PERSONAL DATA TREATMENT

Last updated: January 3, 2024

The objective of this contract is to outline the terms under which LOBSTR (hereafter referred to as “LOBSTR” or the “Subcontractor”) agrees to perform personal data processing operations on behalf of the user (hereafter referred to as “User” or the “Data Controller”). LOBSTR and the User collectively are referred to as the “Parties” and individually as a “Party”. This contract supersedes and replaces all previous agreements and conditions between the Parties with the same intent.

In this contract, the User serves as a Data Controller and LOBSTR serves as a Subcontractor, as defined by Regulation (EU) 2016/679 of the European Parliament and the Council dated April 27, 2016, effective from April 7, 2023 (hereafter referred to as the “European Data Protection Regulation”).

LOBSTR functions as a controller when determining the objectives and methods of personal data processing. This is specifically applicable when processing contact information of an individual (representative of the user company) for assistance requests. The Parties commit to comply with the current regulations applicable to personal data processing, particularly the European Data Protection Regulation.

DEFINITIONS

Personal Data: refers to any information relating to an identified or identifiable natural person as defined by the European Data Protection Regulation, which the Subcontractor processes on behalf of the Data Controller.

Personal Data Breach: refers to a security breach resulting in the accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access to Personal Data transmitted, stored, or otherwise processed.

Processing: denotes any operation or set of operations performed on or with Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, usage, disclosure by transmission, dissemination or combination, restriction, or deletion of Personal Data.

DETAILS OF PROCESSING

a. Types of Personal Data: Contact details, including email addresses, phone numbers, last name, first name, occupation, gender, demographic information, preferences, location data, login credentials, and any other type of data determined and controlled by the User at their sole discretion, within the context of utilizing and setting up LOBSTR services.

b. Categories of data subjects: All categories of data subjects (natural persons) determined and controlled by the User at their sole discretion, including:

  • Any individual (customers, prospects, employees, subcontractors, suppliers, etc.) whose email address and/or phone number is/are included in the User’s distribution list; or recipient of any email/SMS communication; or whose information is stored or collected via the Services.

c. Purpose and nature of Processing: The subject of Personal Data Processing by the Subcontractor is to provide Services to the Data Controller, which involves Personal Data Processing and the fulfillment of the Subcontractor’s obligations within the contract and all conditions agreed upon between the Parties. The Subcontractor offers software that enables automated and recurring collection and exportation of publicly available online data, which may include personal data, from cloud-based hosted infrastructure. Additionally, they provide task automation services, including the ability to send messages from a third-party platform.

d. Duration of Processing: Personal Data will be processed for the duration of the contractual relationship between the Parties.

OBLIGATION OF THE PARTIES

OBLIGATION OF THE USERS

The User is responsible for the Processing under the subscribed services.

Therefore, they are solely responsible for the Personal Data they use, provide, and store through LOBSTR services. As such, the User is solely responsible for fulfilling the obligations as the Data Controller in accordance with the current regulations applicable to Personal Data Processing, particularly the European Data Protection Regulation.

The User agrees to:

  1. Supply LOBSTR with the necessary personal data to carry out the subscribed services, taking care not to provide sensitive data as defined by personal data protection regulations;
  2. Record any instructions concerning the processing of Personal Data by LOBSTR. It is understood that the methods of using the services and this agreement will serve as instructions for LOBSTR regarding the processing to be implemented. Additional or deviating instructions necessitate a written agreement between the Parties. These instructions must initially be specified in writing when ordering services and can be modified, supplemented, or replaced at the User’s request, with LOBSTR’s prior written consent, in separate written instructions;
  3. Ensure, beforehand and throughout the duration of the Processing, that LOBSTR adheres to the European Data Protection Regulation requirements;
  4. Oversee the Processing, including conducting audits and inspections with LOBSTR. While carrying out audits and inspections, the User commits to notifying LOBSTR of their decision to perform an audit or inspection with a minimum notice period of 15 days;

In relation to these audits/inspections, they agree to (i) engage qualified personnel or a service provider; (ii) cover only the full costs of the audits/inspections; (iii) conduct audits/inspections exclusively during regular working days and hours; (iv) verify that the purpose of these audits/inspections is to analyze compliance with this Agreement and personal data protection regulations.

  5. Implement necessary security measures to protect Personal Data in their capacity as the Data Controller. This includes ensuring the confidentiality of their login and password for accessing the services, using secure passwords, safeguarding workstations and equipment used by authorized personnel, authenticating users, periodically reviewing authorizations, applying system patches and updates, maintaining up-to-date antivirus and firewall protections, favoring Wi-Fi networks with WPA2, WPA2_PSK, or similar encryption, performing regular backups of user data in secure locations, and protecting their premises with anti-intrusion systems and periodically tested access controls. Differentiate areas of the premises based on risk (e.g., computer rooms) and grant staff access according to operational needs and the principle of least privilege. Employ individuals trained and knowledgeable about personal data protection.
  6. Collect, in accordance with the European Data Protection Regulation and other applicable data protection laws, any necessary consent from individuals affected by the proposed processing operations, ensuring that the processing remains lawful. It is the User’s responsibility to provide information to the individuals concerned during the collection of Personal Data.
  7. Address requests related to the exercise of data subject rights (right of access, rectification, deletion, objection, limitation of processing, data portability, and freedom from automated individual decision-making).

More generally, comply with obligations imposed by applicable regulations regarding personal data processing, particularly the European Data Protection Regulation.

SUBCONTRACTOR OBLIGATIONS

LOBSTR processes Personal Data solely based on the User’s documented instructions, as per Article 3.1.2, unless required by EU or French law. If LOBSTR believes an instruction violates the European Data Protection Regulation or any other EU or member state data protection law, it will promptly inform the User.

LOBSTR commits to:

  • Processing Personal Data exclusively for subcontracted purposes.
  • Considering data protection by design and default principles in its tools, products, applications, or services.
  • Not transferring Personal Data to countries outside the EU/EEA or to any third country not recognized by the European Commission as ensuring adequate personal data protection levels without the User’s prior consent.

Generally, the Data Controller can delete and export any Personal Data through the services at any time. Unless instructed otherwise by the Data Controller, LOBSTR will not retain Personal Data for more than six months following the termination, expiration, or early cancellation of the service related to Personal Data processing, except when data retention is necessary to comply with legal or regulatory obligations.

Security / Confidentiality / Data Breach

LOBSTR implements suitable technical and organizational measures to ensure processing meets Data Protection Regulations requirements. LOBSTR commits to taking all necessary measures to preserve and maintain the integrity of Personal Data and to prevent misuse or fraudulent use of Personal Data, within the scope of its intervention and means under its control during the contractual relationship. Users can review these measures on the website at any time.

LOBSTR agrees to maintain the confidentiality of Personal Data and not disclose it in any form, except (i) for executing the Services and this agreement; (ii) as required by a legal or regulatory provision; (iii) in response to requests from judicial and/or administrative authorities; or (iv) with the User’s prior consent or request. In this regard, LOBSTR ensures that individuals authorized to process Personal Data (staff, partners, sub-subcontractors, etc.) commit to maintaining the confidentiality of the Personal Data or are subject to a suitable legal confidentiality obligation.

LOBSTR will notify the User of any Personal Data breach within 48 hours of becoming aware of it. This notification will include any relevant documentation to help the User fulfill their obligations.

Assistance

When possible, considering the nature of the Processing and the information available, LOBSTR commits to assisting the User, upon request:

  • In fulfilling their obligation to respond to requests for exercising the rights of individuals involved in the Processing, provided the User lacks the information or tools via the services. The User remains solely responsible for responding to these individuals. If LOBSTR receives any requests or complaints from individuals directly, it commits to forwarding them to the User as soon as possible.
  • In conducting personal data protection impact assessments when the data processing is likely to pose a high risk to the rights and freedoms of the individuals involved, and when consulting the supervisory authority beforehand is required.
  • In notifying the supervisory authority and, if necessary, the data subject in case of a Personal Data breach, in accordance with the “Security, Confidentiality, Data breach” section.
  • In providing the User with all necessary information to demonstrate compliance with the European Data Protection Regulation and facilitating audits, including inspections. Audits will be conducted according to the provisions in Article 3.1.4.

Subcontracting

LOBSTR may use another subcontractor to carry out specific processing activities (hereinafter, “Subcontractor(s)”), which the Data Controller agrees to. The list of current Subcontractors is available on the website. LOBSTR commits to informing the User in advance, in writing or electronically, about any planned changes involving the addition or replacement of other Subcontractors. The User has 15 calendar days from the date this information is sent to terminate the service(s) in case of objection. If the User does not terminate within that period, they will be considered to have accepted any changes related to adding or replacing Subcontractors. In case of termination, the User will receive a refund for any prepaid but unused expenses for the remaining period following the termination’s effective date. Any termination notice in this context must be sent to the following address: contact@lobstr.io

LOBSTR commits to entering into a contract with each of its Subcontractors, including the same obligations as those to which it is subject under this agreement. If the Subcontractor processes services outside the EU/EEA, this information is specified in the list above. LOBSTR must ensure the transfer complies with standard contractual clauses approved by the European Commission for Personal Data transfers, which the User authorizes LOBSTR to conclude on their behalf and for their account, or that other appropriate legal data transfer mechanisms are applied. If the Subcontractor fails to fulfill its data protection obligations, LOBSTR remains fully liable to the User.

Processing Activity Categories Register

LOBSTR confirms that it maintains a written register of all categories of processing activities performed on behalf of the User.

SUPERVISORY AUTHORITIES

The Parties commit to cooperating with competent data protection authorities, particularly in the event of an information request sent to them or in case of control.

DATA PROTECTION OFFICER

LOBSTR confirms it has appointed a data protection officer who can be reached at contact@lobstr.io or by mail at LOBSTR’s head office. If the User has a data protection officer, they commit to providing their contact information to LOBSTR’s Data Protection Officer.

APPLICABILITY OF GENERAL TERMS

This agreement supplements the general terms applicable to the Services subscribed by the User. In case of contradictions, this agreement takes precedence over the general terms.

MODIFICATIONS

This Agreement may be amended at any time. All changes are published on the LOBSTR website and brought to the User’s attention through the website. It is the User’s responsibility to regularly check the site.

The User may terminate the Services without charge within thirty days of these changes taking effect by sending a registered letter with acknowledgment of receipt to LOBSTR.