GDPR Policy

IP / IT & Data Protection

1. Preamble

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter “GDPR”) lays down the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and obligations of the controllers, processors, data subjects and recipients of data.

As far as our activity is concerned, we are required to process personal data. For a good understanding of this Policy, the parties acknowledge that:

  • the “controller” is Oneida Associés;
  • “processor” means any natural or legal person who processes personal data under the instructions and authority and on behalf of Oneida Associés;
  • “data subjects” refers to the clients and / or contacts of Oneida Associés;
  • “recipients” refers to natural or legal persons who receive personal data from Oneida Associés. Recipients of data can therefore be employees of Oneida Associés as well as external organizations (partners, exhibitors, banks, stakeholders, etc.).

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible way.

2. Subject matter

The purpose of this Policy is to comply with the obligation of information that Oneida Associés shall implement pursuant to Article 12 of the GDPR and to formalize the rights and obligations of its clients and contacts with regard to the processing of their personal data.

3. Scope

This Policy applies when implementing any processing of personal data relating to clients and contacts of Oneida Associés.

Oneida Associés shall ensure that data is processed in the context of a specific internal governance. However, this Policy only deals with the processing for which Oneida Associés is a controller and therefore does not apply to processing that is created or operated beyond the governance rules set by Oneida Associés (“wild processing” or “shadow IT”).

Processing of personal data may be handled directly by Oneida Associés or through a processor specifically designated by Oneida Associés.

This Policy remains independent from any other document that may apply in the contractual relationship between Oneida Associés and its clients or contacts.

4. General principles & data collection

No processing shall be implemented within Oneida Associés concerning clients and contacts data if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not meet the general principles of the GDPR.

Common cases of Oneida Associés are as follows:

Push Media

Any sales strategy or commercial follow-up. Prospecting, usually by email, text message, phone, etc.

Depending on the case, data is collected on an opt-in or opt-out basis.

Events

Physical events organized by Oneida Associés, or in which Oneida Associés takes part or which it patronizes.

Data is usually collected during registration for the event (directly or through a partner) or during the event (form, questionnaire, business card, smartphone applications, etc.).

Social Media

Any social selling approach. It includes data collection related to registrations, posts, likes, replies and forwards, comments, notices, etc.

Cookies

Please refer to our Cookie Policy.

 

This list is intended to be as exhaustive as possible; any new use, modification or deletion of an existing processing will be reported to the clients and contacts by a modification of this Policy.

5. Type of data collected

Non-Technical Data (common cases)

Identity and identification (name, surname, date of birth, client ID number)

Contact information (email address, postal address, phone number)

Private / Working life where necessary

Bank information where necessary

Technical Data (common cases)

Identification data (IP address)

Login data (including logs and tokens)

Acceptance data (clicking)

Localization data

6. Data origin

Data relating to our clients and contacts is usually collected directly from them (direct collection). Collection can also be indirect via specialized companies or partners and suppliers of Oneida Associés (indirect collection). In this case, Oneida Associés takes the greatest care to ensure the quality of the data received.

7. Purposes and legal basis

Depending on the case, Oneida Associés processes your data for the following purposes:

  • Customer Relationship Management (CRM);
  • Contact Relationship Management (PRM);
  • community management;
  • management of user accounts (especially management of unsubscription requests, re-registration and unsubscribing);
  • subscription to services;
  • organization of events;
  • management of opt-ins and newsletters;
  • retention of data relating to the statutory obligations of security.

These purposes are based both on the performance of the contract entered into between Oneida Associés and its clients and on its legitimate interest in having data about its users and contacts.

8. Data recipients – authorization and tracking

Oneida Associés ensures that the data is accessible to authorized internal or external recipients only.

 

Internal Recipients

  • authorized consultants in charge of client relations and prospecting, administrative services, and their line managers;
  • authorized staff in charge of internal control procedures.

External Recipients

  • partners, external companies or subsidiaries of the same group of companies;
  • processors’ authorized staff.

 

Recipients of clients and contacts’ personal data within Oneida Associés are subject to a confidentiality obligation.

Oneida Associés decides which recipient will have access to any data according to an authorization policy.

In addition, personal data may be communicated to any competent authority. In this case, Oneida Associés is not responsible for the conditions in which the personnel of these authorities have access to and use data.

9. Retention period

The data retention period is defined by Oneida Associés with regard to the legally and contractually binding constraints and, failing that, to its needs and especially according to the following principles:

Processing: Retention Period

  • Client Data: for the duration of the contractual relationship with Oneida Associés, increased by 3 years for purposes of animation and prospecting, without prejudice to conservation obligations or limitation periods.
  • Users and Members Data: during the period necessary for the performance of the services provided by Oneida Associés and 1 year after the last intervention. Cookies: 13 months.
  • Contacts and Prospects Data: 3 years from their collection by Oneida Associés or from the last contact from the prospect/contact.
  • Technical Data: 1 year as from their collection.
  • Banking Data: removed upon completion of the transaction, unless express agreement by the client. Where the transaction is challenged: stored 13 months according to the debit date.

 

Upon expiry of the set periods, data is either deleted or stored after being anonymized. Data can be stored in case of pre-litigation and litigation. Clients and contacts are reminded that deletion and anonymization are irreversible operations and that Oneida Associés is no longer able to restore the data after that.

10. Right to obtain confirmation and right of access

Clients and contacts shall have the right to ask Oneida Associés for confirmation that data relating to them is or is not being processed.

Clients and contacts shall also have a right of access, subject to compliance with the following rules:

  • the request shall come from the person concerned, together with a copy of an up-to-date identity document;
  • the request shall be made in writing to the following e-mail address: dpo@oneida-associes.com.

Clients and contacts have the right to request a copy of their personal data processed by Oneida Associés. However, in the event of a request for an additional copy, Oneida Associés may require the payment of this cost by the clients and contacts.

If clients and contacts submit their request for a copy of their data electronically, the requested information will be provided in a commonly used electronic form, unless otherwise requested.

Clients and contacts are informed that this right of access cannot relate to confidential data or information, or data for which communication is not authorized by law.

The right of access shall not be overused, i.e. carried out regularly for the sole purpose of destabilizing the service concerned.

11. Update – actualization & rectification

Oneida Associés satisfies update requests:

  • automatically for online changes concerning fields that technically or legally can be updated;
  • upon written request from the person concerned, who shall prove their identity.

12. Right to erasure

The right to be forgotten for clients and contacts shall not apply in cases where the processing is implemented to meet a legal obligation.

Apart from this situation, clients and contacts may request the removal of their data in the following limiting cases:

  • personal data is no longer necessary for the purposes for which it has been collected or otherwise processed;
  • where the data subject withdraws the consent on which the processing is based and there is no other legal basis for processing;
  • the data subject objects to the processing necessary for the legitimate interests pursued by Oneida Associés and there is no compelling legitimate reason for the processing;
  • the data subject objects to the processing of its personal data for the purposes of prospecting, including profiling;
  • personal data has been subject to unlawful processing.

In accordance with the legislation on the protection of personal data, clients and contacts are informed that it is an individual right which can only be exercised by the data subject with regard to its own information: for security purposes, the service concerned shall therefore verify the identity of clients and prospects to avoid any disclosure of confidential information about them to another person.

13. Right to restriction

Clients and contacts are informed that this right is not intended to apply insofar as the processing operated by Oneida Associés is lawful and all the personal data collected is necessary for the performance of its services.

14. Right to portability

Oneida Associés allows data portability in the specific case concerning data communicated by clients and contacts themselves, for online services offered by Oneida Associés itself and for the purposes based on the performance of the binding contract between the client and Oneida Associés. In this case data will be communicated in a commonly used, structured and machine-readable format.

15. Automated individual decision

Oneida Associés does not make automated individual decisions.

16. Post-mortem right

Clients and contacts acknowledge that they have a right to provide guidelines regarding the retention, deletion and communication of their post-mortem data. Communication of specific post-mortem instructions and the exercise of their rights shall be provided by e-mail: dpo@oneida-associes.com or by post to the following address: 24, rue Cambacérès, 75008 Paris, along with a copy of a signed identity document.

17. Optional or mandatory answers

Clients and contacts are informed that, on each personal data collection form, an asterisk specifies the mandatory or optional nature of the answers.

In the case where answers are mandatory, Oneida Associés shall explain to clients and contacts the consequences of an absence of answer.

18. Right to use

Clients and contacts grant Oneida Associés the right to use and process their personal data for the purposes set out hereinabove.

However, data arising from processing and analysis work performed by Oneida Associés, otherwise known as enriched data, remains the exclusive property of Oneida Associés (usage analysis, statistics, etc.).

19. Processors

Oneida Associés informs its clients and contacts that it can involve any processor of its choice in the processing of their personal data.

In this case, Oneida Associés shall ensure compliance by the processor with its obligations under the GDPR.

Oneida Associés undertakes to enter into a written agreement with all its processors and imposes on the processors the same data protection obligations as itself. Furthermore, Oneida Associés reserves the right to audit its processors to ensure compliance with the provisions of the GDPR.

20. Security

Oneida Associés shall define and implement technical security measures, physical or logical, that it considers appropriate against the destruction, loss, alteration or unauthorized disclosure of data in an accidental or unlawful manner.

These measures include mainly:

  • management of authorizations for data access;
  • internal safeguard measures;
  • identification process;
  • conducting security audits;
  • adoption of continuity / business recovery plans;
  • use of a protocol or security solutions.

21. Data breach

In case of personal data breach, Oneida Associés undertakes to notify the CNIL in the conditions provided by the GDPR.

If this breach constitutes a high risk for clients and contacts and the data has not been protected, Oneida Associés shall:

  • notify the relevant clients and contacts;
  • communicate the necessary information and recommendations to the clients and contacts concerned.

22. Data protection officer

Oneida Associés has appointed a Data Protection Officer responsible for handling all the issues that may arise concerning personal data protection.

The contact details for the Data Protection Officer are as follows:

  • Postal address: 24 rue Cambacérès 75008 Paris
  • E-mail address: dpo@oneida-associes.com

In case of new processing of personal data, Oneida Associés will first refer to the Data Protection Officer.

If clients and contacts wish to obtain particular information or ask a specific question, they will be able to contact the Data Protection Officer who will give them an answer in due time in relation to the question asked or the information required.

Should there be any issue arising from the processing of personal data, clients and contacts may contact the designated Data Protection Officer.

23. Record of processing activities

Oneida Associés, as a controller, undertakes to maintain a record of all processing activities performed.

This record is a document or application to identify all the processing implemented by Oneida Associés, as a controller.

Oneida Associés undertakes to provide the supervisory authority, on first request, with the information enabling this authority to ensure that the processing complies with data protection laws in force.

24. Right to lodge a complaint with the CNIL

Clients and contacts concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of personal data does not comply with the European Data Protection Regulation, to the following address:

CNIL – Service des plaintes
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: +33 1 53 73 22 22

25. Evolution

This Policy may be modified or amended at any time in the event of legal or case law developments, of the decisions and recommendations of the CNIL or uses.

Clients and contacts will be informed of any new version of this Policy by any means defined by Oneida Associés, including electronically (broadcasting by email or online for example).

26. More information

For any other more general information on personal data protection, please visit the CNIL website at the following address: www.cnil.fr.