Appendix: Protection of Personal Information

Preamble
The Client, being in charge of the Processing of Personal Information under this Appendix for the Protection of Personal Information (“Agreement”), has determined the purposes and means of the Processing(s) that Talan will execute in the performance of the Services as Subcontractor.
The Parties hereby acknowledge the need to ensure that the Processing of Personal Information complies with the regulations in force. Each Party therefore warrants the means it implements to ensure the compliance of the Processing, including an appropriate level of security.
Now, therefore, the Parties hereto agree as follows:
1. Object
Talan is aware that, in the performance of the services, it will have access to Client’s Personal Information.
The object of this Appendix is to set out the conditions in which Talan, as a Subcontractor, will process Personal Information as defined in each Statement of Work in conformity with section 3 provided herein, the whole on behalf of the Client.
The Client hereby authorizes Talan, for the duration and only for the purposes of each Statement of Work, to process Personal Information that is needed for the performance of the services as defined under such Statement of Work.
The Client remains solely responsible for the Processing of Personal Information and retains full ownership thereof, including for any modifications or additions that may be made to it by Talan.
Talan undertakes to comply with Client’s instructions and to process Personal Information under Client’s instructions and solely on Client’s behalf. Unless expressly authorized to do so, Talan shall not process Personal Information for its own personal needs or on behalf of a Third Party.
Therefore, Talan shall use all necessary technical and organizational measures to protect Personal Information and shall take all appropriate precautions to maintain its security, availability, confidentiality, and integrity, in particular against accidental or unlawful destruction, accidental loss, alteration, distribution or unauthorized access.
3. Description of the Processing of Personal Information
For the execution of each statement of work, the Client agrees that it will instruct Talan as to the type of Personal Information to be processed by Talan and the nature of the Processing to be performed. Such instructions shall be given in the form of the following table:
Field | Guidance | To be completed
Provided Services | Summarize the services to provide under the terms of the Statement of Work. | [TO BE COMPLETED: kindly describe the services to be provided by Talan]
Nature of Processing operations | Specify whether the Processing consists of collection, recording, management, storage, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination or any other form of transmission, reconciliation or interconnection, blocking, deletion or data destruction. E.g.: data collection, storage, transfer, etc. | Check the appropriate boxes: ☐ Collection
Processing purposes | Specify the purposes of the Processing implemented through the services described in the Statement of Work. E.g.: to ensure the maintenance of the software X, database duplication, provide training to staff, carry out surveys, send e-mails on behalf of Talan, etc. | Specify the purpose:
Categories of people concerned | Specify the categories of people whose Personal Information will be processed in the performance of the Statement of Work or equivalent contractual document, whether it is the purpose of this Statement of Work or not (collected, used, modified, etc.). | Check the appropriate boxes and complete if needed. ☐ Talan’s Clients
Categories of Personal Information | Any information concerning an identified or identifiable person, including his/her name, identification number, geolocation data, or one or more physiological, genetic, economic, cultural, or social elements specific to him/her. | Check the appropriate boxes and complete if needed. ☐ Identification data (e.g.: first name, last name, phone number, address, etc.)
Special categories of Personal Information | Also known as “Sensitive Personal Information”: any Information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership, as well as the Processing of genetic data, biometric data and any Processing of Information concerning health, sex life, criminal record and Personal Information relating to illegal or prohibited behaviour. E.g.: health data, political beliefs, sexual orientation, etc. | Check the appropriate boxes and complete if needed. ☐ No.
Processing location(s) | E.g.: Information hosted in Argentina (specify the address), support teams/hotline located in Tunisia (specify the address), sub-tier subcontractor accessing Information from India (specify the address), etc. | [TO BE COMPLETED: kindly specify where processing will be done (hosting, storage, back-up, maintenance, moderation, helpdesk, etc.)] Is there any transfer outside of the Province of Québec? ☐ No
Identity of Talan’s subsequent subcontractors | Specify the juridical form and the address of the subcontractor(s) used by Talan in the performance of the services. Specify which services have been assigned to each subcontractor by Talan. E.g.: the subcontractor X has been assigned the data hosting, the subcontractor Y has been assigned the support service, etc. | [TO BE COMPLETED: please specify the subcontractors acting on behalf of Talan] Are there subsequent subcontractors (Talan subcontractors)? ☐ No. ☐ Yes. If so, kindly fill out the table below:
Processing Duration | | Check the appropriate boxes and complete if needed. ☐ The duration of the Processing is the same as the duration of the services.
In the event that the Subcontractor is required, under applicable law, to transfer Information to a third country or to an international organization, it must inform the Processing Controller prior to the Processing, unless the applicable law prohibits such notification for important reasons of public interest.
Should the nature of the Personal Information and the categories of people concerned by the Processing change, the Client must obtain Talan's express consent before the latter proceeds with the Processing.
4. Obligations Related to the Protection of Personal Information
4.1 Common Obligations
During their contractual relations, the Parties undertake to comply with the applicable regulations regarding the Processing of Personal Information, the whole retroactively to the date of signature of the Agreement.
To the extent that the provisions of the aforementioned law and other legal or regulatory texts, or the recommendations of the Commission d’Accès à l’Information, so prescribe, the Parties shall examine the technical or security measures required for the Processing, Files and Information. If applicable, each Party shall be held liable for non-compliance with the technical or security measures that it should have put in place.
In any case, the Parties shall designate a person who represents them in the context of the Services and who is involved in an appropriate and timely manner, in all matters relating to the Protection of Personal Information. Each party shall provide the other party with the name and the contact information of its Personal Information Manager (hereafter “PIM”) if it has designated one in accordance with the applicable regulations.
4.2 Client Obligations
As the Processing Controller, the Client warrants to Talan that it has fulfilled all its obligations, in particular the registration of the Processing in its inventory/register of its Personal Information Files, and that it has informed the people concerned of the use of their Information. Therefore, the Client remains solely responsible for the Processing for which it has determined the Purpose and the means implemented.
If the nature of the Processing requires it, the Client will carry out an Assessment of the Privacy-Related Factors and, if Talan’s assistance is necessary, will forward the conclusions to Talan.
Moreover, the Client is solely responsible for the quality, lawfulness, and relevance of the Personal Information that it provides to Talan for the performance of any Statement of Work.
It undertakes to ensure, prior to and during the Processing, that Talan complies, as Subcontractor, with its obligations with regard to the Personal Information, and to supervise the Processing, including by carrying out the audits provided herein.
4.3 Talan Obligations as Subcontractor
Talan undertakes to implement all appropriate technical and organizational measures consistent with the state of knowledge, the context, the Purposes of the Processing and the risks, to safeguard the security, availability, confidentiality and integrity of the Personal Information, in particular against accidental or unlawful destruction, accidental loss, alteration, unauthorized dissemination or access.
Therefore, upon written request by the Client, Talan will provide the Client with a description of all measures taken to safeguard the security of Personal Information and of the conditions in which they are implemented, including, depending on the needs:
- Pseudonymization and encryption of Personal Information;
- The means to ensure the constant confidentiality, integrity, availability and resilience of the Processing systems and services;
- The means to restore the availability of and access to Personal Information in a timely manner in the event of a physical or technical incident;
- The means to guarantee the traceability of all operations carried out on Personal Information and of all direct or indirect access to it;
- The means to detect a breach exposing Personal Information and to notify the Client;
- The means to guarantee the exercise of people’s rights;
- A procedure to test, analyze, and evaluate efficiency of technical and organizational measures on a regular basis to ensure the security of the Processing;
- Any other appropriate measures.
In any event, the Client, as the Processing Controller, assesses whether these measures provide the security level that is appropriate to the risk, so as to:
- Ensure the confidentiality of the Personal Information processed for the performance of the services, and ensure that the people authorized to process Personal Information under the Agreement:
  - Undertake to respect its confidentiality or are bound by an appropriate legal obligation of confidentiality;
  - Receive proper training about the protection of Personal Information.
- Consider, with respect to its tools, products, applications or services, the principles of protection of Information by design and protection of Information by default.
- Not retain Personal Information beyond the retention period agreed with the Client with regard to the Purposes for which it was collected, and in any case, not retain it after the termination or expiration of the Agreement.
- Perform archiving purges and anonymization, in accordance with legal and regulatory obligations and/or the Client’s instructions, the whole depending on the nature of the Personal Information and the Purpose of the Processing.
4.4 Inventory/register
Talan will keep a written record of all categories of Processing activity carried out on behalf of the Client, including:
- The name and the contact information of possible subsequent Subcontractors authorized under section 5 provided herein and, where applicable, the Personal Information Manager;
- The categories of Processing carried out on behalf of the Client;
- A general description of technical and organizational security measures, including, depending on the needs:
  - Pseudonymization and encryption of Personal Information;
  - The means to ensure the constant confidentiality, integrity, availability and resilience of the Processing systems and services;
  - The means to restore the availability of and access to Personal Information in a timely manner in the event of a physical or technical incident;
  - A procedure to test, analyze, and evaluate the efficiency of technical and organizational measures on a regular basis to ensure the security of the Processing.
The Client undertakes to provide Talan with all the information that is necessary to properly keep this register.
4.5 Audits
The Client reserves its right to carry out technical audits of all or part of the Services once yearly, during the term of the Agreement, at its own expense, and to carry out any verification that it deems useful to verify compliance with the aforementioned obligations.
This audit may be carried out, except in emergency situations, including when a breach is suspected, subject to a one (1) month written notice specifying the scope of the audit. Such audit may be carried out either by one of the Client’s internal audit structures, or by an independent third-party firm that is not a direct competitor of Talan and which shall be bound by a confidentiality obligation. The conditions under which the audit will be carried out (e.g.: confidentiality rules, schedules and conditions of intervention, deadlines, rates for Talan’s intervention, coverage of related expenses) will be provided in an agreement executed by all parties involved.
Talan will provide the Client, or the auditors, with the necessary documentation, excepting the documentation relating to Talan’s know-how, business secrets, or protected by confidentiality agreements. Any documents, information, or data, regardless of the medium, provided by Talan to the Client or the auditors, will be considered and treated as confidential in accordance with the “Confidentiality” section of the Agreement. The data contained in these documents are strictly covered by professional secrecy, as well as all data that the Client or the auditors become aware of during the execution of this Agreement.
5. Subcontracting
The Subcontractor may use another subcontractor (hereafter, “the subsequent subcontractor”) to conduct specific Processing activities. In this case, the Subcontractor notifies the Processing Controller in advance and in writing of any anticipated change concerning the addition or replacement of other subcontractors. This notice must clearly state the Processing activities subcontracted as well as the identity and contact information of the subsequent subcontractor and the date of the Subcontracting Agreement. Upon receipt of this notice, the Processing Controller has a maximum period of five (5) days to notify its objection to the Subcontracting, which can only be carried out if the Processing Controller has not objected within the time limit.
The subsequent subcontractor must respect the obligations provided by the present Agreement on behalf of, and under the instructions of, the Processing Controller. It is the initial Subcontractor’s sole responsibility to oversee that the subsequent subcontractor provides the same or equivalent guarantees regarding the implementation of appropriate technical and organizational measures, so that the Processing respects legal and regulatory requirements with regard to the protection of Personal Information. In the event the subsequent subcontractor does not comply with its obligations with regard to the protection of Personal Information, the initial Subcontractor shall remain fully liable to the Processing Controller for the subsequent subcontractor’s performance of its obligations.
6. Concerned Individuals' Rights and Information in the Event of a Direct Collection by the Subcontractor
In the event that, for the purposes of the Services, Talan is required to collect Personal Information directly and on behalf of the Client, it is Talan’s duty to provide the people concerned by the Processing operations with all necessary information about the Processing it does on behalf of the Client. The wording and format of the Information must be agreed with the Client prior to the collection of Personal Information.
Should people concerned exercise their rights (right to information, right of access, rectification, erasure and opposition, right to restriction of Processing, right to data portability, etc.) directly with Talan, regarding Personal Information provided to Talan by the Client or processed by Talan on behalf of the Client, Talan shall forward these requests by e-mail to the address indicated by the Client for its communications, and Talan will assist the Client in fulfilling its obligation to answer such requests. Talan shall provide the Client with any useful information concerning the Recipients of the Personal Information, so that the Client is able to inform the people concerned by the Processing and to respond to their requests in accordance with the regulations in force.
7. Data Breach
In the event of a breach of Personal Information presenting a serious risk of injury, and in conformity with the applicable regulations regarding Personal Information, Talan undertakes to inform the Client by way of notification, within a reasonable time, of any confidentiality incident. This notification shall be sent by e-mail to the above-mentioned address.
This notification shall be accompanied by any relevant documentation enabling the Processing Controller, if necessary, to notify the relevant supervisory authority of such incident, and to communicate with the people concerned. At the very least, this notification shall include:
- A description of the nature of the incident involving Personal Information including, if possible, the categories and approximate number of people concerned by the incident and the categories and approximate number of records of Personal Information concerned;
- The name and the contact information of the Personal Information Manager or any other contact person from whom additional information can be obtained;
- The likely consequences arising from or resulting from the Personal Information breach;
- The measures taken or proposed by the Processing Controller to mitigate any negative consequences arising from or resulting from the breach of Personal Information.
In any case, Talan will not directly deal with complaints made by the people concerned.
8. Assistance
With regards to the Processing Controller’s obligations under the applicable regulations on the protection of Personal Information, to ensure the compliance of the Processing, Talan undertakes:
- To assist, through appropriate technical and organizational measures, the Processing Controller in fulfilling its obligation to answer requests from the people concerned to exercise their rights;
- To provide the Client with all necessary information and alerts as soon as possible to enable it to comply with its obligations as regards to the Processing of Personal Information.
Moreover, Talan undertakes to assist the Client in the performance of an APF, if needed, for which the Client may be responsible under applicable regulations regarding Personal Information.
9. Termination
Upon expiration or termination of any Statement of Work, and for any reason whatsoever, Talan shall without any delay and at the Client’s sole option:
- Destroy the Personal Information and any existing copy regardless of the medium; or
- Return the Personal Information in the same format as the one used by the Client to communicate the Personal Information to Talan or, failing that, in a structured and commonly used format, and destroy any existing copy of the Information regardless of the medium, unless Talan is required to retain the Personal Information pursuant to applicable law. If Talan is required to retain the Personal Information pursuant to applicable law, it undertakes to inform the Client.
It is Talan’s sole responsibility to ensure that any Personal Information or copy of Personal Information that might have been transferred to a Third Party is destroyed. In any event, Talan shall provide proof of destruction.
The provisions of this Appendix shall continue in full force and effect and shall be binding on Talan as long as Talan or its subsequent subcontractor, if any, retains Personal Information.