Personal data management policy

Collection of personal data

The information that the [name of the client] is required to collect is communicated voluntarily by natural persons through online forms (available from the site [www.lienverslesite.com]). Each form indicates whether each item of data is optional or compulsory. These email addresses can be used to meet your needs and send you information (newsletter). However, you may object to receiving these emails by sending your request via the contact form.

The [client's name] undertakes that the collection and processing of personal data carried out from this site comply with law no. 78-17 of 6 January 1978, as amended, relating to data processing, files and freedoms, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, applicable on May 25, 2018. Thus, unless otherwise stipulated directly on the data entry form, the electronic addresses collected are not subject to any transfer to third parties by [name of client].

The destination of the information collected is specified on each online form.

Each form or teleservice limits the collection of personal data to what is strictly necessary (data minimization) and indicates in particular:

  • what are the objectives of collecting this data (purposes);
  • whether these data are mandatory or optional for the management of your request;
  • who will have access to it (only the [name of the client] in principle, unless specified in the form when transmission to a third party is necessary to manage your request);
  • your rights under the "Informatique et Libertés" law and how to exercise them with the [client's name].

Personal data collected as part of the services offered on [client's name] websites are processed according to secure protocols and allow [client's name] to manage requests received in its computer applications.

Personal information collected as part of the services offered by the community is kept in accordance with the rules prescribed by the departmental archives, by the law of 1978 and for a period justified by the purpose of their processing. The services of [client's name] have computer resources intended to manage your file, your requests as well as the services provided to you.

The information recorded is reserved for the use of the services concerned and can only be communicated to the staff of [name of the client] and to the authorized recipients.

In accordance with Articles 15 to 23 of the General Data Protection Regulation, you have the right to access and rectify information concerning you. You can also define the fate of your data after your death by contacting the Data Protection Officer. You can also, for legitimate reasons, oppose the processing of data concerning you, unless this right has been excluded by a legislative provision.

A copy of the personal data concerning you can be delivered to you, at your request and against reimbursement of the reproduction costs thereof. However, the Department has the possibility of opposing manifestly abusive requests, in particular by their number, their repetitive or systematic nature.

Requests to exercise the right of access, rectification, opposition and deletion can be made:

  • either in writing: the applicant sends a signed letter accompanied by a copy of an identity document to the following address:
    [Full postal address]
  • or by email, directly via the form "exercise your rights over your personal data"

Since the entry into force of the European Data Protection Regulation (REGULATION (EU) 2016/679) on May 25, 2018, any user has the right:

  • to oppose profiling
  • to request the restriction of processing
  • to lodge a complaint with a supervisory authority (In France: CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - Telephone: 01.53.73.22.22 - www.cnil.fr)

The 11 principles of the personal data management policy

The following 11 principles constitute the personal data management policy of [name of client].

Principle 1 - Responsibility

The [client's name] is responsible for the processing of personal data that it implements directly or indirectly in France and abroad. Consequently, it must strictly comply with the law on the Protection of Personal Data but also with the GDPR.
In accordance with legal requirements, it must complete all the formalities necessary for the implementation of the processing of personal data, whether these data concern its users or its agents.

Principle 2 - Determination of the purposes of the collection of personal data

The [client's name] must determine the purposes for which it collects personal data.
The data is collected for specific, explicit and legitimate purposes, and not to be further processed in a manner incompatible with these purposes; further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered, in accordance with Art.89 GDPR, paragraph 1, to be incompatible with the original purposes (limitation of purposes);

Article: 6, 26 of the GDPR.

Principle 3 - Transparency and lawfulness of collection

The [client's name] does not collect personal data without the knowledge of the data subjects. Likewise, the [client's name] does not collect personal data when the data subjects have a legitimate objection.
The data is collected lawfully in accordance with Article 6 of the GDPR.
The [client's name] provides the data subjects, from whom it collects their personal data, information on the purpose of the processing, the identity of the controller, the legal basis for the processing, the retention period and the scope of their rights in accordance with Articles 13 and 14 of the GDPR.

Principle 4 - Limitation of the collection of personal data and data quality

The [client's name] is limited to collecting only the personal data necessary to achieve the stated purposes. The data are adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization);

Article: 25 of the GDPR

The data provided by users must be accurate and, if necessary, the [client's name] will implement all necessary and reasonable measures to update them.

Article: 16 of the GDPR

Principle 5 - Limitation of the retention of personal data

The [client's name] ensures that the personal data it processes are updated while respecting the intended purposes. The retention periods must not exceed those necessary to achieve the intended purposes.
These retention periods are:

  • either issued by the Departmental Archives or the Archives of France,
  • or specified in legislative and / or regulatory texts.

These durations, or the elements making it possible to determine them, are brought to the attention of users.

Principle 6 - Physical and logical security of personal data

The [client's name] determines and implements the means necessary to protect personal data processing systems to avoid any malicious intrusion and prevent any loss, alteration or disclosure of data to unauthorized persons.
The [name of the client] determines and implements security measures to guarantee the confidentiality of the data:

Article 34 of the Data Protection Act.
Article 32 of the GDPR - Security of processing

The [client's name] requires its subcontractors and partners to provide sufficient guarantees to ensure the security and confidentiality of personal data (signature of confidentiality clauses).

Principle 7 - Personal data breach

In the event of a security breach, the [client's name] must notify the supervisory authority within 72 hours and must document all elements relating to the breach.
When a personal data breach is likely to generate a high risk for the rights and freedoms of a natural person, the controller communicates the personal data breach to the data subject as soon as possible.

Article 33 of the GDPR - Notification to the supervisory authority of a personal data breach
Article 34 of the GDPR - Communication to the data subject of a personal data breach

Principle 8 - Rights of individuals - Information

The [name of the client] will implement the necessary means to inform any person who requests it of the existence of personal data concerning him and of the use which is made of it.

It implements the necessary means to guarantee users and agents access to personal data concerning them when they request it. It takes all measures to rectify or delete erroneous information.

Each processing operation is the subject of complete information to the user or agent and must at least indicate the following elements:

  • The identity and contact details of the controller, and where applicable those of his representative;
  • Where applicable, the contact details of the data protection officer;
  • The purposes pursued by the processing for which the data are intended;
  • The legal basis for the processing;
  • The categories of data concerned by the collection for processing;
  • The categories of recipients of personal data, including in non-member states of the European Union or in international organizations;
  • If necessary, additional information, in particular when personal data is collected without the knowledge of the data subject;
  • The retention period of personal data or, when this is not possible, the criteria used to determine this period;
  • The existence or not of an automated decision;
  • The existence of the right to request from the controller access to personal data, their rectification or erasure, and the limitation of the processing of personal data relating to a data subject (the [name of the client] is not affected by the right to restriction of processing);
  • The right to lodge a complaint with the National Commission for Informatics and Freedoms and the contact details of the commission.

Principle 9 - Implementation of the personal data management policy

The [client's name] must provide its users and agents with precise information on the personal data management policy and the principles that make it up.
The [client's name] determines and implements all the useful and necessary operational measures to enable its services to apply the principles of the personal data management policy.
In this sense, the [client's name] educates and trains its departments on the principles applicable to the management of personal data and promotes good practices.

Principle 10 - Respect for the stated principles

The [client's name] has a Data Protection Officer who ensures compliance with the rules for the collection and processing of personal data set out in this document.
Anyone must be able to contact the Data Protection Officer on the principles set out above.

Principle 11 - Sustainability of the personal data management policy

For the purposes of the sustainability of its personal data management policy, the [client's name] regularly ensures that its constituent principles are consistent with developments in technology, law and the needs of users and third parties.

Data Controller [indicate the name of the data controller]
[contact details]

Personal Data Protection Officer
[name, address, phone, email]

[The following block must be duplicated for each of the site forms and adapted]

Specifics of the processing [indicate the name of the form]

The information collected about you is subject to computer processing, to which you consent, the purposes of which are [Indicate the purpose].

This is a proactive action by the [name of the client], data controller, aimed at [indicate the purpose of the form]. The processing is necessary for the performance of a public interest mission (Article 6-1-E of the GDPR).

The categories of personal data that may be processed within the framework of this form are as follows: [specify the personal data collected]. Mandatory data is indicated by a mention in brackets.
Your information is stored in a country of the European Union with an adequate level of protection.

The information recorded is intended for the services of [name of the client / specify the service] and can only be communicated, if necessary, to duly authorized recipients and intervening strictly within the framework of your file, namely professional bodies, contracted partners, service providers.

The data is automatically deleted after three months.

In accordance with article 39 and following of the law "Informatique et Libertés" of January 6, 1978, as amended, you have the right to access and rectify information concerning you. You can also define the fate of your data after your death, by writing to the Data Protection Officer - [DPO contact details] or by e-mail to [DPO e-mail].

You can also, for legitimate reasons, oppose the processing of data concerning you, unless this right has been excluded by a legislative provision.

Since the entry into force of the European Data Protection Regulation (REGULATION (EU) 2016/679) on May 25, 2018, all users have the right:

  • To oppose profiling
  • To request the restriction of processing
  • To lodge a complaint with a supervisory authority (In France: CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - Telephone: 01.53.73.22.22 - www.cnil.fr)