Privacy policy

General Provisions

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation (hereinafter GDPR), establishes the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, processors, data subjects, and data recipients.

Subsequently, and to implement the GDPR modifications, Law No. 78-17 of January 6, 1978, known as the "Data Protection Act," was amended by Law No. 2018-493 of June 20, 2018, through Order No. 2018-1125 of December 12, 2018, relating to data protection.

The regulation applicable to the protection of personal data is therefore understood to mean the following texts:

  • the GDPR;
  • The Data Protection Act, updated with the aforementioned texts;
  • CNIL recommendations.

For a better understanding of this policy, it is specified that:

  • «data controller» means the natural or legal person who determines the purposes and means of the processing of personal data. Under this policy, the data controller is SENEF; ;
  • «Data subjects» are individuals who can be identified, directly or indirectly, by reference to personal data that is collected by the data controller, meaning, for the purposes of this policy, all SENEF contacts connected to its clients and prospects, regardless of their status (employees or managers).

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, intelligible, and easily accessible manner.

Definitions
  • «personal data» any information relating to an identified or identifiable natural person (data subject); a natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, psychic, economic, cultural or social identity; ;
  • «enriched data enriched personal data is contrasted with «raw» personal data provided by the data subject. This refers to data generated by the controller. It may also refer to inferred and/or derived data created by the controller based on data «provided by the data subject.»;
  • «processing of personal data» any operation or set of operations performed, whether or not by automated processes, and applied to personal data, such as collection, recording, organization, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, matching or interconnection, as well as blocking, erasure or destruction;
  • «personal data breach» a security breach resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored, or otherwise processed, or unauthorized access to such data.
Object

To ensure proper functioning, our company is required to implement processing of personal data relating to our contacts at our clients, prospects, and partners within the framework of commercial relations and contracts concluded with them.

The purpose of this policy is to fulfill our information obligation and to remind our clients, prospects, and partners of their rights regarding the processing of their personal data.

General principles

No processing is carried out by our company concerning your data if it does not relate to personal data collected by or for its services or processed in connection with its services and if it does not comply with the general principles of the GDPR.

Any new treatment, modification, or deletion of an existing treatment will be brought to the attention of our contacts at our clients and prospects through an amendment to this policy.

Treatment identification

CATEGORIES OF DATA COLLECTED AND DATA ORIGIN

The data is essentially collected directly from our contacts at our company's clients and prospects.

Therefore, we only collect and use data that is necessary for the conclusion or execution of contracts with our company, namely:

  • Identity of the contact person(s) responsible for a case or contacted for prospecting purposes (e.g.: title, last name, first name);
  • professional contact details of the person(s) in charge of a file or contacted for prospecting purposes (e.g., professional email, professional postal address, professional landline or mobile phone number, fax number);
  • Professional information of the contact person(s) in charge of a case or contacted for prospecting purposes (e.g., position, title, function);
  • Technical data according to use cases (identification or connection data such as IP address or logs);
  • images of the contact person(s) in charge of a file or contacted for prospecting purposes (e.g., in the case of access to our premises).
PURPOSES OF PROCESSING

Pre-contractual exchanges
We process data from individuals who interact with us when we have approached the organization they belong to for prospecting purposes or when they have contacted us to contract with us.

Contract and contract monitoring
We process the data of our contacts associated with our clients as part of the monitoring of the contractual relationships that bind us to them.

Billing, Payment, and Accounting
We process the data of our contacts with our clients and prospects for the purpose of invoicing and payment of orders placed.

Customer/prospect relationship management
We process the data of our contacts with our clients and prospects in order to communicate with them regarding questions they may have in connection with the current or future performance of a contract with our company.

Managing our client and prospect directory
We maintain a directory of our clients and prospects, which includes their main points of contact for each.

Event organization by our company
We process the data of our contacts with our clients and prospects when we invite them to events that we organize or co-organize.

Third-party personnel access management
We process the data of our contacts accessing our premises to secure access to them (e.g., maintaining a register, access badges...).

Third-party personnel video surveillance
Certain specific areas of our premises, such as barriers and fences, are subject to video surveillance, which results in the processing of data of third parties who may be filmed.

Statistics implementation
We may perform statistics on our customer and prospect data.

Shelf lives

We define the retention period for our contacts' data with our clients and prospects in light of the legal and contractual constraints that apply to us and, failing that, based on our needs.

As a general principle, data relating to our clients and prospects must be kept for the time strictly necessary for the management of the commercial relationship. More specifically, we undertake to comply with the following retention periods:

Contracts concluded with our clients
5 years from their conclusion
10 years for contracts concluded electronically over 120 euros

Business Correspondence (purchase orders, delivery notes, invoices, etc.)
10 years from the end of the fiscal year

CCTV camera images
For a period of up to one month

Building access
For a period of up to one month

Technical data
1 year from their collection

Cookies
View Cookie Policy

The durations indicated in the previous table are necessarily extended for the legal prescription period as proof in case of dispute. In the latter case, the retention period is extended for the entire duration of the dispute.

After the set deadlines, the data is either deleted or retained after being anonymized, particularly for statistical purposes. It may be retained in cases of pre-litigation and litigation.

It is reminded that deletion or anonymization are irreversible operations and that SENEF is no longer able to restore them thereafter.

Legal basis

The processing of our clients' and prospects' data, as presented above, is based on the following lawful grounds, which differ depending on whether the processing concerns clients or prospects:

Customers
Pre-contractual or contractual execution

Prospects
Pre-contractual execution or legitimate interest of SENEF

Data recipients

Data recipients are natural or legal persons who receive communication of personal data. Data recipients can therefore be SENEF employees as well as external organizations.

We ensure that the data collected and processed in the context of our relationships with our clients and prospects is only accessible to authorized internal and external recipients, and in particular, to the following recipients:

  • the staff of the departments responsible for managing relations with our customers and prospects and their line managers;
  • support services personnel, namely administrative, logistics, and IT services, and their line managers;
  • our service providers or support services (e.g., IT service provider);
  • the competent authorities in the event that we are required to share certain data with legal auxiliaries, internal control departments, etc.; ;
  • In case of a visit to our premises, the reception staff collects visitor data in a register.

Regarding internal recipients, we decide which recipient will have access to what data according to an authorization policy and we ensure they are bound by a confidentiality obligation.

Regarding external recipients, please be advised that personal data of our contacts at our clients and prospects may be communicated to certain of our service providers or to any legally authorized authority (tax and social authorities in particular). In this case, SENEF is not responsible for the conditions under which the personnel of these authorities access and use the data.

Rights Management

RIGHT OF ACCESS AND RIGHT OF COPY

Our clients and prospects have the right to ask us if we process data concerning their members (staff, executives, etc.) within the framework of contracts concluded with them or of prospecting messages we send them.

They may also ask us to provide them with a copy of their members' data that is being processed.

However, if additional copies are requested, we may require our clients and prospects to cover the cost of producing that new copy.

If our customers and prospects submit their requests electronically, the requested information will be provided in a commonly used electronic format, unless otherwise requested.

Our clients and prospects are informed that this right of access cannot apply to confidential information or data, or to information for which the law does not authorize disclosure.

The right of access must not be exercised abusively, meaning it should not be carried out regularly for the sole purpose of disrupting the proper execution of our services.

RIGHT TO RECTIFICATION

Our clients and prospects have the right to ask us to correct certain data concerning their personnel that may be outdated or incorrect.

Right to erasure

Our clients can only invoke the right to erasure regarding their staff's data in the following cases:

  • the contract has been terminated and is no longer effective between our company and its client;
  • staff members whose data is processed and who are no longer part of one of our clients' workforces and who consequently wish to be removed from our client database.

Our prospects can invoke the right to erasure regarding their personnel's data to the extent that they have a right to object to receiving prospecting messages.

RIGHT TO LIMITATION

Our clients and prospects are informed that this right is not intended to apply if the conditions required by the applicable regulation are not met regarding the processing of personal data of their staff members with whom we interact.

RIGHT TO DATA PORTABILITY

Our clients and prospects are informed that this right is not intended to apply if the conditions required by the applicable regulation are not met regarding the processing of personal data of their staff members with whom we interact.

RIGHT TO OBJECT

Customers and prospects have the right to object to any commercial prospecting by mail, telephone, or electronic means, including profiling insofar as it is linked to such prospecting.

In the specific case of electronic prospecting, customers and prospects will at all times be able to object to such prospecting by either clicking on the link in the sending email or by modifying their preferences in their customer account on our website (to be completed). By SMS, it is possible to object to all prospecting by sending «stop» to the number appearing in the message received.

EXERCISING OUR INTERLOCUTORS' RIGHTS

To exercise their rights, our clients and prospects must contact us either in writing, by postal mail, or by email at the following addresses: dpo-groupesenef@racine.eu.

We do our best to respond to requests within a reasonable timeframe, and at the latest, within one month of receiving the request.

However, in cases where the processing of requests proves complex, or if we face a high number of simultaneous rights requests, the processing time may be extended to two months.

Additional provisions

Outsourcing

We may use any subcontractor of our choice to process the personal data of our contacts at our clients and prospects.

Within the meaning of the GDPR, a processor is any natural or legal person who processes personal data on behalf of the controller. In practice, this refers to service providers with whom SENEF works and who handle SENEF's personal data.

In this case, we ensure the subcontractor's compliance with its obligations under the GDPR.

We undertake to sign a written contract with all our subcontractors and impose on them the same data protection obligations as those we impose on ourselves. Additionally, we reserve the right to conduct an audit of our subcontractors to ensure their compliance with the GDPR provisions.

TREATMENT REGISTER

We undertake, in our capacity as data controller, to maintain a record of all processing activities carried out when the law requires us to do so.

This register is a document or application that inventories all processing activities carried out by SENEF as the data controller.

We undertake to provide the CNIL, upon first request, with the information enabling it to verify the compliance of the processing with the current data protection regulations.

SAFETY MEASURES

We implement the physical or logical technical security measures that we deem appropriate to prevent accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of data.

Among these measures are mainly:

  • Permissions management for data access;
  • internal safeguards;
  • identification process;
  • security audit and penetration testing ;
  • the adoption of an information system security policy;
  • adoption of business continuity/disaster recovery plans;
  • the use of a protocol or security solutions.

In any event, we undertake to replace the means used to ensure the security and confidentiality of personal data with means of superior performance in the event of changes to those means. No developments will lead to a regression in the level of security.

DATA VIOLATION

We undertake to notify the CNIL of any data breach we may suffer under the conditions prescribed by personal data regulations.

Our contacts with our clients and prospects are informed of any data breach that could pose a high risk to their privacy.

Contacts

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who can be contacted at the following details for all data processing questions: dpo-groupesenef@racine.eu.

RIGHT TO FILE A COMPLAINT WITH THE CNIL

Our contacts with our service providers have the right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they believe that the processing of personal data concerning them is not in compliance with the European data protection regulation, at the following address:

CNIL – Complaints Service
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Phone: 01 53 73 22 22

EVOLUTION

This policy may be modified or amended at any time due to changes in laws, case law, CNIL decisions and recommendations, or customary practices.

Any new version of this policy will be brought to the attention of our clients and prospects by any means we choose, including electronic means (e.g., by email or online).

FOR MORE INFORMATION

For any further information, you can contact our data protection officer at the following email address: dpo-groupesenef@racine.eu.

For any other, more general information on personal data protection, you can visit the CNIL website. www.cnil.fr.