Personal data protection policy

1. PURPOSE AND SCOPE

The purpose of this policy is to provide a framework for the processing of personal data collected by Nexira. It is addressed to all Nexira Group personnel, to its subcontractors, as well as to third parties insofar as Nexira collects their personal data.
In accordance with the applicable legal and regulatory provisions, in particular French Data Protection Act no.78-17 of 6 January 1978, and the European Data Protection Regulation no. 2016/679/EU of 27 April 2016 (applicable since 25 May 2018) (“GDPR”), Nexira is committed to protecting the personal data of its customers, employees, partners and other stakeholders that it collects and processes as part of its activities.

2. DEFINITIONS

Personal data: “any information relating to an identified or identifiable natural person.”
Processing of personal data: “An operation or set of operations which relates to personal data, regardless of the process used (collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, viewing, use, disclosure by transmission, distribution or otherwise making available, reconciliation or interconnection, limitation, erasure or destruction).”
Data controller (DC): “The data controller is the legal entity (company, local authority, etc.) or natural person who determines the purposes and means of data processing, i.e. the objective and the way in which it is processed.”
Data Protection Officer (DPO): “The Data Protection Officer is in charge of enforcing compliance with the European data protection regulation in the organisation that appointed them to cover all processing carried out by that organisation.”
Subcontractor: “The natural or legal person, public authority, department or other body which processes personal data on behalf of the data controller.”

3. ROLES AND RESPONSIBILITIES

Nexira is the data controller.
A Data Protection Officer has been appointed (Frédéric DUCLUSEAU, Risk Management Director), who has a specific e-mail address (dpo@nexira.com).

4. PERSONAL DATA PROCESSING

Nexira may collect and process the following personal data (partial list):

  • Identification data: surname, first name, date and place of birth, gender, photograph, video;
  • Contact details: home address, email address, telephone number;
  • Transactional data: bank details, invoice amount and date;
  • Connection data: IP address, cookies;
  • Private or professional data: family status, qualifications, etc.

The purposes of processing this data include, but are not limited to:

  • Recruitment;
  • Personnel administration;
  • Career management and staff mobility;
  • Training management;
  • Monitoring of suppliers and service providers;
  • Customer and lead management;
  • In-house and external Nexira communications;
  • Visitor reception management.

All personal data processing has a legal basis (consent, performance of a contract with Nexira, compliance with a legal obligation, etc.) and is governed by specific, precise and legitimate purposes. Only data that is adequate, relevant and limited to what is necessary for the purposes for which it is to be used must be collected. If data is to be used for purposes other than those defined, Nexira undertakes to inform the persons concerned in order to obtain their consent.

In addition, Nexira commits to making sure the collected personal data is accurate and up to date, and reserves the right to contact the persons concerned to make sure that is the case.

Personal data is kept for a period strictly necessary for the purposes for which it was collected, and in accordance with legal obligations. It is then deleted or anonymised so that it can be used without infringing the rights of individuals.

Personal data processing activities are listed in a Personal Data Processing Register, which, for each activity, indicates the recipients, purposes, legal basis, the categories of personal data and persons concerned, the retention periods and the security measures. The register is the responsibility of the DPO and is updated regularly.

5. OBLIGATIONS OF SUBCONTRACTORS

Nexira may transfer personal data to third parties for technical reasons or to comply with legal obligations. Subcontractors are required to comply with the obligations in terms of security, confidentiality and documentation of the processing of personal data that they carry out on behalf of Nexira, in accordance with the GDPR, and more specifically Article 28 “Subcontractors”. Subcontractor undertakes to:

  • Only process personal data based on documented instructions from the data controller and solely for the purposes for which the data processing has been subcontracted;
  • Make sure the persons authorised to process personal data receive the necessary training and undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
  • Provide data subjects with information relating to the data processing carried out by the Data Controller and to assist the Data Controller in processing requests from data subjects to exercise their rights: right of access, rectification, erasure and opposition, right to restrict processing, right to data portability, right not to be subject to an automated individual decision;
  • Delete all personal data or return them to the data controller at the end of the service, including existing copies;
  • Implement appropriate technical and organisational measures to provide a level of security appropriate to the risk to the rights and freedoms of individuals;
  • Inform the data controller without undue delay, and no later than 48 hours after becoming aware of a personal data breach;
  • Provide Nexira with the name and contact details of its Data Protection Officer;
  • Keep a written Register of all personal data processing activities carried out on behalf of the data controller;
  • Not recruit another subcontractor without a specific or general prior written authorisation from the data controller. If the other subcontractor does not fulfil its data protection obligations, the original subcontractor remains fully liable for the performance of the subcontractor’s obligations to the data controller;
  • If the subcontractor uses a subsequent subcontractor from a third country (outside the EU), the subcontractor undertakes to use data transfer mechanisms that comply with the provisions of Articles 44 et seq. of the GDPR: (1) an adequacy decision from the European Commission, (2) appropriate safeguards such as the signature of Standard Contractual Clauses from the European Commission, (3) binding corporate rules, (4) derogations permitted by the GDPR and in agreement with Nexira;
  • Make available to the data controller all the information necessary to prove compliance with the obligations laid down in Article 28 of the GDPR and allow and contribute to audits, including inspections, carried out by the data controller or another auditor appointed by the data controller;
  • Taking into account the nature of the processing and the information available to the subcontractor, assist the data controller with any data protection impact assessments and with consulting the supervisory authority prior to processing where an impact assessment indicates a high risk.

6. TRANSFERS OUTSIDE THE EUROPEAN UNION

If data is transferred outside the European Union, Nexira makes sure a sufficient and appropriate level of data protection is in place, in compliance with the GDPR legal framework.

7. DATA PROTECTION MEASURES

Nexira undertakes to implement all appropriate physical, technical and organisational security measures to guarantee the confidentiality, integrity and availability of the data. These measures include the use of firewalls, access controls, regular back-up procedures, etc. These security measures are regularly reviewed and adjusted to take into account changes in risks and the sensitivity of the collected data.

If data is transferred to subcontractors, Nexira makes sure they comply with European regulations on the protection of personal data, in particular by formalising a contract defining the obligations of the parties in terms of data protection.

8. RESPECT FOR PEOPLE’S RIGHTS

Nexira ensures that data subjects are informed of the collection of their personal data in a transparent and comprehensible manner, and that their consent is obtained if necessary. Everyone has the right, on legitimate grounds, to object to the processing of their data, except when required by law.

Nexira undertakes to facilitate the exercise of individuals’ rights concerning their personal data: right of access, rectification, erasure, limitation of processing, portability and opposition.
To exercise your rights, or if you have any questions about Nexira’s personal data protection policy, you can send a request to the attention of our Data Protection Officer at the following address: dpo@nexira.com. After having verified the identity of the applicant and identified the data concerned, Nexira undertakes to respond to requests within one month.
The persons concerned also have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), the French personal data protection authority, at the following postal address: 3 Place de Fontenoy – TSA 80715, 75334 Paris Cedex 07, by telephone by dialling 01 53 73 22 22, or on the www.cnil.fr website.

9. PERSONAL DATA BREACHES

As personal data is confidential, access to it is restricted to Nexira employees and service providers who need to know it in order to carry out their mission. Persons who have access to personal data are bound by an obligation of confidentiality and may be subject to disciplinary measures and/or other sanctions if they fail to comply with such obligations.

If a personal data breach (illegitimate access, unwanted modification or disappearance of data) occurs, Nexira’s DPO will alert the CNIL within 72 hours if the breach is likely to generate a risk to the rights and freedoms of the persons concerned. In the event of high risks, the persons concerned will be informed in accordance with the conditions laid down by the regulations. Every data breach will be recorded in the Personal Data Breach Register.

10. CONTROLS AND CONTINUOUS IMPROVEMENT

Regular in-house checks on data processing will be carried out to make sure they comply with applicable regulations, are effective, and that the measures taken are appropriate to the identified threats and the sensitivity of the data. These checks will make it possible to quickly correct any identified non-compliances and ensure that people’s rights are respected. External audits may also be conducted.

Continuous improvement also requires the involvement of everyone involved, and Nexira employees will be given training courses to make them more aware of their responsibilities in terms of personal data protection and improving practices.

This Policy may be modified by NEXIRA at any time, in particular as a result of changes to legislation and/or regulations and to in-house data protection policies.