DPA - Data Processing Agreement
This Data Processing Agreement (DPA) sets out the terms under which Magileads, acting as a data processor, processes personal data on behalf of the Client. This DPA reproduces the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/915 (available at: https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX:32021D0915 ).
It complements the contract between Magileads and the Client and is incorporated into the Contract formed by the Client's acceptance of the General Terms and Conditions of Use (accessible at the following address: https://www.magileads.com/cgu-conditions-generales-d-utilisation/ ), including the Magileads Privacy Policy (accessible at the following address: https://www.magileads.com/accord-de-confidentialite/ ).
In case of conflict with the Contract, the DPA prevails.
Since Magileads acts as a processor, the Client is deemed to act as Data Controller for all processing other than that carried out by Magileads for its own purposes, as described in the Magileads Privacy Policy.
If the Client itself acts as a processor on the instructions of a third-party data controller, the Client undertakes to:
- obtain from the Data Controller all authorizations necessary to enter into this DPA;
- declare Magileads to the Data Controller as a sub-processor;
- have entered into a contract with the Data Controller that complies with Article 28 of the GDPR and is consistent with this DPA and with the Contract concluded between Magileads and the Client;
- give Magileads instructions consistent with those it has received from the Data Controller; Magileads does not take instructions directly from the Data Controller, except where the Client has transferred its rights and obligations to the Data Controller, who must provide proof of that transfer;
- make this DPA available to the Data Controller.
The Client remains fully liable to Magileads for the Data Controller's compliance with this DPA. The Client releases Magileads from all liability for any breach of applicable law by the Data Controller, and for any action, claim or complaint brought by the Data Controller in relation to this DPA, the Contract between Magileads and the Client, or the instructions given by the Client to Magileads.
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses (hereinafter the "clauses") is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(b) The controller(s) and processor(s) have agreed to these clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
(c) These clauses apply to the processing of personal data as described in Annex I.
(d) Annexes I to III form an integral part of the clauses.
(e) These clauses are without prejudice to the obligations to which the controller is subject under Regulation (EU) 2016/679.
(f) These clauses alone do not ensure compliance with the obligations relating to international transfers under Chapter V of Regulation (EU) 2016/679.
Clause 2
Invariability of clauses
(a) The parties undertake not to modify the clauses, except to add information to the annexes or to update the information contained therein.
(b) This does not prevent the parties from including these standard contractual clauses in a broader contract, or from adding other clauses or additional safeguards, provided that these do not directly or indirectly contradict the clauses or prejudice the fundamental rights and freedoms of data subjects.
Clause 3
Interpretation
(a) Where these clauses use terms defined in Regulation (EU) 2016/679, those terms have the same meaning as in that Regulation.
(b) These clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or that prejudices the fundamental rights or freedoms of data subjects.
Clause 4
Hierarchy
In the event of any conflict between these clauses and the provisions of related agreements existing between the parties at the time these clauses are agreed upon or subsequently entered into, these clauses shall prevail.
Clause 5
Docking clause
(a) Any entity that is not a party to these clauses may, with the agreement of all the parties, accede to them at any time, either as a controller or as a processor, by completing the annexes.
(b) Once the annexes referred to in point (a) are completed and signed, the acceding entity is treated as a party to these clauses and has the rights and obligations of a controller or of a processor, as applicable.
(c) These clauses create no rights or obligations for the acceding party for the period before its accession.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 6
Description of the processing
Details of the processing operations, and in particular the categories of personal data and the purposes of the processing for which the personal data are processed on behalf of the controller, are specified in Annex I.
Clause 7
Obligations of the parties
7.1. Instructions
(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In that case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. The controller may issue further instructions at any time during the processing of personal data. These instructions shall always be documented.
(b) The processor shall immediately inform the controller if, in its opinion, an instruction given by the controller infringes Regulation (EU) 2016/679 or other Union or Member State data protection provisions.
7.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing set out in Annex I, unless it receives further instructions from the controller.
7.3. Duration of the processing of personal data
Processing by the processor shall take place only for the duration specified in Annex I.
7.4. Security of processing
(a) The processor shall implement at least the technical and organizational measures specified in Annex II to ensure the security of the personal data. This includes protecting the data against a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to data subjects.
(b) The processor shall grant its staff access to the personal data being processed only to the extent strictly necessary for the performance, management and monitoring of the contract. The processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.5. Sensitive Data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person's sex life or sexual orientation, or data relating to criminal convictions and offences ("sensitive data"), the processor shall apply specific restrictions and/or additional safeguards.
7.6 Documentation and compliance
(a) The parties shall be able to demonstrate compliance with these clauses.
(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these clauses.
(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations set out in these clauses and stemming directly from Regulation (EU) 2016/679. At the controller's request, the processor shall also permit and contribute to audits of the processing activities covered by these clauses, at reasonable intervals or where there are indications of non-compliance. In deciding on a review or audit, the controller may take into account relevant certifications held by the processor.
(d) The controller may choose to conduct the audit itself or to mandate an independent auditor. Audits may also include inspections of the processor's premises or physical facilities and shall, where appropriate, be carried out with reasonable notice.
(e) The parties shall make the information referred to in this clause, including the results of any audits, available to the competent supervisory authority(ies) on request.
7.7. Use of sub-processors
(a) The processor has the controller's general authorization to engage sub-processors from an agreed list. The processor shall specifically inform the controller in writing of any intended change to that list, such as the addition or replacement of sub-processors, at least 30 (thirty) days in advance, thereby giving the controller sufficient time to object to the change before the sub-processor(s) concerned are engaged. The processor shall provide the controller with the information necessary to enable it to exercise its right to object.
(b) Where the processor engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a contract that imposes on the sub-processor, in substance, the same data protection obligations as those imposed on the processor under these clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is itself subject under these clauses and under Regulation (EU) 2016/679.
(c) At the controller's request, the processor shall provide a copy of the sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the agreement before sharing the copy.
(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor's obligations under its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
(e) The processor shall agree a third-party beneficiary clause with the sub-processor whereby, in the event that the processor has factually disappeared, ceased to exist in law or become insolvent, the controller has the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
7.8. International Transfers
(a) Any transfer of data to a third country or an international organisation by the processor shall be carried out only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject, and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
(b) The controller agrees that where the processor engages a sub-processor in accordance with clause 7.7 to carry out specific processing activities (on behalf of the controller), and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using the standard contractual clauses adopted by the Commission on the basis of Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the use of those standard contractual clauses are met.
Clause 8
Assistance to the controller
(a) The processor shall promptly notify the controller of any request it has received from a data subject. It shall not respond to the request itself, unless authorized to do so by the controller.
(b) The processor shall assist the controller in fulfilling its obligation to respond to data subjects' requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations under points (a) and (b), the processor shall comply with the controller's instructions.
(c) In addition to the processor's obligation to assist the controller under clause 8(b), the processor shall also assist the controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to the processor:
(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a "data protection impact assessment") where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authority(ies) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
(3) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
(4) the obligations laid down in Article 32 of Regulation (EU) 2016/679.
(d) The parties shall set out in Annex II the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this clause, as well as the scope and extent of the assistance required.
Clause 9
Notification of personal data breaches
In the event of a personal data breach, the processor shall cooperate with the controller and assist the controller in complying with the obligations incumbent upon it under Articles 33 and 34 of Regulation (EU) 2016/679, taking into account the nature of the processing and the information available to the processor.
9.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
(a) in notifying the personal data breach to the competent supervisory authority(ies) as soon as possible after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller's notification and must at least include:
(1) the nature of the personal data including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(2) the likely consequences of the personal data breach;
(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information available at that time and further information shall, as it becomes available, subsequently be provided without undue delay;
(c) in complying with the obligation under Article 34 of Regulation (EU) 2016/679 to communicate the personal data breach to the data subject without undue delay, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2 Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller as soon as possible after becoming aware of it. The notification shall contain at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and personal data records concerned);
(b) the details of a contact point from which more information about the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information available at that time and further information shall, as it becomes available, subsequently be provided without undue delay.
The parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in complying with the controller's obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III – FINAL PROVISIONS
Clause 10
Non-compliance with the clauses and termination
(a) Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these clauses, for whatever reason.
(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these clauses if:
(1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and compliance with these clauses is not restored within a reasonable time and in any event within one month following suspension;
(2) the processor is in substantial or persistent breach of these clauses or its obligations under Regulation (EU) 2016/679;
(3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority(ies) regarding its obligations pursuant to these clauses or to Regulation (EU) 2016/679.
(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with clause 7.1(b), the controller insists on compliance with the instructions.
(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all the personal data to the controller and delete existing copies, unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these clauses.
ANNEX I
Description of the processing
Categories of personal data processed and data subjects
The types of Personal Data and the categories of data subjects are determined and controlled by the Client, at its sole discretion, through its use of the Magileads Platform.
In order to ensure the security of the Platform, error handling and access logging, Magileads processes the following personal data on behalf of the Client: the IP address and User-Agent of connections to the Platform (including access to applications hosted on the Platform by the Client), and the addresses (URLs) of the resources accessed.
Nature of the processing
The processing operations carried out by Magileads on Personal Data may include computation, classification, organisation, storage and securing of the data, and any other processing carried out by the Client in the course of its use of the Magileads Platform.
Duration of the processing
The processing covered by this DPA is carried out for the duration of the Contract, or for any shorter period under the exclusive control of the Client.
ANNEX II
Technical and organizational measures, including technical and organizational measures to ensure data security
Magileads implements organizational and technical measures to ensure the security and confidentiality of the data processed on behalf of the Client. These measures include, in particular:
- encryption of data in transit and at rest;
- physical security measures (including identity checks) and logical control of access rights to the Magileads servers and to the data center rooms housing those servers;
- strong authentication for all access to data belonging to Magileads and to its clients;
- physical and/or logical isolation of the personal and non-personal data of the different Magileads clients;
- procedures for the systematic application, as promptly as possible, of the security patches for vulnerabilities published in CERT-FR advisories;
- confidentiality undertakings required from all employees and service providers acting on behalf of Magileads;
- logging of the actions performed on Magileads' information systems.
The following is designated as the data controller:
Francois KOLLI,
DPO – dpo@magileads.eu , KA-Groupe – MAGILEADS,
40 Rue de Plaisance, 75014 Paris
RCS / SIRET number: 848746632
APE code: 7022Z