This Data Processing Agreement (hereinafter referred to as the “DPA”) forms an integral part of the General Terms and Conditions of Sale and Use (TC) of Tamtam. The use of the Tamtam Solution, as defined in the TC, implies full and complete acceptance of the DPA.
Each Party undertakes to comply with the applicable regulations concerning the processing of personal data, including the provisions of Law No. 78-17 of January 6, 1978, as amended, and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”),
hereinafter collectively referred to as the “Regulation”.
In this clause, the terms used have the same meaning as given to them in the Regulation.
1. Processing of data relating to the Parties' representatives
As part of the conclusion and management of the performance of the Contract, each Party is informed that personal data relating to its employees, collected by the other Party, may be processed, for which each Party acts as a data controller. The purpose of data processing is the management and monitoring of the performance of the Contract, the relationships between the Parties, and communication about the Parties’ activities.
To this end, the individuals concerned by this processing may exercise their rights over their personal data within the limits of the Regulation, in accordance with the provisions set out in the Policy, accessible via the following link: https://www.tamtam.ai/privacy-policy.
2. Processing carried out under the TC
As part of the performance of the TC, Tamtam processes personal data (the “Data”):
- As a data controller, for the constitution of its professional prospect database;
- As a data processor within the meaning of the Regulation, on behalf and under the instructions of the Client, acting as a data controller, for providing the Client with the Data requested during a specific query.
The DPA defines the conditions under which Tamtam processes Data as a processor on behalf of the Client.
The details of the processing operations, including the categories of personal data and the purposes of the processing for which the Data is processed on behalf of the Client, are specified in Appendix 1.
2.1. Client’s Obligations
The Client agrees to:
- Document in writing the instructions provided to Tamtam for the processing of Data;
- Ensure Tamtam’s compliance with the Regulation;
- Ensure compliance with the Regulation when processing Data provided by Tamtam, as well
as compliance with applicable regulations concerning prospecting.
2.2. Tamtam’s Obligations
When acting as a data processor, Tamtam undertakes to:
- Process the Data only on documented instructions from the Client and for the purposes defined in the TC, unless it is required to do so under Union law or the law of the Member State to which it is subject. In such a case, Tamtam shall inform the Client of this legal obligation before processing, unless prohibited by law for important public interest reasons;
- Immediately inform the Client if an instruction from the Client constitutes a violation of the Regulation;
- Process the Data only for the specific processing purpose(s) defined in Appendix 1, unless otherwise instructed in writing by the Client;
- Grant its personnel access to the Data only to the extent strictly necessary for the execution, management, and monitoring of the TC;
- Ensure that persons authorized to process the Data are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality and are trained in data protection;
- Make available to the Client all information necessary to demonstrate compliance with the obligations set out in these clauses and directly arising from the Regulation. At the Client's request, Tamtam shall also allow audits or inspections of processing activities covered by the DPA and shall reasonably contribute to them, limited to one audit per year and subject to one month's notice. The Client may choose to conduct the audit itself or to appoint a third-party auditor who is not a competitor of Tamtam;
- Promptly inform the Client of any request it receives from a data subject, it being understood that only the Client is responsible for responding to such requests. Tamtam shall provide all reasonable assistance to the Client, particularly through appropriate technical and organizational measures, in fulfilling its obligation to respond to data subjects wishing to exercise their rights;
- Assist the Client in ensuring compliance with its data security obligations (Article 32 of the GDPR), data breach obligations (Articles 33 and 34 of the GDPR), impact assessments (Article 35 of the GDPR), and prior consultation (Article 36 of the GDPR).
2.3. Data security
Tamtam implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect Data against any security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
In the event of a data breach directly affecting the processing of Data carried out on behalf of the Client, Tamtam shall inform the Client by any means, as soon as possible after becoming aware of it.
Tamtam shall communicate to the Client all relevant information available to it regarding the nature of the data, the individuals and records concerned, the probable consequences, and the measures taken or proposed by Tamtam to remedy the data breach, and, if possible, at the same time as the
notification of the occurrence of the data breach, supplementing this information subsequently if necessary. Tamtam shall reasonably cooperate with the Client, it being understood that only the Client is authorized to notify such a breach to the competent supervisory authority and, where applicable, to inform the data subjects.
2.4. Subsequent subprocessing
The Client grants Tamtam general authorization to use subsequent subprocessors in the processing (the “Subprocessors”). Tamtam shall inform the Client of the recruitment of a new Subprocessor, and the Client has eight (8) days to submit a justified objection, if applicable. Tamtam shall ensure that
Subprocessors are subject to the same data protection obligations as those incumbent upon it, it being understood that Tamtam remains fully liable to the Client in the event of a Subprocessor’s failure to comply with its data protection obligations.
The list of Subprocessors authorized by the Client at the effective date of the TC is listed in Appendix 2.
2.5. Data transfers outside the European Union
Tamtam undertakes to host the Data within the European Union.
The Client authorizes Tamtam to perform data transfers outside the European Union, provided that Tamtam complies with the provisions of Chapter V of the GDPR.
2.6. Data return and deletion
Within one month from the termination of the TC, for any reason whatsoever, Tamtam undertakes to delete all Data processed on behalf of the Client, it being understood that the Data processed by Tamtam for the constitution of its professional prospect database as a data controller will not be deleted.
APPENDIX 1 - DESCRIPTION OF PROCESSING ACTIVITIES UNDER THE CONTRACT
1. Purpose(s) of processing
The purposes of the processing entrusted to Tamtam by the Client under the performance of the TC are the provision to the Client of professional prospect Data, requested during a specific query made via the Tamtam Solution.
2. Nature of Operations Performed by Tamtam on the Data:
The nature of the operations performed by Tamtam on the Data are as follows:
- Collection or recording of data
- Organization or structuring of data
- Hosting or storing of data
- Extraction or consultation of data
- Use of data
- Communication of data through transmission, dissemination, or any other form of making available
- Matching or interconnection of data
- Erasure or destruction of data
3. Categories of data processed
The categories of Data processed by Tamtam on behalf of the Client are as follows:
- Identification data (e.g., name, first name, etc.)
- Professional contact data (e.g., company, address, phone number, email)
- Professional life data (e.g., CV, professional training, awards, etc.)
- LinkedIn profile link
- Calendar data (names, first names, emails, events present in the calendar)8No sensitive or highly personal Data is processed by Tamtam on behalf of the Client.
4. Categories of data subjects
The category of data subjects processed by Tamtam on behalf of the Client is “Professional Prospects.”
5. Duration of processing
The duration of the processing corresponds to the validity period of the TC between the Client and Tamtam.
6. Contact
Tamtam’s Data Protection Officer (DPO) can be contacted at the following address:
contact@tamtam.ai.
APPENDIX 2 - LIST OF TAMTAM’S SUBPROCESSORS
None
