General conditions for the protection and management of personal data

The purpose of the present clauses is to define the conditions under which the Company PROOFTAG SAS (hereinafter «Prooftag») undertakes to carry out on behalf of the Customer (hereinafter «the Processing Manager») the Personal Data Processing Operations defined hereafter. Within the framework of their contractual relations, the parties undertake to comply with the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as of 25 May 2018 (hereinafter, the «European Data Protection Regulation», «EDPR» or «Regulation») hereafter GDPR

Description of the processing being outsourced:

Prooftag is authorized to process on behalf of the Processing Manager the personal data necessary to provide the following services: Implementation of the ProoftagCerv online service platform, provision of information enabling the latter to supervise the distribution and implementation of its products or documents, and technical support.

The nature of the operations carried out on the data is the analysis of the information in order to correct erroneous information, the performance of computer maintenance tasks to ensure the availability of the service, and the provision of functional advice on the use of data entry and exploitation software.

Prooftag undertakes to comply with the provisions of the GDPR within the framework of its obligations.

The Processing Manager undertakes to define the data collected in compliance with the GDPR.

The legal basis of the processing operation is the execution of the service contract.

The categories of data subjects are the customers of the Processing Manager.

For the execution of the service, which is the object of the present clauses, the Processing Manager provides Prooftag with the following necessary information:

  1. Name and contact details of the Data Processing Manager Representative.
  2. Name and contact details of the Data Protection Officer of the Processing Manager (if applicable).
  3. For a support request: file reference, last name and first names of the relevant person.

Obligations of Prooftag regarding to the Processing Manager:

Prooftag undertakes to:

  1. Process the data only for the purpose(s) that is/are the subject of the service.
  2. Process the data in accordance with the documented instructions of the Processing Manager. If Prooftag considers that an instruction constitutes a breach of the European Data Protection Regulation or of any other provision of Union law or of the law of the Member States relating to data protection, it shall immediately inform the Processing Manager. Furthermore, if Prooftag is required to transfer data to a third country or to an international organization, by virtue of Union law or the law of the Member State to which it is subject, it must inform the Processing Manager of this legal obligation prior to the processing, unless the law concerned prohibits such information for important reasons of public interest.
  3. Guarantee the confidentiality of the personal data processed in the framework of this contract.
  4. Ensure that the persons authorized to process personal data under this contract:
  • Undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
  • Receive the necessary training in the protection of personal data.
  1. Consider, with respect to its tools, products, applications or services, the principles of data protection from the design stage, and data protection by default

Rights to Information of the persons concerned

It is the responsibility of the Processing Manager to provide information to the persons concerned by the processing operations at the time of data collection.

Exercise of individual rights

As far as possible, Prooftag must help the Processing Manager to fulfil its obligation to respond to requests to exercise the rights in relation of data: right of access, rectification, deletion and opposition, right to limit processing, right to portability of the data, right not to be subject to an automated individual decision (including profiling). When the concerned persons make requests to Prooftag to exercise their rights, Prooftag must send these requests upon receipt by e-mail to the Data Protection Officer of the Processing Manager or  to the representative of the Processing Manager.

Notification of personal data breaches

Prooftag notifies the Processing Manager, as soon as possible after becoming aware of it, of any violation of personal data for which it is responsible, by e-mail to the Processing Manager . This notification shall be accompanied by any useful documentation to enable the Processing Manager, if necessary, to notify the competent supervisory authority of the breach.

Support from Prooftag in the context of the Compliance of the Processing Manager with his obligations

Prooftag may assist the Processing Manager in carrying out impact analyses relating to data protection. Prooftag may assist the Processing Manager in carrying out any prior consultation of the control authority system.

Security measures

In application of article 32.1 of the GDPR, the Processing Manager and Prooftag acknowledge that they implement the appropriate technical and organizational measures in order to guarantee a level of security appropriate to the risks.

Prooftag is responsible for the security of the outsourced processing only for those aspects falling within its control. The Processing Manager remains responsible for the security and confidentiality of its information systems and its internal policy for access to the Software, particularly in the definition and allocation of functional roles. It is the responsibility of the Processing Manager to ensure that the uses and configuration choices of the ProoftagCerv online service platform at his disposal meet the requirements of the Regulation. Prooftag has no obligation to protect personal data that is stored or transferred by the Processing Manager outside the Software provided by Prooftag:

Data output:

At the end of the provision of services relating to the processing of this data, Prooftag undertakes, at the choice of the parties:

a.         To destroy all personal data or

b.         To return all personal data to the Processing Manager, or

c.         To send the personal data to the processor designated by the Processing Manager .

The return must be accompanied by the destruction of all existing copies in the Subcontractor’s information systems. Once they have been destroyed, Prooftag must justify the destruction in writing.

Data Protection Officer:

  1. Any communication to the DPO should be addressed to:

    GDPR Service

    PROOFTAG SAS, 1100 av de l’Europe – 8200 Montauban – France


Register of categories of processing activities

Prooftag declares that it keeps in writing a register of all categories of processing activities carried out on behalf of the Processing Manager, including:

  1. The name and contact details of the Processing Manager on whose behalf he or she acts, any subcontractors and, where applicable, the Data Protection Officer.
  2. The categories of processing operations carried out on behalf of the Processing Manager .
  3. Where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or international organization and, in the case of the transfers referred to in the second subparagraph of Article 49(1) of the European Data Protection Regulation, the documents attesting to the existence of appropriate safeguards.


Upon request, Prooftag will provide the Processing Manager with the documentation necessary to demonstrate compliance with all its obligations and to enable audits, including inspections, to be carried out by the Processing Manager or another auditor that it has mandated, and to contribute to these audits.

Obligations of the Processing Manager vis-à-vis Prooftag

The Processing Manager undertakes to:

  1. Provide Prooftag with the data referred to in chapter 1 of the present clauses.
  2. Document in writing any instruction concerning the processing of data by Prooftag.
  3. Ensure, beforehand and throughout the duration of the processing, that the obligations provided for by the European Data Protection Regulation are respected.

Application of the general conditions for the management of personal data

The general conditions set out above are applicable from the signature of the contract and during the entire period of execution of the contract between, in accordance with the European Data Protection Regulation.