The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It aims to strengthen the rights individuals have over their personal data and to better protect said personal data.
SAREG, a subsidiary of SR Conseil Group, has always thought it important to protect its clients’ and employees’ data. Our GDPR compliance is permanently maintained with the support of DPO CONSULTING.
Personal data protection policy
As part of its business, the simplified joint-stock company (société par actions simplifiée) SAREG, whose registered office is located at 101 TDM DES FRENES, 74110 Morzine, France, and registered in the Thonon Trade and Companies Register under number B 499 453 256, is required to process personal data.
- French Data Protection Act (“Loi Informatique et Libertés”) of 6 January 1978, amended in 2004
- General Data Protection Regulation (GDPR) (EU 2016/679 of the European Parliament and of the Council of 27 April 2016)
- Personal data: Any information relating to a data subject, in particular referring to an identifier such as a name, identification number, ID card number, salary, health records, bank account information, driving or consumption habits, location data, online identifier, etc. The term “personal data” includes sensitive personal data.
- Data processing: Any operation or set of operations, whether done using automated or non-automated processes, performed on personal data, such as collecting, accessing, saving, copying, transferring, storing, combining, modifying, structuring, making available, disclosing, recording, destroying, whether or not by automatic, semi-automatic or other means. This list is not exhaustive.
- Data controller: A natural or legal person who, individually or jointly, decides what personal data are collected, why and how they are collected and processed.
- Processor: Any natural or legal person, public authority, department or other body that processes Personal Data on behalf of the Data Controller and according to its instructions (e.g. contractors or suppliers).
- Consent: Any free, specific, informed and unambiguous expression of will by which the Data Subject accepts, by a declaration or by a clear positive act, that personal data concerning them may be processed.
- Data transfer: When personal data is communicated, copied or moved over a network, or communicated, copied or moved from one medium to another, irrespective of the medium, to a country outside the European Union or to an international organisation, and said data are subject to processing or are intended to be processed after such transfer.Data Protection Officer (or “DPO”):This is the person in charge of personal data protection at SAREG, a subsidiary of SR Conseil Group. If you have any questions about the protection of your personal data, you can contact the DPO of SAREG, a subsidiary of SR Conseil Group, at the following address: firstname.lastname@example.org.
- Cookies: A cookie is a small file stored on your computer that allows you to move from one web page to another while retaining your browsing settings.
Purposes of processing and legal grounds
The processing of your personal data is carried out for specific purposes which correspond to different legal grounds.
Your personal data may be processed:
- As part of a contractual relationship between our company and yourself, your organisation or the organisation employing you, in which case the purposes of the processing must allow us to:
- Meet our contractual obligations, particularly in the area of human resources management (responding to a job offer, consulting a curriculum vitae, drawing up an employment contract, etc.);
- Carry out the work you, your organisation or the organisation employing you has entrusted us with to the best of our ability (management of client files, etc);
- Because you have given us your consent.This will be the case for our marketing activities in particular, for which this purpose will allow us, for example, to:
- Send you our newsletter and keep you informed of our news;
- Invite you to events;
- Provide you with offers identified as being able to meet your needs;
- As part of our legitimate interest: We consider that we have a legitimate interest in processing some of your personal data, in particular in the following cases:
- For recruitment (responding to a job offer, consulting a curriculum vitae);
- For production monitoring purposes;
- To resolve a dispute: we may need to process your personal data to respond to requests or defend our rights in a legal action;
- For administrative purposes (keeping schedules, training, calculating profitability, etc.);
- To follow up on the files of prospective or current clients;
- To provide as complete and relevant a response as possible to your request, regardless of the form it takes (telephone call, contact form, e-mail, fax, etc.);
- As part of our legal obligations: In some cases, we need to collect, transmit or retain some information about you to meet our own legal obligations, for example in relation to:
- Filling out and sending our notices of hiring (déclaration préalable à l’embauche, DPAE) for Urssaf;
- Sending administrative and tax documents, etc.
Recipients of the data
We may share your personal data with the following recipients:
- Our employees
Your personal data are intended for any employee of our company whose duties may require them to access to these data for the purposes set out above. The procedures in force within our company aim to guarantee individualised access to your personal data, thus limiting an employee’s access to only those data necessary for the performance of their duties and the accomplishment of our work.
All employees of our company are contractually bound to discretion and professional secrecy. These obligations of discretion and professional secrecy continue after an employee’s employment contract is terminated.
- Our service providers and processors:
We may transfer some of your personal data to our service providers and processors if it is necessary for the performance of their tasks. This will be the case, for example, for our hosting platform providers when providing IT services. These service providers are selected with regard to the guarantees presented in terms of personal data protection and are contractually supervised in accordance with the provisions of Article 28 of the GDPR.
- Fraud detection and prevention entities.
Our processing and storage platforms are hosted in data centres located in France.
In order to provide certain services, SAREG may transfer some of your personal data to its processors. SAREG naturally undertakes to take appropriate measures to maintain the level of confidentiality and security of your personal data during its transfer and receipt.
In any case, your personal data will not be transmitted outside the European Union.
If the data is transferred to Processors located outside the European Union, in a country that is not adequately regulated under Personal Data Protection Regulations (CNIL), the contractual relationship with this Processor is framed by adopting an appropriate contractual mechanism.
SAREG stores your personal data:
- In compliance with its legal obligations and/or the recommendations of the French Data Protection Authority (CNIL) regarding retention periods;
- In relation to its contractual obligations and the requirements applicable to the purposes of the processing;
- At least for the time necessary to carry out the purposes for which they were collected.
Without prejudice to the exercise of your rights to rectification, erasure, restriction of processing or object.
Beyond the agreed time limits, SAREG will delete your personal data from its system or anonymise them so that they can no longer be used to identify you.
If you have any questions about the time limits for storing your personal data or if you notice a breach by SAREG in this area, we undertake to do everything we can to make the necessary corrections as soon as possible after receiving your request, which should be sent to the following e-mail address: email@example.com.
Automated individual decision-making
SAREG does not use your personal data for processing that results in automated individual decision-making.
Your personal data belongs to you, and as such you have a number of rights. Thus, in accordance with current data protection laws and regulations, you have the following rights with regard to your personal data:
- Right of access or information: (Article 15 of the GDPR)
You have the right to consult and obtain a copy of your personal data processed by SAREG. You will therefore be able to access the following information:
- the purposes of the processing;
- the categories of Data;
- the recipients or categories of recipients to whom the Data have been or will be disclosed;
- where possible, the intended retention period of the Data or, where this is not possible, the criteria used to determine this period;
- the existence of the right to request that SAREG rectifies or deletes your Data, or to restrict the processing of your Data, or the right to object to such processing;
- the right to lodge a complaint with the French Data Protection Authority (CNIL);
- where we do not collect the Data from you, any available information as to their source;
- the existence of automated decision-making, including profiling, and, at least in such cases, relevant information about the underlying logic and the significance and intended consequences of such processing for you.
It is specified that your right to obtain a copy of your personal data must not infringe on the rights and freedoms of others.
- Right to rectification: (Article 16 of the GDPR)
If you notice any inaccuracies in your personal data, you have the right to ask SAREG to rectify this information as soon as possible. You can also have your personal data completed, including by providing an additional declaration.
- Right to erasure: (Article 17 of the GDPR)
You can get SAREG to delete your personal data as soon as possible if one of the following reasons applies:
- your data are no longer needed for the purposes for which they were collected or processed;
- you have withdrawn your consent for the processing of such data and there is no other legal basis for the processing;
- you exercise your right to object under the conditions set out below and there is no compelling legitimate grounds for the processing;
- your data has been unlawfully processed;
- your data must be deleted to comply with a legal obligation;
- your data has been collected from a child.
You can ask SAREG to restrict the use of your personal data in the following cases:
- While the data controller is verifying the accuracy of your data after you have challenged the accuracy of your data;
- Where the processing of your data is unlawful and you prefer to exercise your right to restriction of processing rather than your right to erasure;
- Where SAREG no longer needs your data to carry out a processing operation but it is still necessary for you to establish, exercise or defend legal claims;
- When you have objected to the processing of your data under the conditions set out below (see “Right to object”) and that SAREG will check whether the legitimate grounds it pursues prevail over yours.
- Right to data portability: (Article 20 of the GDPR)
You can request that SAREG transmits the personal data you have provided in a structured, commonly used and machine-readable format to yourself or to another controller, without SAREG objecting if:
- Your data is processed based on consent or on a contract;
- Your data is processed using automated processes.
- Right to object: (Article 21 of the GDPR)
For reasons relating to your particular situation, you may object to the processing of your personal data at any time if:
- The processing in question is necessary to perform a task in the public interest or to exercise official authority vested in SAREG;
- The processing in question is necessary for the purposes of the legitimate interests pursued by SAREG, unless SAREG demonstrates that there are compelling legitimate grounds for processing your data which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You may also object to the processing of your personal data when they are processed:
- For prospecting or profiling purposes;
- For statistical, scientific or historical research purposes, unless the data processing is necessary to perform a task carried out in the public interest.
You can find more information about your rights on the website.
To exercise these rights, you can send your request:
- By e-mail to our DPO at the following address firstname.lastname@example.org;
- Using this form;
- By post to the following address:
SAREG filiale de Groupe SR Conseil
101 Taille de Mas des Frênes – BP28
A reply will be sent to you within one month from the date your request was received, at the latest. If necessary, SAREG may extend this period by two months and inform you of this, taking into account the complexity and/or the number of requests.
If there is reasonable doubt as to the identity of the person submitting the request, a photocopy of an identity document may be requested.
Lodging a complaint
We make every effort to ensure that our data protection policy complies with the GDPR, and to guarantee the security of these data and your rights regarding your personal data. However, you are entitled to lodge a complaint with the competent supervisory authority, the in the event that you find a breach related to this regulation.
SAREG implements appropriate technical and organisational measures, given the nature of the data and the risks involved in processing them, to preserve the security and confidentiality of your personal data.
These measures may include practices such as limited access to data for service personnel, contractual guarantees when using an external service provider, regular reviews of practices and procedures, and physical and/or computerised security measures (secure physical access, computer authentication process, anti-virus software, etc.).