Third party personal data
To complete an order, and generally during various exchanges with the Client, Amaïa, hereinafter the Company, may receive personal data regarding third parties, hereinafter the Data.
Such Data may be included in the documents to be translated, or in any other document provided by the Client. The Data may relate to any natural person and may be of any nature such as: surname, first name, age, profession, address, telephone number, etc. Some of these Data may be particularly sensitive, in particular those relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, sex life or sexual orientation, health, offences or convictions of any kind, in particular criminal.
The Client guarantees the Company that they have obtained the valid consent of the persons whose Data are cited in the documents provided to the Company, and that, as the data controller, they have informed those persons of their rights. The Company, as a subcontractor, shall not be bound by any obligation in this respect, and shall not be held liable if the processing requested by the Client is unlawful. If, because of the Client, a party seeks to hold the Company liable on the basis of the Data processed, the Client shall protect the Company up to the amount of the required compensation.
The Company is authorised to process said Data on behalf of the Client in order to carry out the following services:
- The translation of documents and/or content provided to it by the Client; and/or
- The legalization/certification of a document given by the Client; and/or
- Participation in an interpreting mission; and/or
- Participation in any other linguistic-based mission ordered by the Client.
In order to carry out these services, the Company may be required to process Data, in particular to receive, consult, modify, copy, save and/or restore the Data.
In addition, as part of the execution and follow-up of the order, the Company is authorised to subcontract all or part of the processing of the Data to a third party of its choice, whether this third party is located in or outside the European Union.
During the execution of the order, and as long as the Company remains in possession of the Data, it undertakes, in its capacity as subcontractor, to:
1. communicate to the Client, at the Client’s request, its information systems security policy;
2. implement all technical and organizational measures to guarantee a maximum level of security taking into account the sensitive nature of the Data, the risk involved, and the state of technical knowledge;
3. process the Data only on the Client’s documented instructions and in accordance with them, a fortiori with regard to the transfer of such Data to another European Union Member State or to a country outside the European Union;
4. immediately inform the Client if one or more of the Client’s instructions constitutes a violation of the provisions of the Regulation or a violation of European Union law on personal data;
5. process the Data entrusted by the Client only within the limits that will be defined by the Client on a case-by-case basis, in particular as regards the purpose, nature, duration and purposes of the processing;
6. assist the Client, as much as is possible, in order to enable the owners of such Data to exercise their rights (in particular their rights of access, rectification, deletion and opposition, their rights to limit processing, the portability of the Data, and their right not to be the subject of an automated individual decision);
7. inform the Client of any incident or security breach likely to affect the security and/or confidentiality of the Data without delay following the occurrence;
8. assist the Client, as much as is possible, so as to react effectively and within the briefest possible time to a breach of the Data, including the obligation to use all means at its disposal to immediately inform the Client of such a breach, and the obligation to cooperate with the Client in order to inform the supervisory authority and the persons concerned, as well as the obligation to inform the Client of the probable consequences of such a breach and the measures to be taken to remedy it;
9. assist the Client, as much as is possible, in the implementation of impact assessments and in prior consultation with the supervisory authority, such assessments having the objective of determining a priori the risks that may arise from a particular processing operation on the rights and freedoms of the persons concerned;
10. upon the Client’s instructions and without delay, delete the transmitted Data from all media on which they appear, retaining no copy in any form whatsoever, making no subsequent use of them for any reason, and substantiating their destruction in writing;
11. at the end of a ten-year period from the date of execution of the order, permanently delete the Data transmitted from all media on which they appear, keeping no copy in any form whatsoever and making no kind of subsequent use of them for any reason, and substantiating their destruction in writing, unless the laws of the European Union or the laws of the Member State require that the Data be kept for a longer period;
12. communicate the name and contact details of the Data Protection Officer (DPO), if one has been appointed;
13. inform the Client of the existence of a processing registry if necessary;
14. provide the Client with all the information necessary to demonstrate compliance with the obligations arising herein, and, if necessary, allow an audit to be carried out for these purposes, in the care of the Client or by any third party mandated by them.