CUSTOMER AND CONTACT DATA POLICY FOR ASSESS MANAGER GROUP WEBSITES
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR) sets out the legal framework applicable to the processing of personal data.
The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
As part of its business, Assess Manager processes personal data relating to its clients and contacts.
For a better understanding of this policy, it is specified that :
- “Client(s)” refers to any individual or legal entity who is an Assess Manager client;
- “Contact(s)”: refers to any natural or legal person who has dealings with Assess Manager but who is not a client (prospects, relations, partners, etc.);
- “Data controller”: refers to the natural or legal person who determines the purposes and means of processing personal data. For the purposes of this policy, the data controller is Assess Manager;
- “Processor”: refers to any natural or legal person who processes personal data on behalf of the data controller. In practice, this means the service providers with whom Assess Manager works and who handle the personal data it processes;
- “Data subjects”: refers to persons who can be identified, directly or indirectly. They are referred to herein as “client” or “contact”;
- “recipients” refers to the natural or legal persons who receive personal data. Data recipients may therefore be both internal recipients and external bodies (support service providers, the judicial administration and its auxiliaries, professional bodies, etc.).
Article 12 of the GDPR requires data subjects to be informed of their rights in a concise, transparent, comprehensible and easily accessible manner.
In order to meet its needs, Assess Manager implements and operates the processing of personal data relating to its clients and contacts.
The purpose of this policy is to meet Assess Manager’s obligation to provide information and to formalise the rights and obligations of its clients and contacts with regard to the processing of their personal data.
This personal data protection policy is intended to apply to the processing of the personal data of Assess Manager clients and contacts.
This policy relates only to the processing for which Assess Manager is responsible and to data described as “structured”.
The processing of personal data may be managed directly by Assess Manager or through a sub-contractor specifically appointed by it.
This policy is independent of any other document that may apply within the contractual relationship between Assess Manager and its clients and contacts, in particular its general terms of business or its cookies policy.
4. GENERAL PRINCIPLES & COMMITMENT
Assess Manager will not process client and contact data if it does not relate to personal data collected by or for its services or processed in connection with its services and if it does not comply with the general principles of the GDPR.
Any new processing, modification or deletion of existing processing will be brought to the attention of customers and contacts by means of an amendment to this policy.
5. TYPES OF DATA COLLECTED
|Non-technical data(depending on use)
|Identity and identification (surname, first name, date of birth, pseudonym, customer number) Contact details (e-mail, postal address, telephone number): in particular for sending newsletters and delivering newspapersPersonal/professional data where necessaryBanking data where necessary (in the case of online subscriptions, online sales)
|Technical data(depending on use)
|Identification data (IP address)Connection data (logs, token in particular)Acceptance data (click)Location data
Assess Manager does not process sensitive data within the meaning of Article 9 of the RGPD, with the exception of data included in Article 9.2 f), i.e. data necessary “for the establishment, exercise or defence of legal claims or whenever the courts are acting in their judicial role “.
6. ORIGINS OF DATA
Assess Manager collects the data of its clients and contacts from :
- data supplied by the client (paper form, order form) ;
- business cards
- electronic forms filled in by the client;
- registration or subscription to our online services (website, social networks, etc.);
- registration for events organised by Assess Manager;
- lists provided by the organisers of events or conferences in which we take part; – exchanges via social networks.
Exceptionally, we may rent databases.
Data may also be collected indirectly via specialist companies or via Assess Manager partners and suppliers. In this case, Assess Manager takes great care to ensure the quality of the data it receives.
7. PURPOSES OF PROCESSING
Depending on the case, Assess Manager processes your data for the following purposes:
- customer relationship management (CRM) ;
- contact relationship management (CRM);
- management of events organised by Assess Manager (conferences, breakfasts, webinars, etc.);
- sending our newsletters or information feeds;
- user account management;
- answering questions put to us (by telephone or online);
- sending greetings and other congratulations from Assess Manager;
- improving our services;
- meeting our administrative obligations;
- video-surveillance for personal and property security purposes;
- organisation of competitions;
- community management;
- compiling statistics.
8. LEGAL BASIS
The purposes of the processing described above are based on the following conditions of lawfulness:
|Pre-contractual or contractual performance
|Legitimate interests and, where required by law, consent
9. DATA RECIPIENTS
Assess Manager ensures that data is only accessible to authorised internal or external recipients.
|– authorised staff of the marketing department, departments responsible for handling customer relations and canvassing, administrative departments, logistics and IT departments and their line managers;- Authorised staff of departments responsible for auditing (statutory auditors, departments responsible for internal audit procedures, etc.);
|– External recruitment firm – Service providers or support services (e.g. translation service, IT service provider, reprographics, etc.) – Judicial administration, court officers, colleagues, experts, agents, bailiffs, investigators, etc. – Ordinary bodies – Administration – Authorised staff of subcontractors
The recipients of clients’ and contacts’ personal data within Assess Manager are subject to an obligation of confidentiality.
Assess Manager decides which recipient will have access to which data in accordance with an authorisation policy.
Assess Manager is in no way responsible for any damage of any kind that may result from unlawful access to personal data.
All accesses concerning the processing of personal data relating to customers and prospective customers are subject to traceability measures.
In addition, personal data may be communicated to any authority legally authorised to have access to it. In this case, Assess Manager is not responsible for the conditions under which the staff of these authorities have access to and use the data.
10. RETENTION PERIOD
The duration of data retention is defined by Assess Manager in the light of its legal and contractual obligations and, failing that, according to its needs and in particular according to the following principles:
|Data relating to clients
|For the duration of the contractual relationship with Assess Manager, plus 5 years for promotion and canvassing purposes, without prejudice to retention obligations or limitation periods
|Data relating to members and users
|For as long as is necessary to carry out the services provided by Assess Manager and 5 years after the last intervention given the specific nature of the company’s businessCookies: 13 months
|Data relating to contacts and prospects
|5 years from the date of collection by Assess Manager or the last contact from the prospect/contact
|5 years from collection
|Deleted as soon as the transaction is completed, except with the client’s express agreementIf the transaction is disputed: retained for 13 months following the debit date
|Fight against money laundering
|5 years from the date of collection
After the set time limits, the data is either deleted or kept after being anonymised, in particular for statistical purposes. It may be kept for pre-litigation and litigation purposes.
Clients and contacts are reminded that deletion or anonymisation are irreversible operations and that Assess Manager is not subsequently able to restore them.
11. RIGHT OF ACCESS (RIGHT TO COPY)
Clients and contacts traditionally have the right to ask Assess Manager for confirmation as to whether or not data relating to them is being processed.
Clients and contacts also have a right of access, subject to compliance with the following rules:
- the request must be made by the individual him/herself and accompanied by a copy of an up-to-date identity document;
- be made in writing to the following address: 26 rue Kervégan – 44 000 Nantes – France or to the following email address: email@example.com.
Clients and contacts have the right to request a copy of their personal data being processed from Assess Manager. However, in the event of a request for an additional copy, Assess Manager may require clients and contacts to bear the cost of this.
If clients and contacts submit their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.
Customers and contacts are informed that this right of access may not relate to information or data that is confidential or for which communication is not authorised by law.
The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilising Assess Manager.
12. UPDATING AND RECTIFICATION
Assess Manager responds to requests for updates :
- automatically for on-line changes to fields that can be technically or legally updated;
- on written request from the person themselves, who must provide proof of their identity.
13. RIGHT TO ERASURE
The right to erasure of customers and contacts will not apply in cases where the processing is carried out to meet a legal obligation.
Apart from this situation, customers and contacts may request the deletion of their data in the following limited cases:
- personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to processing that is necessary for the purposes of the legitimate interests pursued by Assess Manager and there is no compelling legitimate reason for the processing;
- the data subject objects to the processing of his/her personal data for canvassing purposes, including profiling;
- the personal data has been processed unlawfully.
In accordance with legislation on the protection of personal data, customers and contacts are informed that this is an individual right that can only be exercised by the person concerned in relation to his or her own information: for security reasons, the department concerned will therefore have to verify your identity in order to avoid any communication of confidential information about you to anyone other than you.
14. RIGHT TO LIMITATION
Clients and contacts are informed that this right is not intended to apply insofar as the processing carried out by Assess Manager is lawful and all personal data collected is necessary for the performance of the commercial contract.
15. RIGHT TO PORTABILITY
Assess Manager grants the right to data portability in the specific case of data communicated by clients or contacts themselves, on online services offered by Assess Manager and for purposes based solely on the consent of the persons concerned. In this case, the data will be communicated in a structured, commonly used and machine-readable format.
16. AUTOMATED INDIVIDUAL DECISION
Assess Manager does not make automated individual decisions.
As part of an algorithm implemented on its site, Assess Manager offers a decision-making tool in order to target the most relevant applications as effectively as possible.
However, the decision to recruit or promote internally rests exclusively with the Client.
The tools offered on the Assess Manager website are only intended to assist Clients and should not be considered as anything other than that.
17. POST MORTEM RIGHTS
Clients and Contacts are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their post-mortem data. The communication of specific post-mortem directives and the exercise of their rights can be made by e-mail to the address: firstname.lastname@example.org or by post to the following address: Assess Manager, 26 rue Kervégan – 44 000 Nantes – France, together with a copy of a signed identity document.
18. OPTIONAL OR COMPULSORY RESPONSES
Clients and contacts are informed on each personal data collection form of the compulsory or optional nature of their responses by the presence of an asterisk.
Where responses are mandatory, Assess Manager will explain to clients and contacts the consequences of not responding.
19. RIGHT OF USE
Clients and Contacts grant Assess Manager the right to use and process their personal data for the purposes set out above.
However, the enriched data resulting from Assess Manager’s processing and analysis work, otherwise known as enriched data, remains its exclusive property (usage analysis, statistics, etc.).
Assess Manager informs its clients and contacts that it may involve any sub-contractor of its choice in the processing of their personal data.
In this case, Assess Manager will ensure that the sub-contractor complies with its obligations under the GDPR.
Assess Manager undertakes to sign a written contract with all its subcontractors and imposes the same data protection obligations on subcontractors as it does. In addition, Assess Manager reserves the right to audit its subcontractors to ensure compliance with the provisions of the RGPD.
Assess Manager is responsible for defining and implementing the physical or logical technical security measures it deems appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.
These measures mainly include
- management of access rights to data ;
- internal backup measures
- identification processes
- conducting security audits and penetration tests;
- the adoption of an information systems security policy; – the adoption of business continuity/disaster recovery plans; – the use of a security protocol or solutions.
To this end, Assess Manager may be assisted by any third party of its choice to carry out vulnerability audits or intrusion tests at the intervals it deems necessary.
In any event, Assess Manager undertakes, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
In the event of subcontracting all or part of the processing of personal data, Assess Manager undertakes to contractually impose security guarantees on its subcontractors by means of technical data protection measures and the appropriate human resources.
22. DATA BREACH
In the event of a personal data breach, Assess Manager undertakes to notify the CNIL in accordance with the conditions laid down in the RGPD.
If the said breach poses a high risk to clients and contacts and the data has not been protected, Assess Manager will :
- notify the clients and contacts concerned;
- provide the clients and contacts concerned with the necessary information and recommendations.
23. DATA PROTECTION OFFICER
Assess Manager has appointed a Data Protection Officer.
The details of our data protection officer are as follows:
Name: Virginie LOISEL – Data Protection Officer
E-mail address: email@example.com
Tel: 33 2 28 23 00 44
24. DATA PROCESSING REGISTER
Assess Manager is not required to set up a data processing register.
25. RIGHT TO LODGE A COMPLAINT WITH THE CNIL
Customers and contacts concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil in France, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address
Cnil – Service des plaintes
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 33 1 53 73 22 22
This policy may be amended or modified at any time in the event of changes to legislation, case law, Cnil decisions and recommendations or practices.
Any new version of this policy will be brought to the attention of clients and contacts by any means chosen by Assess Manager, including electronically (e.g. by e-mail or online).
27. FOR FURTHER INFORMATION
For further information, please contact our Data Protection Officer at the following e-mail address: firstname.lastname@example.org.
For more general information on the protection of personal data, please visit the CNIL website at www.cnil.fr.