GDPR Policy

IP / IT & Data Protection

1. Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter GDPR), establishes the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects, and data recipients.

In the course of our activities, we are required to process personal data. For a clear understanding of this policy, it is specified that:

  • the “data controller”: Oneida Associés;
  • the “data processor”: refers to any natural or legal person who processes personal data on behalf of, under the instructions of, and under the authority of Oneida Associés;
  • the “data subjects”: refers to Oneida Associés’ clients and/or contacts;
  • the “recipients”: refers to natural or legal persons who receive personal data from Oneida Associés. Data recipients may therefore include both Oneida Associés employees and external organizations (partners, exhibitors, banking institutions, speakers, etc.).

The GDPR, in its Article 12, requires that data subjects be informed of their rights in a concise, transparent, intelligible, and easily accessible manner.

2. Purpose

The purpose of this policy is to fulfill the information obligation to which Oneida Associés is subject under the GDPR (Article 12) and to formalize the rights and obligations of its clients and contacts regarding the processing of their personal data.

3. Scope

This policy is intended to apply to the implementation of all personal data processing related to Oneida Associés’ clients and contacts.

Oneida Associés makes every effort to ensure that data is processed within a precise internal governance framework. That being said, this policy only covers processing for which Oneida Associés is the data controller and therefore does not cover processing that would not be created or operated outside the governance rules set by Oneida Associés (so-called “wild” processing or shadow IT).

Personal data processing may be managed directly by Oneida Associés or through a data processor specifically designated by Oneida Associés.

This policy is independent of any other document that may apply within the contractual relationship between Oneida Associés and its clients or contacts.

4. General Principles and Data Collection

No processing of client and contact data is implemented within Oneida Associés unless it relates to personal data collected by or for our services or processed in connection with our services, and unless it complies with the general principles of the GDPR.

Oneida Associés’ use cases are as follows:

Push media

All commercial and sales follow-up activities.

Prospecting, generally by email, SMS, telephone, etc.

Data is collected, depending on the use case, via opt-in or opt-out.
Events

Physical events organized by Oneida Associés or in which Oneida Associés participates or sponsors.

Data is generally collected during event registration (directly or via a partner) or during the event itself (newsletter, questionnaire, business card, dedicated mobile applications, etc.).

 

Social media

 All social selling operations. These notably include the collection of data related to registrations, posts, likes, replies and forwards, comments, reviews, etc.
Cookies See our cookie policy on this matter: click here.

 

This list is intended to be as exhaustive as possible; any new use case, modification, or deletion of existing processing will be brought to the attention of clients and contacts through an amendment to this policy.

5. Types of Data Collected

Non-technical data

(depending on use cases)

• Identity and identification (last name, first name, date of birth)

• Contact details (email, postal address, phone number)

• Personal / professional life when necessary

• Banking data if necessary
Technical data

• Identification data (IP address)

• Connection data (including logs and tokens)

• Acceptance data (click)

 

(depending on the use case) • Location data

6. Data Origin

Data relating to our clients and contacts is generally collected directly from them (direct collection). Collection can also be indirect, via specialized companies or via Oneida Associés’ partners and suppliers (indirect collection). In this case, Oneida Associés takes the utmost care to ensure the quality of the data communicated to it.

7. Purposes and Legal Bases

Depending on the case, Oneida Associés processes your data for the following purposes:

  • client relationship management (CRM);
  • contact relationship management (CRM);
  • community management;
  • user account management (including managing unsubscription, re-subscription, and opt-out requests);
  • service subscription; event organization;
  • opt-in and newsletter management;
  • retention of data related to legal security obligations.

These purposes are based on the performance of the contract concluded with its clients and on Oneida Associés’ legitimate interest in possessing data concerning its users and contacts.

8. Data Recipients – Authorization & Traceability

Oneida Associés ensures that data is only accessible to authorized internal or external recipients.

Internal Recipients External Recipients
  • authorized consultants responsible for client relationship management and prospecting,
  • administrative staff and their hierarchical superiors;
  • authorized personnel responsible for internal control procedures.
  • partners, external companies, or group subsidiaries;
  • authorized personnel of data processors.

Recipients of clients’ and contacts’ personal data within Oneida Associés are subject to a confidentiality obligation.

Oneida Associés determines which recipient may access which data according to an authorization policy.

Furthermore, personal data may be communicated to any legally

authorized authority to access it. In this case, Oneida Associés is not responsible for the conditions under which the personnel of these authorities access and use the data.

9. Retention Period

The data retention period is defined by Oneida Associés in light of the legal and contractual constraints it faces, and failing that, according to its needs, and notably according to the following principles:

Processing Retention Period
Client Data For the duration of contractual relations with Oneida Associés, extended by 3 years for animation and prospecting purposes, without prejudice to retention obligations or limitation periods
Data relating to members and users

For the period necessary for the performance of services provided by Oneida Associés and 1 year after the last intervention.

Cookies: 13 months
Contact and Prospect Data 3 years from their collection by Oneida Associés or from the last contact originating from the prospect / contact
Technical Data 1 year from their collection
Banking Data

Deleted as soon as the transaction is completed, unless expressly agreed by the

client in case of transaction dispute: retained for 13 months in archive following the debit date.

 

After the specified periods, data is either deleted or retained after being anonymized. It may be retained in case of pre-litigation and litigation. Clients and contacts are reminded that deletion or anonymization are irreversible operations and that Oneida Associés will subsequently no longer be able to restore them.

10 . Right of Confirmation and Right of Access

Clients and contacts have the right to request confirmation from Oneida Associés as to whether or not data concerning them is being processed.

Clients and contacts also have a right of access, which is subject to compliance with the following rules:

  • the request originates from the person themselves and is accompanied by an up-to-date copy of an identity document;
  • the request is made in writing to the following address: dpo@oneida-associes.com

Clients and contacts have the right to request a copy of their personal data being processed by Oneida Associés. However, in the event of a request for an additional copy, Oneida Associés may require clients and contacts to bear the financial cost.

If clients and contacts submit their data copy request electronically, the requested information will be provided to them in a commonly used electronic format, unless otherwise requested.

Clients and contacts are informed that this right of access cannot apply to confidential information or data for which the law does not authorize disclosure.

The right of access must not be exercised abusively, i.e., regularly for the sole purpose of destabilizing the service concerned.

11 . Update and Rectification

Oneida Associés fulfills update requests:

  • automatically for online modifications to fields that can be technically or legally updated;
  • upon written request from the person themselves, who must provide proof of identity.

12 . Right to Erasure

The right to erasure for clients and contacts will not be applicable in cases where processing is carried out to meet a legal obligation.

Outside of this situation, clients and contacts may request the erasure of their data in the following limited cases:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;
  • the data subject objects to processing necessary for the purposes of the legitimate interests pursued by Oneida Associés, and there are no compelling legitimate grounds for the processing;
  • the data subject objects to the processing of their personal data for direct marketing purposes, including profiling;
  • the personal data has been unlawfully processed.

In accordance with personal data protection legislation, clients and contacts are informed that this is an individual right that can only be exercised by the data subject concerning their own information: for security reasons, the relevant service will therefore need to verify your identity to prevent any communication of confidential information concerning you to anyone other than yourself.

13. Right to Restriction

Clients and contacts are informed that this right is not intended to apply insofar as the processing carried out by Oneida Associés is lawful and all collected personal data is necessary for the performance of its services.

14 . Right to Data Portability

Oneida Associés grants the right to data portability in the specific case of data communicated by clients and contacts themselves, concerning online services offered by Oneida Associés itself, and for purposes based on the performance of the contract binding the client to Oneida Associés. In this case, the data will be communicated in a structured, commonly used, and machine-readable format.

15 . Automated Individual Decision-Making

Oneida Associés does not engage in automated individual decision-making.

16. Post-Mortem Rights

Clients and contacts are informed that they have the right to formulate directives concerning the retention, erasure, and communication of their post-mortem data. The communication of specific post-mortem directives and the exercise of their rights are carried out by email to the address: dpo@oneida-associes.com or by postal mail to the following address: 24, rue Cambacérès, 75008 Paris, accompanied by a copy of a signed identity document.

17. Optional or Mandatory Nature of Responses

Clients and contacts are informed on each personal data collection form whether responses are mandatory or optional by the presence of an asterisk.

In cases where responses are mandatory, Oneida Associés explains to clients and contacts the consequences of not providing a response.

18. Right of Use

Oneida Associés is granted by clients and contacts a right to use and process their personal data for the purposes set out above.

However, enriched data resulting from Oneida Associés’ processing and analysis work, otherwise known as enriched data, remains the exclusive property of Oneida Associés (usage analysis, statistics, etc.).

19. Subcontracting

Oneida Associés informs its clients and contacts that it may engage any data processor of its choice for the processing of their personal data.

In this case, Oneida Associés ensures that the data processor complies with its obligations under the GDPR.

Oneida Associés undertakes to sign a written contract with all its data processors and imposes on them the same data protection obligations as itself. Furthermore, Oneida Associés reserves the right to conduct audits of its data processors to ensure compliance with GDPR provisions.

20 . Security

It is up to Oneida Associés to define and implement the technical security measures, whether physical or logical, that it deems appropriate to combat the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of data.

These measures primarily include:

  • access management for data;
  • internal backup measures;
  • identification processes;
  • conducting security audits;
  • adopting business continuity/disaster recovery plans;
  • using a security protocol or solutions.

21 . Data Breach

In the event of a personal data breach, Oneida Associés undertakes to notify the CNIL under the conditions prescribed by the GDPR.

If the said breach poses a high risk to clients and contacts and the data has not been protected, Oneida Associés will:

  • notify the affected clients and contacts;
  • communicate the necessary information and recommendations to the affected clients and contacts.

22 . GDPR Referent

Oneida Associés has appointed a GDPR referent, responsible for answering all questions that may arise regarding the protection of personal data.

The contact details of the Data Protection Officer are as follows:

In the event of new personal data processing, Oneida Associés will first consult the GDPR referent.

If clients and contacts wish to obtain specific information or ask a particular question, they may contact the GDPR referent, who will provide a response within a reasonable timeframe given the question asked or information required.

In case of any issue encountered with the processing of personal data, clients and contacts may contact the designated GDPR referent.

23. Processing Register

Oneida Associés, as the data controller, undertakes to keep an up-to-date register of all processing activities carried out.

This register is a document or application that lists all processing operations implemented by Oneida Associés, as the data controller.

Oneida Associés undertakes to provide the supervisory authority, upon request, with the information allowing said authority to verify the compliance of the processing with the current data protection regulations.

24 . Right to Lodge a Complaint with the CNIL

Clients and contacts concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they believe that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:

CNIL — Complaints Department
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22

25 . Evolution

This policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations from the CNIL, or changes in practices.

Any new version of this policy will be brought to the attention of clients and contacts by any means defined by Oneida Associés, including electronic means (e.g., email or online distribution).

26. For more information

For any other general information on personal data protection, you can consult the CNIL website www.cniI.fr.