Privacy policy
- PREAMBLE – DEFINITIONS
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation (hereinafter “GDPR”), establishes legal framework applicable to the processing of personal data.
The GDPR strengthens the rights and obligations of data controllers, processors, data subjects, and recipients of data.
In the course of our activities, we process personal data.
For a better understanding of this Policy, the following terms are defined as follows:
- personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific elements related to their physical, physiological, genetic, mental, economic, cultural, or social identity;
- data subjects (hereinafter “Data Subjects”): individuals whose data are processed by CHR NUMERIQUE (excluding employees), including job applicants, clients, prospects, and suppliers;
- processing of personal data: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
- data controller: refers to the company CHR NUMERIQUE, Immeuble La Coursive, 60 Avenue Baron Lacrosse, 29850 GOUESNOU, hereinafter referred to as “CHR NUMERIQUE”;
- processor: refers to any natural or legal person who processes personal data on behalf of the data controller;
- recipients: refers to the natural or legal persons who receive personal data from the data controller.
- PURPOSE OF THE PRESENT POLICY
To ensure its proper operation, CHR NUMERIQUE is required to implement and manage personal data processing activities.
Article 12 of the GDPR requires that Data Subjects be informed of their rights in a concise, transparent, intelligible, and easily accessible form.
The purpose of this Policy is to fulfil our obligation to provide information and to remind you of the rights you have regarding personal data.
- SCOPE
This Policy applies to all personal data processing activities related to Data Subjects, with the exception of CHR NUMERIQUE employees (who are subject to a specific data protection policy).
This Policy only concerns processing activities for which CHR NUMERIQUE is the data controller.
The processing of personal data may be performed directly by CHR NUMERIQUE or by a specifically designated processor.
This Policy is independent of any other document that may apply within the contractual relationships between CHR NUMERIQUE and the Data Subjects.
- GENERAL PRINCIPLES & DATA COLLECTION
No processing is performed by CHR NUMERIQUE unless it involves personal data collected by or for our services or processed in connection with our services and complies with the general principles of the GDPR.
The use cases are as follows:
- Management and monitoring of the commercial relationship with our clients
All procedures related to the setup and monitoring of contracts, orders, subscriptions, deliveries, management of your client account, handling of complaints; sending personalized information and newsletters about our products and services and their evolution, about our news, and about your professional activities, when these information and newsletters are directly related to your subscriptions and are an integral part of your subscriptions; preparation of commercial statistics
- Management and monitoring of the commercial relationship with our suppliers and service providers
All procedures related to the setup and monitoring of contracts, orders, subscriptions, deliveries, and handling of complaints.
- Management of invoicing and accounting
All procedures related to invoicing and accounting for products or services.
- Debt collection and litigation management
All procedures aimed at enabling us to recover amounts owed to us
- Providing our products and services
All procedures related to the provision of our products and services and the execution of subscription contracts
- Management of applications
Monitoring of applications, evaluating the candidate’s ability to hold the proposed position, invitations to interviews.
- Contests
Any entertaining procedure aimed at awarding a prize to clients or prospects of CHR NUMERIQUE, whether performed directly by CHR NUMERIQUE or its partners. The collected data include those necessary for managing participation, identifying participants, and awarding prizes or gifts.
- Prospecting and marketing
All commercial procedures, follow-up of commercial relations; prospecting, usually by email, SMS, phone; sponsorship operations, promotional offers; conducting surveys, studies, satisfaction surveys, and product tests; improving your user experience with our products, services, websites, and/or applications; sending personalized information and newsletters about our products and services and their evolution, about our news, and your professional activities; analysis of your purchasing preferences.
- Events
Events organized by CHR NUMERIQUE or in which CHR NUMERIQUE participates or sponsors; data are generally collected during registration for the event (directly or via a partner) or during the event itself (form, questionnaire, business card, dedicated mobile applications, etc.).
- Social media
All social selling operations, including the collection of data related to registrations, posts, likes, replies and forwards, comments, reviews, etc.
- Cookies
Please refer to our Cookie Policy for more information.
- TYPES OF DATA COLLECTED
- Non-technical data (depending on use cases)
Identification (name, first name, etc.)
Landline/mobile phone numbers
Email address
Bank details
Photo, when you grant us this right
Personal/professional life, when necessary
Home address, when necessary
- Technical data (depending on use cases)
Identification data (IP)
Connection data (logs, etc.)
Acceptance data (click)
- ORIGINS OF DATA
Data relating to Data Subjects are generally collected directly from them (direct collection).
Collection may also be indirect:
- via specialized companies (purchase or rental of databases) or via partners and suppliers of CHR NUMERIQUE. In this case, CHR NUMERIQUE takes great care to ensure the quality of the data provided;
- via sponsorship. In this case, the sponsor ensures that they can provide us with personal data.
- PURPOSES AND LEGAL BASIS OF PERSONAL DATA PROCESSING
Depending on the case, CHR NUMERIQUE processes your data for the following purposes:
- supply of our products and services, performance of the subscription contract;
- management of the customer/prospect relationship, commercial prospecting;
- management of the supplier relationship, subscription to products or services;
- managing job applications;
- management of invoicing and accounting;
- management of complaints, pre-litigation and litigation;
- management of requests to unsubscribe and unsubscribe from newsletters;
- improving our products and services, satisfaction surveys, opinion polls, product and service tests;
- marketing and communication operations;
- marketing analysis ;
- statistics;
- archiving.
The processing performed by CHR NUMERIQUE under this Policy is all legally based on the performance of a contract or the legitimate interest of CHR NUMERIQUE.
Where necessary, CHR NUMERIQUE obtains the consent of the Data Subjects.
- DATA RECIPIENTS
CHR NUMERIQUE ensures that data are only accessible to authorized internal or external recipients.
- Internal recipients
Authorized personnel (in particular : Marketing & Communication department, the Sales department, HR department, Client relations and prospecting departments, administrative services, logistics and IT departments, as well as their hierarchical superiors).
Authorized personnel from the audit services (auditors, personnel in charge of internal control procedures, etc.).
- External recipients
Partners and service providers of CHR NUMERIQUE.
Affiliates of CHR NUMERIQUE or other entities belonging to the same corporate group.
Organizations, judicial auxiliaries, and legal officers, within the framework of debt collection.
Authorized personnel of subcontractors.
The recipients of personal data are bound by a confidentiality obligation.
Additionally, your personal data may be disclosed to any authority legally authorized to access it. In this case, CHR NUMERIQUE is not responsible for how such authorities access and use the data.
- DATA RETENTION PERIOD
The retention period for your data is determined by CHR NUMERIQUE according to its legal and contractual obligations, or in their absence, according to its needs and, in particular, based on the following principles:
- Client data
During the duration of the contractual relationship with CHR NUMERIQUE, extended by 3 years for marketing and prospecting purposes, without prejudice to retention obligations and limitation periods.
- Prospect data
3 years from their collection by CHR NUMERIQUE or the last contact from the prospect.
- Supplier and service provider data
During the duration of the contractual relationship with CHR NUMERIQUE, extended by the limitation periods and retention obligations.
- Data processed for managing contest participation
6 months from their collection.
- Data processed for commercial and marketing statistics
3 years after the end of the contractual relationship.
- Data processed for surveys, studies, satisfaction surveys, and product tests
2 years from their collection.
- Applications and recruitment
Immediate deletion if the candidate is not selected for the position.
Option to retain the CV for 2 years after the last contact with the candidate if informed.
- Technical data
1 year.
- Bank details
During the duration of the contractual relationship with CHR NUMERIQUE, extended by the limitation periods and retention obligations.
If required by law, these periods may be extended.
Furthermore, it is specified that if personal data are collected for multiple purposes, they will be retained until the longest retention or archiving period expires.
After the defined periods, data are either deleted or anonymized, particularly for statistical purposes. Data may be retained in case of pre-litigation or litigation.
It should be noted that deletion or anonymization is irreversible, and CHR NUMERIQUE will not be able to restore the data afterward.
- RIGHT TO CONFIRMATION AND ACCESS
You have the right to ask CHR NUMERIQUE for confirmation as to whether personal data concerning you are being processed.
You also have a right of access, subject to compliance with the following conditions:
- The request must come from the Data Subject, and there should be no doubt about their identity. Otherwise, CHR NUMERIQUE reserves the right to request any element that can verify their identity, such as a copy of an identity card or passport;
- The request must be made in writing to the DPO address indicated in Article 23 of this Policy.
You have the right to request a copy of your personal data processed by CHR NUMERIQUE. However, in the case of an additional copy request, CHR NUMERIQUE may charge for this cost.
If you submit your data copy request electronically, the requested information will be provided in a commonly used electronic format, unless otherwise requested.
This right of access cannot apply to confidential information or data, or where the law does not permit disclosure.
The right of access must not be abused, meaning that it should not be exercised frequently with the sole purpose of disrupting the service concerned.
- UPDATING – MODIFICATION AND RECTIFICATION
CHR NUMERIQUE responds to update requests:
- Automatically for online changes in fields that can be updated technically or legally;
- Upon written request from the Data Subject themselves, who must justify their identity.
- RIGHT TO ERASURE
The right to erasure will not apply in cases where processing is performed to comply with a legal obligation.
Outside of this situation, Data Subjects may request the deletion of their data in the following limited cases:
- Personal data are no longer necessary for the purposes for which they were collected or processed;
- The Data Subject withdraws consent on which the processing is based, and there is no other legal basis for the processing;
- The Data Subject objects to processing necessary for CHR NUMERIQUE’s legitimate interests, and there is no overriding legitimate reason for the processing;
- The Data Subject objects to the processing of their personal data for direct marketing purposes, including profiling;
- The personal data have been unlawfully processed.
In accordance with personal data protection legislation, this is an individual right that can only be exercised by the Data Subject regarding their own information. For security reasons, our services will therefore verify your identity to prevent confidential information concerning you from being communicated to someone else.
- RIGHT TO RESTRICTION
Data Subjects are informed that this right does not apply if the processing performed by CHR NUMERIQUE is lawful and the personal data collected is necessary to comply with the provisions of a contract.
- RIGHT TO DATA PORTABILITY
The right to portability can only be exercised in the specific case of data provided by the Data Subject themselves, on online services offered by CHR NUMERIQUE, and for purposes based solely on the consent of the individuals. In this case, the data will be provided in a structured, commonly used, and machine-readable format.
- RIGHT TO OBJECT AN AUTOMATED INDIVIDUAL DECISION
CHR NUMERIQUE does not perform any processing based on automated individual decision-making.
- POST-MORTEM RIGHTS
Data Subjects are informed that they have the right to formulate directives concerning the retention, deletion, and communication of their data after death. Specific post-mortem directives are addressed to the DPO (whose contact details are indicated in Article 23 of this Policy) by written request.
- OPTIONAL OR MANDATORY NATURE OF RESPONSES
Data Subjects are informed on each personal data collection form whether the responses are mandatory or optional.
- RIGHT OF USE
CHR NUMERIQUE is granted the right by Data Subjects to use and process their personal data for the purposes outlined above.
However, enriched data, which are the result of processing and analysis by CHR NUMERIQUE, remain the exclusive property of CHR NUMERIQUE (usage analysis, statistics, etc.).
- PROCESSOR
CHR NUMERIQUE may involve any processor of its choice in the processing of personal data.
In this case, CHR NUMERIQUE ensures that the processor complies with its obligations under the GDPR.
- TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
In the event of a transfer of personal data to a third country outside the European Union or to an international organization, CHR NUMERIQUE will ensure that such data are subject to an adequate level of protection in compliance with the regulations, in particular by using appropriate safeguards.
- SECURITY
It is the responsibility of CHR NUMERIQUE to define and implement technical, physical, or logical security measures that it deems appropriate to combat the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of data.
These measures include:
- The use of security measures for access to premises (office locks, badges, etc.);
- Security of access to our computers and smartphones;
- Login and password for our business applications;
- Authorization management for access to data;
- VPN for remote connections.
To achieve this, CHR NUMERIQUE may enlist the assistance of any third party of its choice to conduct vulnerability audits or penetration tests as often as it deems necessary.
Collected data are hosted by the provider OVHcloud, which guarantees the physical security of data through access controls at data centers. OVHcloud is certified ISO/IEC 27001, PCI-DSS, compliant for hosting health data in Europe, HDS compliance in France, HIPAA and HITECH compliance for hosting health data in the United States, GDPR, SOC I-II type 2, CSA STAR, CISPE, PSEE.
In any case, CHR NUMERIQUE undertakes, in case of changes in the means used to ensure the security and confidentiality of personal data, to replace them with higher-performance means. No evolution may result in a reduction in the level of security.
If the processing of personal data is partially or fully subcontracted, CHR NUMERIQUE undertakes to impose on its subcontractors contractual security guarantees through technical protection measures and appropriate human resources.
- DATA BREACH
In the event of a personal data breach, CHR NUMERIQUE undertakes to notify it to the supervisory authority competent under the conditions prescribed by the GDPR.
If said breach poses a high risk to Data Subjects, CHR NUMERIQUE will:
- Notify the Data Subjects whose data were breached;
- Provide them with the necessary information and recommendations.
- DATA PROTECTION OFFICER (DPO)
Our Data Protection Officer’s contact details are as follows:
Data Protection Officer (DPO)
SAS CHR Numérique
60 Avenue Baron Lacrosse, 29850 GOUESNOU
Email: dpo@chr-numerique.fr
If Data Subjects wish to obtain specific information or ask a specific question, they can contact the DPO at the above contact details.
- RECORD OF PROCESSING ACTIVITIES
CHR NUMERIQUE, as the data controller, undertakes to maintain an up-to-date record of the processing activities performed.
- RIGHT TO LODGE A COMPLAINT
in accordance with GDPR, Data Subjects are informed of their right to lodge a complaint with a supervisory authority, in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to him or her infringes the GDPR.
- EVOLUTION
This Policy may be amended or adjusted at any time.
Any new version of this Policy will be communicated to Data Subjects by any means defined by CHR NUMERIQUE, including online publication.