In accordance with the General Data Protection Regulation 2016/679 of April 27, 2016 (hereinafter "the Regulation") and the amended Loi Informatique et Libertés, this article:

Qualifies the Parties and defines their respective responsibilities ;

Defines the measures implemented by the Publisher under the Customer's control in order to fulfill its obligations ;

Defines the conditions of collaboration between the Parties.

Analysis of the system by a specialist external consultancy firm has concluded that the system and this article comply with the General Data Protection Regulation (GDPR).

Pursuant to the Regulation, the Customer, as defined in the Contract, is a controller within the meaning of Article 4 7) of the Regulation, and PYSAE (the Publisher as defined by the Contract) is a processor within the meaning of Article 4 8) of the Regulation.

In application of the Regulation, and subject to the penalties set out in Articles 82, 83 and 84, it is the responsibility of the Customer, the data controller, to :

The data controller remains responsible for the choice of his subcontractors and for the overall compliance of the processing.

Pursuant to articles 28 and 29 of the Regulation, and subject to the penalties provided for in articles 82 and 83, it is the responsibility of the Publisher, the subcontractor, to :

In accordance with article 28 3. paragraph 1 of the Regulation, this Section defines

Unless otherwise agreed between the Parties, this part constitutes the documentation of the Instructions of the controller to the processor.

In accordance with article 28 10. of the Regulation, the Publisher will be considered as a data controller if it alone determines the purposes and means of the processing, or uses the data for its own purposes which have not been defined by the Customer.

See paragraph "Purpose of the Contract" in the Contract between the Customer and PYSAE.

The processing operations carried out on the data are as follows:

The solution processes data relating to :

These categories of people are under the authority and responsibility of the Customer.

Data relating to users of the "Apps": the Solution does not process data relating to users of the pysae.com website or the Passenger Application available for iPhone and Android systems.

Information relating to user preferences, geographical location and next-trip notifications is stored only on the user's terminal.

Similarly, no identifying information is collected (identity, e-mail address, IP address, phone number, phone identifier, etc.). The application does not provide subscription services for information or alerts by SMS, email or any other means.

The solution also processes data relating to solution Administrators on behalf of the Publisher. For these persons, the processing and data concerned are the sole responsibility of the Publisher.

* In order to modify your RGPD settings, you can click >here<

Table: Data subjects, processed data and standard retention periods

The employment contracts of the Publisher's employees include a confidentiality clause ensuring the protection of data processed on behalf of Customers.

The subcontractor is aware of its security obligations and implements the following measures, defined in application of the main ANSSI recommendations.

All systems run the latest versions of Amazon Linux EKS, applying the usual good security practices. All systems are updated automatically.

Access to the network and systems is restricted to authorized Publisher personnel.

Technical access to servers is via the orchestrator console, using a combination of api key and secret. These identifiers are personal and administered. Access via the traditional "code + password" system is deactivated.

No direct access is granted from an external network.

Access to application and database servers is protected by firewalls and reverse proxies.

Each server implements protection systems, including within the network (firewalls, brute-force attack blocking, etc.).

All server accesses are logged and monitored.

When a system is decommissioned, all data is securely erased using tools approved by the U.S. Department of Defense.

Data is stored exclusively on servers housed in data centres certified to ISO 27001 or equivalent.

These data centres provide at least a fenced perimeter, access to the premises by personal badge or biometrics, and 24-hour video surveillance of accesses, rooms and servers.

Development methods apply good security practices, as defined by OWASP, in order to limit the risks of undue modification, injection or alteration of data.

All System components are identified. The Publisher actively monitors the security of these components and applies security corrections as required, without delay.

Only authorized employees of the Publisher have access to data processed on behalf of Customers.

Access is granted on a Customer-by-Customer basis.

All access, via the administration interfaces or system accesses, is carried out exclusively by means of personal accounts and is traced.

As standard, the passwords for the accounts of the Customer's operations managers apply the following rules: minimum size: 8 characters; minimum number of character classes: 3.

These passwords are salted and encrypted in the database (SHA256 HMAC).

Personal and technical data is encrypted during all transmissions from the user's terminal to the database server:

from a connected device to the application servers: TLS encryption with a strong RSA 2048-bit certificate;

from the operator's workstation to the application servers: TLS encryption with a strong RSA 2048 bit certificate;

from the application server to the database server (TLS+VPC) ;

between database servers (TLS+VPS);

All insertion, update and deletion operations are authenticated and traced.

Data is checked and sanitized before being inserted into the database.

All system components are designed and operated to withstand breakdowns. Applications and data are replicated in real time on at least 3 servers, from 3 different suppliers, in datacentres located in 3 different locations.

The resilience of the system is tested regularly and has already functioned successfully during a major breakdown at one of the three suppliers.

Data is backed up 4 times a day, once a week and once a month. Backups are kept for 13 months.

The Publisher implements a system for centralising connection logs and supervising the proper functioning of systems.

The Customer may have access to back-ups of his data on request.

Each Customer's data is isolated in the database.

The following sub-contractors provide data hosting services on behalf of the Publisher:

Amazon Web Services EMEA SARL38 avenue John F. Kennedy,L-1855 Luxembourg whose servers used by PYSAE are located in the Paris region (https://aws.amazon.com/fr/local/france/paris/)

Services are provided under contracts ensuring data security and compliance with the RGPD.

The Publisher certifies that all personal data is stored in data centres and servers located within the European Economic Area.

The data retention periods indicated in Table 1: Data subjects, data processed and standard retention periods.

In accordance with article 25.2 of the Regulation, the Customer, the data controller, may determine specific and different data retention periods and instruct the Publisher to apply them.

The processing is set up within the strict framework of the drivers' activity. It is intended for the sole purpose of measuring and improving service quality.

Although the data collected and the high frequency with which it is collected may enable the individual activity of drivers to be monitored, the processing is not intended for this purpose; it does not provide screens, interfaces or transactions enabling the activity or performance of an individual to be tracked; the absence of these functions is a voluntary decision to protect privacy (privacy by design).

The processing does not involve a large number of people.

The processing does not include data from the special categories of data referred to in Article 9 of the Regulation (so-called "sensitive" data).

The data subjects are informed of the existence and purposes of the processing.

The data is kept for a limited period.

Access to the application is restricted to authorized users and is protected by a password in accordance with CNIL recommendations. Access and actions are logged.

Unauthorized disclosure of the data is not likely to create a serious breach of the professional life or privacy of the data subjects.

Consequently, and in application of the above criteria, the risk to data subjects is assessed as follows:

Intrinsic risk linked to the principle of implementing the processing :

Negligible - Limited - Significant - Maximum

Residual risk following the application of organizational and technical measures:

Negligible - Limited - Significant - Maximum

In the absence of a high risk for individuals, as defined by Article 35 and Recitals 89 to 92, it is not necessary to carry out a data protection impact assessment for this processing operation.

In the event of termination of the subscription contract, for whatever reason, the Publisher :

The Customer is responsible for informing its staff.

The System records the individual activities of drivers and operations managers.

In the private sector, the system is covered by article L2323-32 of the French Labour Code:

"(The works council) is also informed, prior to their introduction into the company, about automated personnel management processing and any modification thereof.

The works council shall be informed and consulted, prior to any decision to implement in the company, on the means or techniques used to monitor employees' activities.

In the public sector, the System is subject to article 33 of law no. 84-53 of 26 January 1984, which states that

"Territorial social committees deal with issues relating to :

(...)

7° The protection of physical and mental health, hygiene, the safety of employees at work, the organization of work, teleworking, issues relating to disconnection and mechanisms for regulating the use of digital tools, the improvement of working conditions and the legal requirements relating thereto;

Subject to any special circumstances in the Customer's context, the Customer should provide information relating to the system to the appropriate staff representative bodies.

Pursuant to articles 5 1. a) and 12 of the Regulation and article L1222-4 of the French Labour Code, the Data Controller must provide users with the information set out in article 13 of the Regulation.

This information may take the form of a paper document given to users when they are trained on the system, when they are issued with an individual terminal, and/or be displayed to the user when they first connect to the system. It remains available to the user throughout the use of the system on a dedicated page of the application, accessible via a "Data protection" link.

This document contains a Proposal for an individual information notice to system users. The Customer is responsible for adapting and validating this notice, and for distributing it directly to its users.

Pursuant to article 30 of the European Regulation, the Customer must keep a Register of processing activities carried out under its responsibility.

This document contains a Proposal for a form to be entered in the Customer's Register of Processing Activities. The Customer is responsible for adapting and validating this proposal.

Other mechanisms to ensure compliance of processing operations with the European Regulation and to protect personal data

Not applicable.

In order to facilitate collaboration between the Parties on the subject of the protection of personal data, the Parties designate the following contact persons:

In accordance with article 28 3 e) of the Regulations, the Publisher shall, as far as possible, assist the Customer in fulfilling its obligation to respond to requests made to it by data subjects with a view to exercising their rights under chapter III.

If a data subject submits a request directly to the Publisher, the latter will forward the request to the Customer's designated contact within 24 working hours and will inform the data subject by paper or electronic mail, depending on the type of request, using the standard letter set out in the attachment, modified if necessary by the Customer's Instructions.

If the CNIL refers a request relating to a data subject directly to the Publisher, the Publisher shall immediately inform the Customer's designated contact and forward all the details of the request.

The Publisher is prohibited from communicating directly with the CNIL on these matters, unless otherwise instructed in writing by the Customer in specific cases.

The Publisher is prohibited from compiling a file to monitor such requests or from keeping documents relating to such requests.

The implementation of this measure does not give rise to invoicing by the Publisher, up to a limit of 10 referrals per year.

If the Customer discovers a data breach as defined in article 4 12) of the Regulations, the Publisher shall provide the Customer with its full assistance in analyzing and resolving the breach, in accordance with articles 28 3. f) and 33 2 of the Regulations.

If the Publisher discovers such a data breach, it will inform the Customer's designated contact as soon as possible, and at the latest within 24 hours of discovering the breach.

If the Publisher becomes aware of such a data breach in the context of a contract with another Customer, the Publisher will conduct a system security analysis in the context of the contract with the Customer.

The Publisher is prohibited from notifying the CNIL directly of security breaches, unless otherwise instructed in writing by the Customer in specific cases.

The implementation of this measure does not give rise to invoicing by the Publisher, regardless of which Party discovers the breach.

In accordance with Article 28 3. h) of the Regulation, the Publisher shall make available to the Customer all the information necessary to provide proof of compliance with the obligations set out in the Regulation and in this Appendix to the Contract, and to allow audits, including inspections, to be carried out by the controller or another auditor appointed by it, and to contribute to such audits.

Except in emergencies, the Customer may carry out such audits or have them carried out by giving the Publisher at least 7 days' notice. The Customer informs the Publisher of the identity of the auditors, the scope and conditions of the audit. The Contractor may make comments on these points.

The Customer forwards the results of the audit to the Contractor.

The Customer may carry out an audit or have an audit carried out by the Contractor. The conditions are to be defined with the Publisher.

In the event of contact, control or sanction by the CNIL concerning one of the Parties, the latter shall immediately assess the possibility of the other Party's involvement and, where appropriate, send it any useful information.

The Parties shall co-ordinate before any response on a subject concerning both Parties.

Additional documents

(This proposed notice may be used on the paper documents given to users when they are trained on the system, when they are issued with an individual terminal, and/or be displayed to the user when they log on to the system for the first time. It remains available to users throughout their use of the system on a dedicated page of the application, accessible via a "Data protection" link).

Pursuant to article 12 of the European Data Protection Regulation, XXXXXXXX, the data controller, informs users of the existence of processing decided in application of the Company's legitimate interest in sound management, intended to assist with operations and passenger information, to the exclusion of any individual monitoring or profiling of drivers or operations managers. The data collected relates to the terminal used and the associated user, the line concerned, the theoretical and actual position of the vehicle, the history of exchanges with drivers and the associated acknowledgements of receipt. This data is kept for 13 months. It is only processed by a limited number of people within the Company's management team, and may be passed on to legally authorized authorities. Data is processed exclusively within the European Union.

You have the right to access, rectify, delete or limit the processing of your data, which you may exercise by contacting the Data Protection Officer of the Hauts-de-France Region. If, after contacting the Data Protection Officer, you feel that your data protection rights have not been respected or that the processing does not comply with data protection rules, you may lodge a complaint with the CNIL.

(This proposed form for the Register of processing activities provided for in article 30 of the Regulation may be taken up or adapted by the Customer's department responsible for describing the processing, or by the Customer's DPO).