AGREEMENT BETWEEN GAI AND GROUPAUTO LISTED SUPPLIERS FOR THE PROCESSING OF PERSONAL DATA FOR MARKETING PURPOSES
GROUPAUTO INTERNATIONAL (hereinafter “GAI”) is a leader in the distribution of aftermarket parts. As such, GAI manages networks with members in charge of the distribution of parts.
GROUPAUTO INTERNATIONAL has developed a project allowing its GROUPAUTO Listed Suppliers to access its Intranet and to contact the different members of the GROUPAUTO INTERNATIONAL networks to propose their products and services to all members of the networks.
The conditions of access to the Intranet by the Listed Suppliers are set out in the Terms & Conditions, accessible here
( Terms & Conditions ).
This data processing agreement (“Agreement”) intends to set forth the obligations of GAI as well the GROUPAUTO Listed Suppliers in the processing of Data subjects’ personal data for the sole marketing purpose by Listed Suppliers.
The Parties agree that GAI may amend the Appendix 1 of the Agreement from time to time. If so, GAI will inform the Listed Suppliers in due time of such changes.
For this purpose, GAI and GROUPAUTO Listed Suppliers will comply with the obligations set out in the Agreement for the processing of these personal data in France.
- 1.1. CNIL: means the Commission Nationale pour l'Informatique et les Libertés (CNIL), the independent French administrative authority responsible for ensuring compliance with the Personal Data Regulations in France and/or any locally competent authority in this area for the territory concerned by the Agreement.
- 1.2. Data Breach: means any event resulting in the accidental or unlawful destruction, loss, modification, disclosure, or unauthorized access of the Data Subject's Personal Data
- 1.3. Data Controller: has the meaning given by the Regulation on Personal Data.
- 1.4. Data subject: means the natural person whose Personal Data is collected and processed for marketing purposes under the Agreement, and which are employees of Entities.
- 1.5. GTC: designate the general terms and conditions of use of GAI’s Intranet that Listed Suppliers must accept to access the said Intranet.
- 1.6. Entity: means all the entities which are member of GROUPAUTO international, based on the territory of France.
- 1.7. Mandatory Information: means all the information that must be communicated by the Data Controller to the Data Subject, in accordance with the Agreement and the Personal Data Regulations.
- 1.8. Recipient: has the meaning given by the Regulation on Personal Data.
1.9. Regulation on Personal Data: means the (i) Law no. 78-17 of 6 January 1978 on data processing, data files and individual liberties, as last amended by Order no. 2018-1125 of 12 December 2018 and commonly referred to as the "Loi Informatique et Libertés,
(ii) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,
commonly known as the General Data Protection Regulation or "GDPR" and (iii) the guidelines and recommendations of the CNIL and/or the European Data Protection Committee, in the form of opinions and guidelines.
- 1.10. Party(ies): means GAI and/or the Entity.
- 1.11. Personal Data: has the meaning given by the Regulation on Personal Data, which are collected and processed under the Contract.
- 1.12. Specific Rights: means the rights granted to Data Subjects by the Personal Data Regulation and in particular: the right of access, the right of rectification, the right to erasure, the right to limitation of processing, the right to portability, the right to object, the right to give post-mortem instructions, the right not to be subject to an automated individual decision (including profiling) and the right to lodge a complaint with the CNIL.
- 1.13. GROUPAUTO Listed Suppliers: means the suppliers of GAI and its members who will send marketing emails and more generally contact and propose products and services.
The purpose of the Agreement is to determine the rights, obligations, and liabilities of each Party in the processing of Data Subjects’ Personal Data by Listed Suppliers and GAI in order to allow the collection and communication of Data Subject’s Personal Data to Listed Suppliers allowing them to perform marketing operations towards Data Subjects.
It is agreed by Parties that each of them determines its own purposes and means in the processing of the Data Subjects’ Personal Data listed in Appendix 1 and act as independent Data Controllers.
The Agreement enters into force at the date of the release of the Agreement on GAI Intranet. The Agreement is applicable each time the Listed Suppliers access GAI Intranet.
The Personal Data of Data Subjects is collected by the GAI and transferred to Listed Suppliers.
- 4.1. Obligations of Listed Suppliers
The Personal Data of Data Subjects collected will be retained by Listed Suppliers for the duration of the subscription of the Entities to GAI’s network or until the Data Subjects withdraw their consent to receive commercial communications from Listed Suppliers and will then be destroyed.
Before sending any commercial communication to Data Subjects, Listed Suppliers shall verify that Entities are member of the GAI network and that the Data Subjects did not withdraw their consent to receive such communications.
Listed Suppliers guarantees to process all Personal Data of Data Subjects in accordance with the Regulation on Personal Data and undertakes in particular to take all necessary precautions in order to :
- Preserve the security of and access to the Personal Data collected.
- Prevent the said Personal Data from being distorted, damaged or communicated to unauthorized persons.
- To ensure that persons authorized to process Personal Data collected in this way undertake to respect confidentiality or are subject to an appropriate legal or contractual obligation of confidentiality.
- Not to transfer Personal Data outside the European Economic Area unless one of the specific guarantees imposed by the Personal Data Regulations has been adopted and formalized with the Recipient(s) of the Personal Data concerned.
- To share Personal Data only with Recipients, including its Listed Suppliers, who comply with the Regulation on Personal Data.
- Not to use the Personal Data processed for purposes other than those specified by GAI under the GTC and the Agreement.
Listed Suppliers guarantee to use the Personal Data in accordance with the Agreement, within the limits of the Mandatory Information given to the Data Subject by the Entity and within the limits of the consent obtained by GAI, subject to the latter's compliance with its contractual obligations relating to this Agreement and its legal obligations relating to the Personal Data Regulations in this respect.
Listed Suppliers shall provide GAI with all necessary information, in a timely manner, to enable GAI to comply with its Mandatory Information obligations to Data Subjects and to obtain their consent to perform the GTC in accordance with the Agreement.
GAI will provide, upon request from the Data Subjects sent to the address 147 Avenue Charles de Gaulle, 92200, Neuilly sur Seine, France, all information requested by the latter in order to ensure compliance with the Regulation on Personal Data when processing Personal Data by GAI such as, in particular, the security measures put in place to ensure the protection of Personal Data and the identity of the Recipients.
- 4.2. Obligations of GAI
GAI declares and guarantees to provide the Mandatory Information to Data Subjects and in particular:
- The precise purposes of the processing of Data Subjects’ Personal Data collected by Entities, in accordance with the purposes communicated by GAI.
- The Data Processors linked to the processing of Data Subject’s Personal Data. If necessary, GAI will decide whether or not to update the information communicated to the Data Subjects depending on the extent of the updates to the information to be provided, and will bear the consequences of such an update.
- Informing the Data Subjects of their right and ability to object, at any time, to the processing of their Personal Data and to receive marketing operations.
- The broad outlines of this Agreement.
- The possibility of consenting or refusing or modifying the choice already made, in the same way, by a clear positive act, independently and specifically for each distinct purpose or category of purposes of Personal Data processing.
In the absence of prior consent from the Data Subjects to the processing of its Personal Data, where applicable after consent, no Personal Data will be processed by GAI and transferred to Data Subjects.
GAI must be able to provide certain, individual and time-stamped proof of the collection of consent from the Data Subjects and to demonstrate that the mechanism put in place, where applicable by a third party, has all the characteristics required to collect valid consent (free, specific, informed and unambiguous) and complies with the GAI's contractual obligations under this Agreement and the GAI's legal obligations under the Regulation on Personal Data.
Each Data Subject may exercise the Specific Rights conferred upon it by the Regulation on Personal Data with regard to and against each of the Data Controllers, and the Parties shall communicate to each other any request from a Data Subject based on these Specific Rights, as soon as it is received, provided that it relates to the processing of Personal Data carried out for the purposes of sending commercial operations to Data Subjects.
The Parties shall jointly examine and analyze the Data Subject's request within a maximum of five (5) working days and, within the same period, shall jointly designate the Party that will respond to the Data Subject. It is agreed that the exercise of their Specific Rights by Data Subjects will be managed by GAI in priority.
The Party concerned will process the request in accordance with the Regulation on Personal Data and will report to the other Party on the follow-up to the Data Subject's request.
The Parties undertake to notify each other as soon as possible of any Data Breach, within a period which may not exceed 36 hours from the time of becoming aware of it, which endangers or has consequences for the Personal Data.
In order, in particular, to enable the Parties to control their communications, each of the Parties undertakes not to inform third parties, including the Data Subjects or the CNIL, of a Data Breach in the context of the Agreement of which it has become aware without having obtained the prior written consent of the other Party within a period of forty-eight (48) hours. Failing to obtain such prior written consent from the other Party, each Party may inform third parties without its direct or indirect liability being incurred in any way whatsoever by the other Party as a result.
The Parties will jointly designate the Party or Parties authorized to communicate on the Data Breach, it being specified that GAI will be given priority.
The Parties will then meet within twelve (12) working hours of notification of the Data Breach to determine whether:
- The documentation required to notify the CNIL of this Data Breach within 72 hours, as well as any additional documentation to be sent to the CNIL after notification.
- The forms and methods of notification.
- Whether or not it is necessary to notify the data subjects of the data breach.
- The documentation required to notify data subjects of the breach.
- The forms and methods of notification.
Each Party undertakes to update, at least once a year, a data register of the processing operations it carries out under the Agreement.
The data register shall be maintained by the Data Protection Officer and/or a privileged contact of the Party and shall contain at least the following information:
- The name and contact details of the Party and its DPO.
- The purposes of the identified personal data processing operations.
- A description of the categories of data subjects and categories of personal data.
- The categories of recipients to whom the Personal Data has been and/or will be communicated, including recipients located outside the European Economic Area.
- Where applicable, transfers of Personal Data to Recipients located outside the European Economic Area, identification of the third country or international organization and, in the case of such transfers, documents justifying the guarantees implemented in accordance with the Personal Data Regulations.
A general description of the technical and organizational security measures adopted.
GAI shall ensure that it has a written agreement with the Entities guaranteeing the compliance of processing of Personal Data by both GAI and Listed Suppliers with the Regulation on Personal Data Regulations and the proper performance of the GTC and the Agreement.
In the event of a dispute, claim and/or action by a third party claiming that one of its rights has been infringed, or in the event of an inspection by the CNIL resulting in a fine, only the Party responsible for the element in question shall be liable, where applicable. In order to determine which Parties are liable and the proportion of their liability, the Parties may refer to the decision of the CNIL and/or any final court judgment.
In the event of mixed causality of a claim arising from elements provided by the Parties, their joint liability may be maintained to the extent of the causality.
Each Party therefore undertakes to indemnify the other Party for any damage of any nature whatsoever that the latter may suffer as a result of any challenge or sanction and, in any event, undertakes to pay any damages and interest that the other Party may be ordered to pay, as well as any costs resulting from any judicial or extrajudicial action brought by a third party or by the CNIL or resulting from a data breach.
No settlement agreement may be entered into without the consent of each of the Parties.
Each Party may only be held liable for compensation for actual, personal, and specific loss or damage suffered by the other Party, to the exclusion of any indirect loss or damage, such as loss of turnover, customers or reputation, suffered by the other Party as a result of the performance or non-performance, even partial, of this Agreement.
Each Party shall do everything in its power to minimize any damage it may suffer as a result of the application of this Agreement.
In no event shall either party be liable for the processing of personal data by the other Party for which it does not act as joint controller with the other party.
The Parties undertake to collaborate and co-operate actively and to provide each other or facilitate each other's consultation or transmission in good time of all the elements and/or documents that they may require for the proper performance of their obligations under the Agreement and to meet as soon as possible in the event of difficulties in its performance.
Each Party undertakes to behave at all times towards the other Party as a loyal partner acting in good faith and, in particular, to inform the other party without delay of any dispute or difficulty which it may encounter in the performance of the Agreement.
The Parties have appointed a Data Protection Officer and a single point of contact for all notifications provided for in this Agreement, whose contact details are set out below:
All notices required to be given under the terms of the Agreement shall be in writing and sent to the above addresses. All notices given in accordance with the provisions of this article shall be effective: (a) at the time of delivery, in the case of delivery by hand against a receipt; (b) on the date of the first presentation of the letter to the addressee by the services of La Poste, in the case of sending by registered mail with acknowledgement of receipt; or (c) on the date of sending the notice by electronic mail.
Personal Data of Entities’ Data Subjects are the following:
- Contact Name
- Contact Phone Number
- Contact Email Address