In accordance with the General Data Protection Regulation 2016/679 of April 27, 2016 (hereinafter "the Regulation") and the amended Loi Informatique et Libertés, this article:
Qualifies the Parties and defines their respective responsibilities;
Defines the measures implemented by the Publisher under the Customer's control in order to fulfil its obligations;
Defines the conditions of collaboration between the Parties.
Analysis of the system by a specialist external consultancy firm has concluded that the system and this article comply with the General Data Protection Regulation (GDPR).
Qualification and respective responsibilities of the Parties
Qualification of the parties
Pursuant to the Regulation, the Customer, as defined in the Contract, is a controller within the meaning of Article 4(7) of the Regulation, and PYSAE (the Publisher as defined in the Contract) is a processor within the meaning of Article 4(8) of the Regulation.
Responsibilities of the data controller
In application of the Regulation, and subject to the penalties set out in Articles 82, 83 and 84, it is the responsibility of the Customer, the controller, to:
determine the purposes of the data processing;
define the data strictly necessary and proportionate to the fulfillment of these purposes;
define the rules governing data retention periods;
establish and apply security measures, and in particular define and apply the rules governing the authorization of personnel using the equipment;
define the means and procedures for implementing such processing, whether this implementation is internal or entrusted in whole or in part to processors presenting sufficient guarantees to meet the requirements of the Regulation, in accordance with Article 28(1); and define for the attention of processors the documented instructions provided for in Article 28(3)(a) (hereinafter "the Instructions");
inform data subjects of the purpose of the processing operations and of their rights;
implement the rights of data subjects (right of access, rectification, deletion, portability, limitation);
respond to any requests from data subjects within the legal time limits in force;
establish the circumstances and seriousness of any personal data breach, and if necessary notify the CNIL and/or the persons concerned;
keep a register of associated processing operations, and if necessary appoint a data protection officer;
as well as fulfilling any other obligations laid down by current legislation.
The controller remains responsible for the choice of its processors and for the overall compliance of the processing.
Processor responsibilities
Pursuant to Articles 28 and 29 of the Regulation, and subject to the penalties provided for in Articles 82 and 83, it is the responsibility of the Publisher, the processor, to:
effectively implement the technical and organizational measures defined in article 2 of this Appendix, so that the processing complies with the requirements of the Regulation and guarantees the protection of the rights of the persons concerned; as well as monitor the application of these measures and update them under the conditions set out in article 3.6 of this Appendix;
participate in the management of requests to exercise the rights of individuals, under the conditions set out in article 3.2 of this Appendix;
participate in the management of security breaches, in accordance with article 3.3 of this Appendix;
make available to the Customer all information necessary to provide proof of compliance with the obligations set out in the Regulation and in this Appendix to the Contract, and to enable audits, including inspections, to be carried out by the data controller or another auditor appointed by it, and to contribute to such audits, under the conditions set out in article 3.4 of this Appendix.
Provisions relating to the processing of personal data
In accordance with the first subparagraph of Article 28(3) of the Regulation, this Section defines:
the subject-matter of the processing,
the duration of processing
the nature and purpose of the processing,
the type of personal data
the categories of data subjects,
the obligations and rights of the data controller.
Unless otherwise agreed between the Parties, this part constitutes the documentation of the Instructions of the controller to the processor.
In accordance with Article 28(10) of the Regulation, the Publisher will be considered a controller if it alone determines the purposes and means of the processing, or uses the data for its own purposes which have not been defined by the Customer.
Purpose of the contract
See paragraph "Purpose of the Contract" in the Contract between the Customer and PYSAE.
Processing operations carried out under the contract
The processing operations carried out on the data are as follows:
collection,
transmission,
storage,
correlation,
aggregation,
display and presentation,
making available for reuse.
People concerned
The solution processes data relating to:
drivers associated with routes and vehicles;
system operators.
These categories of people are under the authority and responsibility of the Customer.
Data relating to users of the "Apps": the Solution does not process data relating to users of the pysae.com website or the Passenger Application available for iPhone and Android systems.
Information relating to user preferences, geographical location and next-trip notifications is stored only on the user's terminal.
Similarly, no identifying information is collected (identity, e-mail address, IP address, phone number, phone identifier, etc.). The application does not provide subscription services for information or alerts by SMS, email or any other means.
The solution also processes data relating to solution Administrators on behalf of the Publisher. For these persons, the processing and data concerned are the sole responsibility of the Publisher.
Processed data
Persons concerned | Data processed | Standard retention periods (modifiable)*
--- | --- | ---
Drivers | Associated terminal: ID, model, version, phone number; date and time of start and end of service; journeys: line, theoretical vehicle positions, actual vehicle position recorded every 5 seconds, heading, advance/delay, calculated speed; exchanges: content and time-stamp of acknowledgements of receipt of alerts and instructions | History of vehicle positions and timetables: retained until the account is deleted. History of service starts and ends, lines and associated vehicles: maximum 36 months. History of exchanges and instructions: retained until the account is deleted. The Customer may delete a Driver account at any time and without limit.
Operations managers | Surname, first name, login details, hashed password, account creation date, date and IP address of last connection, history of actions carried out in the application | Connection history: maximum 36 months. The Customer may request the deletion of an Operations Manager account at any time and without technical limitation.

* Retention periods can be modified in the application's GDPR settings.
Table 1: Data subjects, processed data and standard retention periods
Confidentiality
The employment contracts of the Publisher's employees include a confidentiality clause ensuring the protection of data processed on behalf of Customers.
Data security
The processor is aware of its security obligations and implements the following measures, defined in application of the main ANSSI recommendations.
System access control
All systems run the latest Amazon Linux releases as Amazon EKS nodes, with the usual security hardening applied. All systems are updated automatically.
Access to the network and systems is restricted to authorized Publisher personnel.
Technical access to servers is through the orchestrator console, authenticated by an API key and secret. These credentials are personal and centrally administered; traditional login-plus-password access is disabled.
No direct access is granted from an external network.
Access to application and database servers is protected by firewalls and reverse proxies.
Each server implements protection systems, including within the network (firewalls, brute-force attack blocking, etc.).
All server accesses are logged and monitored.
When a system is decommissioned, all data is securely erased using wiping tools approved by the U.S. Department of Defense.
Physical security
Data is stored exclusively on servers housed in data centres certified to ISO 27001 or equivalent.
These data centres provide at least a fenced perimeter, access to the premises by personal badge or biometrics, and 24-hour video surveillance of accesses, rooms and servers.
Application security
Development methods apply good security practices, as defined by OWASP, in order to limit the risks of undue modification, injection or alteration of data.
All System components are identified. The Publisher actively monitors the security of these components and applies security corrections as required, without delay.
Controlling access to the application and data
Only authorized employees of the Publisher have access to data processed on behalf of Customers.
Access is granted on a Customer-by-Customer basis.
All access, via the administration interfaces or system accesses, is carried out exclusively by means of personal accounts and is traced.
As standard, passwords for the Customer's operations-manager accounts must satisfy the following rules: minimum length of 8 characters; at least 3 character classes.
Passwords are stored salted and hashed (HMAC-SHA256); the clear-text password is never stored.
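The policy and storage scheme stated above, shown as an added worked example. This is not PYSAE's code (the Publisher's implementation is not on this page); it assumes the HMAC key is a per-deployment secret held outside the database, a 16-byte random salt per account, and the four usual character classes (lower case, upper case, digit, other), none of which the page specifies:

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Policy stated in the appendix: minimum 8 characters, at least 3 character classes.
MIN_LENGTH = 8
MIN_CLASSES = 3
SALT_BYTES = 16  # assumption: the page does not state the salt length


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, other) are present."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_other = any(not c.isalnum() for c in password)
    return sum((has_lower, has_upper, has_digit, has_other))


def password_meets_policy(password: str) -> bool:
    """True only if both the length rule and the class-count rule hold."""
    return len(password) >= MIN_LENGTH and character_classes(password) >= MIN_CLASSES


def hash_password(password: str, server_key: bytes,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, keyed SHA-256: HMAC(server_key, salt || password).

    Only (salt, digest) goes into the database; server_key stays outside it
    (assumption: the page does not say where the HMAC key is kept).
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hmac.new(server_key, salt + password.encode("utf-8"), hashlib.sha256).digest()
    return salt, digest


def verify_password(password: str, server_key: bytes,
                    salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, server_key, salt)
    return hmac.compare_digest(candidate, stored_digest)


def register_and_login_demo() -> bool:
    """Constructed walkthrough: enrol one password, then attempt a good and a bad login."""
    server_key = secrets.token_bytes(32)  # constructed; in production, loaded from a secrets store
    password = "Tr4nsit-ops"               # constructed sample: 11 characters, 4 classes
    if not password_meets_policy(password):
        return False
    salt, digest = hash_password(password, server_key)
    good = verify_password(password, server_key, salt, digest)
    bad = verify_password("Tr4nsit-opx", server_key, salt, digest)
    return good and not bad


if __name__ == "__main__":
    print("policy check and hash round trip OK:", register_and_login_demo())
```

Keying the hash means a copy of the database alone does not allow offline guessing, and the per-account salt defeats precomputed tables. HMAC-SHA256 is itself a fast function, so a deliberately slow, memory-hard function (Argon2id, scrypt, bcrypt) in place of plain SHA-256 would further limit guessing if both the database and the key were to leak.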
Data encryption
Personal and technical data is encrypted in transit on every hop from the user's terminal to the database server:
from a connected device to the application servers: TLS, with an RSA 2048-bit server certificate;
from an operator's workstation to the application servers: TLS, with an RSA 2048-bit server certificate;
from the application servers to the database server: TLS, within the VPC;
between database servers: TLS, within the VPC.
Data flow control
All insertion, update and deletion operations are authenticated and traced.
Data is checked and sanitized before being inserted into the database.
Availability and resilience
All system components are designed and operated to withstand failures. Applications and data are replicated in real time on at least 3 servers, from 3 different suppliers, in data centres at 3 different locations.
The resilience of the system is tested regularly and has already proved itself during a major outage at one of the three suppliers.
Backups are taken four times a day, with additional weekly and monthly backups. Backups are retained for 13 months.
Supervision
The Publisher implements a system for centralising connection logs and supervising the proper functioning of systems.
Data control
The Customer may have access to backups of its data on request.
Data segregation
Each Customer's data is isolated in the database.
Subcontracting
Subcontractors to date
The following sub-contractors provide data hosting services on behalf of the Publisher:
Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, whose servers used by PYSAE are located in the Paris region (https://aws.amazon.com/fr/local/france/paris/).
Services are provided under contracts ensuring data security and compliance with the GDPR.
Data localisation
The Publisher certifies that all personal data is stored in data centres and servers located within the European Economic Area.
Data retention periods
The data retention periods are those indicated in Table 1 (Data subjects, processed data and standard retention periods).
In accordance with Article 25(2) of the Regulation, the Customer, the controller, may determine specific and different data retention periods and instruct the Publisher to apply them.
Assessment of the risk to data subjects
The processing is set up within the strict framework of the drivers' activity. It is intended for the sole purpose of measuring and improving service quality.
Although the data collected and the high frequency with which it is collected may enable the individual activity of drivers to be monitored, the processing is not intended for this purpose; it does not provide screens, interfaces or transactions enabling the activity or performance of an individual to be tracked; the absence of these functions is a voluntary decision to protect privacy (privacy by design).
The processing does not involve a large number of people.
The processing does not include data from the special categories of data referred to in Article 9 of the Regulation (so-called "sensitive" data).
The data subjects are informed of the existence and purposes of the processing.
The data is kept for a limited period.
Access to the application is restricted to authorized users and is protected by a password in accordance with CNIL recommendations. Access and actions are logged.
Unauthorized disclosure of the data is not likely to create a serious breach of the professional life or privacy of the data subjects.
Consequently, and in application of the above criteria, the risk to data subjects is assessed as follows:
Intrinsic risk linked to the principle of implementing the processing :
Negligible - Limited - Significant - Maximum
Residual risk following the application of organizational and technical measures:
Negligible - Limited - Significant - Maximum
Need for a data protection impact assessment (no)
In the absence of a high risk for individuals, as defined by Article 35 and Recitals 89 to 92, it is not necessary to carry out a data protection impact assessment for this processing operation.
Fate of data at the end of the contract - Reversibility
In the event of termination of the subscription contract, for whatever reason, the Publisher:
returns all data to the Customer, in a standard and usable format, via secure channels;
securely and irreversibly deletes all data relating to operations carried out on behalf of the Customer - with the exception of data required by the Publisher to fulfil its own obligations and duties;
confirms to the Customer, in writing or electronically, the successful completion of these deletion operations.
Information to the persons concerned
Collective information
The Customer is responsible for informing its staff.
The System records the individual activities of drivers and operations managers.
In the private sector, the system is covered by article L2323-32 of the French Labour Code:
"(The works council) is also informed, prior to their introduction into the company, about automated personnel management processing and any modification thereof.
The works council shall be informed and consulted, prior to any decision to implement in the company, on the means or techniques used to monitor employees' activities.
In the public sector, the System is subject to article 33 of law no. 84-53 of 26 January 1984, which states that
"Territorial social committees deal with issues relating to :
(...)
7° The protection of physical and mental health, hygiene, the safety of employees at work, the organization of work, teleworking, issues relating to disconnection and mechanisms for regulating the use of digital tools, the improvement of working conditions and the legal requirements relating thereto;
Subject to any special circumstances in the Customer's context, the Customer should provide information relating to the system to the appropriate staff representative bodies.
Individual information
Pursuant to Articles 5(1)(a) and 12 of the Regulation and Article L1222-4 of the French Labour Code, the controller must provide users with the information set out in Article 13 of the Regulation.
This information may take the form of a paper document given to users when they are trained on the system, when they are issued with an individual terminal, and/or be displayed to the user when they first connect to the system. It remains available to the user throughout the use of the system on a dedicated page of the application, accessible via a "Data protection" link.
This document contains a Proposal for an individual information notice to system users. The Customer is responsible for adapting and validating this notice, and for distributing it directly to its users.
Information for the Customer's Data Processing Register
Pursuant to article 30 of the European Regulation, the Customer must keep a Register of processing activities carried out under its responsibility.
This document contains a Proposal for a form to be entered in the Customer's Register of Processing Activities. The Customer is responsible for adapting and validating this proposal.
Other mechanisms to ensure compliance of processing operations with the European Regulation and to protect personal data
Not applicable.
Cooperation between the parties
3.1 Contact persons
In order to facilitate collaboration between the Parties on the subject of the protection of personal data, the Parties designate the following contact persons:
Party | Name | Position | Contact details
--- | --- | --- | ---
For the Customer | The representative indicated in the Contract with PYSAE | See Contract with PYSAE | See Contract with PYSAE
For the Publisher | Nicolas Jaulin | Director | +33 1 84 80 07 49
3.2. Participation in the management of requests to exercise individuals' rights
In accordance with Article 28(3)(e) of the Regulation, the Publisher shall, as far as possible, assist the Customer in fulfilling its obligation to respond to requests made to it by data subjects with a view to exercising their rights under Chapter III.
If a data subject submits a request directly to the Publisher, the latter will forward the request to the Customer's designated contact within 24 working hours and will inform the data subject by paper or electronic mail, depending on the type of request, using the standard letter set out in the attachment, modified if necessary by the Customer's Instructions.
If the CNIL refers a request relating to a data subject directly to the Publisher, the Publisher shall immediately inform the Customer's designated contact and forward all the details of the request.
The Publisher is prohibited from communicating directly with the CNIL on these matters, unless otherwise instructed in writing by the Customer in specific cases.
The Publisher is prohibited from compiling a file to monitor such requests or from keeping documents relating to such requests.
The implementation of this measure does not give rise to invoicing by the Publisher, up to a limit of 10 referrals per year.
3.3 Participation in the management of security breaches
If the Customer discovers a personal data breach as defined in Article 4(12) of the Regulation, the Publisher shall provide the Customer with its full assistance in analysing and resolving the breach, in accordance with Articles 28(3)(f) and 33(2) of the Regulation.
If the Publisher discovers such a data breach, it will inform the Customer's designated contact as soon as possible, and at the latest within 24 hours of discovering the breach.
If the Publisher becomes aware of such a data breach in the context of a contract with another Customer, the Publisher will conduct a system security analysis in the context of the contract with the Customer.
The Publisher is prohibited from notifying the CNIL directly of security breaches, unless otherwise instructed in writing by the Customer in specific cases.
The implementation of this measure does not give rise to invoicing by the Publisher, regardless of which Party discovers the breach.
3.4 Performance of audits
In accordance with Article 28(3)(h) of the Regulation, the Publisher shall make available to the Customer all the information necessary to demonstrate compliance with the obligations set out in the Regulation and in this Appendix to the Contract, and shall allow and contribute to audits, including inspections, conducted by the controller or another auditor mandated by it.
Except in emergencies, the Customer may carry out such audits, or have them carried out, by giving the Publisher at least 7 days' notice. The Customer informs the Publisher of the identity of the auditors and of the scope and conditions of the audit; the Publisher may comment on these points.
The Customer forwards the results of the audit to the Publisher.
The Customer may also ask the Publisher to carry out an audit itself; the conditions are to be agreed with the Publisher.
CNIL inspection
In the event of contact, control or sanction by the CNIL concerning one of the Parties, the latter shall immediately assess the possibility of the other Party's involvement and, where appropriate, send it any useful information.
The Parties shall co-ordinate before any response on a subject concerning both Parties.
Additional documents
Suggested individual information notice for system users
(This proposed notice may be used on the paper documents given to users when they are trained on the system, when they are issued with an individual terminal, and/or be displayed to the user when they log on to the system for the first time. It remains available to users throughout their use of the system on a dedicated page of the application, accessible via a "Data protection" link).
Pursuant to article 12 of the European Data Protection Regulation, XXXXXXXX, the data controller, informs users of the existence of processing decided in application of the Company's legitimate interest in sound management, intended to assist with operations and passenger information, to the exclusion of any individual monitoring or profiling of drivers or operations managers. The data collected relates to the terminal used and the associated user, the line concerned, the theoretical and actual position of the vehicle, the history of exchanges with drivers and the associated acknowledgements of receipt. This data is kept for 13 months. It is only processed by a limited number of people within the Company's management team, and may be passed on to legally authorized authorities. Data is processed exclusively within the European Union.
You have the right to access, rectify, delete or limit the processing of your data, which you may exercise by contacting the Data Protection Officer of the Hauts-de-France Region. If, after contacting the Data Protection Officer, you feel that your data protection rights have not been respected or that the processing does not comply with data protection rules, you may lodge a complaint with the CNIL.
Proposal for a form to be added to the Customer's Data Processing Register
(This proposed form for the Register of processing activities provided for in article 30 of the Regulation may be taken up or adapted by the Customer's department responsible for describing the processing, or by the Customer's DPO).
Register field | Entry
--- | ---
Controller | Customer name and address
Purpose | Operating assistance and passenger information, excluding any individual monitoring or profiling of drivers or operations managers
Categories of data subjects | Drivers; operations managers
Categories of data processed | Drivers: terminal used and associated user; line concerned; theoretical and actual position of the vehicle; history of exchanges with drivers and associated acknowledgements. Operations managers: surname, first name, login details, hashed password, account creation date, date and IP address of last connection, history of actions carried out in the application
Recipients | Customer name and address
Transfer of data outside the European Union | No transfer
Time limits for deleting data | Data relating to journeys and operating logs: 13 months rolling. Data relating to users: immediate deletion when the user's profile is deleted
General description of technical and organizational security measures | The concession-holder subcontractor implements a set of measures, validated by the Region's Information Systems Security Manager (RSSI) as complying with the Information Systems Security Policy (PSSI). The correct application of these measures can be checked.