Data protection policy
1. Who are we?
1.1 Data controller
The following information is provided to you to explain the commitments for the protection of personal data of SB Alliance (a company belonging to the Savencia Group) whose registered office is located at 42 rue Rieussec, 78223 Viroflay Cedex, France, acting as the data controller for the processing of personal data described in the present document and designated the “Data Controller” or “we”.
1.2 Our data protection policy
The Data Controller has designated a person responsible for data protection whom you may contact:
by email at the following address: firstname.lastname@example.org
by post at the following address:
42 rue Rieussec,
78223 Viroflay Cedex
The data protection officer may be contacted at the following address: email@example.com.
2. The personal data we process
In the framework of processing of personal data, the Data Controller collects and processes the following data:
- Title, surname, forename(s), Company name, email address, telephone number, IP.
3. The purposes and legal bases of our processing of personal data
3.1 The purposes of our processing
The data processing, we are implementing is to ensure:
- Management of Website content;
- Audience analysis;
- Management requests from the contact form;
- Statistics and reporting.
3.2 The legal bases for our processing
We only process personal data if one at least of the following conditions is met:
- Your consent has been obtained;
- We or a third party have a legitimate interest in the processing intended;
- The processing is required for the purposes of performance of a contract with you;
- We have a legal or regulatory obligation to perform the processing intended.
4. The recipients of your data
The personal data we collect at present or subsequently are destined for our use as the Data Controller.
We will ensure that only authorised persons may have access to that data. Our subcontractors and service-providers located in France, Europe and the United States may receive that data for performance of the services we confer on them.
Your personal data may be compared or shared between all the Data Controller’s parent or associated companies and subsidiaries. They may be communicated to those entities for the purposes described in the present notice, in accordance with the applicable regulatory requirements and in such a manner as to ensure protection of your data and civil liberties.
5. Transfer of your data
We transfer your personal data to partners located in the United States.
Each such transfer is subject to appropriate legal safeguards.
6. The period(s) for which we retain your data
The period(s) for which we retain your data are proportionate to the purposes for which we collected them. Our retention policy is thus organised as follows:
- Processing purpose : Cookies
- Cookies: 13 months from their installation on your device.
- In case of exercise of the rights of access, rectification, deletion, limitation, the data relating to the identity documents and the information allowing to take into account these rights: 1 year as from the reception of the request.
- In case of exercise of the right of opposition, the data relating to the identity documents and the information allowing to take into account the right of opposition: 6 years as from the reception of the request.
- Requests made through the contact form: For the time of the processing of the request increased by the legal prescription period.
7. Your rights
7.1 Exercise of your rights
You may exercise your rights by email sent to the following address: firstname.lastname@example.org
or by letter sent to the following address:
42 rue Rieussec,
78223 Viroflay Cedex
For that purpose, you must provide your surname, forename(s) and the address at which you wish to receive the reply.
In principle, you may exercise all your rights without charge, but you may be asked to pay a reasonable charge reflecting the administrative cost of providing any copies of data you may request.
Regarding the right to information, the Data Controller is not obliged to respond if you request information you already possess.
The Data Controller will inform you if a response cannot be made.
The rights mentioned are not absolute and are subject to various conditions founded in:
- The law locally applicable to the protection of personal data or privacy; and
- Local legal and regulatory requirements more generally.
The Data Controller stresses that any failure to provide, or modification of, your data may have consequences for the processing of certain aspects of the performance of our contractual relationship, and that your request in exercise of your rights will be retained for 6 years in the case of your right of opposition and 1 year in the case of your other rights.
All the rights of which you have the benefit are detailed below.
7.2 Your right to information
You recognise that the present notice informs you as to the purposes, applicable legal framework and interest of collection of your personal data, and as to the recipients or categories of recipients with whom your personal data are shared, as well as to the possibility of transfer of your data towards a third country or international organisation.
In addition to that information and for the purpose of ensuring fair and transparent processing of your data, you confirm that you have received additional information concerning:
- The period of conservation of your personal data;
- The rights of which you dispose and how to exercise them.
If we decide to process your data for another purpose than that initially indicated, we will provide you with full information on that other purpose.
7.3 Your right of access to and rectification of your data
By exercising this right, you may obtain confirmation that your personal data are (or are not) subject to processing and if they are so subject, you may have access to them and to information concerning:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipient, in particular recipients in third countries;
- Where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;
- The existence of the right to request from the Data Controller rectification or erasure of your personal data, or restriction of processing of your personal data, or to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- Where your personal data are not collected from you directly, any available information as to their source;
- The existence of automated decision-making, including profiling and, at least in that case, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the persons concerned.
You may request that your personal data be rectified or completed if they are inexact, incomplete, equivocal or out of date.
7.4 Your right to erasure of your data
You may request erasure of your personal data if:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- You withdraw your consent;
- You object to the processing and there are no overriding legitimate grounds for the processing;
- The personal data have been processed in breach of the applicable legal and regulatory requirements;
- The personal data were collected when you were a minor.
Exercise of this right is nevertheless not possible if the conservation of your personal data reflects a legal or regulatory requirement or is necessary for the establishment, exercise or defence of legal claims.
7.5 Your right to restrict the processing of your data
You may request restriction of the processing of your personal data in accordance with the applicable legal and regulatory provisions.
7.6 Your right of opposition to the processing of your data (deregistration)
You have the right to object to processing of your personal data unless such processing is justified by compelling legitimate grounds on the part of the Data Controller.
If we contact you directly, this right may be exercised by any means including, in particular, clicking on the unsubscribe link at the bottom of the message sent.
7.7 Your right to data portability
You have the right to portability of your personal data. The right is applicable to the following data:
- Uniquely your personal data, i.e. excluding anonymised data or data not concerning you;
- Personal data declared or associated with your use of goods and services;
- Personal data not prejudicial to the rights and freedoms of third parties (such as data protected by business secrecy).
The right is limited to processing based on your consent or on a contract and to personal data you have personally generated. It does not extend to derived or inferred data which are personal data created by the Data Controller.
7.8 Your right to withdraw your consent
Where processing is based on your consent, you may withdraw your consent at any time, in which case we will no longer process your personal data but any earlier processing to which you agreed will not be affected.
7.9 Your right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority without prejudice to your other rights of administrative or legal recourse.
7.10 Your right to leave instructions for after your death
You have the right to leave instructions in respect of the storage, erasure and communication of your personal data for after your death, subject to the formal designation of a trusted third party and of compliance with the applicable legal requirements.
8. Security of your data
We attach great importance to the protection, integrity and confidentiality of your data. Therefore, we have implemented technical and organisational measures to ensure a level of security appropriate to the risk and to protect your data from loss, alteration, access or disclosure to unauthorised third parties.
However, despite our efforts, no security measure can protect against all risks of misuse or hacking, for which we, as the controller, cannot be held responsible.
In the event of a personal data breach, we undertake to notify the CNIL in accordance with the regulations in force on the protection of personal data. In the event that a data breach presents a high risk to your rights and freedoms, we will inform you as soon as possible and always in accordance with the conditions set out in the regulations in force relating to the protection of personal data.