This policy applies to all processing of personal data carried out by the company.
II. COLLECTION PURPOSE
The company undertakes to collect and process personal data fairly and lawfully.
The processing operations carried out by the company serve explicit, legitimate and determined purposes. The data collected are not used for any other purpose.
The defined purpose determines the data’s relevance. Only the appropriate data strictly needed to achieve the purpose will be collected and processed.
These purposes are therefore compatible with our core competencies.
The company’s employees have been made aware of these new obligations.
III. INFORMATION ABOUT INDIVIDUALS
In accordance with this policy, each data collection document complies with the law and informs the person from whom personal data are collected of:
- The identity of the data controller and, where appropriate, that of their representative;
- The purpose of the processing operation for which the data are intended;
- The mandatory or optional nature of their replies;
- Recipients or categories of recipients of the data;
- The rights of individuals with regard to the processing of data;
- The existence, where applicable, of transfers of personal data and the country of destination;
- The storage period.
IV. RECIPIENTS OF THE COLLECTED DATA
The term "recipients" designates any person authorised to receive data, whether they are the company’s employees or a third party’s employees.
V. DATA STORAGE
The purpose of the processing operation determines the data storage period, which must not exceed the period required for this purpose.
The data collected from our employees are kept for the legal period required by social and tax regulations.
Data on customers or prospects used for business purposes only may be kept for a period of three years from the end of the business relationship, the expiry date of a contract or the last contact with a prospect.
The company determines and implements the means required to protect the processing of personal data in order to prevent any access by an unauthorised third party and to prevent any data loss, alteration or disclosure.
For example, computer rooms are closed, controlled rooms with access restricted to identified employees; in the event of a fire, they are protected by specific equipment (gas) in each room.
All IT servers are hosted by the company in France and are only accessible via logins and passwords.
“Administrator” passwords are only known to ISD members.
Data are backed up on physical media (LTO) which are stored in a restricted access room.
The data users can access depend on their position in the company, with the IT department managing various profiles.
The company’s personal data protection policy is thus organised around logical, physical or organisational measures.
VII. DATA INFRINGEMENT MANAGEMENT
If any data breach has been detected, it is the responsibility of the processing manager or any person with knowledge of such an event to inform our DPO and the ISD within 24 hours of the infringement detection.
As soon as the information is received, the ISD (Information Systems Director) will formulate an appropriate action plan. After approval by the processing manager, our DPO will carry out the required corrective actions and provide the appropriate information.
In particular, our DPO will inform any person whose personal data has been intercepted in any way by an unauthorised third party of the incident within 72 hours at the most.
VIII. USE OF YOUR PERSONAL DATA
The company complies with the obligations of the Data Protection Act and the European Data Protection Regulation (GDPR). Processing operations are set up for the three types of individuals involved:
- With regard to our employees: these processing operations are used to comply with legislation in our capacity as an employer;
- With regard to our customers: these processing operations are carried out under a business contract requiring us to collect and process personal data under this contract;
- With regard to our prospects: these processing operations are carried out in order to know them and make ourselves known to them, but also to regularly send them news and information about our products, brands, operations and/or media likely to arouse their interest.
IX. MANAGEMENT OF COMPLAINTS AND EXERCISE OF INDIVIDUAL RIGHTS
In accordance with the law, the exercise of your rights to access, query, change, oppose and correct information is carried out by e-mail or post sent to our DPO (Christophe DAMBREVILLE – Marck & Balsan 74, rue Villebois Mareuil 92230 Gennevilliers – email@example.com).
If you identify any error in these data or if you consider them incomplete or ambiguous, you may also ask us to correct, complete or clarify them.
Your requests must be accompanied by a photocopy of an identity document together with your signature.
The processing of personal data is recorded in a register kept by our DPO (Data Protection Officer).
XI. DATA TRANSFER
Any personal data collected are exclusively reserved for Marck & Balsan.
The company reserves the right to send the personal data of the individuals involved in order to comply with its legal obligations and, in particular, if it is required to do so by judicial requisition.
The company hereby undertakes not to transfer the data it holds about you outside the European Economic Area other than for the transfers required for the performance of a contract (e.g. contract with Egencia).
For any request for information relating to this personal data protection policy, you can contact our DPO (Christophe DAMBREVILLE – firstname.lastname@example.org).