1.1 Introduction Numen Group places great value on protecting the personal data of its employees, clients and prospective clients, and is committed to maintaining their trust in the organisation. Naturally aware of the processing and protection of personal data of individuals to whom it has a duty of care within the scope of its activities, Numen Group recognises the importance of ensuring compliance with the national and European regulations in force and, therefore, of using personal data responsibly and assisting data subjects in the exercise of their corresponding rights, in order to guarantee that the privacy of all individuals is protected.
This policy applies to all departments of Numen Group. It formalises the commitments of Numen Group in respect of personal data protection, and forms part of our informative approach to practices for the implementation of the legislation in force.
1.2 Legal Framework We have put in place organisational measures and take action to guarantee our compliance with the legal and regulatory framework: the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR), applicable as of 25 May 2018, Law no. 78-17 of 6 January 1978, as amended (the French Data Protection Act), and all other applicable legislation or regulations relating to personal data.
In order to correctly apply the GDPR and the French Data Protection Act, we abide by the recommendations of the competent authorities, including the French Data Protection Authority (CNIL) and the European Data Protection Supervisor (EDPS, formerly “the G29”).
1.3 Issues and Objectives Numen Group is committed to ensuring that its personal data processing complies with the legislation and doctrines in force. The objective of the personal data protection policy is to present to clients, prospective clients, partners and employees of Numen Group: the general principles, organisation, compliance with the rights of data subjects, and management of outsourcing and third parties implemented by Numen Group as part of its compliance procedure.
1.4 Important Definitions “Personal data” means any information relating to an identified or directly or indirectly identifiable natural person. For example, this includes data making it possible to identify you (personally identifiable information): social security number, first name, surname, date and place of birth, residency identification number in an establishment, etc., and any information that may be linked to these latter. It may also include a set of information that is not inherently personally identifiable but, when combined, makes it possible to identify you as a specific individual. Data that is linked to personally identifiable information qualifies as personal data.
“Personal data processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data subject” shall mean a person whose personal data is processed by Numen Group. This may include our employees, partners, client contacts and prospective client contacts.
“Data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing. For example, Numen Group is the data controller with regard to the internal management of its employees.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller. Numen Group is a processor with regard to activities conducted on behalf of its clients.
2 DATA PROTECTION GOVERNANCE
2.1 Duties of the Data Privacy Officer In order to oversee and maintain our compliance with the regulations in force, we have incorporated the observance of the obligations and principles relating to personal data processing within our organisation.
We have designated a Data Privacy Officer (DPO) to act as an “orchestra conductor” for GDPR compliance. The DPO is familiar with our sphere of activity and the personal data protection legislation, has sufficient resources to exercise their duties and acts in a fully independent capacity.
The primary duties of the DPO are:
· Providing information and advice;
· Monitoring compliance with regulations and French law relating to data protection;
· Advising on and verifying the due performance of impact assessments relating to data protection;
· Handling any enquiries by data subjects;
· Cooperating with and being the point of contact for the French Data Protection Authority.
In the exercise of their duties, the DPO works in collaboration with employees and, in particular, with the information systems manager, whose responsibilities include computer processing security. Measures relating to compliance, risks of non-compliance or security are reported directly to the most senior level of management.
As part of our commitment to compliance, we have employed a consultancy firm specialising in cybersecurity and regulatory compliance, and together we have established a roadmap to sustain our regulatory compliance and increase our level of security.
In order to maintain our compliance over the long term, we regularly audit our organisation, practices and establishments to guarantee the observance of regulatory principles and obligations. In addition, our DPO keeps updated records of our processing activities as a processor and data controller.
In particular, these records contain:
– The names and contact details of the various stakeholders;
– The purpose of the processing;
– The categories of the data;
– The link to the PIA;
– The notification process in the event of a data breach;
– The archiving period;
– The data hosting location.
2.2 Duties of Data Privacy Contacts The DPO for Numen Group is supplemented by numerous personal data privacy contacts allocated at individual sites and in each internal department: the Human Resources Department, Information Systems Department, Marketing Department, Legal Department, Administration and Finance Department and Corporate Services Department.
This network of contacts facilitates local relaying of information and contributes to compliance measures according to individual responsibilities. Accordingly, the duties of data privacy contacts are: to keep records of processing within their domain, to annually review the occurrence of changes that may have affected the processing within their domain, to inform the DPO in the event of a personal data breach, and to submit the processing records to the DPO.
2.3 Contacting the DPO For more information about personal data processing or our compliance management, please contact our DPO:
· By email at firstname.lastname@example.org;
· Via the form on our official website: http://www.numen.fr/fr/rgpd-1/; or
· By post at this address: Numen sa, SERVICE DPO, 87 rue Saint Lazare, 75009 Paris – France.
3 COMPLIANCE WITH PERSONAL DATA PROTECTION PRINCIPLES
3.1 Lawfulness of Processing Numen Group is committed to ensuring the lawfulness of data processing undertaken as part of its internal and external activities. In order to comply with the principle of lawfulness, one or more legal bases for the personal data processing are determined, case by case, from the list provided under Article 6, first paragraph, of the European regulation.
The main legal bases for the activities of Numen Group are:
– The performance of contracts: for example, when a client outsources an activity to us;
– Compliance with our legal and regulatory obligations: for example, collecting tax information concerning our employees;
– The consent of data subjects: for example, when subscribing to the Numen Newsletter on our official website.
Where consent constitutes the legal basis for data processing, the teams at Numen Group exercise the utmost vigilance in order to guarantee that said consent is specific, unambiguous, freely exercised and notified upon receipt, and that it can be withdrawn where applicable.
3.2 Fair Processing Numen Group is committed to processing personal data under conditions that ensure you the greatest possible transparency. We will never process your personal data without your knowledge. Accordingly, we guarantee the fair processing of your information, in accordance with European law and your reasonable expectations.
3.3 Purpose Limitation
The personal data that we process shall always be used for purposes that are predetermined, explicit and legitimate in respect of our activities. In order to comply with the provisions of the European regulation, we have clearly, explicitly and exhaustively predefined the purposes of our activities as a data controller (for example, the management of Numen personnel).
With regard to our activities as a processor, our clients themselves have also defined the purposes of our operations (for example, the dematerialisation of client documents, DTP or digital safes) within a contractual framework. Accordingly, your data will never be processed for purposes that are incompatible with the initial purpose for which it was collected.
3.4 Data Minimisation The personal data entrusted to Numen Group is that which is strictly necessary for its activities. In accordance with the principle of personal data minimisation, only information that is relevant, adequate and limited to what is necessary in relation to the purposes for which it is processed shall be processed. In order to guarantee you the appropriate proportionality, we evaluate this principle on a case-by-case basis.
As part of certain activities as a processor, Numen Group is entrusted with personal data in both analogue and digital format. According to requirements, these outsourcing activities may include the conversion of physical documents to digital format, the production of cheques or any other management document, the production of loyalty cards, or data hosting under the SaaS model. Clients entrusting their personal data to Numen ensure that it is minimised in relation to the predetermined purpose of the processing.
As part its activities as a data controller, Numen Group guarantees its employees that the collection of their personal data is minimised in order to ensure strict compliance with its employer obligations and prerogatives.
3.5 Data Accuracy Numen Group pays special attention to the accuracy of data collected and stored as part of its activities as a data controller. Data is updated as necessary in order to correct any inaccuracies. As an employee or contact of Numen Group, you may submit a request to rectify your personal data to our DPO, accompanied by proof of your identity.
As a client of Numen Group, we wish to inform you that, as part of our outsourcing activities, we have put in place a process for the alteration and deletion of your personal data, in the event that you or a data subject wish to rectify, update or erase inaccurate information.
3.6 Transparency of Processing Numen Group guarantees that identifiable persons whose data it processes shall be informed. This information is provided to you in clear, simple and easily accessible terms, whatever the medium of communication: our official website, forms, IT charter, etc.
Where we collect your data directly from you, we ensure to provide you with the information listed under Article 13 of the European regulation, namely: the identity of the controller, the contact details of our DPO, the purposes and legal basis of the processing, the categories of personal data collected, the categories of recipients of your data, the period for which we shall store your data, the fact that we shall transfer your data outside of the European Union where applicable, and the rights to which you are entitled.
As a client, if you outsource the digitisation of personal data to us, for example, you are responsible for the information provided to data subjects. Numen Group will make every effort to assist with the communication of this information.
3.7 Data Archiving Limitation The archiving periods for personal data collected and processed by Numen Group are determined on a case-by-case basis, according to the purpose of the processing, the legislative provisions and the possibility of judicial remedy.
Numen stores personal data either in an active directory when it is currently being processed, or in an archive directory for the period necessary for compliance with the obligations and conditions stipulated by the legislation or with the recommendations of the supervisory authority or the European Supervisor. Personal data in paper format is stored in our archives and is subject to physical security measures.
As a processor, data that you entrust to us is stored in strict accordance with the period stipulated in our contract. Numen ensures compliance with this archiving period. Upon its expiry, your data is erased securely in order to prevent its retrieval. Where it is stored on analogue media, these are also destroyed in order to maintain confidentiality, and a certificate of destruction is provided to you.
3.8 Data Security Numen Group takes the necessary measures to guarantee the confidentiality, integrity and availability of processed data and to avoid the disclosure of said data to unauthorised third parties. In order to fulfil this obligation of security, all of our employees are subject to an obligation of confidentiality.
We are committed to privacy protection as of the design phase for our offers and products, in particular, through the implementation of data minimisation and appropriate security measures with regard to the state of the art and potential risks.
As part of data security risk assessment, we take account of risks, such as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed, which may result in physical, material or non-material damages incurred by data subjects.
Additionally, we implement security by default, which means the highest level of security is ensured by default when we conduct our processing activities, resulting in restricted access to and limited archiving of personal data.
We take action to ensure the highest possible level of security for your data and the processing thereof, on a technical, human and organisational level. In order to ensure this level of security, we abide by the recommendations of the National Cybersecurity Agency of France (ANSSI), French Data Protection Authority and other competent authorities.
For example, we are required to:
· Raise awareness and provide training for users;
· Authenticate users and manage their authorisations;
· Track access and manage incidents;
· Secure workstations;
· Protect the internal IT network;
· Secure servers and websites;
· Safeguard and plan ahead for business continuity;
· Oversee the maintenance and destruction of data;
· Protect the premises;
· Oversee IT development as appropriate;
· Implement cryptographic methods;
· Assess our level of security on a regular basis.
As a data controller, we may also be required to perform privacy impact assessments (PIAs) where the processing in question poses a risk to your privacy. In the event of these analyses, we use the methodology and PIA tool of the French Data Protection Authority.
Furthermore, we have documented our technical, organisational and security processes in order to demonstrate our compliance with and inform our employees of the necessary personal data protection.
As a processor, we help our clients guarantee compliance with their personal data protection obligations. We are at your disposal in the event that you wish to audit our information system in order to ensure that we provide sufficient guarantees. Where necessary, we will provide you access to the requisite documentation and assist your auditors.
In addition, we are committed to notifying you of any personal data breach of which we become aware, as required by the European regulation, and, where applicable, to notifying the competent supervisory authority as quickly as possible.
3.9 Data Recipients Whether or not these are third parties, your information is always transmitted to data recipients for legitimate purposes, in order to conduct our activities or to comply with our legal obligations. We neither sell nor lease out your personal data.
In the event that we grant access to our information systems to a third party, we only grant them the permissions needed to perform their work, according to the principles of need to know and least privilege. We track their activity and verify its compliance with their duties.
4 COMPLIANCE WITH THE RIGHTS OF DATA SUBJECTS
4.1 Your Rights With a view to empowering data subjects in respect of personal data protection and to granting them a greater degree of control, the GDPR has conferred new rights upon data subjects and consolidated other pre-existing rights.
In particular, these rights are as follows:
· The right to access personal data and information about the processing;
· The right to object to the processing;
· The right to rectification of data;
· The right to be forgotten, the right to restriction of processing;
· The right to data portability;
· The right to object to automated individual decision-making and profiling;
· The right to lodge a complaint with a supervisory authority.
We are committed to upholding these rights and the conditions for the exercise thereof provided for by the European regulation. We make every effort to fulfil requests as quickly as possible. In the majority of cases, requests that you send to us must be accompanied by documentary proof of your identity, failing which we cannot fulfil them (except, for example, where you are exercising your rights using the email address with which you subscribed to the newsletter).
In certain cases, where we operate in the capacity of data controller, you may contact us on the basis of your various rights: by requesting that we provide a copy of your personal data in our possession, by informing us of alterations or corrections to be made to the data in our possession, or by requesting the erasure or restriction of data processed, or termination of the processing, etc.
As an employee, you may contact us on the basis of your various rights under the conditions provided for by the European regulation: for example, by requesting information about alterations or corrections to be made to the data in our possession.
Where we operate in the capacity of processor, we are committed to providing the greatest possible assistance to our clients in order for you to fulfil incoming requests to exercise rights in respect of the processing that we undertake on your behalf.
4.2 Modalities for the Exercise of Rights With regard to our activities as a data controller, you may submit a request to exercise your various rights to our DPO using the email or postal address provided (in the section entitled “Contacting the DPO”).
With regard to our activities as a processor, we provide the greatest possible assistance to our clients in order for them to abide by their obligation to fulfil requests by data subjects to exercise their rights. In the event that said requests are sent to us, we forward them to you as quickly as possible via an appropriate channel.
5 PARTNER MANAGEMENT
5.1 Trusted Service Providers As a data controller, it may be necessary to outsource certain activities to service providers. Where this is the case, we make sure to use trusted service providers offering sufficient guarantees with regard to personal data protection and security.
Contracts govern our relationships with these service providers and our respective obligations in this regard, pursuant to the provisions of the European regulation and, in particular, Article 28. Accordingly, our processors are required to implement the appropriate technical and organisational measures for compliance with the European regulation and with this policy, and we reserve the right to perform audits in order to ensure that such measures have been implemented.
5.2 Further Partners and Transfers Outside of the European Union As a processor, Numen Group undertakes the majority of personal data processing within the European Union. However, we may use one or more other processors located outside of the European Union to perform predetermined processing operations.
In general, we outsource certain processing activities to our subsidiary, Numen Madagascar, but we may also use other entities. Such transfers outside of the European Union may contain personal data and may entail the disclosure, copying, retrieval or movement of data, etc.
Our clients are always informed of further processing, and we have put in place standard contractual clauses in order to provide this information systematically. In this regard, and where they are not located in a country providing a sufficient level of personal data protection, contracts signed with our clients give us a mandate to include, in the legal instruments that bind us to Numen Madagascar or another processor, the standard contractual clauses relating to personal data protection of 2010 provided by the European Commission.
Cookies allow Numen to see how the website is being used and enable us to improve and update the website based on data (for example, the number of users connected to the site) combined using cookies. The different types of cookies used on our website are: navigation cookies and cookies to analyse visitor traffic.
When you first visit one of our websites, a cookie panel will be displayed on your current webpage. By navigating to another page of the website or clicking on a feature of the website (an image, link, “search” button, etc.), you are registering your consent to the archiving of cookies on your terminal.
You may object to the archiving of cookies by configuring your browser settings (Internet Explorer, Safari, Firefox, Chrome, etc.) to notify you before any cookies are installed, or you may refuse the installation of all cookies if your browser has the relevant functionality. Refusal to authorise cookies may prevent the website from functioning correctly, by limiting certain uses or making certain services inaccessible.
5.4 Amendments to the Personal Data Protection Policy This Personal Data Protection Policy may be subject to future amendments. You may revisit this page to find out the date of the latest update by Numen Group.
In order to ensure transparency for our employees, clients and prospective clients, you shall be notified by email in the event that we make substantial amendments this policy.