GDPR
PREAMBLE This charter - "the Charter" - has been drawn up in order to define the commitments for data protection and to specify the implementation of the General Data Protection Regulations - "GDPR" within the company - the "Company". The Company attaches particular importance to the protection of the personal data of its employees - the "Employees" -, its customers, its partners, as well as the users of its websites and mobile applications. The Company informs about the procedures for collecting personal data, their use and the options available to the persons concerned. This Charter may be amended by the Company in the event of regulatory, legal or technical changes. The Company complies with the French Data Protection Act No. 78-17 of January 6, 1978 as amended, as well as with the Act No. 2004-575 of June 21, 2004 on confidence in the digital economy, and the General Data Protection Regulations No. 2016/679 of April 27, 2016. This General Data Protection Regulation, no. 2016/679 of April 27, 2016 became applicable in the European Union on May 25, 2018.
ARTICLE 1 - DEFINITION
The General Data Protection Regulations concern the processing and circulation of personal data, the information on which companies rely to offer services and products. It lays down rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data. It protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. The main objectives of the DPMR are to increase both the protection of data subjects when processing their personal data and the accountability of those involved in such processing. The objective is also to harmonise the European legal standard for the protection of personal data, so that there is one single framework applying to all Member States.
ARTICLE 2 - CONCEPT OF PERSONAL DATA
Personal data is information that makes it possible to identify a natural person, directly or indirectly. It can be a name, a photograph, an IP address, a telephone number, a computer connection identifier, a postal address, a fingerprint, a voice recording, a social security number, an email address, etc. Some data are sensitive because they relate to information that may give rise to discrimination or prejudice: political opinion, religious sensitivity, trade union involvement, ethnicity, sexual orientation, medical situation or philosophical ideas are sensitive data. They have a specific framework, which prohibits any prior collection without clear and explicit written consent, and for specific cases, validated by the National Commission for Information Technology and Civil Liberties - "CNIL" and whose public interest is proven.
ARTICLE 3 - DATA COLLECTED WITHIN THE COMPANY
The collection of personal data is the subject of a declaration to the French personal data protection authority, the CNIL. Information may be collected in different ways Consent The Company does not collect any personal data without obtaining express consent and giving prior information concerning in particular the type of data collected, its purposes, the person responsible for processing it, and the various rights that the persons who are the originators of the data are able to exercise over it. Visits to the Company's website may also lead to the collection of information during various exchanges, or from external companies via a dynamic and/or interactive internet or mobile application with internet users, whether or not they are Employees of the Company. Cookies The Company's sites and services may issue cookies. They make it possible to recognise the terminal concerned each time this terminal accesses digital content containing cookies from the same issuer. They enable the services to operate efficiently and to remember preferences. There is, however, a possibility to erase the cookies stored on the connection terminal in order to permanently delete the information they contain.
ARTICLE 4 - THE OBLIGATION TO PROVIDE INFORMATION AND TO RESPECT CONSENT
The Company guarantees the rights of access, rectification and opposition to their data that existed prior to the application of the RGPD. It also guarantees the right to limitation of processing, the right to forget, the right to portability of data or the right to erasure of data. The protection of minors under the age of 16 is also strengthened. The consent of the holder of parental authority must be given. At each collection of data, the data subject must be informed of the legal basis on which the processing is carried out, of his or her rights regarding the processing (limitation, portability and recourse) and of the exact modalities of the processing of his or her data. This information must be visible and accessible on the Internet site where the data are collected, or, where appropriate, on the media which allow the data to be collected, such as signed contracts, etc.
ARTICLE 5 - PURPOSES OF THE DATA COLLECTED
Only data that is necessary and relevant to the purposes pursued is collected, in compliance with the principle of proportionality, in order to improve the quality of the products or services that the Company offers. The Company will only collect data that is adequate, relevant and strictly necessary for the purpose of processing. The data identified as mandatory are necessary in order to benefit from the corresponding functionalities and more specifically from the operations on the contents offered within the Company. This policy concerns the Company and its sites, applications, software and services published by the Company and/or using its interface or functionalities.
ARTICLE 6 - USE OF COLLECTED DATA
The Data collected by the company is processed for the purposes of carrying out operations on the contents of the service. This use is based on one of the legal grounds provided by law: the protection of the legitimate interests of the company, the execution of a contract or commitment, the fulfilment of a legal or regulatory obligation, the preservation of the public interest, such as the prevention or detection of fraud or financial crime. Under no circumstances will the data be processed in a manner incompatible with these purposes, except with prior consent.
ARTICLE 7 - DATA SECURITY
The personal data collected by the Company shall not under any circumstances be transferred, rented or exchanged to third parties, with the exception of the Company's partners and subsidiaries, unless this was clearly specified at the time of collection of the data concerned. However, the data may be disclosed pursuant to a law or regulation or pursuant to a decision of a competent regulatory or judicial authority or, if necessary, for the purpose of protecting its rights and interests. In addition, the Company may, as the case may be, disclose information if it acquires another company or is subject to a takeover, merger, absorption, combination or reorganization of any kind. Any user opening an account is invited to create a login or username and a password. This password must remain secret and he must limit access to his computer or mobile devices and disconnect at the end of the use of the services. As personal data is confidential, the company limits access to it only to company employees or service providers who need it to carry out the processing. All persons having access to personal data are bound by a duty of confidentiality and are liable to disciplinary measures and/or other sanctions if they fail to comply with these obligations.
ARTICLE 8 - DATA RETENTION PERIOD
The data are stored and kept for as long as necessary to achieve the intended purposes. Personal data will thus be kept for the period during which the Company's Employees use the services supporting the said data. The aforementioned data shall be deleted no later than 5 years from the last contact with the person or Employees who provided the data.
ARTICLE 9 - THE RIGHTS CONCERNED
The Company intends to respect all rights regarding the processing of Personal Data vis-à-vis Employees: the right to be informed about the use of Personal Data; the right to access the personal information collected from the Company's Employees; the right to request the correction of inaccurate, incomplete, ambiguous or outdated Personal Data for the Company's Employees; the possibility to require the transferability (right to portability) of the data to another service provider/user; the right to define guidelines regarding the fate of Personal Data after death; the right to lodge justified and duly motivated complaints with the national authority in charge of the protection of Personal Data.
ARTICLE 10 - SANCTIONS IN CASE OF NON-COMPLIANCE
In the event of failure to comply with the obligations imposed by the GDPR, the undertakings concerned may be subject to a fine.
ARTICLE 1 - DEFINITION
The General Data Protection Regulations concern the processing and circulation of personal data, the information on which companies rely to offer services and products. It lays down rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data. It protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. The main objectives of the DPMR are to increase both the protection of data subjects when processing their personal data and the accountability of those involved in such processing. The objective is also to harmonise the European legal standard for the protection of personal data, so that there is one single framework applying to all Member States.
ARTICLE 2 - CONCEPT OF PERSONAL DATA
Personal data is information that makes it possible to identify a natural person, directly or indirectly. It can be a name, a photograph, an IP address, a telephone number, a computer connection identifier, a postal address, a fingerprint, a voice recording, a social security number, an email address, etc. Some data are sensitive because they relate to information that may give rise to discrimination or prejudice: political opinion, religious sensitivity, trade union involvement, ethnicity, sexual orientation, medical situation or philosophical ideas are sensitive data. They have a specific framework, which prohibits any prior collection without clear and explicit written consent, and for specific cases, validated by the National Commission for Information Technology and Civil Liberties - "CNIL" and whose public interest is proven.
ARTICLE 3 - DATA COLLECTED WITHIN THE COMPANY
The collection of personal data is the subject of a declaration to the French personal data protection authority, the CNIL. Information may be collected in different ways Consent The Company does not collect any personal data without obtaining express consent and giving prior information concerning in particular the type of data collected, its purposes, the person responsible for processing it, and the various rights that the persons who are the originators of the data are able to exercise over it. Visits to the Company's website may also lead to the collection of information during various exchanges, or from external companies via a dynamic and/or interactive internet or mobile application with internet users, whether or not they are Employees of the Company. Cookies The Company's sites and services may issue cookies. They make it possible to recognise the terminal concerned each time this terminal accesses digital content containing cookies from the same issuer. They enable the services to operate efficiently and to remember preferences. There is, however, a possibility to erase the cookies stored on the connection terminal in order to permanently delete the information they contain.
ARTICLE 4 - THE OBLIGATION TO PROVIDE INFORMATION AND TO RESPECT CONSENT
The Company guarantees the rights of access, rectification and opposition to their data that existed prior to the application of the RGPD. It also guarantees the right to limitation of processing, the right to forget, the right to portability of data or the right to erasure of data. The protection of minors under the age of 16 is also strengthened. The consent of the holder of parental authority must be given. At each collection of data, the data subject must be informed of the legal basis on which the processing is carried out, of his or her rights regarding the processing (limitation, portability and recourse) and of the exact modalities of the processing of his or her data. This information must be visible and accessible on the Internet site where the data are collected, or, where appropriate, on the media which allow the data to be collected, such as signed contracts, etc.
ARTICLE 5 - PURPOSES OF THE DATA COLLECTED
Only data that is necessary and relevant to the purposes pursued is collected, in compliance with the principle of proportionality, in order to improve the quality of the products or services that the Company offers. The Company will only collect data that is adequate, relevant and strictly necessary for the purpose of processing. The data identified as mandatory are necessary in order to benefit from the corresponding functionalities and more specifically from the operations on the contents offered within the Company. This policy concerns the Company and its sites, applications, software and services published by the Company and/or using its interface or functionalities.
ARTICLE 6 - USE OF COLLECTED DATA
The Data collected by the company is processed for the purposes of carrying out operations on the contents of the service. This use is based on one of the legal grounds provided by law: the protection of the legitimate interests of the company, the execution of a contract or commitment, the fulfilment of a legal or regulatory obligation, the preservation of the public interest, such as the prevention or detection of fraud or financial crime. Under no circumstances will the data be processed in a manner incompatible with these purposes, except with prior consent.
ARTICLE 7 - DATA SECURITY
The personal data collected by the Company shall not under any circumstances be transferred, rented or exchanged to third parties, with the exception of the Company's partners and subsidiaries, unless this was clearly specified at the time of collection of the data concerned. However, the data may be disclosed pursuant to a law or regulation or pursuant to a decision of a competent regulatory or judicial authority or, if necessary, for the purpose of protecting its rights and interests. In addition, the Company may, as the case may be, disclose information if it acquires another company or is subject to a takeover, merger, absorption, combination or reorganization of any kind. Any user opening an account is invited to create a login or username and a password. This password must remain secret and he must limit access to his computer or mobile devices and disconnect at the end of the use of the services. As personal data is confidential, the company limits access to it only to company employees or service providers who need it to carry out the processing. All persons having access to personal data are bound by a duty of confidentiality and are liable to disciplinary measures and/or other sanctions if they fail to comply with these obligations.
ARTICLE 8 - DATA RETENTION PERIOD
The data are stored and kept for as long as necessary to achieve the intended purposes. Personal data will thus be kept for the period during which the Company's Employees use the services supporting the said data. The aforementioned data shall be deleted no later than 5 years from the last contact with the person or Employees who provided the data.
ARTICLE 9 - THE RIGHTS CONCERNED
The Company intends to respect all rights regarding the processing of Personal Data vis-à-vis Employees: the right to be informed about the use of Personal Data; the right to access the personal information collected from the Company's Employees; the right to request the correction of inaccurate, incomplete, ambiguous or outdated Personal Data for the Company's Employees; the possibility to require the transferability (right to portability) of the data to another service provider/user; the right to define guidelines regarding the fate of Personal Data after death; the right to lodge justified and duly motivated complaints with the national authority in charge of the protection of Personal Data.
ARTICLE 10 - SANCTIONS IN CASE OF NON-COMPLIANCE
In the event of failure to comply with the obligations imposed by the GDPR, the undertakings concerned may be subject to a fine.