Personal data protection policy

1.  General provisions

 1.1.   Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR) sets out the legal framework for the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.

Subsequently, in order to implement the changes introduced by the GDPR, Law No. 78-17 of January 6, 1978, known as the Informatique et Libertés Act, was amended by Law No. 2018-493 of June 20, 2018 and by Ordinance No. 2018-1125 of December 12, 2018 relating to data protection.

The regulations applicable to the protection of personal data thus include the following texts:

- the GDPR;

- the French Data Protection Act (Loi Informatique et Libertés), as updated by the aforementioned texts;

- the recommendations of the CNIL.

For a proper understanding of this policy, it is specified that:

- the "data controller" means the natural or legal person who determines the purposes and means of processing personal data. Under the present policy, the data controller is MSC CONCEPT;

 - the "data subjects" are the persons who can be identified, directly or indirectly, by reference to the personal data collected by the data controller, i.e., within the framework of the present policy, all the contacts of MSC CONCEPT related to its customers and prospects whatever their status (employees or managers).

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible way.

1.2.   Definitions

- "personal data" means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

- "enriched data": enriched personal data is opposed to the notion of "raw" personal data provided by the data subject. It is data that is generated by the data controller. It can also be inferred and/or derived data created by the controller on the basis of data "provided by the data subject";

- "processing of personal data" means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

- "personal data breach" means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

1.3.   Purpose

In order to ensure the proper functioning of our company, we are required to process personal data relating to our contacts with our customers, prospects and partners in the context of commercial relations and contracts concluded with them.

The purpose of this policy is to meet our obligation to provide information and to remind you of the rights of our contacts with our customers, prospects and partners regarding the processing of their personal data.

1.4.   General principles

No processing is carried out by our company on data concerning you if it does not concern personal data collected by or for its services or processed in relation to its services and if it does not comply with the general principles of the GDPR.

Any new processing, modification or deletion of an existing processing will be made known to our customers and prospects by means of an amendment to this policy.

2.  Identification of processing operations

2.1.   Categories of data collected and origin of data 

The data is mainly collected directly from our contacts with customers and prospects of our company.

Consequently, we only collect and use the data necessary for the conclusion or execution of contracts with our company, namely

- identity of the contact person(s) in charge of a file or contacted for prospecting purposes (e.g.: title, surname, first name);

- professional contact details of the person(s) in charge of a file or contacted for prospecting purposes (e.g. professional email, professional postal address, professional fixed or mobile telephone number, fax number);

- professional information of the contact person(s) in charge of a file or contacted for prospecting purposes (e.g.: position, grade, function);

- technical data according to the case of use (identification or connection data such as IP address or logs);

- images of the person(s) in charge of a file or contacted for prospecting purposes (e.g. in the case of access to our premises).

 

2.2.   Purposes of the processing

| Purposes | Comment |
| --- | --- |
| Pre-contractual exchanges | We process the data of people who interact with us when we have approached the structure to which they belong for prospecting purposes or when they have contacted us to contract with us. |
| Contract and follow-up | We process the data of our customers' contact persons within the framework of the contractual relations between us and our customers. |
| Billing, payment and accounting | We process the data of our contacts with our customers and prospects within the framework of the invoicing and payment of the orders carried out. |
| Customer/prospect relationship management | We process the data of our customers and prospects in order to communicate with them in the context of questions they may ask us in connection with the current or future performance of a contract with our company. |
| Management of the customer and prospect directory | We maintain a directory of our customers and a directory of our prospects, which implies the mention of our main contacts with them. |
| Organization of events by our company | We process the data of our customers and prospects when we invite them to events that we organize or co-organize. |
| Sending newsletters or information feeds | When the addresses to which we send our newsletters or news feeds are not contact addresses, we use the data of our contacts with our customers and prospects. |
| Access management for third party personnel | We process the data of our interlocutors accessing our offices in order to secure access to them (e.g.: keeping a register, access badges...). |
| Video surveillance of third party personnel | Some specific areas of our offices, such as gates and fences, are subject to video surveillance, which results in the processing of data of third parties who may be filmed. |
| Realization of statistics | We may perform statistical analysis of our customers' and prospects' data. |

2.3.   Retention period

We define the period of conservation of the data of our interlocutors with our customers and prospects with regard to the legal and contractual constraints which weigh on us and, failing that, according to our needs.

As a matter of principle, data relating to our customers and prospects must be kept for the time strictly necessary to manage the commercial relationship. More specifically, we undertake to respect the following retention periods: 

| Processing | Retention period |
| --- | --- |
| Contracts concluded with our customers | 5 years from their conclusion; 10 years for contracts concluded by electronic means of more than 120 euros |
| Commercial correspondence (purchase orders, delivery notes, invoices, etc.) | 10 years from the end of the accounting period |
| Data processed for prospecting purposes | For customers: 3 years from the end of the commercial relationship (from the end of a contract or the last contact from the customer). For prospects: 3 years from their collection by MSC CONCEPT or from the last contact from the prospect (request for documentation, click on a link contained in an e-mail, etc.) |
| Images from video protection cameras | For a maximum period of one month |
| Access to the buildings | For a maximum period of one month |
| Technical data | 1 year from the date of collection |
| Cookies | 13 months |

The periods indicated in the previous table are necessarily extended for the legal period of prescription as evidence in case of litigation. In the latter case, the retention period is extended for the duration of the dispute.

After the set time limits, the data is either deleted or kept after being anonymized, notably for statistical purposes. They can be kept in case of pre-litigation and litigation.

Please note that deletion and anonymization are irreversible operations and that MSC CONCEPT is not able to restore the data afterwards.

2.4.   Legal basis

The processing of data of our contacts with our customers and prospects as presented above is based on the following conditions of lawfulness, which differ depending on whether the processing concerns customers or prospects:

- Clients: pre-contractual or contractual performance;

- Prospects: pre-contractual execution or legitimate interest of MSC CONCEPT.

2.5.   Beneficiaries of the data

The beneficiaries of the data are the natural or legal persons who receive communication of personal data. The beneficiaries of the data can be employees of MSC CONCEPT as well as external organizations.

We make sure that the data collected and processed within the framework of our relations with our customers and prospects are only accessible to authorized internal and external beneficiaries, and in particular to the following beneficiaries: 

- the personnel of the competent services authorized to manage the relationship with our contacts with our customers and prospects and their hierarchical managers;

- the personnel of the support services, i.e. the administrative, logistic and IT services and their line managers;

- our service providers or support services (e.g. IT service provider);

- the competent authorities in the event that we are required to share certain data with judicial officers, departments in charge of internal control procedures, etc.;

- in the event of a visit to our offices, the reception staff, who collect the data of all visitors in a register.

For internal recipients, we decide which recipient will have access to which data according to a clearance policy and ensure that they are subject to a confidentiality obligation.

Regarding external beneficiaries, we inform you that the personal data of our contacts with our customers and prospects may be communicated to some of our service providers or to any authority legally entitled to know (tax and social authorities in particular). In this case, MSC CONCEPT is not responsible for the conditions in which the staff of these authorities have access to and use the data.

3.  Management of people's rights

3.1.   Right of access and right to copy

Our customers and prospects have the right to ask us whether we are indeed processing data about their members (staff, managers, etc.) in the context of contracts concluded with them or in the context of prospecting messages that we send them.

They may also ask us to provide them with a copy of their members' data that is being processed.

However, if additional copies are requested, we may require our customers and prospects to bear the cost of providing the additional copy.

If requests from our customers and prospects are made electronically, the information requested will be provided in a commonly used electronic form unless otherwise requested.

Our customers and prospects are informed that this right of access may not relate to information or data that is confidential or for which the law does not allow disclosure.

The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilizing the proper performance of our services.

3.2.   Right of rectification

Our clients and prospects have the right to ask us to rectify certain data concerning their personnel that are obsolete or erroneous.

3.3.   Right to delete

Our customers can only invoke the right to delete their personnel data in the following cases:

- the contract has been terminated and is no longer in effect between our company and its customer;

- staff members whose data is processed and who are no longer employed by one of our customers and who therefore wish to be deleted from our customer database.

Our prospects may invoke the right to delete their personnel data insofar as they have the right to object to receiving marketing messages.  

3.4.   Right to limitation

Our customers and prospects are informed that this right is not intended to apply to the extent that the conditions required by the applicable regulations are not met with respect to our processing of the personal data of their staff members with whom we interact.  

3.5.   Right to portability

Our customers and prospects are informed that this right is not intended to apply to the extent that the conditions required by the applicable regulations are not met with respect to our processing of the personal data of their staff members with whom we interact.   

3.6.   Right to object

Customers and prospects have the right to object to any commercial prospecting by post, telephone or electronic means, including profiling insofar as it is linked to such prospecting.

In the particular case of electronic prospecting, it will be possible at any time for customers and prospects to object to such prospecting by clicking on the link in the e-mail sent. By SMS, it is possible to object to any prospecting by sending "stop" to the number appearing in the message received.

3.7.   Exercising the rights of our interlocutors

To exercise their rights, our customers and prospects must contact us in writing, either by post or by email, at the following addresses: nathalie@mscconcept.com.

Nathalie Six

MSC Concept / Espace Ombrage

19/21 allées de l’Europe

92110 Clichy - France

We make every effort to respond to requests within a reasonable period of time and, at best, within one month of receiving the request.

However, in the event that the processing of requests proves to be complex or we are faced with a large number of requests to exercise rights simultaneously, the processing time may be extended to two months.

4.  Additional provisions

4.1.   Subcontracting

We may use any subcontractor of our choice to process the personal data of our contacts with our customers and prospects.

In the sense of the GDPR, the processor is any natural or legal person who processes personal data on behalf of the controller. In practice, this means the service providers with whom MSC CONCEPT works and who intervene on MSC CONCEPT's personal data.

In this case, we ensure that the processor complies with its obligations under the GDPR.

We undertake to sign a written contract with all our subcontractors and impose on them the same data protection obligations that we impose on ourselves. In addition, we reserve the right to audit our processors to ensure their compliance with the provisions of the GDPR.

4.2.   Register of processing activities

We commit ourselves, as data controller, to keep an updated register of all processing activities carried out when required by law.

This register is a document or application that lists all the processing activities implemented by MSC CONCEPT as a data controller.

We commit ourselves to provide to the CNIL, at first request, the information allowing it to verify the conformity of the processing with the Informatique et Libertés regulations in force.

4.3.   Security measures

We implement such physical or logical technical security measures as we deem appropriate to protect against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.

These measures include primarily:

- management of authorizations for access to data; 

- internal backup measures; 

- identification processes;

- conducting security audits and penetration tests;

- the adoption of an information systems security policy;

- adoption of continuity / disaster recovery plans;

- the use of a security protocol or solutions.

In any case, we undertake, in the event of a change in the means to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.

4.4.   Data breach

We undertake to notify the CNIL of any data breach that we may suffer under the conditions prescribed by the regulations on personal data.

Our contacts with our customers and prospects are informed of any data breach that could pose a high risk to their privacy.

5.  Contacts

5.1.   Right to file a complaint with the CNIL

Our contacts with our service providers have the right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of personal data concerning them does not comply with the European data protection regulations, at the following address:

CNIL – Service des plaintes

3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07

Phone: 01 53 73 22 22

5.2.   Evolution

The present policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations of the CNIL or practices.

Any new version of this policy will be brought to the attention of our customers and prospects by any means we choose, including electronically (for example, by e-mail or online).

5.3.   For more information

For further information, you can contact the person in charge of personal data at the following e-mail address: nathalie@mscconcept.com.

For more general information on the protection of personal data, you can consult the CNIL website: www.cnil.fr/en/home