Section 1 – Version and date of applicability
To comply with the principle of transparency, this privacy statement is the version of the first of Decembre 2020 implemented the same day. It does not replace a previous version with regard to its initial version. This privacy statement may be modified or supplemented at any time, in particular in order to comply with any legislative, regulatory, jurisprudential or technological development
Section 2 – Context
This privacy statement describes why and how we collect and use personal data, and provide information about the rights of data subjects. It applies to personal data which is transmitted to us either directly by the persons concerned, or indirectly. We may only use the personal data transmitted to us for one or more of the purposes described in this declaration or for any other purpose duly indicated at the time of collection. It allows us to inform you and help you exercise your rights, so we kindly ask you to take note of it.
Personal data relates to any information relating to an identified or identifiable natural person. oppScience collects and processes personal data for different purposes. The means of collection, the legal bases for processing, use, disclosure and retention period are varied because they are specific to each purpose.
Our goal is to be transparent about why and how we process personal data when we collect and use it. To find out more about our personal data processing activities, we invite you to refer to the relevant sections of this declaration.
Section 3 – Legal basis
The data that oppScience collects is subject to processing, if you have consented to it and have not withdrawn this consent, or if the processing is based on at least one of the following legal grounds:
- necessary for the performance of a contract,
- falls within the legitimate interest of oppScience,
- is subject to a legal obligation to which oppScience may be subject (order of a judge for example),
- necessary for the performance of a public interest mission,
- necessary for the protection of a vital interest which concerns you.
Section 4 – Security implementation
We attach great importance to the security of your data. Strategies, procedures and training covering data protection, confidentiality and security have been defined and are implemented within oppScience. These measures are regularly reviewed and updated to ensure that the data transmitted to us is protected against destruction, loss, alteration and unauthorized disclosure.
The personal data collected is treated in compliance with the “IT and liberties” law of January 6, 1978 modified by the law of June 20, 2018 relating to the protection of personal data taken in application of EU regulation 2016/679. This regulation is more commonly called “General Data Protection Regulation” with the French acronym RGPD.
In the event of a data breach, the controller undertakes to notify the CNIL and any persons concerned in accordance with articles 33 and 34 of the GDPR.
Section 5 – Recipients and data processing
Depending on the processing, the recipients can be internal or external, in both cases to the extent necessary for the performance of the tasks entrusted to them.
Internally: the recipients are the employees of our company who carry out tasks serving the purposes of the processing by means of technical devices controlled by our company or our subsidiaries.
Externally: the recipients are the employees of our service providers (ex: accounting firm, subcontractor, partner) who carry out tasks serving the purposes of the processing by means of technical devices that they master or that they offer by the fact of the very nature of their service.
The treatments carried out internally and externally are likely to be of different types, such as: collection, recording, organization, structuring, conservation, extraction, consultation, use, storage available, reconciliation, limitation, deletion, anonymization, pseudonymization or encryption.
Section 6 – Data transfer
oppScience applies the RGPD regulations, and as such, in the eventuality that data transfers to countries to which the European Commission would not have recognized as adequate had to be carried out, in any case they will be operated and supervised in a way that protects the personal data of the persons concerned.
A transfer can be carried out by
- Derogation provided in Article 49 of the GDR (contractual obligation serving the interests of a data subject, for example).
- The use of a contract that conforms to standard contractual clauses (STCs)
- The use of Binding Corporate Rules (BCR)
Section 7 – Duration of treatments
The treatments carried out by our company are only for a limited period. In the general case, it is therefore the time necessary to achieve the objectives pursued. In some cases longer treatments may be required by European Union law or applicable national law or by a contractual provision.
In the absence of contrary provisions:
Customer data is kept for the duration of the contractual relationship with oppScience, increased by 5 years corresponding to legal requirements
Data relating to contacts and prospects is kept for 3 years from the collection or last contact from the contact or prospect.
Section 8 – Exercise your rights
To exercise your rights it is necessary to prove your identity, several cases are possible and supporting documents will be requested by email or post. The request cannot be the subject of a mandate it must come from you exclusively.
In the absence of unfounded, excessive or repetitive demand the exercise of your rights is free. Otherwise you will have to pay a reasonable fee based on the administrative or organizational costs incurred.
The following rights are acquired by the persons concerned with regard to their personal data:
– The right of access (to know the details of the data, the treatments and their purposes)
– The right to rectify (correct any inaccuracies noted or report a change)
– The right to erasure (also called the right to be forgotten: in compliance with the legal provisions, the persons concerned can request the deletion of their data)
– The right to limit (freeze all or part of the data processing)
– The right to portability (receive in a structured format the data which you have provided to us)
– The right to object (stop all or part of the data processing)
For more information concerning the exercise of your rights please go to this address: https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre3
Section 9 – Contact the right contact
In order to simplify the process for requesting to exercise your rights, we invite you to contact firstname.lastname@example.org by email or by post:
14 Avenue Trudaine
To file a complaint, you must contact the CNIL on the internet https://www.cnil.fr/fr/plaintes/internet
Or by post: CNIL Complaints Service, 3 Place de Fontenoy – TSA 80 751 75334 Paris cedex 07