Protection of Personal Data

PREAMBLE

As the Service Provider may process Personal Data under the Agreement on behalf of the Client, the Parties wish to specify their respective rights and obligations.

DEFINITIONS

In this Agreement, the words or expressions beginning with a capital letter shall have the following meanings:

“Agreement” means the agreement entered into with the Service Provider, to which this annex is attached.

“Personal Data or PD” means any information relating to an identified or identifiable natural person (“Data Subject”), directly or indirectly, in particular by reference to an identification number, location data, online identifiers (for example, username and password), or to one or more factors specific to that individual’s physical, physiological, mental, economic, cultural, or social identity;

“Regulation” means, where applicable, all laws and regulations relating to PD in the European Union and Canada, for example the French Data Protection Act (“Informatique et Libertés”) No. 78‑17 of 6 January 1978 as amended, and the General Data Protection Regulation 2016/679 of 27 April 2016 (“GDPR”), in Québec the Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”); as well as any other applicable law, regulation, recommendation, or opinion replacing, supplementing, amending, extending, restating, or consolidating the Regulation;

“Services” means all services provided by the Service Provider for the Client, as specified in the Agreement;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing. Under the Agreement and this annex, the Controller is the Client;

“Processor” means the natural or legal person, public authority, agency or other body which processes PD on behalf of the Controller and in accordance with its instructions. Under the Agreement and this annex, the Processor is the Service Provider, i.e., GENERIX;

“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

The terms “Personal Data Breach,” “Processing,” “Data Subject,” “Member State,” “Supervisory Authority,” “Standard Contractual Clauses” have the meaning given to them in the Regulation, and similar expressions shall be interpreted accordingly.

ARTICLE 1

GENERAL OBLIGATIONS OF THE CLIENT

  • The Client undertakes to comply with the Regulation under the Agreement.
  • As Processor, GENERIX shall process Personal Data only in accordance with the Client’s documented instructions, as set out in Appendix A of this annex, and solely for the performance of the Services under the Agreement. The Client undertakes to complete Appendix A upon signing the Agreement and no later than four weeks after signature.
    If the Client uses the services covered by the Agreement to process other data or categories of Personal Data, or for other types of Processing not described in Appendix A, the Client does so at its own risk, and GENERIX cannot be held liable for any resulting breach of the Regulation.
    The Client acknowledges that GENERIX only follows the Client’s documented instructions, subject to informing the Client if any instructions appear non‑compliant with the Regulation. Any request from the Client exceeding or modifying the processing instructions listed in Appendix A shall be subject to a separate quotation. Any instruction not documented in writing or not compliant with the Regulation will not be taken into account.
  • As Controller, the Client undertakes to promptly notify GENERIX of any change in the requested services that could result in a potential change in GENERIX’s status as Processor under the Regulation.
  • The Client acknowledges that GENERIX’s commitments under this annex constitute sufficient guarantees of compliance with the Regulation.
  • It is the Client’s responsibility to provide information to the Data Subjects regarding the processing at the time of data collection. At the Controller’s discretion, GENERIX shall assist the Client in fulfilling this information obligation. The terms of such assistance shall be agreed jointly by the Parties.

ARTICLE 2

OBLIGATIONS OF GENERIX TOWARDS THE CLIENT

  • Acting on the Controller’s documented instructions
      – GENERIX undertakes to process the Personal Data covered by this annex in accordance with the purposes of the Services and the instructions in Appendix A, unless GENERIX is required to process the PD under a mandatory provision of EU law or the law of a Member State to which it is subject. In such a case, GENERIX shall inform the Client as soon as possible, and if possible before the processing.
      – If GENERIX considers that an instruction constitutes a violation of the Regulation, it shall inform the Client.
  • Ensure the confidentiality of the Personal Data (PD)
      – GENERIX undertakes to ensure the confidentiality of Personal Data processed under this annex.
      – GENERIX shall ensure that individuals authorised to process Personal Data:
          • Are bound by confidentiality obligations or are subject to an appropriate statutory confidentiality obligation;
          • Receive the necessary awareness training regarding personal data protection.
  • Sub‑processing
      – GENERIX may engage another processor (“Subprocessor”) for specific processing activities. In such case, GENERIX shall inform the Client in writing. GENERIX must ensure that the Subprocessor provides sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing complies with the Regulation. GENERIX must also ensure that all obligations under this annex bind any such Subprocessor.
  • Data Subject rights
      – Where possible, GENERIX shall assist the Client in responding to Data Subjects’ requests to exercise their rights under the Regulation.
      – Where Data Subjects address requests directly to GENERIX, it shall forward them by email to the person designated in Appendix A. GENERIX shall only respond directly to a Data Subject on the Controller’s documented instruction.
      – The Client acknowledges that the aforementioned measures satisfy GENERIX’s obligation to cooperate with and assist the Client in ensuring that the Processing complies with the Regulation. Should it be necessary to implement additional measures, the Parties agree to meet and discuss in good faith the terms of such additional measures, which shall be documented in an amendment to this annex.
  • Notification of Personal Data Breaches
      – A Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to PD transmitted, stored or otherwise processed.
      – GENERIX shall notify the Client of any Personal Data Breach as soon as possible after becoming aware of it and in accordance with the procedure defined by the Controller in Appendix A, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification shall include all useful documentation to enable the Controller, if necessary, to notify the competent Supervisory Authority.
      – The Client acknowledges that the aforementioned measures satisfy GENERIX’s obligation to cooperate with and assist the Client in ensuring that the Processing complies with the Regulation. Should it be necessary to implement additional measures, the Parties agree to meet and discuss in good faith the terms of such additional measures, which shall be documented in an amendment to this annex.
  • Impact assessments
      – GENERIX shall assist the Controller in carrying out data protection impact assessments required under the Regulation.
      – The Client acknowledges that the aforementioned measures satisfy GENERIX’s obligation to cooperate with and assist the Client in ensuring that the Processing complies with the Regulation. Should it be necessary to implement additional measures, the Parties agree to meet and discuss in good faith the terms of such additional measures, which shall be documented in an amendment to this annex.

ARTICLE 3

SECURITY AND CONFIDENTIALITY

  • GENERIX undertakes to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks.
  • GENERIX undertakes to take all necessary precautions, considering the nature of the Data and the risks associated with the Processing, to preserve the security of the Data and to prevent any distortion, alteration, damage, accidental or unlawful destruction, loss, disclosure, and/or any access by unauthorized third parties.
  • The measures implemented by GENERIX must take into account the most up‑to‑date technical capabilities and the cost of their implementation, the characteristics of the processing (nature, scope, purpose, etc.), as well as the risks posed to the rights of the Data Subjects. These measures may include, in particular:
      – Data encryption;
      – Measures ensuring ongoing confidentiality, integrity, availability, and resilience of systems;
      – Measures to restore availability and access to PD in the event of a physical or technical incident;
      – Procedures for testing and evaluating the effectiveness of such measures.
  • The Client acknowledges that the aforementioned measures satisfy GENERIX’s obligation to cooperate with and assist the Client in ensuring that the Processing complies with the Regulation. Should it be necessary to implement additional measures, the Parties agree to meet and discuss in good faith the terms of such additional measures, which shall be documented in an amendment to this annex.

ARTICLE 4

RETURN OR DELETION OF PERSONAL DATA

Upon termination of the Agreement, GENERIX shall, at the Client’s option, either return all processed Personal Data or delete them and retain no copy, and shall certify the deletion in writing, except where retention is required by law.

ARTICLE 5

AUDIT

  • The Client may, if it so wishes, and up to one (1) time per year, conduct, at its own expense, an audit at GENERIX’s premises, directly or through any independent third party that is not a competitor of GENERIX, in order to verify compliance with the measures for the protection of Personal Data processed under the Agreement.
  • If the Client wishes to appoint a third party to carry out the audit, the Client expressly undertakes to have such third party sign a confidentiality agreement and to ensure compliance with its terms.
  • The Client shall provide GENERIX with at least forty-five (45) calendar days’ prior notice of any audit request, including the proposed audit date and the name of any third party appointed to conduct the audit. GENERIX may refuse the audit firm or the individuals designated to perform the audit if the Client’s proposal indicates a conflict of interest and/or if the audit firm is a competitor of GENERIX. In the event of such refusal, GENERIX must notify the Client within eight (8) calendar days following the Client’s audit notice or that of the appointed audit firm (“the Auditor”), in accordance with the conditions defined in the Agreement.
  • The terms and conditions for carrying out the audit shall be set out in a prior written agreement signed by the Parties, which shall specify in particular:
      – The audit schedule, it being understood that the audit may only take place during business days and business hours;
      – The individuals involved;
      – The qualifications of the audit firm and the Auditor, it being understood that the audit firm and Auditor must be ISO 27001 certified and/or GDPR compliant;
      – The procedures for providing the audit report to GENERIX.
  • GENERIX shall cooperate in good faith with the Auditor and shall provide all information, documents or explanations necessary for the audit. Access procedures shall be communicated by GENERIX to the Client and must be respected. Logical connections required to access Client data shall be carried out by GENERIX at the Auditor’s request and, when necessary, in the Auditor’s presence.
  • GENERIX shall bear the cost of the time spent by its staff for audit purposes up to a maximum of one (1) business day per year. Beyond this limit, the audit shall be invoiced at 3,000 (three thousand) euros excluding taxes per business day of audit.
  • The audit report shall be provided free of charge to GENERIX by the auditors or by the Client within the timeframe specified in the audit agreement, so that GENERIX may submit any comments or objections within twenty (20) business days following receipt, by sending a registered letter with acknowledgment of receipt to both the Auditor and the Client. The audit report shall be treated as confidential under the confidentiality provisions of the Agreement.
  • If the audit report identifies a serious breach of Personal Data protection directly and exclusively attributable to GENERIX, GENERIX expressly undertakes to implement, at its own expense, all corrective measures necessary to fulfill its contractual obligations.

ARTICLE 6

INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

6.1. GENERIX hosts, uses, and processes PD in the United States and Québec. The Parties conducted a privacy impact assessment that concluded the processing complies with local legislation.

6.2. Where GENERIX appoints an affiliate or Subprocessor to process PD outside Québec, GENERIX must ensure such processing complies with the requirements of the Regulation.

APPENDIX A: INSTRUCTIONS – SUPPLY CHAIN EXECUTION

The information below is derived from Generix Group’s standard solution mapping. As Controller, the Client must verify its accuracy and completeness. Generix Group cannot, under any circumstances, be held liable in this respect, which the Client expressly acknowledges.

Name of the Controller: [enter the name of the client as shown in the contract header]

Internal contract reference at Generix: [insert OPPY number]

Start date of personal data processing: [date of signature unless another execution date is specified in the Specific Conditions (SC)]

Duration of personal data processing: [insert contract duration]

Purpose of the processing: depending on the subscribed business processes:

  SOLOCHAIN:
  – Manage warehouse operations: storage, receiving/returns, picking, packing, shipping
  – Manage transportation operations: planning, optimization, freight management, documentation management, cost calculation and invoicing
  – Analyze performance

  B TO B INTEGRATION:
  – Monitoring of data flows related to the B2B process
  – Client and/or supplier collaboration platform
  – Tax-compliant electronic invoicing and archiving
  – File transfers, inter-application exchanges
  – Maintenance and support

Categories of Data Subjects whose personal data are processed:
  – Users of the client’s solution and/or its partners
  – Data Subjects included in customer and prospect data

Categories of personal data processed [retain only the subscribed business processes, delete others]:
  – Example: identification data of customers to be delivered (such as first and last name) or warehouse operators and/or truck drivers (operator ID number, supervisor name), contact details of customers to be delivered (such as email, phone number), delivery address, selected transportation mode, lines of customer orders, free‑text fields
  – Contractual status of the Data Subject, license plate number, free‑text fields
  – Email, phone number, delivery address, selected transportation mode, lines of customer orders, free‑text fields

Processing operations performed on the personal data:
  – Recording
  – Storage
  – Access, consultation
  – Disclosure by transmission
  – Erasure
  – Extraction for analysis using business analytics solutions

List of subprocessors as defined under Law 25, subject to future changes: https://generixgroup.file.force.com/servlet/fileField?id=0BE7T00000059q5

Client DPO/Privacy Officer contact information:
  – Name and position: [to be completed]
  – Email: [to be completed]
  – Phone: [to be completed]

Generix NorAm Privacy Officer contact information:
  – Email: noram-rens.pers@generixgroup.com