1. General provisions

1.1. Foreword

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, otherwise known as the General Regulation on Data Protection (hereinafter GDPR), lays down the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and the recipients of data.

Subsequently, and to implement the modifications of the GDPR, law no. 78-17 of 6 January 1978, referred to as the law on Data Processing, Files and Individual Liberties, was amended by law no. 2018-493 of 20 June 2018 and by order No. 2018-1125 of 12 December 2018 on data protection.

The regulations applicable to the protection of personal data thus include the following:

  • The GDPR;
  • The Data Processing, Files and Individual Liberties law as amended by the aforementioned texts;
  • The recommendations of the CNIL.

To properly understand this policy please note that:

  • The “Data Controller” means the natural or legal person who determines the purposes and means for the processing of personal data. Under this policy, the Data Controller is the RDAI Company;
  • The “data subjects” are the persons who can be identified, directly or indirectly, and whose personal data are collected by the data controller, that is to say, in the context of this policy, all RDAI corporate contacts for customers and prospects regardless of their status (employees or managers).

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible way.

1.2. Definitions

  • “Personal data” means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, mental, economic, cultural or social identity;
  • “Enriched data”: enriched personal data exclude "raw" personal data provided by the data subject. They are the data generated by the Data Controller. They may also be data deduced and/or derived by the Data Controller on the basis of data "provided by the data subject";
  • “Processing of personal data” means any operation or set of operations carried out or not using automated processes and applied to personal data, such as the collection, recording, organization, retention, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection, as well as the locking, erasure or destruction of same;
  • “Personal data breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data.

1.3. Purpose

To ensure that it operates properly, our company is required to implement personal data processing operations relating to our contacts with our customers, prospects and partners in the context of commercial relations and contracts concluded with them.
The purpose of this policy is to fulfil our obligation to provide information and to recall the rights of our contacts with our customers, prospects and partners in the processing of their personal data.

1.4. General Principles

Our company does not implement any processing of data concerning you if it does not relate to personal data collected by or for its services or processed in connection with its services and if it does not meet the principles of the GDPR.
Any new processing, modification or deletion of existing processing will be brought to the attention of our contacts with our customers and prospects through a modification of this policy.

2. Identification of the processing operations concerned

2.1. Categories of data collected and origin of data

The data is mainly collected directly from our contacts with customers and prospects of our company.

As a result, we only collect and use the data necessary to conclude or carry out contracts with our company, namely:

  • The identity of the person (s) in charge of a file or contacted for prospecting purposes (e.g.: title, surname, first name);
  • The professional contact details of the contact (s) in charge of a file or contacted for prospecting purposes (e.g.: professional email, professional postal address, fixed or mobile business telephone number, fax number);
  • Professional information about the contact (s) in charge of a file or contacted for prospecting purposes (e.g.: position, grade, function);
  • Technical data depending on the case in question (identification or connection data such as IP address or logs);
  • Images of the contacts in charge of a file or contacted for prospecting purposes (e.g.: in the case of access to our premises).

2.2. Purposes of processing
 

| Purposes | Comment |
|---|---|
| Pre-contractual exchanges | We process data from people who interact with us when we have approached the organisation to which they belong for prospecting purposes or when they have contacted us for a contract. |
| Contract and follow-up of the contract | We process the data concerning our customer contacts as part of the follow-up of our contractual relations with them. |
| Billing, payment and accounting | We process the data concerning our contacts with our customers and prospects as part of the billing and payment of orders. |
| Customer / prospect relationship management | We process the data concerning our contacts with our customers and prospects in order to communicate with them about questions that they are liable to ask us during the current or future fulfilment of a contract with our company. |
| Customer and Prospect Directory management | We maintain a directory for our customers and one for our prospects, which implies the inclusion of our main contacts with them. |
| Organization of events by our company | We process the data concerning our contacts with our customers and prospects when we invite them to events that we organize or co-organize. |
| Sending newsletters or news feeds | When the addresses to which we send our newsletters or news feeds are not contact addresses, we use the data concerning our contacts with our customers and prospects. |
| Third party access management | We process the data of contacts accessing our premises in order to secure such access (e.g.: keeping a register, access badges, etc.). |
| Video surveillance of third-party personnel | Some specific areas of our premises such as gates and fences are subject to video surveillance systems, which results in the processing of data concerning third parties that may be filmed. |
| Production of statistics | We are liable to produce statistics regarding the data of our customers and prospects. |


2.3. Retention period

We define the retention period for data concerning our contacts with our customers and prospects in light of the legal and contractual constraints by which we are governed, and failing same according to our needs.

As a matter of principle, the data relating to our customers and prospects must be kept for the time strictly necessary for the management of the commercial relationship. Specifically, we undertake to respect the following retention periods:

| Processing | Retention period |
|---|---|
| Contracts with our customers | 5 years from their conclusion; 10 years for contracts concluded electronically worth more than 120 euros |
| Commercial correspondence (purchase orders, delivery slips, invoices, etc.) | 10 years from the end of the accounting year |
| Data processed for prospecting purposes | For customers: 3 years from the end of the commercial relationship (from the end of a contract or the last contact by the customer); for prospects: 3 years after collection by the RDAI company or last contact from the prospect (request for documentation, click on a link in an email, etc.) |
| Video-protection camera images | For a maximum of one month |
| Access to buildings | For a maximum of one month |
| Technical data | 1 year from collection |
| Cookies | 13 months |


The retention periods indicated in the preceding table are necessarily extended for the legal limitation period as evidence in case of litigation. In the latter case, the retention period is extended for the entire duration of the dispute.

After the set time limits, the data are either deleted or preserved after being anonymized, in particular for statistical purposes. The data can be kept in case of pre-litigation and litigation.

Please note that the deletion or anonymisation of data are irreversible operations and that the RDAI company is no longer able, thereafter, to restore them.

2.4. Legal basis

The processing of the data concerning our contacts with our customers and prospects as presented above is based on the following conditions of permissibility, which differ depending on whether the processing concerns customers or prospects:

  • Customers: Pre-contractual or contractual fulfilment;
  • Prospects: Pre-contractual fulfilment or legitimate interest of RDAI.

 
2.5. Data recipients

Recipients of the data are natural or legal persons who receive the communication of personal data. The recipients of the data can therefore be employees of RDAI as well as external organizations.

We make sure that the data collected and processed in the context of our relations with our customers and prospects are accessible only to authorized internal and external recipients, and in particular, to the following recipients:

  • The personnel of the appropriate departments authorized to manage relationships with our contacts with our customers and prospects and their line managers;
  • Staff in support departments, namely the administrative departments, logistics and IT departments and their line managers;
  • Our service providers or support services (e.g.: IT service provider);
  • The competent authorities should we be required to share certain data with judicial officers, departments responsible for internal control procedures, etc.;
  • In the case of a visit to our premises, the reception staff, who collect data in a register about visitors, whoever they are.

With regard to internal recipients, we decide which recipient is authorized to access what data according to a clearance policy and we ensure that they are subject to an obligation of confidentiality.

With regard to external recipients, please note that personal data concerning our contacts with our customers and prospects may be communicated to some of our service providers or to any authority legally entitled to know it (tax and social welfare authorities in particular). In this case, the RDAI Company is not responsible for the conditions in which the personnel of these authorities have access to and exploit the data.

3. Management of personal rights

3.1. Right of access and right to copy

Our customers and prospects have the right to ask us if we are actually processing data concerning their members (staff, manager, etc.) in the context of contracts concluded with them or prospecting messages that we send them.

They may also request that we provide them with a copy of the data about their members being processed.

However, if additional copies are requested, we may require our customers and prospects to support the cost of the new copy.

If requests by customers and prospects are made electronically, the information provided will be in an electronic form in common use, unless otherwise requested.

Our customers and prospects are informed that this right of access cannot relate to confidential information or data, or to data whose communication the law does not authorize.

The right of access must not be exercised in an abusive manner, i.e. regularly requested for the sole purpose of destabilizing the proper performance of our services.

3.2. Right of rectification

Our customers and prospects have the right to ask us to rectify certain data concerning their staff that is obsolete or incorrect.

3.3. Right to erasure

Our customers can only invoke the right of erasure with regard to the data concerning their personnel in the following cases:

  • The contract has been terminated and is no longer effective between our company and the customer;
  • The staff members whose data is processed are no longer employees of one of our customers and therefore wish to be removed from our customer database.

Our prospects may invoke the right of erasure regarding the data of their staff to the extent that they have a right of objection to the receipt of prospecting messages.

3.4. Right to limitation

Our customers and prospects are informed that this right is not intended to apply to the extent that the conditions required by the applicable regulations are not met with regard to the processing we carry out on the personal data of members of their staff with whom we are in contact.

3.5. Right to portability

Our customers and prospects are informed that this right is not intended to apply to the extent that the conditions required by the applicable regulations are not met with regard to the processing we carry out on the personal data of members of their staff with whom we are in contact.

3.6. Right of opposition

Customers and prospects have the right to oppose any commercial prospecting by post, telephone or electronic means, including profiling in so far as it is linked to such prospecting.
In the specific case of prospecting by electronic means, it is possible at any time for customers and prospects to oppose such prospecting by clicking on the link in the e-mail received. It is possible to oppose any prospecting by sending a “stop” message to the number appearing in the e-mail received.

3.7. Exercising the rights of our contacts

To exercise their rights, our customers and prospects must contact us either in writing, by post or by email to the following addresses:

Me Eric Barbry
Racine Avocats
40 rue de Courcelles — 75008 Paris
Tel.: +33 (0)1 44 82 43 00 - dpo-rdai [at] racine.eu

 

We make every effort to respond to requests within a reasonable time and, at most, within one month of receiving the request.

However, should the processing of requests prove to be complex or should we simultaneously receive a large number of requests to exercise rights, the processing time may be extended to two months.

4. Additional provisions

4.1. Outsourcing

We may involve any subcontractor of our choice in the processing of personal data concerning our contacts with our customers and prospects.

For the purposes of the GDPR, the subcontractor is any natural or legal person who processes personal data on behalf of the Data Controller. In practice, therefore, these are the service providers with whom RDAI works and who work on RDAI's personal data.

In this case, we ensure the subcontractor's compliance with its obligations under the GDPR.

We undertake to sign a written contract with all of our subcontractors and subject them to the same data protection obligations that we impose on ourselves. In addition, we reserve the right to audit our subcontractors to ensure that they comply with the provisions of the GDPR.

4.2. Register of processing operations

As the Data Controller, we undertake to maintain a record of all the processing activities performed.

This register is a document or application used to identify all the processing operations carried out by the RDAI company as Data Controller.

We undertake to provide the French Data Protection Authority (CNIL), on first request, with the information enabling it to verify the compliance of the processing operations with the Data Processing, Files and Individual Liberties regulations in force.

4.3. Security measures

We implement the technical, physical or logical security measures that we believe are appropriate to address the unauthorized destruction, loss, alteration, or disclosure of data, be it accidental or illicit.

These measures mainly include:

  • Management of authorizations for data access;
  • Internal safeguard measures;
  • Conducting security audits and penetration tests;
  • The adoption of an information systems security policy;
  • The adoption of business continuity / recovery plans;
  • The use of a security protocol or solutions.

Whatever the case, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them by means with superior performance characteristics. No upgrade can lead to a downgrade in the level of security.

4.4. Data Breach

We undertake to notify the French Data Protection Authority (CNIL) of any data breach that we may undergo in accordance with the conditions prescribed by the regulations regarding personal data.

Our contacts with our customers and prospects are informed of any data breach that could pose a high risk to their privacy.

5. Contacts

5.1. Data protection officer

We have designated a data protection officer who can be contacted at the following address for any questions regarding data processing: dpo-rdai [at] racine.eu.

5.2. Right to submit a complaint to the CNIL

Our contacts with our service providers have the right to lodge a complaint with a supervisory authority, namely the French Data Protection Authority (CNIL) in France, if they consider that the processing of personal data concerning them is not compliant with the European Data Protection Regulation, at the following address:
 

CNIL — Service des plaintes
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel.: +33 (0)1.53.73.22.22

 


5.3. Update

This policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations of the French Data Protection Authority (CNIL) or standard uses.
Any new version of this policy will be brought to the attention of our customers and prospects by any means we choose including electronic (by e-mail or online display for example).

5.4. For further information
For further information, please contact our data protection officer at the following email address: dpo-rdai [at] racine.eu
For more general information on the protection of personal data, please consult the website of the French Data Protection Authority (CNIL) www.cnil.fr.