision of the CNIL and/or any final court judgment.

In the event of mixed causality of a claim arising from elements provided by the Parties, their joint liability may be maintained to the extent of the causality.

Each Party therefore undertakes to indemnify the other Party for any damage of any nature whatsoever that the latter may suffer as a result of any challenge or sanction and, in any event, undertakes to pay any damages and interest that the other Party may be ordered to pay, as well as any costs resulting from any judicial or extrajudicial action brought by a third party or by the CNIL or resulting from a data breach.

No settlement agreement may be entered into without the consent of each of the Parties.

Each Party may only be held liable for compensation for actual, personal, and specific loss or damage suffered by the other Party, to the exclusion of any indirect loss or damage, such as loss of turnover, customers or reputation, suffered by the other Party as a result of the performance or non-performance, even partial, of this Agreement.

Each Party shall do everything in its power to minimize any damage it may suffer as a result of the application of this Agreement.

In no event shall either party be liable for the processing of personal data by the other Party for which it does not act as joint controller with the other party.

The Parties undertake to collaborate and co-operate actively and to provide each other or facilitate each other's consultation or transmission in good time of all the elements and/or documents that they may require for the proper performance of their obligations under the Agreement and to meet as soon as possible in the event of difficulties in its performance.

Each Party undertakes to behave at all times towards the other Party as a loyal partner acting in good faith and, in particular, to inform the other party without delay of any dispute or difficulty which it may encounter in the performance of the Agreement.

The Parties have appointed a Data Protection Officer and a single point of contact for all notifications provided for in this Agreement, whose contact details are set out below:

All notices required to be given under the terms of the Agreement shall be in writing and sent to the above addresses. All notices given in accordance with the provisions of this article shall be effective: (a) at the time of delivery, in the case of delivery by hand against a receipt; (b) on the date of the first presentation of the letter to the addressee by the services of La Poste, in the case of sending by registered mail with acknowledgement of receipt; or (c) on the date of sending the notice by electronic mail.

Personal Data of Workshops’ and Distributors’ Data Subjects are the following:

Personal Data of Entities’ Data Subjects are the following: