Privacy Policy

Personal Data Protection Policy

Customer representatives and contacts

Summary

1. GENERAL PROVISIONS

  • 1.1. Preamble 
  • 1.2. Definitions
  • 1.3. Purpose
  • 1.4. General principles

2. IDENTIFICATION OF PROCESSING OPERATIONS

  • 2.1. Categories of data collected and origin of data

  • 2.2. Purposes of processing and legal bases 

  • 2.3. Retention periods

  • 2.4. Recipients of the data

3. MANAGEMENT OF INDIVIDUALS’ RIGHTS

  • 3.1. Right of access and right to copy

  • 3.2. Right to rectification

  • 3.3. Right to erasure

  • 3.4. Right to restriction

  • 3.5. Right to data portability

  • 3.6. Right to object

  • 3.7. Exercising the rights of our contacts

4. ADDITIONAL PROVISIONS

  • 4.1. Subcontracting

  • 4.2. Processing register

  • 4.3. Security measures

  • 4.4. Data breach

5. CONTACTS

  • 5.1. Data Protection Officer

  • 5.2. Right to lodge a complaint with the CNIL

  • 5.3. Changes

  • 5.4. For further information

1. General provisions  

1.1 Preamble  

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter “GDPR”), sets out the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, processors, data subjects and recipients.  

Subsequently, and in order to implement the changes brought about by the GDPR, Law No. 78-17 of 6 January 1978, known as the Data Protection Act, was amended by Law No. 2018-493 of 20 June 2018 through Order No. 2018-1125 of 12 December 2018 on data protection. 

The regulations applicable to the protection of personal data are therefore the following texts: 

  • the GDPR; 
  • the Data Protection Act, as amended by the aforementioned texts; 
  • the recommendations of the CNIL (French Data Protection Authority).  

For a clear understanding of this policy, it is specified that:  

  • the “data controller” refers to the natural or legal person who determines the purposes and means of processing personal data. Under this policy, the data controller is Arkopharma;  
  • “data subjects” are persons who can be identified, directly or indirectly, by reference to personal data collected by the data controller, i.e., in the context of this policy, all Arkopharma contacts associated with its customers and prospects, regardless of their status (employees or managers). 

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible manner. 

1.2 Definitions 

  • “Personal data”: any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity; 
  • “processing of personal data”: any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, as well as blocking, erasure or destruction; 
  • “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

1.3 Purpose 

In order to function properly, our company is required to process personal data relating to our contacts with our customers, prospects and partners in the context of commercial relations and contracts concluded with them. 

The purpose of this policy is to fulfil our obligation to provide information and to remind our customers, prospects and partners of their rights regarding the processing of their personal data. 

1.4 General principles

Our company does not process any data concerning you unless it relates to personal data collected by or for its services or processed in connection with its services and unless it complies with the general principles of the GDPR.  

Any new processing, modification or deletion of existing processing will be brought to the attention of our contacts with our customers and prospects through an amendment to this policy.  

2. Identification of processing operations 

2.1 Categories of data collected and origin of data  

Data is mainly collected directly from our contacts with our company’s customers and prospects.  

Consequently, we only collect and use data that is necessary for the conclusion or execution of contracts with our company, namely:  

  • identity of the contact person(s) in charge of a file or contacted for prospecting purposes (e.g. title, surname, first name); 
  • professional contact details of the contact(s) in charge of a file or contacted for prospecting purposes (e.g. professional email address, professional postal address, professional landline or mobile phone number, fax number); 
  • professional information of the contact(s) in charge of a file or contacted for prospecting purposes (e.g. position, rank, function); 
  • technical data depending on the use case (identification or connection data such as IP address or logs);  
  • images of the contact(s) in charge of a file or contacted for prospecting purposes (e.g. in the case of access to our premises). 

2.2 Purposes of processing and legal bases 

 

| Purposes | Comment | Legal bases |
| --- | --- | --- |
| Pre-contractual exchanges | We process the data of individuals who interact with us when we have approached the organisation to which they belong for prospecting purposes or when they have contacted us. | Execution of pre-contractual measures |
| Contract and contract monitoring | We process the data of our contacts linked to our customers as part of the monitoring of the contractual relationships that bind us to them. | Execution of contractual measures |
| Invoicing, payment and accounting | We process the data of our contacts at our clients for the purposes of invoicing and payment for orders placed. | Execution of contractual measures |
| Management of our customer and prospect directory | We maintain a directory of our customers and a directory of our prospects, which includes the names of our main contacts within these groups. | Legitimate interest |
| Organisation of events by our company | We process the data of our contacts at our customers and prospects when we invite them to events that we organise or co-organise. | Legitimate interest |
| Sending newsletters or news feeds | When the addresses to which we send our newsletters or news feeds are not contact addresses, we use the data of our contacts at our customers and prospects. | Legitimate interest |
| Management of third-party personnel access | We process the data of our contacts who access our premises in order to secure access to them (e.g. keeping a register, access badges, etc.). | Legitimate interest |
| Video surveillance of third-party personnel | Certain specific areas of our premises, such as barriers and fences, are subject to video surveillance. | Legitimate interest |
| Compilation of statistics | We may compile statistics based on data relating to our customers and prospects. | Legitimate interest |

2.3 Retention periods 

We determine the retention period for data relating to our customers and prospects in accordance with the legal and contractual obligations to which we are subject and, failing that, according to our needs. 

As a matter of principle, data relating to our customers and prospects must be retained for the time strictly necessary for the management of the commercial relationship. More specifically, we undertake to comply with the following retention periods:  

 

| Processing | Retention period |
| --- | --- |
| Contracts concluded with our customers | 5 years from the date of conclusion. 10 years for contracts concluded electronically for more than £120. |
| Commercial correspondence (purchase orders, delivery notes, invoices, etc.) | 10 years from the end of the financial year. |
| Data processed for marketing purposes | For customers: 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact made by the customer. For prospects: 3 years from the date of collection or the last contact from the prospect (request for documentation, click on a link contained in an email, etc.). |
| CCTV images | For a maximum period of one month |
| Access to buildings | For a maximum period of one month |
| Technical data | 1 year from the date of collection |
| Cookies | See the cookie policy |

The periods indicated in the table above are necessarily extended for the legal limitation period as evidence in the event of a dispute. In the latter case, the retention period is extended for the duration of the dispute. 

Once the specified periods have expired, the data is either deleted or retained after being anonymised, in particular for statistical purposes. It may be retained in the event of pre-litigation and litigation. 

It should be noted that deletion or anonymisation are irreversible operations and that Arkopharma is subsequently unable to restore the data. 

2.4 Data recipients  

Data recipients are natural or legal persons who receive personal data. Data recipients may therefore be Arkopharma employees or external organisations. 

We ensure that the data collected and processed in the context of our relationships with our customers and prospects is only accessible to authorised internal and external recipients, in particular the following recipients: 

  • staff in the relevant departments authorised to manage relations with our customers and prospects and their line managers;  
  • support department staff, i.e. administrative, logistics and IT departments and their line managers;  
  • our service providers or support services (e.g. IT service providers);  
  • the competent authorities in the event that we are required to share certain data with legal assistants, departments responsible for internal control procedures, etc.; 
  • in the event of a visit to our premises, reception staff, who collect data on all visitors in a register. 

With regard to internal recipients, we decide which recipient may have access to which data in accordance with an authorisation policy and we ensure that they are subject to a confidentiality obligation.  

With regard to external recipients, we inform you that the personal data of our contacts with our customers and prospects may be communicated to some of our service providers or to any authority legally authorised to access it (in particular tax and social security authorities). In this case, Arkopharma is not responsible for the conditions under which the staff of these authorities access and use the data. 

3. Management of personal rights 

3.1 Right of access and right to copy 

Our customers and prospects have the right to ask us whether we process data concerning their members (staff, managers, etc.) in the context of contracts concluded with them or prospecting messages we send them.  

They may also request that we provide them with a copy of their members’ data that is being processed.  

However, in the event of requests for additional copies, we may require our customers and prospects to bear the cost of producing these new copies. 

If requests from our customers and prospects are made electronically, the information requested will be provided in a commonly used electronic format, unless otherwise requested.  

Our customers and prospects are informed that this right of access cannot apply to confidential information or data, or to information or data that the law does not allow to be disclosed.  

The right of access must not be exercised abusively, i.e. on a regular basis for the sole purpose of disrupting the proper performance of our services. 

3.2 Right of rectification 

Our customers and prospects have the right to ask us to rectify certain data concerning their personnel that is obsolete or incorrect.  

3.3 Right to erasure  

Our customers may only invoke the right to erasure with regard to their personnel data in the following cases: 

  • the contract has been terminated and is no longer in effect between our company and the customer; 
  • the members of staff whose data is being processed and who are no longer employed by one of our customers wish to be removed from our customer database. 

Our prospects may invoke the right to erasure with regard to their staff’s data insofar as they have the right to object to receiving marketing messages.  

3.4 Right to restriction  

Our clients and prospects are informed that this right only applies in the following cases: 

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; 
  • the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead; 
  • the controller no longer needs the personal data for the purposes of the processing, but they are still required by the data subject for the establishment, exercise or defence of legal claims; 
  • the data subject has objected to the processing, pending verification of whether the legitimate grounds pursued by the controller override those of the data subject. 

3.5 Right to portability  

Our customers and prospects are informed that this right does not apply insofar as the conditions required by the applicable regulations are not met with regard to our processing of the personal data of their staff members with whom we interact.   

3.6 Right to object 

Customers and prospects have the right to object to any commercial prospecting by post, telephone or electronic means, including profiling insofar as it is related to such prospecting. 

In the specific case of electronic marketing, customers and prospects may opt out at any time by clicking on the link in the email or by changing their preferences in their customer account on our website arkopharma.com.  By SMS, it is possible to object to any marketing by sending “stop” to the number shown in the message received. 

3.7 Exercising the rights of our contacts  

To exercise their rights, our customers and prospects must contact us in writing, either by post or by email, at the following addresses: dpo@arkopharma.com 

We do our utmost to respond to requests within a reasonable time frame and, at best, within one month of receiving the request. 

However, in the event that the processing of requests proves complex or we are faced with a high number of requests to exercise rights simultaneously, the processing time may be extended to two months. 

4. Additional provisions

4.1 Subcontracting  

We may use any subcontractor of our choice to process the personal data of our contacts with our customers and prospects. 

Within the meaning of the GDPR, a subcontractor is any natural or legal person who processes personal data on behalf of the data controller. In practice, this refers to service providers with whom Arkopharma works and who process Arkopharma’s personal data.  

In this case, we ensure that the subcontractor complies with its obligations under the GDPR.  

We undertake to sign a written contract with all our processors and impose on them the same data protection obligations that we impose on ourselves. In addition, we reserve the right to audit our processors to ensure their compliance with the provisions of the GDPR.  

4.2 Register of processing activities  

As data controller, we undertake to keep an up-to-date register of all processing activities carried out when required to do so by law. 

This register is a document or application that lists all the processing operations carried out by Arkopharma as data controller. 

We undertake to provide the CNIL, upon first request, with the information enabling it to verify the compliance of the processing operations with the regulations in force. 

4.3 Security measures

We implement the technical, physical and logical security measures we deem appropriate to combat the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data. 

These measures mainly include: 

  • management of authorisations for access to data; 
  • internal backup measures; 
  • identification processes;  
  • conducting security audits and penetration tests; 
  • adoption of business continuity plans; 
  • use of a security protocol or solutions. 

In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.  

4.4 Data breaches 

We undertake to notify the CNIL of any data breach we may suffer under the conditions prescribed by the regulations on personal data.  

Our contacts with our customers and prospects are informed of any data breaches that could pose a high risk to their privacy. 

5. Contacts 

5.1 Data Protection Officer 

We have appointed a Data Protection Officer who can be contacted at the following address for any questions relating to data processing: dpo@arkopharma.com 

5.2 Right to lodge a complaint with the CNIL  

Our contacts at our service providers have the right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they believe that the processing of their personal data does not comply with European data protection regulations, at the following address:  

CNIL – Complaints Department 

3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07  

Tel: 01 53 73 22 22 

5.3 Changes 

This policy may be amended or modified at any time in the event of changes in the law, case law, decisions and recommendations of the CNIL or practices. 

Any new version of this policy will be brought to the attention of our customers and prospects by any means we choose, including electronic means (e.g. distribution by email or online). 

5.4 For further information 

For further information, please contact our Data Protection Officer at the following email address: dpo@arkopharma.com 

For more general information on personal data protection, please visit the CNIL website at www.cnil.fr