General Conditions for the Processing of Personal Data for ENERGYSOFT services

(revised 2018.3, applicable as of 1/11/2018)

Article 1 – Subject matter

The purpose of these conditions is to define the conditions whereby S4E (hereafter “S4E” or the “Data processor”) agrees to carry out on behalf of the User (hereafter the “User” or the “Data Controller”) the operations for processing data of a personal nature as defined below. S4E and the User are known collectively as the “Parties” and individually as the “Party”.

These Conditions cancel and replace all previous conditions and contracts between the Parties with the same purpose. In the context of this agreement, the User is acting as the Data Controller and S4E as the Data processor within the meaning of Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 applicable as of 25 May 2018 (hereafter the “European Data Protection Regulations”).

S4E is known as the Data Controller when it determines the purposes and means for its processing of data of a personal nature. This is the case, in particular, when it processes the details of an individual (user company contact person) in the context of a request for assistance.

The Parties agree to comply with the current applicable regulations for the processing of personal data and, in particular, the European Data Protection Regulations.

 

Article 1 – Definitions

Personal Data or Data of a personal nature: means any information relating to an individual identified or identifiable within the meaning of the European Data Protection Regulations (GDPR), which the Data processor processes on behalf of the Data Controller.

Personal Data Breach: means a security breach resulting in the accidental or illegal destruction or loss of, or unauthorised disclosure of or access to, the personal Data transmitted, held or otherwise being processed.

Processing: means any operation or set of operations carried out on personal Data, encompassing the collection, recording, organisation, structuring, storing, adaptation or alteration, recovery, consultation, use, disclosure by transmission, distribution or combination, restriction or deletion of personal Data.

 

Article 2 – Details of the Processing

a. Types of personal Data: Information on contacts, including email addresses, postal addresses, latitude and longitude of installations, phone numbers, family names, first names, connection data, energy meter measures, sensors or similar, collected on site and any other type of data identified and controlled by the User at its sole discretion, in the context of its use and its parameters for the S4E services.

b. Categories of persons covered: All categories of persons covered (individuals) identified and controlled by the User at its sole discretion, namely: any person (customers, employees, data processors, etc.) whose email address and/or phone number is/are recorded as users of the service; or the owner (individual) of any power plant for which operational information (location of the installation, forecast production, etc.) is stored or collected (production or consumption measures) through the services.

c. Purpose and type of Processing: The purpose of the Personal Data Processing by the Data processor is the supply of services to the Data Controller which involves the Processing of personal Data and the execution of the obligations of the Data processor under the agreement and all the terms and conditions agreed between the Parties. The Data processor makes available software that enables the monitoring of energy production, consumption and performance, as well as associated services. The services may include in particular: the collection of measures of production and consumption and of the associated sensors, the analysis of generation performance, etc. The personal Data will be subject to Processing operations as specified in the General Conditions, the information agreed for each order and, as appropriate, in any special conditions.

d. Retention period: The personal Data are processed for the period of the contractual relationship between the Parties.

 

Article 3 – Obligations on the Parties

3.1. Obligations on the User

The User is responsible for the Processing within the subscribed services. The User is therefore solely responsible for the personal Data used, supplied and stored through the services of S4E. In this respect, the User is solely responsible for the obligations arising in its role as Data Controller under the current applicable regulations for the Processing of personal Data and, in particular, the European Data Protection Regulations.

The User agrees to:

1. Supply to S4E the personal Data required for the performance of the subscribed services. The User must not forward so-called sensitive data within the meaning of the GDPR;

2. Document all instructions relating to the Processing of personal Data by S4E. It is agreed that the details for the use of the services and this agreement constitute instructions issued to S4E concerning the Processing to be performed. Any additional instructions or exemptions require written agreement by the Parties. These must first of all be stated in writing with the order for the services and can, at any time, subject to the prior written agreement of S4E, be amended, supplemented or replaced at the request of the User, in separate written instructions;

3. Ensure, prior to and throughout the period of the Processing, compliance with the obligations arising under the European Data Protection Regulations (GDPR) for S4E;

4. Supervise the Processing, including carrying out audits and inspections of S4E. In the context of the carrying out of audits and inspections, the User agrees to inform S4E of its decision to carry out an audit or an inspection giving notice of at least 1 month;

In terms of these audits/inspections, it agrees (i) to make use of qualified personnel or service providers; (ii) to bear all costs associated with these audits/inspections; (iii) to only carry out the audits/inspections during working hours and days; (iv) that the purpose of these audits/inspections is an analysis of compliance with this agreement and the Regulations covering the protection of personal data.

5. To take all security measures necessary to protect the personal Data in its capacity as Data Controller, and in particular: to ensure the confidentiality of its logins and passwords for accessing the services; to use passwords that apply best practice; to ensure the security of the workstations and equipment through which its personnel and all persons authorised by it access the services, in particular by authenticating the users by name, by regularly reviewing their authorisations, by ensuring the application of corrections and system updates, by using updated anti-virus and firewall or similar software, by prioritising Wi-Fi networks using WPA2, WPA2_PSK or similar encryption, and by encouraging the backing up of data by its users to appropriate locations; to protect its premises, in particular with anti-intrusion systems and regularly tested access controls, the differentiation of zones within the premises according to level of risk (e.g. computer room), and the granting of access to its personnel on the basis of operational need, applying the principle of least privilege; to use personnel trained for the protection of personal data; etc.

6. To obtain, in compliance with the European Data Protection Regulations (GDPR) and any other rules relating to data protection, whenever required, the consent of those persons concerned by the planned Processing operations, and in any case to ensure that the Processing is and remains legal.

The User is also responsible for supplying the information to the Data Subjects of the Processing operations at the time of the collection of the personal Data.

7. To respond to requests from Data Subjects exercising their rights (right of access, correction, removal and opposition, processing restrictions, data portability, and the right not to be subject to an automated individual decision).

The Parties agree to comply with the current applicable regulations for the processing of personal data and, in particular, the European Data Protection Regulations.

3.2 Obligations on the Data processor

S4E will only process personal Data on the documented instructions of the User in accordance with Article 3.1.2, unless obliged to do so by EU or French law. If S4E considers that an instruction is in breach of the European Data Protection Regulations (GDPR) or any other EU or Member State legal provision relating to data protection, it will immediately inform the User.

S4E agrees to:

  • Only process the personal Data for the purposes that are within the scope of the processing.
  • Apply, with regard to its tools, products, applications and services, the principles of data protection by design and data protection by default.
  • Not transfer personal data to any country outside the EU/EEA or to any third party country not recognised by the European Commission as providing an adequate level of protection for data of a personal nature, without the prior agreement of the User.

In general, the Data Controller can at any time through the services delete and export any personal Data. In each case and unless instructed otherwise by the Data Controller, personal Data are not held by the Data processor for more than six months as of the termination or end of the services to which the personal Data relates or an earlier termination, with the exception of those that must be retained to fulfil legal or regulatory obligations.

 

Security / Confidentiality / Data Breaches

S4E implements all appropriate technical and organisational measures to ensure that the Processing complies with the requirements of the European Data Protection Regulations (GDPR). S4E agrees in particular to take all useful measures to ensure the protection and integrity of the personal Data and to prevent any misappropriation or fraudulent use of the personal Data, within the limits of its scope of intervention and the resources within its control, under the conditions and during the period of the contractual relations.

S4E agrees to protect the confidentiality of the personal Data and not to disclose these, in any form whatever, except (i) for the requirements of delivering the services, the outcomes and this agreement; (ii) in application of a legal or regulatory provision; (iii) in responding to requests from judicial and/or administrative bodies; (iv) with the prior agreement or at the request of the User. In this regard, S4E will ensure that those persons authorised to process the personal Data (personnel, partners, Subsequent Data processors, etc.) agree to maintain the confidentiality of the personal data or are subject to relevant legal obligations of confidentiality.

S4E will notify the User of any Personal Data Breach within a maximum of 72 hours of its becoming aware of it. All useful documentation to enable the User to fulfil its obligations will be supplied with this notification.

 

Assistance

As far as possible, given the nature of the Processing and the information available to it, S4E agrees with regard to the User, and at its request, to:

  • Assist it in fulfilling its obligation to respond to requests from data subjects exercising their rights, in so far as the User does not possess the information or the tools within the services. The User remains solely liable for the responses provided to the data subjects. In the event that requests to exercise rights or complaints from data subjects are sent directly to S4E, the latter agrees to forward such requests as quickly as possible to the User;
  • Assist it in carrying out a data protection impact assessment relating to personal Data, when the processing of these could result in an increased risk in terms of the rights and liberties of the data subjects, and in carrying out the prior consultation of the supervisory authority;
  • Assist it in producing the notifications for the supervisory authority, and if necessary for the data subject, in the event of a Personal Data Breach in accordance with the “Security / Confidentiality / Data Breaches” section;
  • Make available to the User all necessary information to evidence compliance with the obligations arising in the context of the European Data Protection Regulations (GDPR) and to enable the conduct of audits, including inspections.
  • Audits will be conducted in accordance with the provisions of Article 3.1.4.

 

Processing

S4E can make use of another Data processor to carry out specific Processing (hereafter “Subsequent Data processor(s)”), which the Data Controller accepts. Subsequent Data processors currently include:

  • OVH – Public cloud, file servers (located in France)
  • Scaleway – Public Cloud (located in France)
  • Infomaniak – file servers (located in Switzerland)
  • Hetzner – Public cloud, file servers (located in Germany)

The Data Controller acknowledges and agrees that S4E can make use of each of the Subsequent Data processors as listed above.

S4E agrees to inform the User in advance and in writing, including electronically, of any planned change involving the addition or replacement of other Subsequent Data processors. The User has a period of 15 calendar days as of the date of the sending of this notification to terminate the service or services concerned if it objects. If the User does not terminate within this period, the User is deemed to have agreed to the change involving the addition or replacement of other Subsequent Data processors. In the event of termination, the User will not be entitled to any reimbursement for ongoing subscriptions. Any notice of termination in this context must be sent to the following address: dpo@s4e-software.com

If the Subsequent Data processor fails to fulfil its obligations in terms of data protection, S4E remains wholly liable with regard to the User.

 

Record of processing activity categories

S4E certifies that it keeps a written record of all categories of processing activity carried out on behalf of the User.

 

Article 4 – Data Protection Authorities

The Parties agree to cooperate with the relevant data protection agencies, specifically in the event of a request for information that could be addressed to them in the course of an inspection.

 

Article 5 – Data Protection Officer

S4E certifies that it has appointed a Data Protection Officer who can be contacted at the following electronic address: dpo@s4e-software.com or by letter at the registered office of S4E. As soon as the User has appointed a Data Protection Officer, it agrees to forward their contact details to the S4E Data Protection Officer.

 

Article 6 – Application of the General Terms and Conditions

This agreement supplements the General Terms and Conditions of Sale applicable to the Services subscribed to by the User.

In the event of contradictions, these Conditions shall prevail over the General Terms and Conditions.