General provisions
Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR) sets out the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
Subsequently, and in order to implement the changes made by the RGPD, Law no. 78-17 of 6 January 1978, known as the Data Protection Act, was amended by Law no. 2018-493 of 20 June 2018 by Order no. 2018-1125 of 12 December 2018 on data protection.
The regulations applicable to the protection of personal data thus include the following texts:
the RGPD ;
the French Data Protection Act (Loi Informatique et Libertés), as updated by the aforementioned texts;
Cnil recommendations.
For a proper understanding of this policy, it is specified that :
the “controller” is the natural or legal person who determines the purposes and means of processing personal data. For the purposes of this policy, the controller is SENEF;
Data subjects” are persons who can be identified, directly or indirectly, by reference to personal data collected by the controller, i.e., in the context of this policy, all SENEF contacts related to its customers and prospects, regardless of their status (employees or managers).
Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible manner.
Definitions
“Personal data” means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity;
“Enriched data”: enriched personal data is the opposite of “raw” personal data supplied by the data subject. This is data generated by the data controller. It may also refer to inferred and/or derived data created by the data controller on the basis of data “supplied by the data subject”;
“processing of personal data” means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
“personal data breach”: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
Purpose
In order to ensure the smooth running of our company, we are required to process personal data relating to our contacts with customers, prospects and partners in the context of commercial relations and contracts concluded with them.
The purpose of this policy is to meet our obligation to provide information and to remind you of the rights of our contacts with our customers, prospects and partners with regard to the processing of their personal data.
General principles
No processing is carried out by our company concerning data about you if it does not relate to personal data collected by or for its services or processed in connection with its services and if it does not comply with the general principles of the RGPD.
Any new processing, modification or deletion of existing processing will be brought to the attention of our contacts with our customers and prospects by means of an amendment to this policy.
Identification of processing operations
Categories of data collected and data origins
Data is mainly collected directly from our contacts at our company’s customers and prospects.
Consequently, we only collect and use the data necessary for the conclusion or performance of contracts with our company, i.e. :
.identity of the contact person(s) in charge of a file or contacted for prospecting purposes (e.g. title, surname, first name) ;
.professional contact details of the person(s) in charge of a file or contacted for canvassing purposes (e.g. professional e-mail address, professional postal address, professional fixed or mobile telephone number, fax number);
.professional details of the contact person(s) in charge of a file or contacted for canvassing purposes (e.g. position, grade, function);
.technical data (identification or connection data such as IP address or logs);
.images of the person(s) in charge of a file or contacted for prospecting purposes (e.g. in the case of access to our premises).
Purposes of processing
Pre-contractual exchanges
We process the data of people who interact with us when we have approached the structure to which they belong for prospecting purposes or when they have contacted us to enter into a contract with us.
Contract and follow-up
We process the data of our customers’ contact persons as part of our contractual relations with them.
Billing, payment and accounting
We process the data of our contacts with customers and prospects for the purposes of invoicing and paying for orders.
Customer/prospect relationship management
We process the data of our customers’ and prospects’ contacts in order to communicate with them in connection with any questions they may have concerning the current or future performance of a contract with our company.
Managing a directory of our customers and prospects
We keep an up-to-date directory of our customers and prospects, which includes the names of our main contacts.
Organization of events by our company
We process the data of our contacts with customers and prospects when we invite them to events that we organize or co-organize.
Third-party access management
We process the data of our contacts accessing our premises in order to secure access to them (e.g.: keeping a register, access badges, etc.).
Video surveillance of third-party personnel
Certain specific areas of our premises, such as gates and fences, are subject to video surveillance, resulting in the processing of data on third parties likely to be filmed.
Statistics
We may produce statistics on the data of our customers and prospective customers.
Retention periods
We define the length of time we keep data on our contacts with our customers and prospects in the light of the legal and contractual constraints we are subject to, or, failing that, according to our needs.
As a matter of principle, data relating to our customers and prospects must be kept for the time strictly necessary to manage the commercial relationship. More specifically, we undertake to respect the following retention periods:
Contracts concluded with our customers
5 years from the date of conclusion
10 years for contracts over 120 euros concluded electronically
Commercial correspondence (purchase orders, delivery notes, invoices, etc.)
10 years from the end of the financial year
Images from video protection cameras
For up to one month
Access to buildings
For up to one month
Technical data
1 year from collection
Cookies
See Cookies Policy
The periods indicated in the above table are necessarily extended for the legal period of prescription as evidence in the event of litigation. In the latter case, the retention period is extended for the duration of the dispute.
Once these periods have elapsed, the data is either deleted, or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.
Please note that deletion or anonymization are irreversible operations and that SENEF is no longer able to restore them.
Legal basis
The processing of the data of our contacts with our customers and prospects as presented above is based on the following conditions of lawfulness, which differ depending on whether the processing concerns customers or prospects:
Customers
Pre-contractual or contractual performance
Prospects
Pre-contractual performance or legitimate interest of SENEF
Data recipients
Data recipients are natural or legal persons who receive personal data. Data recipients may therefore include both SENEF employees and external organizations.
We ensure that the data collected and processed in the context of our relations with our customers and prospects is only accessible to authorized internal and external recipients, and in particular to the following recipients:
.staff in departments responsible for managing relations with our customers and prospects, and their line managers;
.support staff, i.e. administrative, logistics and IT departments, and their line managers;
.our service providers or support services (e.g. IT service providers);
.the competent authorities, should we be required to share certain data with law enforcement officers, departments in charge of internal control procedures, etc. ;
.in the event of a visit to our premises, reception staff, who collect the data of all visitors in a register.
As far as internal recipients are concerned, we decide which recipient will have access to which data according to an authorization policy, and ensure that they are bound by an obligation of confidentiality.
With regard to external recipients, we inform you that the personal data of our contacts with our customers and prospects may be communicated to some of our service providers or to any authority legally empowered to know (tax and social authorities in particular). In this case, SENEF is not responsible for the conditions under which the personnel of these authorities have access to and use the data.
Personal rights management
Access and copy rights
Our customers and prospective customers have the right to ask us whether we actually process data concerning their members (staff, managers, etc.) in the context of contracts concluded with them or prospecting messages we send them.
They may also ask us to provide them with a copy of their members’ data being processed.
However, in the event of a request for additional copies, we may require our customers and prospective customers to bear the cost of the new copy.
If requests from our customers and prospects are made electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.
Our customers and prospective customers are informed that this right of access may not relate to confidential information or data, or data for which communication is not authorized by law.
The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilizing the proper performance of our services.
Right of rectification
Our customers and prospects have the right to ask us to rectify any data concerning their personnel that may be obsolete or erroneous.
Right to erasure
Our customers may invoke the right to erasure of their personnel data only in the following cases:
.the contract has been terminated and is no longer in effect between our company and the customer;
.staff members whose data is processed and who are no longer employed by one of our customers, and who therefore wish to be deleted from our customer database.
Prospective customers may invoke the right to erasure of their personnel data, insofar as they have the right to object to the receipt of prospecting messages.
Right to limitation
Our customers and prospects are informed that this right is not intended to apply insofar as the conditions required by the applicable regulations are not met with regard to our processing of the personal data of the members of their staff with whom we deal.
Right to portability
Our customers and prospects are informed that this right is not intended to apply insofar as the conditions required by the applicable regulations are not met with regard to our processing of the personal data of the members of their staff with whom we exchange information.
Right to object
Customers and prospects have the right to object to any commercial prospecting by post, telephone or e-mail, including profiling insofar as it is linked to such prospecting.
In the particular case of electronic prospecting, customers and prospects may at any time object to such prospecting either by clicking on the link in the e-mail or by modifying the preferences in the customer account on our website (to be completed). By SMS, it is possible to oppose all prospecting by sending “stop” to the number appearing in the message received.
Exercising our customers’ rights
To exercise their rights, our customers and prospects should contact us either in writing, by post or by e-mail at the following addresses: dpo-groupesenef@racine.eu.
We do our utmost to respond to requests within a reasonable timeframe, and at best within one month of receipt of the request.
However, should the processing of requests prove complex or should we be faced with a large number of requests to exercise rights simultaneously, the processing time may be extended to two months.
Additional provisions
Subcontracting
We may involve any subcontractor of our choice in the processing of the personal data of our contacts with our customers and prospects.
Within the meaning of the RGPD, a processor is any natural or legal person who processes personal data on behalf of the data controller. In practice, this therefore refers to service providers with whom SENEF works and who intervene on SENEF’s personal data.
In this case, we ensure that the processor complies with its obligations under the RGPD.
We undertake to sign a written contract with all our subcontractors and impose on them the same data protection obligations that we impose on ourselves. In addition, we reserve the right to audit our subcontractors to ensure their compliance with the provisions of the RGPD.
We undertake to sign a written contract with all our subcontractors and impose on them the same data protection obligations that we impose on ourselves. In addition, we reserve the right to audit our subcontractors to ensure that they comply with the provisions of the RGPD.
Register of processing operations
We undertake, in our capacity as data controller, to keep an up-to-date register of all processing activities carried out where we are required to do so by law.
This register is a document or application making it possible to list all processing implemented by SENEF as data controller.
We undertake to provide the Cnil, on first request, with information enabling it to verify the compliance of processing with current data protection regulations.
Security measures
We implement the physical or logical technical security measures we deem appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.
These measures mainly include
.management of data access authorizations ;
.internal backup measures
.identification processes;
.security audits and penetration tests;
.adoption of an information systems security policy;
.adoption of business continuity/disaster recovery plans;
.the use of security protocols and solutions.
In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
Data breaches
We undertake to notify the CNIL of any data breach that we may suffer, in accordance with the conditions laid down in the regulations governing personal data.
Our contacts with customers and prospects are informed of any data breach that could pose a high risk to their privacy.
Contacts
Data Protection Officer
We have appointed a Data Protection Officer who can be contacted at the following address for any questions relating to data processing: dpo-groupesenef@racine.eu.
Right to lodge a complaint with the CNIL
Our service provider contacts have the right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:
CNIL – Service des plaintes
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22
Changes
The present policy may be modified or amended at any time in the event of changes in legislation, case law, CNIL decisions and recommendations, or usage.
Any new version of the present policy will be brought to the attention of our customers and prospects by any means we choose, including electronically (by e-mail or online, for example).
For further information
For further information, please contact our Data Protection Officer at the following e-mail address: dpo-groupesenef@racine.eu.
For more general information on the protection of personal data, please visit the Cnil website at www.cnil.fr.
