Personal Data Protection Agreement

Appendix to Skipcall General Terms and Conditions

Last updated: April 1, 2026

This agreement (hereinafter the "Agreement") is intended to define the conditions under which SKIPCALL, acting as a "data processor" within the meaning of European data protection regulations, undertakes to perform, on behalf of the Client, acting as the data controller, personal data processing operations in connection with the performance of the services covered by the Agreement as described in the SKIPCALL General Terms of Service, of which this Agreement forms an appendix.

Within the framework of their contractual relationship, the Parties undertake to comply with applicable personal data protection regulations, in particular the GDPR or Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (applicable since May 25, 2018), as well as French Law No. 78-17 of January 6, 1978 on Data Processing, Files and Freedoms (hereinafter collectively referred to as the "Applicable Regulations").

The Parties adopt the definitions set out in applicable regulations, in particular the GDPR, including but not limited to "personal data", "processing", "controller", and "processor".

Article 1. General Obligations of SKIPCALL

SKIPCALL undertakes to:

  • Process Personal Data only on the Client's instructions and not use personal data for any purpose other than the strict performance of the Agreement.
  • Process data in accordance with the Client's instructions. The Client understands it may configure processing parameters itself (type of data, processing operations, retention period, etc.). If SKIPCALL considers an instruction to be non-compliant with Applicable Regulations, it will inform the Client.
  • Ensure confidentiality of processed Personal Data and ensure authorized persons are bound by confidentiality obligations.
  • Apply data protection by design and by default principles in its tools and services.
  • Implement appropriate technical and organizational measures and provide assistance to enable the Client to meet legal obligations.
  • Implement security measures taking into account risks such as destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
  • Notify the Client of any personal data breach as soon as possible after becoming aware of it, including via email to the Client's DPO. The notification will include:
    • Description of the breach
    • Contact point
    • Likely consequences
    • Measures taken or proposed

    If full information is not immediately available, additional details will be provided as soon as possible.

  • Provide all necessary information to demonstrate compliance and allow audits under reasonable conditions. The Client is limited to one audit per contract year (except emergency situations). If audits create workload, they may be billed unless required by GDPR Article 28.
  • Maintain a written record of processing activities including:
    • Client details
    • Sub-processors
    • Processing categories
    • International transfers
    • Security measures

Article 2. Subprocessing

SKIPCALL may use listed sub-processors.

If new sub-processors are added, SKIPCALL will notify the Client, who may object within 15 days for valid reasons.

Sub-processors must comply with equivalent data protection obligations and confidentiality requirements.

Article 3. Data Subject Information Rights

The Client is responsible for informing data subjects during data collection.

If data subjects contact SKIPCALL directly, SKIPCALL will forward requests to the Client promptly.

Article 4. Personal Data Retention and Deletion

SKIPCALL will not retain data beyond Client-defined retention periods except for compliance or contractual proof.

Upon Client instruction or contract termination, SKIPCALL will return or permanently delete data and provide destruction confirmation.

Article 5. Data Protection Officer

Each Party must communicate DPO contact details and notify changes.

Article 6. Data Transfers

SKIPCALL will host and process personal data within the EU or in countries with adequate protection recognized by the European Commission and CNIL.

Transfers outside the EU will only occur with appropriate safeguards such as certifications or Standard Contractual Clauses.

Article 7. Sensitive Data

Services do not process sensitive data under GDPR Articles 9 and 10.

If needed, processing will be governed by an amendment specifying additional safeguards.

Article 8. Client Obligations

The Client undertakes to:

  • Provide necessary data
  • Document instructions
  • Ensure compliance with regulations and perform impact assessments if needed
  • Supervise processing and audits
  • Maintain processing records
  • Ensure lawful data processing
  • Obtain equivalent obligations if acting as processor itself

Article 9. Cooperation in Case of Non-Compliance

If a compliance breach occurs, Parties will collaborate to assess severity and determine whether processing should be suspended or the Agreement terminated.

If SKIPCALL cannot comply, it will inform the Client. After 30 days of suspension, termination rights may apply.

The Client may terminate if SKIPCALL is in serious or repeated breach or fails to comply with regulatory decisions.

SKIPCALL may terminate if Client instructions violate applicable laws.