DATA PROTECTION POLICY FOR CUSTOMERS OF LINKFLUENCE AFFILIATES

Linkfluence France / Linkfluence US / Linkfluence SINGAPORE / Linkfluence GERMANY / Linkfluence UK / Linkfluence SCOOP IT FRANCE / Linkfluence SCOOP IT US (hereinafter “Linkfluence”) provides the Services (as defined below) to customer (hereinafter the “Customer”). In the course of the Services, Linkfluence processes personal data related to staff members of the Customer and to Web Users. The purpose of this data protection policy is (i) to describe the respective roles of Customer, Linkfluence and its parent company Linkfluence France SAS and (ii) to determine their respective obligations with regard to data protection requirements where Linkfluence provides its services (hereinafter the “Data Protection Policy”).

 

1. DEFINITION

For the purposes of this Data Protection Policy :
Agreement” means the agreement between Customer and Linkfluence describing the terms and conditions under which Linkfluence provides the Services and the Linkfluence Platform is made available to Customer.
Calculated Data” means the result of calculations carried out by the Linkfluence Platform on Raw Data.
GDPR” refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Linkfluence France SAS” means the parent company of Linkfluence group which controls the Subsidiaries including Linkfluence.
Linkfluence Platform” means collectively “Linkfluence Search”, “Linkfluence Tribes” and “Radarly”.
Raw Data” means the content and data collected directly by the Linkfluence Platform from third-party sources, such as but not limited to social media outlets.
Services” means access to the online, Web-based application provided by Linkfluence on a Subscription basis (as defined in the Agreement), including but not limited to the Linkfluence Platform; and the Professional Services (as defined in the Agreement) that are ordered by Customer.
Subsidiary” refers to any company that controls, is controlled by or is under the joint control of Linkfluence France SAS.
User” means an individual who is authorized by Customer to use the Services on behalf of the Customer, including but not limited to employees, consultants, contractors, and agents of Customer.
Web User” means any individual who generated content, their profile or interactions, that is publicly available on the Internet.
The terms “Data Controller”, “Data Processor”, “Personal Data”, “Processing”, and “Data Subject” have the meaning given to them in the GDPR.

 

2. PRESENTATION OF PROCESSING

Depending upon the processing at stake, Linkfluence and Customer are either Data Controller or Data Processor of Personal Data.

 

2.1. Situations where Linkfluence or Linkfluence France SAS is a separate Data Controller

Linkfluence or Linkfluence France SAS act as Data Controller in relation with the following processing of Personal Data:
   (i) Processing of Raw Data: The parent company Linkfluence France SAS collects Raw Data from third-party sources, and in compliance with Article 6 .1 (f) of the GDPR. Customer is not a Data Processor in this respect.
   (ii) Processing of Customer’s personnel Personal Data: Linkfluence processes the Personal Data of the other party’s personnel (for example, their name, telephone, email address), for the purposes of managing the commercial relationship.
   (iii) Processing of Customer’s Personal Data: Linkfluence processes Personal Data for the management/creations of accounts to access the Linkfluence Platform.

The processing (ii) and (iii) shall be carried out pursuant to the performance of the Agreement and/or based on Linkfluence's legitimate interest. This Personal Data is necessary to allow Linkfluence to fulfil its obligations under the Agreement. If the Customer does not provide Linkfluence with this Personal Data, Linkfluence cannot meet its obligations pursuant to the Agreement. This Personal Data may be communicated for management of the internal services of Linkfluence, and may be transferred to the parent company Linkfluence France SAS and to Data Processor(s). Furthermore, Personal Data may be sent outside of the EEA, in particular to the United States, on the basis of the Standard Contractual Clauses entered into by Linkfluence. This Personal Data will be kept for the full term of the Agreement and shall be archived for the purposes of justification or proof. In accordance with applicable data protection legislation, the Data Subject has the right to access, rectification, deletion, limitation, opposition and portability of their Personal Data, as well as the right to make a complaint to a competent supervisory body. The Data Subject may exercise their rights by writing to the following address: privacy@linkfluence.com. Insofar as Linkfluence is not in direct relationship with the Data Subject whose Personal Data was collected, the Customer undertakes to provide its staff concerned with processing operations with all the information relating to the processing of their Personal Data for the purposes stated above.

 

2.2. Situation where Customer is Data Controller and Linkfluence is Data Processor

Linkfluence acts as Data Processor in relation with the following processing of Personal Data:
    (i) Processing of Personal Data derived from the Raw Data for the purposes of providing the Services. Such derived Personal Data will be processed and made available via the Linkfluence Platform, and includes the Calculated Data.
    The Customer acknowledges that Raw Data, including Personal Data derived from Raw Data, does not belong to Linkfluence, Customer or Customer’s clients and has been obtained by Linkfluence from Third-Party Sources, as such term is defined in the Agreement. Therefore, Customer may not hold Linkfluence liable in any manner whatsoever for the processing of the Personal Data mentioned above and carried out by the Third-Party Sources.
    (ii) Processing of Personal Data for the provision of support services to Customer in accordance with the Agreement


With respect to the above processing (i) and (ii), Customer, as Data Controller, has sole authority in determining the purposes and the conditions of processing Personal Data as well imposing general and specific instructions to Linkfluence, the Data Processor.


Customer acknowledges and authorizes Linkfluence to engage its parent company Linkfluence France SAS as a sub-processor in order to provide the Services to Customer.
The following Sections 3 and 4 apply to the processing activities described in this section 2.2.

 

3. DESCRIPTION OF THE ROLES AND RESPONSIBILITIES OF EACG PARTY WHEN LINKFLUENCE ACTS AS DATA PROCESSOR

A description of the nature and purposes of the processing, types of Personal Data, categories of Data Subjects and the duration of the processing are provided below:
 
  • Purposes of processing: The processing of Personal Data is necessary to allow Linkfluence to provide the Services. Linkfluence processes, in particular, Personal Data on behalf of the Customer with the purposes of:
    • providing the Linkfluence Platform to Customer, that is to say providing social intelligence data in the context of social media monitoring for marketing and communication purposes and customer servicing and experience ;
    • providing support services;
  • Nature of processing: The nature of processing for the above mentioned purposes include: 
    • retrieval, structuring, organisation, adaptation, consultation and use of Raw Data ; and
    • transmission, making available and storage of Calculated Data.
  • Data Subject Categories: The Personal Data that shall be processed include:
    • Web Users
    • Customers’ Users of the Service
  • Type(s) of Personal Data subject to processing:
    • For authors of publicly available web content publications, the types of Personal Data subject to processing are :
      • screen name (which can include first and last names),
      • published content
      • interactions
      • photos,
      • videos,
      • location,
      • gender,
      • age,
      • occupation, 
      • website URLs,
      • website names
    • For Users of the Services the types of Personal Data subject to processing are:
      • contact details including name, email,
      • login and account information, including screen name, password and unique user ID
      • traffic data, including cookies (beacons, pixels, tags), IP addresses, referrer headers, data identifying the web browser and version, and device information (to the extent considered by applicable law to be personal data),
      • social network information, including credentials,
      • photos
  • Duration of the Processing: Unless Customer instructs otherwise Personal Data is kept for the duration necessary either to the provisions of the Linkfluence Platform to Customers and for the provisions of the support services:
    • personal Data kept by Linkfluence for the provisions of the Linkfluence Platform : for the duration of the Agreement within the limit of seven (7) years ;
    • for the provisions of the support services : for the duration necessary to provide the support services.

4. OBLIGATIONS OF CUSTOMER (DATA CONTROLLER) AND LINKFLUENCE (DATA PROCESSOR)

4.1. General obligations of Customer

As Data Controller, Customer remains responsible for the lawfulness of the processing entrusted to Linkfluence, particularly with regard to the principles and duties set out in the GDPR concerning, in particular, the legal basis of the processing and the information of the Data Subjects.
The Customer undertakes to process the Personal Data in compliance with the GDPR. In this regard, during the full duration of the Agreement, the Customer undertakes:

  • to send Linkfluence documented instructions in accordance with the GDPR;
  • to document in writing any additional instructions concerning the processing of Personal Data by Linkfluence;
  • to ensure that Linkfluence, acting as Data Processor, complies with the duties set out in the GDPR before and throughout the duration of the provision of the service;
  • to inform Data Subjects.

In the event of Linkfluence's supervision by a supervisory authority concerning all or part of the processing entrusted by the Customer, the latter undertakes to actively cooperate with Linkfluence and, if necessary any supervisory authority, including providing them with all the documents or information useful to them.

 

4.2. Personal Data Processing by Linkfluence

Linkfluence shall process the Personal Data in accordance with the Customer’s lawful and documented instructions, and only for the purposes described in this Data Protection Policy, with the exception of the instructions that Linkfluence believes to be in breach of the GDPR or contrary to the applicable law relating to Personal Data Protection, in which case Linkfluence would inform the Customer of it in writing immediately. If Linkfluence is required to process the Personal Data outside of the Customer’s documented instructions pursuant to the applicable law, Linkfluence shall inform the Customer of this legal obligation before processing, unless the law concerned forbids such information for reasons of public interest.

4.3. Security

Linkfluence must put in place appropriate technical and organisational measures in order to protect the Personal Data from destruction, loss or alteration, non-authorised disclosure of the personal data and non-authorised access to this data (a “Security Incident”). As soon as Linkfluence learns of a Security Incident concerning the Personal Data processed on behalf of the Customer, Linkfluence must warn the Customer without delay and provide all the reasonable assistance that the Customer requires in order to meet the notification duties regarding any violation of the data referred to in the GDPR. Linkfluence must also take all reasonably necessary measures or action to correct or mitigate the repercussions of the Security Incident and inform the Customer of all significant developments relating to the Security Incident.

 

4.4. Personal Data Breach

Linkfluence shall notify the Customer without undue delay upon Linkfluence becoming aware of a Personal Data Breach affecting Personal Data, providing Customer with information (as and when available) to assist the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach.
Where Linkfluence becomes aware of a Personal Data Breach, it shall, without undue delay, also provide the Customer with the following information:
   i. description of the nature of the Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data concerned;
   ii. the likely consequences; and
   iii. description of the measures taken, or proposed to be taken, including measures to mitigate its possible adverse effects.
Linkfluence shall, at the Customer's cost, co-operate with the Customer and take such reasonable commercial steps as are reasonably instructed by the Customer to assist in the investigation and mitigation of each such Personal Data Breach.

 

4.5. Duties of Confidentiality

Linkfluence must ensure that any member of staff authorised to process personal data is subject to a duty of confidentiality.

 

4.6. Sub-processing

The Customer authorizes Linkfluence to engage subsequent third party data processors (“Subsequent Data Processors”) in order to process the Personal Data on behalf of Linkfluence. The Customer authorizes Linkfluence to use the subsequent Data Processors listed in Exhibit 1 of this Data Protection Policy. The Customer provides a general authorization to the use of Subsequent Data Processors, and Linkfluence must notify the Customer enough in advance of taking on any new subsequent Data Processor and if the Customer refuses the new subsequent Data Processor within a period of five (5) calendar days from the receipt of such a notification for legitimate or justifiable reasons related to data protection, Linkfluence may either (i) not call upon the subsequent Data Processor to process the Personal Data; or (ii) discuss in good faith with the Customer in order to find a solution, or (iii) suspend or terminate the processing activities at stake or suspend or terminate the Agreement with the Customer.

 

4.7. International transfers

Linkfluence is authorised to process (or to have processed) Personal Data from the EEA in a third party country located outside the EEA subject to the establishment of the appropriate guarantees as defined in Article 46 of the GDPR. Particularly, Personal Data may be sent outside of the EEA, in particular to the United States, on the basis for instance of the Standard Contractual Clauses entered into by Linkfluence.

 

4.8. Rights of Data Subjects

Linkfluence shall provide all reasonable assistance to the Customer, insofar as possible, in order to allow it to respond to the requests of data subjects who wish to exercise their rights under the GDPR. If such a request is made directly to Linkfluence, Linkfluence will forward this request to the Customer as soon as possible without responding to it.

 

4.9. Record(s) of processing activities

Linkfluence regularly updates any records of data including Personal Data that is processed by the Linkfluence Platform. Customer may access such records and the processing operations carried out by Linkfluence in its capacity of Data Processor of the Personal Data processed through the Linkfluence Platform for Customer.

 

4.10. Analysis of the impact of data protection

Linkfluence shall, at the Customer's cost, provide reasonable assistance to the Customer so that it can meet its duty to carry out an impact analysis relating to data protection and prior consultation with the supervisory authorities in accordance with the GDPR.

 

4.11. Audit

Once a year and at its own cost, the Customer will have the possibility to audit or have audited the internal personal data protection systems put in place by Linkfluence in order to check Linkfluence's compliance with this Data Protection Policy. The Customer shall inform Linkfluence of the audit with a minimum of one (1) month notice. Linkfluence reserves the right to refuse the identity of the auditor retained by the Customer if it belongs to a company competing with Linkfluence. The audit should be carried out during Linkfluence's opening hours and in such a way that it interrupts Linkfluence's activity as little as possible. The audit shall not affect in any way whatsoever (i) the technical and organisational security measures used by Linkfluence, (ii) the security and confidentiality of the data of Linkfluence's other Customers, or (iii) Linkfluence's proper functioning and production organisation. Insofar as possible, the Parties will agree in advance on the scope of the audit. The audit will be carried out at the cost of the Customer. The audit report will be sent to Linkfluence in order to allow Linkfluence to make any potential comments and observations in writing, which will be attached to the final version of the audit report. Each audit report will be deemed confidential information.

 

4.12. Return or Suppression of Personal Data.

Upon expiry or termination of the Agreement, Linkfluence is required to, depending on the Customer’s preference, suppress or return the Personal Data (including copies) in its possession to the Client. Linkfluence undertakes to destroy all existing copies of the Personal Data.

 

Exhibit 1. List of Subsequent Data Processors

List of Linkfluence Subsequent Data Processors

List of

Subsequent Data Processors

Name

Role / Purpose

Location (incl. any international data export solution in place)

Parent company

LINKFLUENCE France SAS

Data Processing for the provision of Services

France

External providers

OVH

Hosting/ Data Processing / Data archive

France (Roubaix, Gravelines), Canada (Beauharnois)

LeaseWeb

Data Processing / Customer projects

Netherlands (Haarlem)

Amazon Web Services (AWS)

Hosting / Data Processing / Customer settings / Backups

Ireland (Dublin) and Japan (Tokyo)

FullStory

User session analytics

United States (Google Cloud Platform)

Alibaba Cloud[1]

Hosting / Data processing

China (Shanghai)

Pendo

User session analytics

 

United States (Google Cloud Platform)

Zendesk

Support ticket management

 

United States

 

[1] If applicable, Alibaba Cloud is a Subsequent Data Processor only to the extent that China is covered in the Agreement.