GROUPAUTO INTERNATIONAL (hereinafter “GAI”) is a leader in the distribution of aftermarket parts. As such, GAI manages networks with members in charge of the distribution of parts.
GROUPAUTO INTERNATIONAL has developed a project allowing its GROUPAUTO Listed Suppliers to access its Intranet and to contact the different members of the GROUPAUTO INTERNATIONAL networks to propose their products and services to all members of the networks.
The conditions of access to the Intranet by the Listed Suppliers are set out in the Terms & Conditions, accessible here
( Terms & Conditions ).
This data processing agreement (“Agreement”) intends to set forth the obligations of GAI as well the GROUPAUTO Listed Suppliers in the processing of Data subjects’ personal data for the sole marketing purpose by Listed Suppliers.
The Parties agree that GAI may amend the Appendix 1 of the Agreement from time to time. If so, GAI will inform the Listed Suppliers in due time of such changes.
For this purpose, GAI and GROUPAUTO Listed Suppliers will comply with the obligations set out in the Agreement for the processing of these personal data in France.
The purpose of the Agreement is to determine the rights, obligations, and liabilities of each Party in the processing of Data Subjects’ Personal Data by Listed Suppliers and GAI in order to allow the collection and communication of Data Subject’s Personal Data to Listed Suppliers allowing them to perform marketing operations towards Data Subjects.
It is agreed by Parties that each of them determines its own purposes and means in the processing of the Data Subjects’ Personal Data listed in Appendix 1 and act as independent Data Controllers.
The Agreement enters into force at the date of the release of the Agreement on GAI Intranet. The Agreement is applicable each time the Listed Suppliers access GAI Intranet.
The Personal Data of Data Subjects is collected by the GAI and transferred to Listed Suppliers.
The Personal Data of Data Subjects collected will be retained by Listed Suppliers for the duration of the subscription of the Entities to GAI’s network or until the Data Subjects withdraw their consent to receive commercial communications from Listed Suppliers and will then be destroyed.
Before sending any commercial communication to Data Subjects, Listed Suppliers shall verify that Entities are member of the GAI network and that the Data Subjects did not withdraw their consent to receive such communications.
Listed Suppliers guarantees to process all Personal Data of Data Subjects in accordance with the Regulation on Personal Data and undertakes in particular to take all necessary precautions in order to :
Listed Suppliers guarantee to use the Personal Data in accordance with the Agreement, within the limits of the Mandatory Information given to the Data Subject by the Entity and within the limits of the consent obtained by GAI, subject to the latter's compliance with its contractual obligations relating to this Agreement and its legal obligations relating to the Personal Data Regulations in this respect.
Listed Suppliers shall provide GAI with all necessary information, in a timely manner, to enable GAI to comply with its Mandatory Information obligations to Data Subjects and to obtain their consent to perform the GTC in accordance with the Agreement.
GAI will provide, upon request from the Data Subjects sent to the address 147 Avenue Charles de Gaulle, 92200, Neuilly sur Seine, France, all information requested by the latter in order to ensure compliance with the Regulation on Personal Data when processing Personal Data by GAI such as, in particular, the security measures put in place to ensure the protection of Personal Data and the identity of the Recipients.
GAI declares and guarantees to provide the Mandatory Information to Data Subjects and in particular:
In the absence of prior consent from the Data Subjects to the processing of its Personal Data, where applicable after consent, no Personal Data will be processed by GAI and transferred to Data Subjects.
GAI must be able to provide certain, individual and time-stamped proof of the collection of consent from the Data Subjects and to demonstrate that the mechanism put in place, where applicable by a third party, has all the characteristics required to collect valid consent (free, specific, informed and unambiguous) and complies with the GAI's contractual obligations under this Agreement and the GAI's legal obligations under the Regulation on Personal Data.
Each Data Subject may exercise the Specific Rights conferred upon it by the Regulation on Personal Data with regard to and against each of the Data Controllers, and the Parties shall communicate to each other any request from a Data Subject based on these Specific Rights, as soon as it is received, provided that it relates to the processing of Personal Data carried out for the purposes of sending commercial operations to Data Subjects.
The Parties shall jointly examine and analyze the Data Subject's request within a maximum of five (5) working days and, within the same period, shall jointly designate the Party that will respond to the Data Subject. It is agreed that the exercise of their Specific Rights by Data Subjects will be managed by GAI in priority.
The Party concerned will process the request in accordance with the Regulation on Personal Data and will report to the other Party on the follow-up to the Data Subject's request.
The Parties undertake to notify each other as soon as possible of any Data Breach, within a period which may not exceed 36 hours from the time of becoming aware of it, which endangers or has consequences for the Personal Data.
In order, in particular, to enable the Parties to control their communications, each of the Parties undertakes not to inform third parties, including the Data Subjects or the CNIL, of a Data Breach in the context of the Agreement of which it has become aware without having obtained the prior written consent of the other Party within a period of forty-eight (48) hours. Failing to obtain such prior written consent from the other Party, each Party may inform third parties without its direct or indirect liability being incurred in any way whatsoever by the other Party as a result.
The Parties will jointly designate the Party or Parties authorized to communicate on the Data Breach, it being specified that GAI will be given priority.
The Parties will then meet within twelve (12) working hours of notification of the Data Breach to determine whether:
Each Party undertakes to update, at least once a year, a data register of the processing operations it carries out under the Agreement.
The data register shall be maintained by the Data Protection Officer and/or a privileged contact of the Party and shall contain at least the following information:
A general description of the technical and organizational security measures adopted.
GAI shall ensure that it has a written agreement with the Entities guaranteeing the compliance of processing of Personal Data by both GAI and Listed Suppliers with the Regulation on Personal Data Regulations and the proper performance of the GTC and the Agreement.
In the event of a dispute, claim and/or action by a third party claiming that one of its rights has been infringed, or in the event of an inspection by the CNIL resulting in a fine, only the Party responsible for the element in question shall be liable, where applicable. In order to determine which Parties are liable and the proportion of their liability, the Parties may refer to the decision of the CNIL and/or any final court judgment.
In the event of mixed causality of a claim arising from elements provided by the Parties, their joint liability may be maintained to the extent of the causality.
Each Party therefore undertakes to indemnify the other Party for any damage of any nature whatsoever that the latter may suffer as a result of any challenge or sanction and, in any event, undertakes to pay any damages and interest that the other Party may be ordered to pay, as well as any costs resulting from any judicial or extrajudicial action brought by a third party or by the CNIL or resulting from a data breach.
No settlement agreement may be entered into without the consent of each of the Parties.
Each Party may only be held liable for compensation for actual, personal, and specific loss or damage suffered by the other Party, to the exclusion of any indirect loss or damage, such as loss of turnover, customers or reputation, suffered by the other Party as a result of the performance or non-performance, even partial, of this Agreement.
Each Party shall do everything in its power to minimize any damage it may suffer as a result of the application of this Agreement.
In no event shall either party be liable for the processing of personal data by the other Party for which it does not act as joint controller with the other party.
The Parties undertake to collaborate and co-operate actively and to provide each other or facilitate each other's consultation or transmission in good time of all the elements and/or documents that they may require for the proper performance of their obligations under the Agreement and to meet as soon as possible in the event of difficulties in its performance.
Each Party undertakes to behave at all times towards the other Party as a loyal partner acting in good faith and, in particular, to inform the other party without delay of any dispute or difficulty which it may encounter in the performance of the Agreement.
The Parties have appointed a Data Protection Officer and a single point of contact for all notifications provided for in this Agreement, whose contact details are set out below:
All notices required to be given under the terms of the Agreement shall be in writing and sent to the above addresses. All notices given in accordance with the provisions of this article shall be effective: (a) at the time of delivery, in the case of delivery by hand against a receipt; (b) on the date of the first presentation of the letter to the addressee by the services of La Poste, in the case of sending by registered mail with acknowledgement of receipt; or (c) on the date of sending the notice by electronic mail.
Personal Data of Entities’ Data Subjects are the following: