DOCUMENTATION
01 84 20 16 50
Contact
Personal Data Protection Policy
Customer contacts and contacts
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter GDPR) sets out the legal framework applicable to the processing of personal data. The GDPR reinforces the rights and obligations of controllers, processors, data subjects and data recipients.
Subsequently, and in order to implement the changes to the GDPR, Law No. 78-17 of 6 January 1978 known as the Data Protection Act was amended by Law No. 2018-493 of 20 June 2018 by Ordinance No. 2018-1125 of 12 December 2018 on data protection.
The regulations applicable to the protection of personal data are thus understood to include the following texts:
- GDPR;
- the Data Protection Act, which is up to date with the above-mentioned texts;
- the recommendations of the CNIL.
For a clear understanding of this policy, it is specified that:
- "Controller" means the natural or legal person who determines the purposes and means of the processing of personal data. For the purposes of this policy, the data controller is SENEF;
- "Data subjects" are persons who can be identified, directly or indirectly, by reference to the personal data collected by the Data Controller, i.e., within the framework of this policy, all of SENEF's interlocutors attached to its customers and prospects, regardless of their status (employees or managers).
Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible manner.
"personal data" means:
any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity;
"Enriched Data" means:
Enriched personal data is opposed to the notion of "raw" personal data provided by the data subject. This is the data that is generated by the controller. It may also be inferred and/or derived data created by the controller on the basis of the data "provided by the data subject";
"processing of personal data" means:
any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or blocking, erasure or destruction;
"personal data breach" means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In order to ensure its proper functioning, our company is obliged to process personal data relating to our contacts with our customers, prospects and partners in the context of business relationships and contracts concluded with them.
The purpose of this policy is to comply with our obligation to provide information and to remind our interlocutors of the rights they have with our customers, prospects and partners with regard to the processing of their personal data.
Our company does not process any data about you if it does not relate to personal data collected by or for its services or processed in connection with its services and if it does not comply with the general principles of the GDPR.
Any new processing, modification or deletion of an existing processing will be brought to the attention of our interlocutors with our customers and prospects by means of a modification of this policy.
The data is mainly collected directly from our interlocutors, customers and prospects of our company.
As a result, we only collect and use the data that is necessary to conclude or perform contracts with our company, namely:
- identity of the contact(s) in charge of a file or contacted for prospecting purposes (e.g. title, surname, first name);
- professional contact details of the contact(s) in charge of a file or contacted for prospecting purposes (e.g. professional email, professional postal address, professional landline or mobile telephone number, fax number);
- professional information of the contact(s) in charge of a file or contacted for prospecting purposes (e.g. position, grade, function);
- technical data depending on the use case (identification or connection data such as IP address or logs);
- Images of the contact(s) in charge of a file or contacted for prospecting purposes (e.g. in the case of access to our premises).
Pre-contractual exchanges
We process data of people who interact with us when we have approached the structure to which they belong for prospecting purposes or when they have contacted us to contract with us.
Contract & Contract Follow-up
We process the data of our contact persons attached to our customers as part of the follow-up of the contractual relationship between us and our customers.
Invoicing, Payment & Accounting
We process the data of our contact persons with our customers and prospects in the context of invoicing and payment for orders placed.
Customer/prospect relationship management
We process the data of our contact persons with our customers and prospects in order to communicate with them in the context of questions that they may ask us in connection with the current or future performance of a contract with our company.
Management of the directory of our customers and prospects
We keep an up-to-date directory of our customers and one of our prospects, which implies that the latter mention our main contacts with the latter.
Organization of events by our company
We process the data of our interlocutors with our customers and prospects when we invite them to events that we organise or co-organise.
Third-party staff access management
We process the data of our interlocutors accessing our premises in order to secure access to them (e.g. keeping a register, access badges, etc.).
Third-party staff video surveillance
Certain specific areas of our premises, such as barriers and fences, are subject to video surveillance, which results in the processing of third-party data that may be filmed.
Compilation of statistics
We may compile statistics on the data of our customers and prospects.
We define the retention period of our interlocutors' data with our customers and prospects with regard to the legal and contractual constraints that weigh on us and, failing that, according to our needs.
As a matter of principle, data relating to our customers and prospects must be kept for the time strictly necessary for the management of the commercial relationship. More specifically, we are committed to the following retention periods:
Contracts with our customers
5 years from the date of conclusion
10 years for electronically concluded contracts of more than €120
Business correspondence (purchase orders, delivery orders, invoices, etc.)
10 years from the end of the financial year
CCTV footage
For a maximum of one month
Access to buildings
For a maximum of one month
Technical Data
1 year from collection
Cookies
See the Cookie Policy
The periods indicated in the previous table are necessarily extended for the legal limitation period as evidence in the event of a dispute. In the latter case, the retention period is extended for the duration of the dispute.
After the set deadlines, the data is either deleted or kept after having been anonymised, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.
It is reminded that deletion or anonymization are irreversible operations and that SENEF is no longer able to restore them.
The processing of our contact persons' data with our customers and prospects as presented above is based on the following conditions of lawfulness, which differ depending on whether the processing concerns customers or prospects:
Customers
Pre-contractual or contractual performance
Leads
Pre-contractual performance or legitimate interest of SENEF
The recipients of the data are the natural or legal persons who receive the personal data. The recipients of the data can therefore be SENEF employees as well as external bodies.
We ensure that the data collected and processed in the context of our relationships with our customers and prospects is only accessible to authorised internal and external recipients, and in particular, to the following recipients:
- the staff of the competent departments authorised to manage the relationship with our interlocutors with our customers and prospects and their line managers;
- support services staff, i.e. administrative, logistics and IT services and their line managers;
- our service providers or support services (e.g. IT service provider);
- the competent authorities in case we are required to share certain data with court officers, services in charge of internal control procedures, etc. ;
- In the event of a visit to our premises, the reception staff, who collect the data of any visitor in a register.
In the case of internal recipients, we decide which recipient will have access to which data according to an enabling policy and we ensure that they are subject to an obligation of confidentiality.
With regard to external recipients, we inform you that the personal data of our contacts with our customers and prospects may thus be communicated to some of our service providers or to any authority legally entitled to know them (tax and social security authorities in particular). In this case, SENEF is not responsible for the conditions under which the staff of these authorities have access to and use the data.
Our customers and prospects have the right to ask us whether we actually process data about their members (staff, managers, etc.) in the context of contracts concluded with them or in the direct marketing messages we send them.
They may also ask us to provide them with a copy of their members' data being processed.
However, in the event of a request for additional copies, we may require our customers and prospects to bear the cost of the new copy.
If requests from our customers and prospects are made electronically, the requested information will be provided in a commonly used electronic form, unless otherwise requested.
Our customers and prospects are informed that this right of access may not relate to confidential information or data or for which the law does not authorize communication.
The right of access must not be exercised in an abusive manner, i.e. carried out on a regular basis with the sole aim of destabilizing the proper performance of our services.
Our customers and prospects have the right to ask us to rectify certain data concerning their staff that is outdated or incorrect.
Our customers can only invoke the right to erasure in relation to their personnel data in the following cases:
- the contract has been terminated and no longer has any effect between our company and its customer;
- Members of staff whose data is processed and who are no longer part of the workforce of one of our customers and who therefore wish to be deleted from our customer database.
Our prospects can invoke the right to erasure with regard to their staff data insofar as they have a right to object to the receipt of prospecting messages.
Our customers and prospects are informed that this right is not intended to apply insofar as the conditions required by the applicable regulations are not met with regard to the processing that we make of the personal data of their members of their staff with whom we exchange.
Our customers and prospects are informed that this right is not intended to apply insofar as the conditions required by the applicable regulations are not met with regard to the processing that we make of the personal data of their members of their staff with whom we exchange.
Customers and prospects have the right to object to any commercial prospecting by post, telephone or e-mail, including profiling insofar as it is related to such prospecting.
In the specific case of electronic prospecting, it will be possible at any time for customers and prospects to oppose such prospecting either by clicking on the link in the sending email, or by modifying the preferences in the customer account on our website (to be completed). By SMS, it is possible to object to any prospecting by sending "stop" to the number indicated in the message received.
To be able to exercise their rights, our customers and prospects must contact us either in writing, by post or by email at the following addresses: dpo-groupesenef@racine.eu.
We make every effort to respond to requests within a reasonable time and, at best, within one month of receipt of the request.
However, in the event that the processing of requests proves to be complex or that we are faced with a high number of requests to exercise rights simultaneously, the processing time may be extended to two months.
We may involve any subcontractor of our choice in the context of the processing of the personal data of our interlocutors with our customers and prospects.
For the purposes of the GDPR, processor means any natural or legal person who processes personal data on behalf of the controller. In practice, these are the service providers with whom SENEF works and who work on SENEF's personal data.
In this case, we ensure that the processor complies with its obligations under the GDPR.
We are committed to signing a written contract with all our subcontractors and impose the same data protection obligations on them as we impose on ourselves. In addition, we reserve the right to audit our subcontractors to ensure that they comply with the provisions of the GDPR.
We undertake, as the data controller, to keep an up-to-date record of all processing activities carried out where required by law to do so.
This register is a document or application that makes it possible to identify all the processing carried out by SENEF as data controller.
We undertake to provide the CNIL, at first request, with the information enabling it to verify the compliance of the processing with the data protection regulations in force.
We implement such technical physical or logical security measures as we deem appropriate to prevent accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.
These measures mainly include:
- management of authorisations for access to data;
- internal safeguards;
- identification process;
- conducting security audits and penetration testing;
- the adoption of an information systems security policy;
- the adoption of business continuity/recovery plans;
- the use of a security protocol or solutions.
In any case, we undertake, in the event of a change in the means to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change can lead to a regression in the level of security.
We undertake to notify the CNIL of any data breach that we may suffer under the conditions prescribed by the regulations on personal data.
Our contacts with our customers and prospects are informed of any data breach that could pose a high risk to their privacy.
We have appointed a data protection officer who can be contacted at the following contact details for any questions relating to data processing: dpo-groupesenef@racine.eu.
Our interlocutors with our service providers have the right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:
CNIL – Complaints Department
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Phone: 01 53 73 22 22
This policy may be modified or adjusted at any time in the event of legal or jurisprudential changes, decisions and recommendations of the CNIL or customs.
Any new version of this policy will be brought to the attention of our customers and prospects by any means we choose, including electronic means (e.g. by e-mail or online).
For further information, please contact our Data Protection Officer at the following email address: dpo-groupesenef@racine.eu.
For any other more general information on the protection of personal data, you can consult the CNIL www.cnil.fr website.