UPDATE: MARCH 2021
If you have any questions, comments or concerns about this policy, you can of course contact our Data Protection Officer whose details are provided below in the paragraph “What are your rights and how can you exercise them?”.
1 – DEFINITIONS
In addition to the terms defined elsewhere in this policy, the following terms, in which the first letter is written in capital letters, whether used in the singular or plural in this policy, shall have the following definitions:
1.1 “Recipient” means the natural or legal person, public authority, agency or other body that receives the Personal Data, whether or not it is a third party.
1.2 “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “Data Subject”); “identifiable natural person” means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, online identifier, or one or more elements specific to his/her physical, physiological, genetic, psychic, economic, cultural or social identity.
1.3 “Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the Processing.
1.4 “Data processor” means the natural or legal person, public authority, agency or other body that processes Personal Data on behalf of the Controller.
1.5 “Processing” means any operation or set of operations carried out or not using automated processes and applied to data or sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction.
2 – WHAT IS OUR ROLE IN TERMS OF PROCESSING PERSONAL DATA?
2.1 EKINO (also referred to as “the company” or “we”), a simplified joint stock company with capital of €26,000, registered with the Nanterre Trade and Companies Register under no. 509 512 760, whose registered office is located at 157 rue Anatole France, LEVALLOIS PERRET (92300), Intra-Community VAT number FR70509512760, SIRET No. 509512760 00018, Tel: 06 22 73 05 58
email address: email@example.com, carries on a communication agency business and assists its customers in designing, creating and deploying new digital products and services.
To learn more about our company, click here.
2.2 EKINO (also referred to as “the company” or “we”) operates the website accessible to the public at the following address: ekino.com.
This website is intended to make available to users (i.e., any natural or legal person who visits or uses these websites, hereinafter the “users” or “you”) information to discover the activity and services offered by the company as well as its news (events, publications, etc.).
It also offers features allowing users to contact the company (contact request, spontaneous application or response to a job offer …) and presents the services offered by the company, the projects carried out by the company or the employees working within the company.
The company also administers pages presenting its activity and allowing it to publish content on social networks and interact with internet users (particularly on Twitter, LinkedIn or Instagram).
When you browse and interact with the aforementioned website (hereinafter referred to as the “Website”), on the pages administered by the company on social networks or, generally, during your interactions or exchanges with the company, the company may collect and process Personal Data concerning you, for the management of its activities and on its own behalf, as Data Controller.
In this context, the company applies the principles defined by the legal and regulatory provisions on the protection of Personal Data, in particular in Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the Processing of Personal Data (“GDPR”), and implements internal procedures for the management, storage and security of your Personal Data, whether you are a candidate, employee, customer, prospect, contact, internet user, supplier, service provider or Data processor.
2.3 When our customers request us to process Personal Data on their own behalf, in accordance with the purposes and means defined by them, we act as a Data Processor, in the context of a specific contract, concluded to this end, it being specified that this policy relates exclusively to the Processing of Personal Data implemented by the company as Data Controller and not as Data Processor.
3 – WHAT ARE THE PROCEDURES FOR COLLECTING YOUR PERSONAL DATA?
3.1 Your Personal Data is collected directly from you or indirectly from third parties.
3.1.1. In fact, your Personal Data is collected or processed in whole or in part during your browsing on the Website and the input by you of information in the data collection forms contained therein, but also more generally in the context of requests that you may be required to send to the company by any means at your convenience, your relationship and your exchanges with the company, as well as when you connect to a third party social network from the Website, when you share content on the Website using “buttons” offered on our Website, or during your browsing on one of the company’s pages on social networks.
In general, your Personal Data is therefore collected directly from you in the above-mentioned cases.
3.1.2. However, your Personal Data may also be collected through third parties (see indirect collection from third parties).
Indeed, the Personal Data we collect and process about you may be collected or enriched by us, including for the purposes of carrying out commercial, communication, solicitation, canvassing or marketing operations, through other sources of information (social networks, so-called “public” information, websites, file rentals, etc.).
In addition, with regard in particular to Personal Data processed as part of our recruitment operations, we use the information you provide to us (for example: form for this purpose on the Website or more generally information mentioned in your CV) that we include in our pool of candidates (CV database). However, we may also be required to contact third parties (for example, recruitment agencies, previous employers, internship supervisors or clients with whom you have worked in previous assignments) or to use other sources of information (including professional social networks, recruitment firms or recruitment websites) in order to collect information about you for the purpose of studying your application or profile. In addition, and even in the absence of an application by you, we may be required, in particular in connection with our monitoring and active search for professional profiles that may correspond to our job offers, to collect Personal Data from third parties (for example, recruitment agencies or “head hunters”) or to use other sources of information (including professional social networks or recruitment websites) in order to collect information about you in order to offer you to apply to a position.
In addition, in the case of Personal Data of suppliers, they are generally collected directly from them. However, with respect to the Personal Data of suppliers with whom we do not have a direct contractual or commercial relationship, their Personal Data may be communicated to us through third parties, such as other suppliers. Similarly, in the case of personnel/contacts from our suppliers in the broad sense, we may collect such Personal Data from any supplier.
3.2 In general, you are informed that:
- if the Processing of your Personal Data is necessary to comply with our legal or regulatory obligations, the collection of such Data is mandatory;
- if the Processing of your Personal Data is subject to your consent, the collection of such Data is completely optional (it being specified that the lack of communication may, however, prevent us at least in certain cases from carrying out the Processing concerned);
- if the Processing of your Personal Data is necessary for the performance of a contract or pre-contractual measures taken at your request, the disclosure of such Data is necessary for that purpose and the company may, in the absence of such data, be prevented from performing its contractual obligations or the aforementioned pre-contractual measures;
- if the Processing of your Personal Data is based on the pursuit of our legitimate interests, the disclosure of such Data is necessary for this purpose, and the failure to disclose your Data may not allow us to implement or may hinder the Processing concerned. For example, in the absence of any information that would be necessary to respond to a request from you (request for information, application, etc.), your request related to such collection of Personal Data may not be able to be processed or its processing may be delayed.
If Personal Data collection forms (for example, forms integrated on the Website or on our social media pages, or any collection form in any format that we may be required to make available to you to collect information about you) require the entry of mandatory Personal Data for the implementation of the Related Processing, the relevant fields will contain an asterisk and you will be notified of the possible consequences of the failure to provide such information. In the absence of an asterisk, the information requested is optional.
3.3 With the exception of specific legal obligations, or unless otherwise specified in this policy, we do not collect Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation.
3.4 Personal data of minors or protected adults: we draw the attention of persons with parental authority over minors and persons entrusted with a mission of representation in the context of guardianship, family member guardianship order or future protection mandate, on the need to ensure that the Personal Data of vulnerable persons whose legal protection they provide are not disseminated or in any manner used or processed outside their control and supervision. The fact, in particular, that a minor can legally consent to a Processing of Personal Data with regard to the direct provision of services of the information society from (in France, this age being likely to vary depending on the State of residence of the child) of the age of fifteen years does not limit the duty and interest, for holders of parental authority, to educate their children to the importance of respect for their privacy and their Personal Data.
In general, the use of the Website and the company’s dedicated pages on social networks is reserved for adults with legal capacity, and the company cannot under any circumstances be held liable for the use of the Website or its pages on social networks by minors or incapacitated persons, and therefore for the consequences that may result, in particular, in terms of the Processing of their Personal Data.
As an exception, the company may be required to process Personal Data of minors of at least fifteen years of age when the latter come into contact with the company in order to apply for an offer of employment or internship, for example.
4 – WHAT DATA IS COLLECTED, FOR WHAT PROCESSING PURPOSES AND ON WHAT BASIS?
4.1 In our capacity as Data Controller, we may be required to carry out Processing of your Personal Data for the following purposes:
a) Management of requests for information and exchanges with the company, initiated via or through the Website or the company’s social media pages:
- Purpose: we process your Personal Data in order to respond to any contact or information request sent to us, including through or initiated via the Website or through interactions on our social media pages (and, in this case, including in particular the management, processing, monitoring and moderation of your messages or comments), and to process, manage and track such requests and the answers to be provided, and more generally for the purposes of managing our relationships with our contacts.
- Processed data: identity (civility, first name, last name), user name (if the request is initiated on the company’s social media pages), contact details (including telephone number or email address), relevant company, request for contact, information or documentation and correspondence exchanged.
- Legal basis: Processing of your Personal Data in this context is necessary to pursue the legitimate interests of the company in responding to your requests and more generally to manage and monitor its relations with its contacts.
b) Management of our relations with our customers (pre-contractual, contractual and post-contractual relations):
- Purpose: to manage our pre- contractual, contractual and post-contractual relationships with our customers, we collect the Personal Data of our customers and/or our contacts from our customers to manage and track service quotations and offers, the conclusion and performance of contracts, orders, deliveries, invoices, payments and transactions (including the management of unpaid amounts and litigation), related accounting, customer relationship in the broad sense, and in particular the management and monitoring of customer accounts, complaints, or for the carrying out and preparation of studies, analyses, reports and statistics, including for commercial use.
- Processed data: identity, contact details (e-mail address, postal address, telephone number, etc.), relevant company and position, details of orders, quotations, payment details and means of payment, transaction data, contract monitoring and business relationship data, invoice data.
- Legal basis: In the case of Customer Personal Data, such Processing is, in principle, necessary for the performance of pre-contractual measures taken at the request of the customer or based on a contract concluded with the customer.
However, as regards in particular the management of invoicing and the keeping of the associated accounts, such Processing may result from legal obligations of the company. In addition, the secondary purposes of such Processing related to the management and monitoring of our relationships with our clients in the broad sense (including in particular the management and monitoring of accounts receivable, unpaid amounts and litigation, claims, or the preparation and development of studies, analyses, reports and statistics, etc.) are necessary for the pursuit of our legitimate interests in the management and monitoring of our relationships with our customers. With regard to the Personal Data of contacts at our customers, the Processing is based on our legitimate interests in managing and monitoring our relationships with our customers in the broad sense, particularly with a view to the organisation and proper performance of the tasks or services entrusted to us by the latter.
c) Management of applications and the recruitment process:
- Purpose: to ensure the processing, management and monitoring of applications, in response to job offers or internships or sent to us spontaneously, and operations prior to the recruitment process, including in particular the monitoring and active search of professional profiles corresponding to vacant positions within the company, the receipt and study of applications, the evaluation and selection of applications and professional profiles, particularly through the creation of a pool of candidates (or CV database), as well as methods and techniques of recruitment assistance, convening candidates and conducting recruitment interviews, as well as the resulting decision making (rejection of the application or recruitment of the candidate), we process Personal Data concerning you for the purposes of the positions to be filled.
- Processed data: identity, contact details (e-mail address, postal address, etc.) and means of contact, data relating to your professional life, information relating to your training (studies, diplomas, …), your experience and your career path, your professional skills and your job, and any information contained in your CV (including your interests where applicable), letter of intent, book, …
- Legal basis: such processing is necessary for the pursuit of our legitimate interests in the search and recruitment of potential new employees. However, if due to the nature of your profile or the type of position you are seeking, we wish to retain your Data for a period of more than two years (see below the details of the retention periods of your Personal Data), in order to allow us to contact you during this period if a position suitable for your profile becomes available, we will seek your consent, it being specified that you will have in any event the possibility of not consenting or withdrawing your consent at any time and that a refusal or withdrawal of consent on your part would not result in any consequence for the processing and outcome of your application (except for the fact that we would not be able to contact you at the end of the two-year period mentioned above).
d) Management of our relationships with our suppliers, including in particular our service providers and Subcontractors:
- Purpose: in order to manage our relationships with our suppliers, we collect Personal Data concerning the following data subjects: suppliers with whom we have a direct contractual or commercial relationship and/or members of their staff, and/or other suppliers with whom we do not have a direct contractual or commercial relationship and/or members of their staff, and/or more generally our contacts with the aforementioned suppliers. The purpose of such Processing is to manage suppliers and/or manage our relations with them, including in particular the management and monitoring of the performance of contracts, orders/services entrusted, deliveries, invoices, payments and transactions, related accounting, and in particular the management and monitoring of accounts payable, the supplier relationship in the broad sense and any claims or disputes.
- Processed data: identity, contact details (e-mail address, postal address, telephone number, etc.), relevant company and position, details of orders, payment details and means of payment, transaction data, contract monitoring and business relationship data, invoice data.
- Legal basis: with respect to the Personal Data of suppliers with whom we have a direct contractual or commercial relationship, such Processing is in principle necessary for the performance of pre-contractual measures taken at their request or a contract entered into by them with the company. However, as regards in particular the management of invoicing and the keeping of the associated accounts, such Processing may result from legal obligations of the company. Furthermore, the secondary purposes of the Processing related to the management and monitoring of the company’s relationships with its suppliers in the broad sense (including in particular the management and monitoring of accounts payable, or any claims or disputes, etc.) are necessary to pursue the legitimate interests of the company to manage and monitor its relations with its suppliers. With regard to the Personal Data of other data subjects (providers with whom we do not have a direct contractual or commercial relationship and/or staff/contacts at our suppliers in the broad sense), the Processing is based on our legitimate interests in managing and monitoring our relationships with our suppliers, particularly for the organisation and proper performance of the tasks or services entrusted to them.
e) Compliance with legal and regulatory obligations (including accounting, tax and administrative obligations) related to the performance of contracts entered into by the company, and more generally to the business of the company:
- Purpose: in order to comply with the various legal or regulatory obligations incumbent upon us (particularly with regard to our accounting, tax, or administrative obligations) arising from the performance of commercial contracts for which we are a party and more generally of our business, we process the Personal Data of our contacts (including, but not limited to, our customers, suppliers, etc.) for the pursuit of this purpose.
- Data processed: identity, contact details, payment details and means of payment, transaction data, contract monitoring and relationships with our contacts, invoice data.
- Legal basis: such Processing is necessary to comply with our legal or regulatory obligations (including financial, tax and accounting documents).
f) Newsletter (in case of registration on our Website)
- Purpose: we are also required to process your Personal Data in order to ensure the management and monitoring of the sending of our newsletters, relating in particular to the company’s news and/or activity (including possibly the performance of technical operations of segmentation, profiling or targeting for this purpose).
- Data: e-mail address, identity if applicable.
- Legal basis: by subscribing to the newsletter, you are doing a clear positive act that indicates your consent that we can send you such communications, it being specified that in any event you have the possibility to withdraw your consent at any time. In this respect, however, it is specified that you may also receive our newsletter as a result of the Processing that we carry out for marketing purposes by e-mail as part of our B2B relations with some of our contacts, without your prior consent, in which case you have the right to object to it at any time without having to provide any reason or explanation (see below).
g) B2B prospecting by email:
- Purpose: we may be required to process the Personal Data of our customers, prospects, and more generally B2B contacts (professionals whose profession relates to the object of the prospecting) for the purpose of carrying out our business operations, communication, solicitation, prospecting, loyalty or marketing (including technical operations of segmentation, targeting, etc.) by e-mail, particularly in order to send certain information to them in this respect by this means (namely: email, sms, mms): proposal of products and services that may be of interest to them, information on our news and/or activities (newsletters in particular), or studies, surveys, promotions or satisfaction surveys. We may also need to analyse the performance of our prospecting campaigns by means of so-called tracking information about your actions in relation to the emails we send.
- Processed data: identity, email address, position and relevant company, data relating to actions carried out in emails (openings, clicks, etc.).
- Legal basis: such Processing is carried out based on our legitimate interests in making our products and services known on the market, and more generally to carry out prospecting and solicitation operations in the broad sense, it being specified that the recipient of such prospecting shall in any event have the right to object to it at any time without having to provide any reason or explanation.
h) Direct prospecting by post or telephone:
- Purpose: in the context of carrying out commercial, communication, solicitation, prospecting, loyalty or marketing operations (including technical operations of segmentation, targeting, etc.) in order to offer our customers, prospects, and more generally contacts, products and services that may be of interest to them, we may send them by post or telephone prospecting information or materials, including, but not limited to studies, surveys, promotions, or satisfaction surveys.
- Processed data: identity, contact details.
- Legal basis: such Processing is carried out on the basis of the pursuit of our legitimate interests to make our products and services known on the market, and more generally to carry out prospecting operations, knowing that the recipient of such prospecting has the right in any event to object to it at any time without having to provide any reason or explanation.
i) Organisation, management and monitoring of events:
- Purpose: we may process your Personal Data in connection with the management and monitoring of the events we propose (organisation of interventions, management, processing and monitoring of registrations, responses to inquiries, etc.).
- Processed data: identity, contact details, position and relevant company.
- Legal basis: in general, the Processing of your Personal Data in this case is necessary for the organisation and management of events, and therefore based on the performance of a contract to which you are a party (see the event registration agreement).
j) Management of requests to exercise rights from data subjects:
- Purpose: in order to comply with our various legal and regulatory obligations regarding the protection of Personal Data, we process your Personal Data in connection with that purpose.
- Processed data: identity, contact details, content of the request and our response.
- Legal basis: such Processing is necessary to comply with our aforementioned legal and regulatory obligations.
k) Management and monitoring of pre-litigation and litigation
- Purpose: such Processing of Personal Data about you is carried out for:
- the management and monitoring of pre-litigation and litigation (sales representatives or suppliers), including in particular the preparation, exercise and monitoring of disputes and the enforcement of the decisions rendered;
- the management and monitoring of actions aimed at the establishment, exercise or defence of a legal right (including, where applicable, the enforcement of the decision rendered).
- Data processed: information relating to the persons involved, victims, witnesses, judicial officers appointed in the dispute/in the proceedings (full name, contact details, date of birth, etc., history of discussions with the company (ex: reminder letters, formal notices, pleadings and procedural documents, etc.), information on the financial situation, and also economic and financial information relating to the dispute and the persons involved, etc., and more generally any information if this is necessary with regard to the subject matter of the dispute, including, where applicable, data relating to criminal convictions or offences or security measures, the proceedings at issue, the proceedings at the origin of the dispute, including, where applicable, data relating to criminal convictions, breaches or security measures, the disputed facts giving rise to the proceedings, the information, documents and records collected to establish the facts that may be alleged (finding, testimony, certificate, formal notice, report, logs extracted from a computer resource security tool, fact finding sheet, filing of complaint, medical certificate), the details of the dispute (start and closing date of dispute, court seized, date of summons, date of hearing, state of the proceedings, nature and scope of claims, allegations, arguments, observations and views of legal representatives, date of the judgment), the date, nature, reasons, the amounts and any staggered payments of the decision, comments on the description and follow-up of the proceedings,…
- Legal basis: such processing of your personal data by the company is based on the legitimate interests pursued by the company in order to preserve/assert its interests and legal rights, particularly in performance of contractual relations with its customers, suppliers, contacts, training participants, etc. Furthermore, in the context of this Processing, so-called “special” Personal Data may be processed for the aforementioned purposes if they are strictly necessary for these purposes (for example: health data, data relating to criminal convictions, offences or security measures, etc.) and the establishment, exercise or defence of a legal right.
5 – WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA? HOW DO WE SHARE YOUR DATA?
5.1 We make sure that only persons authorised within the company can access your Personal Data when such access is necessary for the performance of their duties, including:
- The authorised personnel of the marketing and communication department, as well as their line managers;
- Authorised sales department staff and their line managers;
- Authorised staff of the customer relationship and prospecting departments and their line managers;
- Authorized administrative, financial and legal staff as well as their line managers;
- Authorised staff of the development, production and maintenance departments and their line managers;
- The authorized staff of the IT department, as well as their line managers;
- Project management staff, as well as their line managers;
- In terms of recruitment:
- The managers of the company offering the position;
- The human resources team dealing with the local recruitment process in France or the United Kingdom, or outside the European Union (Vietnam, Singapore, USA);
- The IT services of the company supporting the Human Resources departments locally and at the head office in Levallois Perret, France;
- Any persons authorised within the other entities of the HAVAS/VIVENDI Group to which we belong and some of whom may be located outside the European Union. To learn more about these Recipients and the flow of Personal Data that may be implemented in this context, as well as the appropriate safeguards we implement to ensure the protection of such Data, please refer to paragraph dedicated to transfers of Data outside the European Union below).
5.2 External Recipients may also receive your Personal Data, namely:
- The authorised staff of the departments responsible for control in our company (auditor, services responsible for the (internal or external) control procedures, bodies authorised to carry out controls, particularly social and tax audits, etc.;
- The staff of our counsel;
- Authorised staff of suppliers, including in particular service providers and data processors, who are subject to a contract specifying their obligations;
- Partners, whether contractual or commercial, and third-party companies, including, but not limited to social media publishers, publishers of third-party websites or publishers of cookies used on our Website, for example for marketing, communication, etc. or in the management of our digital marketing activities. In this respect, it is specified for the record that if you post content disclosing your Personal Data on the Internet, and in particular on our Website or on the social media pages of the company, such content may, of course, be accessible to any internet user;
Technical or other service providers involved in activities or missions for which access to Personal Data is strictly necessary and/or justified. This category of recipients may also include any application or tool publisher that would be used in connection with our activities, or any provider of IT service or provider of tool maintenance and applications that we use and in which your Personal Data may be processed;
- Bodies, judicial officers and ministerial officers, within the framework of their mission of collecting debts;
- If necessary, the body in charge of managing the telephone marketing opposition list;
- Judicial officers, ministerial officers and, where applicable, competent jurisdictions to allow the sale or transfer of all or part of our activities or assets, or in the management and monitoring of pre-litigation and/or litigation procedures;
- Our insurers;
- The entities of the group to which we belong: HAVAS/VIVENDI, in particular in order to participate in global projects, for example. In this case, you will be informed of the nature of the projects concerned and the entities involved, and if your consent is required in accordance with the applicable laws or regulations relating to the protection of Personal Data, it will be requested in advance.
5.3 We may also be required to disclose your Personal Data in the event of legitimate requests from public authorities worldwide, including in order to meet requirements regarding compliance with the law of Personal Data, national security, the fight against fraud or, more generally, the application of legal or regulatory provisions. Your Personal Data may therefore, in particular, be communicated to any authority authorised to have access to it, particularly in case of requisition from the judicial, police or administrative authorities. In these cases, we will examine the applicable local provisions, the nature of the request, as well as its legitimacy and proportionality of the information requested. Finally, we reserve the right to report activities that we consider in good faith as illegal and alleged abuses to the public authorities.
5.4 It is specified that the Recipients referred to above are not necessarily Recipients of all your Personal Data, but only of the data required for the purpose involving such communication.
6 – HOW LONG DO WE KEEP YOUR PERSONAL DATA?
6.1 Unless otherwise specified, our retention periods for your Personal Data are as follows:
a) Management of requests for information and exchanges with the company, initiated via or through the Website or the company’s social media pages: retention for the period necessary to respond to your request;
b) Management of our relations with our customers: retention for the duration of our relations, then, unless you object, for a period of three years at the end of your contractual or commercial relation with the company or from your last contact to us (online request, e-mail or postal mail, telephone call, click in an email to your attention by the company, etc.) for the purpose of managing our customer relations in the broad sense, or B to B prospecting by e-mail (see below);
c) Management of applications and the recruitment process: your Personal Data is retained for the duration necessary for the processing of your application.
In the event of a negative outcome of your application:
(i) If we wish to retain your Application Data in order to be able to resume contact with you immediately after a position that matches your profile is proposed, we will inform you and maintain such Data active in the database for a period of two years from our last contact.
(ii) If we do not wish to keep your Application Data to contact you later, we will keep your Data active in a database for three months from the email sent to you by the company indicating that your application is not successful and is not maintained in our applicant database so that you may, in this period, possibly question us about the reasons that led to this decision.
d) Management of our relations with our suppliers, including in particular our service providers and data processors: duration of the contractual or commercial relation;
e) Compliance with legal and regulatory obligations (including accounting, tax and administrative obligations) related to the performance of the contracts entered into by the company, and more generally to the company’s activity: duration of the current financial year increased by six months;
f) Newsletter (in case of registration on the Website): three years from the collection of Personal Data (see newsletter subscription) or the last contact from the Data Subject (for example: click on a link in the newsletter);
B2B prospecting by e-mail or by post or telephone: three years from the collection of Personal Data or the last contact from the Data Subject (for example, for a customer, from an order, the end of a service contract or the last contact from the customer and, for a potential customer, from the last contact by the customer (online request, e-mail or postal mail, telephone call, or click in an email to the customer’s attention sent by the company, etc.);
Understanding and browsing studies, including the carrying out and preparation of studies, analyses, reports and statistics: period to receive consent for cookies of six months from the storage of cookies on your terminal, and up to 25 months for Personal Data collected by this method. For more information, please refer to our dedicated Cookies Policy;
g) Organisation, management and monitoring of events: retention for the duration necessary for the organisation and follow-up of the event;
h) Management of requests for the exercise of the rights of data subjects: time necessary for processing the request and possibly retaining the Data necessary to take into account the exercise of these rights for a period of three years from the request sent by the Data Subject to the company.
6.2 It is specified that your Personal Data may, however, be retained for longer than the aforementioned periods:
- either after obtaining your consent; or
- or, in the form of archives, in order to meet any legal and regulatory obligations imposed on the company (for example ten years with regard to the retention of documents and accounting documents) or even during the statutory limitation periods, particularly for purposes of evidence (in general five years as regards the statutory limitation period in civil matters, six years with regard to the statutory limitation period for criminal offences or two to five years in labour law) or opposition (15 months for payment card data that have been used in a transaction for example).
6.3 In the event of pre-litigation initiated before the end of the above periods and which would require the retention of the Personal Data, particularly in view of the establishment, exercise or defence of the rights of the company, the data shall be retained until the amicable settlement of the dispute (including its enforcement if applicable), or, failing this, shall be deleted when the corresponding legal action has been time-barred.
In the event of litigation/procedure, particularly legal proceedings, initiated before the end of the above periods and which would require the retention of the Personal Data particularly in view of the establishment, exercise or defence of the rights of the company, the data shall be retained for the duration of such proceedings and until ordinary and extraordinary remedies are no longer possible against the decision handed down. The decisions handed down may be kept by the company until the full enforcement of the decision, or even as definitive archives.
7 – WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?
7.1 You have the following rights, in accordance with the terms and conditions and within the limits defined by the applicable provisions relating to the protection of Personal Data:
- Right of access: you may obtain confirmation that your Personal Data is processed or not by the company and, when it is, access to such Personal Data, as well as certain information relating to the Processing of your Personal Data;
- Right of correction: you can ask for any of your Personal Data that you consider incomplete or inaccurate to be corrected;
- Right to erasure: you may in some cases request deletion of your Personal Data;
- Right to restriction of Processing: you may request that the Processing of your Personal Data be restricted, allowing you to request in certain cases the marking of your Personal Data in order to limit its future Processing;
- Right to portability of your Personal Data: you have the right in certain circumstances and under certain conditions to request the receipt of Personal Data about you that you have provided to us or, where technically possible, to transfer it to a third party, in a machine-readable form;
- Right to withdraw your consent if the Processing is carried out on the legal basis of your consent;
- Right to refer any complaints to the Commission Nationale de l’Informatique et des Libertés (National Commission for IT and Liberties) (cnil.fr) or “Cnil” if you consider that the Processing of your Personal Data is not carried out in accordance with the applicable provisions on the protection of Personal Data;
- Right to set guidelines regarding the retention, erasure or disclosure of your Personal Data after your death. In this respect, in the event of death brought to our attention, please note that your Personal Data will be deleted, unless we need to retain it for a fixed period of time for reasons relating to our legal and regulatory obligations and/or the statutory limitation periods referred to above, after, where applicable, it has been communicated to a third party that may be designated by you.
In addition, under certain circumstances and under certain conditions, you have a Right of Objection by which you may object to the Processing of your Personal Data for reasons related to your particular situation, knowing that in case of prospecting, including profiling operations that would be related to such prospecting, you have a right of absolute opposition.
7.2 You may exercise your rights with our data protection officer (i) by email to the following address: firstname.lastname@example.org or (ii) by post to the following address: EKINO – Data Protection Officer – 157 rue Anatole France – 92300 Levallois-Perret. In any event, in case of reasonable doubt as to the identity of the person making such a request for the exercise of his/her rights, the company may always request that it be provided with additional information necessary to confirm the identity of the Data Subject and request, where the situation so requires, the photocopy of an identity document bearing the signature of the holder.
We will respond as soon as possible and in any event within a maximum period of one month from the receipt of the request. If necessary, we may extend this period by two months, given the complexity and the number of requests, and we will inform you of this specifically.
7.3 Please be informed that pursuant to Articles L.223-1 et seq. of the Consumer Code, you may, if you are a consumer, object at any time to be solicited by telephone, by registering for free on the website “www.bloctel.gouv.fr“.
8 -HOW IS YOUR PERSONAL DATA SECURED?
8.1 The company shall implement appropriate organisational and technical security measures, in particular with regard to the categories of Personal Data processed, the state of knowledge, the implementation costs and the nature, scope, context and purposes of the Processing and the risks, the degree of likelihood and severity of which varies, for the rights and freedoms of natural persons, to protect your Personal Data against malicious intrusion, loss, alteration or disclosure to unauthorised third parties, and more generally to protect the security and confidentiality of such Personal Data and ensure a level of security appropriate to the risk.
Due to the difficulties inherent in carrying out an activity on the Internet and the risks that you are aware of, resulting from the electronic transmission of data, the company cannot, however, be bound by an obligation of result.
In the event of difficulties, the company shall make its best efforts to mitigate the risks and take all appropriate measures, in accordance with its legal and regulatory obligations (corrective actions, inform the Cnil and, where applicable, the data subjects, …).
8.2 When developing, designing, selecting and using our services offered on the Website which are based on the Processing of Personal Data, the company takes into account the right to the protection of Personal Data by default and as soon as they are designed (Privacy by design and by default principles).
8.3 The access to Personal Data about you is limited to our employees or partners, and more generally the Recipients referred to above, who are authorised and need to know the data in the performance of their duties. All employees who have access to your Personal Data are bound by a confidentiality obligation and are subject to sanctions if they do not comply with these obligations.
8.4 If all or part of the Processing of Personal Data is carried out by third party processors, the company contractually imposes on its third party data processors security guarantees and in particular confidentiality with regard to the Personal Data to which they may have access (appropriate technical and organisational measures for the protection of such Data).
9 – ARE YOUR PERSONAL DATA TRANSFERRED OUTSIDE OF THE EUROPEAN UNION?
9.1 Your Personal Data is preferably processed in the European Union.
9.2 As part of the aforementioned purposes, some of your Personal Data may, however, be transferred to third parties established in countries outside the European Union (for example, entities of the HAVAS VIVENDI Group, Data Processors of the company involved in the aforementioned Processing, your home company if established outside the European Union, etc.).
Some of these entities receiving your Personal Data are considered to ensure a sufficient level of protection of Personal Data because they are established in a country whose Personal Data protection regulations have been recognized as ensuring an adequate level of protection of the Personal Data (adequacy decisions of the European Commission https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
In addition, if the country of the entity receiving your Personal Data does not provide an adequate level of protection for that Personal Data, we ensure that appropriate security and confidentiality measures are taken to ensure that your Data is protected.
Therefore, in these cases, you are informed that transfers of your Personal Data to other entities outside the European Union are governed by the provision of appropriate safeguards such as the conclusion, with the Recipients of such Data, of contractual clauses consistent with the European Commission’s recommendations to ensure that appropriate safeguards are in place in relation to the protection of such Data.
Please be informed that transfers of Personal Data outside the European Union are lawful if (i) the transfer is necessary for the performance of a contract between the Data Subject and the Controller or the implementation of pre-contractual measures taken at the request of the Data Subject, if (ii) the transfer is necessary for the conclusion or performance of a contract entered into in the interests of the Data Subject between the Controller and another natural or legal person, or if (iii) the Data Subject has explicitly consented to the proposed transfer, after having been informed of the risks that such transfer might involve for him/her due to the absence of an adequacy decision and appropriate safeguards.
A copy of the reference documents referred to in this paragraph may be obtained (exempt from any commercial information considered sensitive or confidential or covered by business secrecy), from the contact person mentioned in paragraph above “What are your rights and how can you exercise them?”.
10 – WHAT ARE THE LINKS TO THIRD PARTY WEBSITES?
10.1 Regardless of any considerations specific to the functioning of cookies, please be informed that our digital media may provide links to third party websites, including social networking websites. We do not control the activity of these websites and the policies they apply regarding the protection of your Personal Data and your rights, and we cannot control them. We invite you to examine the guarantees offered by these websites before any interaction with them. In this respect, your attention is drawn to the fact that the personal data protection policy of these websites may be different from that of the company and that it is your responsibility to read it.
10.2 If you post content disclosing your Personal Data on the Internet, and in particular on social networks, including the social media pages of the company, such content may be accessible to any Internet user, and collected or exploited by third parties, for purposes that are not our responsibility. In any event, the company cannot be held liable in the event that the Personal Data Processing implemented via one of these third-party websites contravenes the applicable legal and regulatory provisions.
11.3 We invite you to consult it regularly.
12 – MANAGEMENT OF COOKIES
12.1 Cookies and other trackers or similar technologies may be installed and/or read in your browser when you visit the Website in accordance with our Cookies Policy. For more information on the management of cookies, please consult our dedicated Cookies Policy.