Security policy: Personal data (GDPR)
- 1. Introduction
- 2. Objective
- 3. Impact
- 4. General Principles
- 5. Personal Data Collection
- 6. Types of collected data
- 7. Purposes and legal basis
- 8. Recipients of the data – authorization and traceability
- 9. Retention period
- 10. Right of confirmation and right to access
- 11. Updating and adjustments
- 12. Right to deletion
- 13. Right to restrictions
- 14. Right to portability
- 15. Automated individual decision
- 16. Post Mortem Right
- 17. Mandatory and optional responses
- 18. The right to use data
- 19. Outsourcing
- 20. Security
- 21. Violation of data
- 22. Right to lodge a complaint with the CNIL
- 23. Evolution
- 24. For more information
Data Protection Policy
1. Introduction
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation (GDPR), sets out the legal framework applicable to the processing of personal data within the European Union.
The GDPR reinforces the rights of the persons concerned and the obligations of those responsible for processing (controllers), their subcontractors (processors) and anyone else involved in the processing.
When its websites, accessible at https://www.wimi-teamwork.com/ and www.wimi-armoured.com, are used, Cloud Solutions (the business) processes the personal data of its clients and prospective clients.
For a good understanding of the current policy, it is outlined that:
- Clients and prospective clients: Refers to any natural or legal person who has had contact of a commercial nature with the business.
- Responsible party for data processing (controller): Refers to the natural or legal person who determines the purposes and means of personal data processing. Under the current policy, the business is the responsible party.
- The subcontractor (processor): Refers to any person who processes personal data on behalf of the business. In practical terms, this covers all service providers that the business works with and who take part in the processing (CRM solutions, technical providers, freelancers, etc.).
- The persons concerned (data subjects): Refers to the people who can be directly or indirectly identified in the course of the business' commercial and marketing activity, i.e. all clients and prospective clients.
- The recipients: Refers to the natural or legal persons who receive the personal data. Recipients may be employees of the business or of external organisations (partners, banks, contributors, etc.).
2. Objective
Article 12 of the GDPR requires that all persons concerned be informed of their rights in a concise, transparent, intelligible and easily accessible form.
In order to operate, the business must process and use its clients' and prospective clients' personal data.
The current policy sets out to meet this duty to inform and to formalise the rights and obligations of clients and prospective clients regarding the processing of their personal data.
3. Impact
The current policy on personal data protection applies whenever the personal data of clients and prospective clients is processed.
The current policy covers only processing for which the business is responsible; it does not cover processing that the business neither carries out nor commissions (third-party processing).
The processing of personal data may be carried out directly by the business or through a subcontractor specifically appointed by it.
This policy is independent of all other documents that may apply within the contractual relationship between the business and its clients and prospective clients.
4. General Principles
The business processes the personal data of its clients and prospective clients only where that data was collected by or for its services, for the purposes of those services, and in accordance with the general principles of the GDPR.
5. Personal Data Collection
5.2 Types of data
The business collects the personal data necessary to operate its websites and services (e.g. Wimi, Wimi Armoured) and to conduct market research.
5.3 Origin of data
Clients' and prospective clients' data comes from registration and contact forms on the website, but also from market research and the purchase of customer databases.
5.4 Mandatory data
Mandatory data is marked with an asterisk in these forms. If it is not provided, the business cannot deliver the service for which the data is collected.
6. Types of collected data
6.1 Non-technical data
The business notably collects the following data:
– Identification data (name, email address, telephone number);
– Banking data (if the prospective client becomes a client).
6.2 Technical data
The business collects data about the client's connection to the service (e.g. IP address, time of connection, device type, browser language, etc.).
7. Purposes and legal basis
According to each case, the business processes your data for the following purposes:
- Management of registration and subscription to the services
- Management of the connection to the services
- Management of the newsletter
- Management of the user’s discovery of the service
- Communication with the support services
- Communication of important information concerning our services
- Management of orders for deregistration and unsubscribing to the service
- Management of questions regarding the user’s rights with regard to their data
- Management of questions about contact and assistance
- Management of the accounting and billing
- Retention of data required for legal and security purposes
- Management of the outstanding debts and disputes
- Improvement of the services provided, through customer satisfaction surveys
- Management of client, user and prospective client relationships, including segmentation and targeting in order to best meet users' needs
- Production of statistics in order to optimise our services
The client is informed that the collection of their personal data is necessary for the performance of the contract with the business, which is the legal basis for the processing described above; processing for profiling purposes relies on the explicit consent described in section 15.
8. Recipients of the data – authorization and traceability
The business ensures that the data is accessible only to authorised internal recipients or authorised external persons.
Internal recipients:
– The authorised staff of the marketing, sales, client relationship, administrative, logistics and information systems departments, as well as their superiors;
– The authorised staff of account management (account managers, internal account management services, etc.).
External recipients:
– Partners, external organisations or affiliates of the same group of partner businesses;
– Agencies, paralegals and officers of the court acting in the course of debt collection;
– The business' subcontractors and, in particular, those of their staff who are authorised to process the personal data.
The recipients of the clients' and prospective clients' data within the business are bound by confidentiality.
The business determines which internal recipients are authorised to receive the data.
The authorisation policy is reviewed regularly and takes account of the arrival and departure of employees who have access to the data.
The business is in no way liable for damage of any kind that may result from unlawful access to personal data.
Any employee who realises that they have access to data they should not be able to access must immediately inform the person responsible.
All access to the processing of clients' and prospective clients' personal data is logged so that it can be traced.
In addition, personal data may be communicated to any authority legally entitled to receive it. In that case, the business is not responsible for the conditions under which the personal data is accessed and used by those authorities.
9. Retention period
The retention period of data is defined by the business in view of the legal and contractual constraints to which it is subject, and notably according to the following principles:

| Processing | Data retention period |
|---|---|
| Client data | Retained throughout the client's use of the Wimi service. |
| Client data in market research | Retained for a maximum of 3 years after cancellation of the subscription to the Wimi service. |
| Prospective client data | Retained for a maximum of 3 years after the last contact made by the prospective client. |
| Technical data | IP addresses and client/prospective client logs are retained for one year after the last connection or the last use of the software. |
| Banking data | Deleted, in principle, once the transaction has been made, unless the client agrees to the data being retained. Nevertheless, for evidentiary purposes, banking data may be retained in an archive for 13 months after the date of the last transaction. |
| Cookies | Retained for a maximum of 13 months. |

Data used to establish proof of a contract, or retained to comply with legal obligations, is subject to intermediate archiving for the period necessary to the purpose for which it is retained, in accordance with the applicable provisions.
Once these periods have elapsed, the data is deleted or anonymised, primarily for statistical use.
Clients and prospective clients are reminded that deletion or anonymisation is irreversible and that the business will not be able to restore the data.
10. Right of confirmation and right to access
Clients and prospective clients have the right to ask the business to confirm whether or not their data is being processed.
Clients and prospective clients also have the right to access that data, subject to the following rules:
- The request comes from the person concerned and is accompanied by valid proof of identity
- The request is sent in writing to the following address: 112 Rue Réaumur, 75002 Paris, France or by email to: email@example.com
Clients and prospective clients have the right to request a copy of their personal data processed by the business. Where a further copy is requested, the business bears the cost on behalf of the client or prospective client.
If clients or prospective clients request a copy of their data by electronic means, the information is provided in a commonly used electronic form, unless they request otherwise.
Finally, clients and prospective clients are informed that the right of access does not extend to confidential information or to data that may not be communicated.
The right of access may not be exercised abusively, that is, repeatedly and with the sole aim of causing disruption.
11. Updating and adjustments
So that the personal data collected by the business can be kept up to date, clients and prospective clients are required to respond to the business' requests for updates.
Where the business itself changes a client's or prospective client's information, the client is informed immediately.
Clients and prospective clients are informed that the business will not make "convenience" modifications; only substantial modifications concerning civil status, identity and contact details will be made.
12. Right to deletion
The right to deletion does not apply where the processing is carried out to meet a legal obligation.
Outside these scenarios, clients and prospective clients may request deletion of their data in the following cases:
– The personal data is no longer necessary for the purposes for which it was collected;
– The individual concerned withdraws the consent on which the processing is based and there is no other legal basis for the processing;
– The individual concerned objects to the processing and there are no overriding legitimate grounds for continuing it;
– The individual concerned objects to the processing of their personal data for prospecting purposes, including profiling;
– The personal data has been subject to unlawful processing.
In accordance with data protection legislation, clients and prospective clients are informed that this is an individual right that can only be exercised by the person concerned with regard to their own data. For security reasons, the person concerned must confirm their identity so that confidential information relating to another person is not disclosed.
13. Right to restrictions
Clients and prospective clients are informed that they cannot restrict the processing of their personal data where the processing is lawful and all the personal data collected is necessary for the performance of the contract with the business.
14. Right to portability
When the business relationship ends, clients may, on request, exercise their right to portability over the data that they themselves provided to the business via the online form. This data is sent to them in a structured, commonly used and machine-readable format.
15. Automated individual decision
The business uses profiling techniques to identify commercial prospects. Accordingly, the individual concerned gives their explicit consent to the use of their data for profiling.
16. Post Mortem Right
Clients and prospective clients are informed that they have the right to give instructions on the storage, deletion and communication of their data after their death. Such instructions are sent by email to firstname.lastname@example.org or by post to the following address: 112 Rue Réaumur, 75002 Paris, France, accompanied by a signed copy of an identity document.
17. Mandatory and optional responses
Clients and prospective clients are made aware of the mandatory or optional responses on each personal data collection form by the presence of an asterisk.
In cases where responses are mandatory, the business explains the consequences of the absence of a response to clients and prospective clients.
18. The right to use data
The business is granted the right to use and process clients' and prospective clients' data for the purposes listed above.
However, enriched data resulting from the business' processing and analysis (usage analysis, statistics, etc.) remains the exclusive property of the business.
19. Outsourcing
The business informs its clients and prospective clients that it may outsource any part of the processing of personal data.
In that case, the business ensures that the subcontractor complies with the GDPR. The business only uses reputable subcontractors who comply with data protection law and strictly conform to GDPR requirements.
20. Security
It is up to the business to define and implement the technical, physical and software security measures it considers appropriate to protect against the accidental or unlawful destruction, loss or alteration of data, and against its unauthorised disclosure or access.
The main features of these measures include:
- Management of authorisations for access to data
- TLS (SSL) encryption of data in transit between user devices and the business' servers
- Data hosting in French data centres offering a maximum security level
- Regular and systematic security patching of infrastructure components
For this purpose, the business may engage any third-party organisation of its choice to carry out vulnerability audits or penetration tests as it deems necessary.
Except in cases of urgency or imminent risk, employees are informed in advance of these audits and are required to apply the protective measures of which they have previously been notified.
Where these audits call for it, the business replaces the existing data protection measures with more effective ones, in order to ensure the confidentiality and security of your personal data. No change to the business or its services may lead to a regression in the level of security.
Where the processing of personal data is outsourced in its entirety to a third party, the business contractually imposes security guarantees on the subcontractor, by means of technical data protection measures and appropriate human resources.
21. Violation of data
In the event of a personal data breach, the business will notify the CNIL (the French data protection authority) within the time limit set by the GDPR (within 72 hours of becoming aware of the breach, where feasible).
If the breach is likely to result in a high risk for the clients and prospective clients concerned and the affected data was not protected (for example by encryption), the business:
- Will inform the clients and prospective clients concerned
- Will send them the necessary information and recommendations.
22. Right to lodge a complaint with the CNIL
Clients and prospective clients whose personal data is processed are informed of their right to lodge a complaint with the competent supervisory authority, such as the CNIL, if they consider that the processing of their personal data does not comply with European data protection legislation, at the following address:
CNIL – Service des plaintes
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel : 01 53 73 22 22
23. Evolution
The current policy may be modified or adjusted at any time in response to legal or case-law developments, or to decisions or recommendations made by the CNIL.
24. For more information
For any additional information, you may contact the business at the postal and email addresses given in sections 10 and 16 above.
For more general information on personal data protection, please consult the CNIL website at the following address: www.cnil.fr