Privacy policy

Last update: April 2023

 

We attach great importance to the protection of your Personal Data and carefully monitor compliance with privacy regulations, in particular European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Law No. 78-17 of 6 January 1978, known as the "French Data Protection Law", as amended in 2018 (the ‘Applicable Legislation’).

 

We invite you to read this privacy policy (the ‘Policy’) carefully, as it contains important information about how we collect, use and disclose some of your Personal Data in order to meet your needs and to improve the quality of the services we provide. This Policy applies to all types of Personal Data, regardless of the form in which it is collected (e.g., electronic, paper, etc.), and to all types of processing, whether manual or automated. Its scope includes the Personal Data of our partners, subcontractors, consultants, clients, users, prospects and suppliers, and more generally of any third party whose Personal Data we process in the course of our business.

 

The Policy is divided into two parts as it includes:

 

Who are we?

The Solution and the Site are provided to you by EASYPICKY, a French simplified joint stock company, registered with the Trade and Companies Register of Montpellier under number 831 341 549, having its registered office at 72 Boulevard Pénélope, 34000 Montpellier (‘we’, ‘our’ or ‘us’).

You can contact our data protection officer at the following email address: [email protected]

 

Definitions

To help you better understand the Policy, please refer to the definitions given below which will be used throughout our Policy:

Informed Consent means any freely given, specific and informed indication of the Data Subject's agreement to the processing of his/her Personal Data.

Personal Data means any information relating to an identified or identifiable natural person.

Sensitive Data or Special Categories of Data include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data intended to identify a natural person, data relating to health or data relating to the sex life or sexual orientation of a natural person.

Purpose of Processing means the primary purpose for which we collect and process Personal Data.

Data Subject means an identified or identifiable natural person.

Data Controller means the person who determines the Purposes of Processing and the means of a Processing.

Processing (‘process’ or ‘processing’) means any operation or set of operations performed on Personal Data, whether or not by automated means, including, without limitation, collection, recording, organisation, storage, access, adaptation, modification, retrieval, consultation, use, disclosure, communication, making available, alignment, combination, blocking, deletion, erasure or destruction.

Third Party means a third party or business partner which, in connection with your actual or potential use of the Solution, discloses Personal Data to us on your behalf or receives or accesses Personal Data on our behalf, such as suppliers, subcontractors and other service providers.

You, your, or User means the natural person whose Personal Data is collected for processing hereunder, and who is a Data Subject as defined in the Applicable Legislation.

 

 

EASYPICKY acts as a Data Controller in two cases:

  • When it enters into a relationship with prospects and when it enters into a contractual relationship with its partners, clients and suppliers. Generally speaking, some processing operations are common to all of EASYPICKY's activities. Part 1: General Privacy Policy
  • When it collects Personal Data on its site, for various reasons. Part 2: Privacy Policy of the Site

 

 

 

 

GENERAL PRIVACY POLICY

How do we collect your Personal Data?

We collect your Personal Data through various means, including:

 

  1. What Personal Data do we collect?

The Personal Data we collect are the following:

  • When we contact you in the context of commercial prospecting or participation in an external event: name, first name, postal address, position, email address, telephone number and any exchange with you;
  • When you are included in our mailing list: email address, name, first name;
  • When you become our client: name, first name, postal address, position, email address, telephone number and any exchange with you;
  • When you become our partner: name, first name, postal address, position, email address, telephone number and any exchange with you;
  • When you become our supplier: name, first name, postal address, position, email address, telephone number, order data, bank details;
  • During the management of requests to exercise rights: name, first name, email address, subject of the request, follow-up, data on the applicant.

 

 

 

We respect the principles of minimisation and accuracy when collecting your Personal Data: thus, we ensure that the Personal Data we collect is relevant, adequate and not excessive in relation to the Purposes of Processing and its possible use. This means that only information that is necessary and relevant to the purposes sought can be collected and processed.

 

 

 

 

 

 

 

 

  1. What are the Purposes of Processing?

Commercial prospecting

To exchange with you on quotations, commercial proposals, etc., to answer your solicitations to contact you and follow our list of prospects;

 

 

 

 

 

 

 

Personal Data will not be further processed in a manner incompatible with these Processing Purposes.

 

Participation in external events

To manage solicitations to intervene or participate in these events and to collect information on visitors to the event;

E-mailing of information about EASYPICKY

To manage e-mail lists, prepare and send messages, receive replies;

Follow-up and management of the commercial relationship

To exchange with you on quotations, commercial proposals, etc., to sign contractual documents, to exchange information by e-mail or telephone for the proper follow-up of the contract, to allow invoicing, to follow up on unpaid invoices and to manage any amicable recovery and litigation;

Manage partnerships

To manage the partnership, sign contractual documents, exchange information by e-mail or telephone and communicate on the partnership;

Manage suppliers

To be able to source our suppliers, place orders and pay suppliers;

Management of requests to exercise rights

Receive requests via the dedicated e-mail, process, follow up and respond to requests, manage the history of requests.

 

 

  1. What is the legal basis for processing your Personal Data?

 

We only process Personal Data on a specifically identified legal basis, namely:

 

  1. What security and confidentiality measures do we put in place to protect your Personal Data?

 

Technical and organisational measures implemented

We protect Personal Data collected, used, stored and disclosed by taking the necessary technical and organisational measures to ensure its security, integrity and absolute confidentiality. Technical and organisational measures in accordance with applicable standards are implemented to prevent accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, or any other form of unlawful or unauthorised processing. We implement these measures at the earliest stages of the design of processing operations, so as to protect the principles of confidentiality and data protection (‘Privacy by design’) from the outset. By default, we ensure that Personal Data is processed to protect privacy (e.g., by limiting its accessibility to only those who need to have access to it), so that Personal Data is not accessible to an indeterminate or excessive number of persons (‘Privacy by default’).

Selection of providers and partners

We choose service providers and partners that offer sufficient guarantees to implement technical and organisational measures that are at least as protective.

Documentation

We establish and maintain the necessary documentation to demonstrate compliance with all of our obligations under the Applicable Legislation.

Personal Data breach

Where required by Applicable Legislation, we will notify the User and any Data Subject as well as the competent supervisory authority of any Personal Data breach within the legally required timeframe after becoming aware of it. We undertake to implement technical and organisational security measures to limit the impact of any Personal Data breach and to ensure that it does not recur.

Impact assessment

Before collecting, using, storing or disclosing Personal Data in a new system or project, we carefully define the Purposes of Processing and assess the privacy risks. Where the processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, we will carry out a privacy impact assessment prior to its implementation and refrain from the processing if this assessment reveals an incompatibility with the principles of the Applicable Legislation.

 

  1. How long do we keep your Personal Data?

We retain Personal Data for as long as necessary for the purposes for which they were collected and processed, after which we archive them for the applicable retention period as set forth in our retention policy. The purposes of such archiving and the corresponding retention periods are set out below:

 

Commercial prospecting

3 years from the last active contact from the prospect

Participation in external events

3 years from the last active contact from the Data Subject

E-mailing of information about EASYPICKY

 

3 years from the last active contact from the Data Subject

Follow-up and management of the commercial relationship

For the duration of the contract, plus 5 years from the end of the contract for evidentiary purposes

For invoicing: for the duration of the contract, plus 10 years in accordance with EASYPICKY's legal obligations

Manage partnerships

For the duration of the contract, plus 5 years from the end of the contract for evidentiary purposes

Manage suppliers

For the duration of the contract, plus 5 years from the end of the contract for evidentiary purposes

Management of requests to exercise rights

Data are kept for the calendar year of the request, plus five years.

The identity documents that may be communicated are:

  • Immediately deleted when the request validly addressed to the referent did not require the communication of an identity document;
  • Deleted 1 year after receipt of the application in all other cases.

 

Any Third Party processing Personal Data on our behalf will retain them only as long as necessary for the purposes for which they were collected and processed and for other compatible purposes, which may include:

All reasonable steps are taken to ensure that Personal Data is kept in a sufficiently accurate and up-to-date form at each stage of processing.

We encourage you to help us keep your Personal Data up to date by exercising your rights, including access and rectification.

  1. What are your rights as a Data Subject?

We are receptive to requests relating to your Personal Data and, in accordance with the Applicable Legislation, we give you the possibility of accessing, rectifying, restricting and erasing your Personal Data. We also allow you to object to the processing of your Personal Data and to exercise your right to portability.

To exercise your rights, please use the contact information provided above. You also have the right to lodge a complaint with the competent authority for the control of Personal Data, the ‘Commission Nationale de l'Informatique et des Libertés’ (https://www.cnil.fr/fr/plaintes), if you consider that we have not respected your rights.

 

Right of access

We will provide access to all Personal Data relating to a Data Subject in accordance with the Applicable Legislation, the Purposes of Processing, the categories of Personal Data processed, the categories of recipients, the duration of data retention, the rights of rectification, deletion or restriction of the Personal Data consulted if applicable, etc.

Right of data portability

We may also provide a copy of any Personal Data we maintain in a compatible and structured format to enable the exercise of the right to data portability to the extent relevant under applicable law.

Right of rectification

Data Subjects may ask us to rectify, amend or delete any incomplete, outdated or inaccurate Personal Data.

Right to erasure (‘right to be forgotten’)

Data Subjects may request the deletion of their Personal Data (i) if such Personal Data is no longer necessary for the purposes of the data processing, (ii) the Data Subject has withdrawn his or her consent to the processing based solely on such consent, (iii) the Data Subject has objected to the processing, (iv) the processing of the Personal Data is unlawful, or (v) the Personal Data must be deleted to comply with a legal obligation applicable to us.

Right of limitation

Data Subjects may request the limitation of their Personal Data (i) in case of a challenge to the accuracy of the Personal Data in order to allow us to verify such accuracy, (ii) if the Data Subject wishes to limit the Personal Data rather than delete it despite the fact that the processing is unlawful, (iii) if the Data Subject wishes us to retain the Personal Data because it is needed for his or her defence in the context of claims.

Right to withdraw consent

Where the processing of Personal Data is based on the consent of the Data Subject, the Data Subject may withdraw his or her consent at any time, without affecting the lawfulness of the processing carried out on the basis of that consent before its withdrawal.

Right to object

The Data Subject may also object to the processing of his or her Personal Data at any time when his or her data is used for marketing purposes to send targeted advertising, or object to the sharing of his or her Personal Data with Third Parties, or when the processing is based on the legitimate interest we have, unless we can justify legitimate grounds that outweigh the rights and freedoms of the Data Subject or the establishment, exercise or defence of legal claims.

Digital heritage

Data Subjects have the right to define directives (general or specific) concerning the use of their Personal Data after their death.

Profiling

We do not make any fully automated decision that has a legal effect or significant impact on a Data Subject based on profiling activity concerning that person, except as required or permitted by applicable law, the performance of a contract, or the consent of the Data Subject, and appropriate safeguards are in place to protect the Data Subject's rights.

 

  1. To whom may we communicate your Personal Data?

Internal use: our employees

Your Personal Data may be processed by our employees, within the limits of their respective responsibilities, exclusively for the purposes set out in this Policy. In this case, our employees are committed to respecting the confidentiality of your Personal Data.

Disclosure to Third Parties

Personal Data is disclosed to Third Parties only to the extent that there is a legal justification for such sharing (e.g., the data subject has given consent, disclosure is necessary to perform a contract, pursuit of a legitimate purpose that does not infringe the data subject's fundamental rights, including the right to privacy). Disclosure is made on a strictly limited "need to know" basis with respect to the legal basis. If disclosure is necessary to comply with a legal obligation (e.g., for a government agency or police force/security service) or in connection with legal proceedings, Personal Data may generally be provided as long as the disclosure is limited to what is legally required and, if permitted by law, the Data Subject has been informed of the situation.

Our Data Processors

We rely on trusted service providers based in France to host our Solution (OVH). These hosting services offer industry-leading scalability, data availability, security and performance, with a documented business continuity plan. For the purposes outlined in this Policy, we also use services provided by several specialised companies including Hubspot, WALAAXY, Microsoft, INEXTENSO.

Administrative and judicial authorities

We may be required to communicate Personal Data to the competent administrative and judicial authorities in the context of legal requests.

 

  1. Is your Personal Data transferred outside the European Union?

In order to carry out the Purposes of Processing described in this Policy, we may use service providers located outside the European Union.

If the transfer takes place to a third country where the legislation has not been recognised as offering an adequate level of protection of Personal Data, we ensure that adequate measures are put in place in accordance with the Applicable Legislation, and in particular, where necessary, that standard contractual clauses or equivalent ad hoc clauses are included in the contract that we conclude with the sub-processor.

  1. How do we handle complaints?

 

 

 

We are committed to resolving legitimate privacy concerns of Data Subjects. We investigate all claims of potential or actual violations of this Policy or Applicable Legislation that come to our attention and will take all reasonable steps to limit their impact.

In the event of a complaint that is not satisfactorily resolved, we will cooperate with the appropriate data protection supervisory authorities and comply with their advice to resolve any outstanding complaint. If we or the data protection supervisory authorities determine that our company or one or more of our employees has not complied with the Policy, we will take appropriate steps to remedy the effects of such non-compliance and promote future compliance.

 

 

  1. Policy Change

We may modify, supplement or update this Policy to take into account any legal, regulatory, jurisprudential and/or technical developments. In the event of significant changes to the terms of this Policy (i.e., relating to the legal basis, the Purposes of Processing, or the exercise of rights), we undertake to inform you by any written means at least thirty (30) days before the effective date. Any access to the Site after this period will be subject to the terms of the new Policy. Any Data Subject whose Personal Data is subject to this Policy acknowledges that the only version of the Policy that is binding is the one that is online.

 

 

 

SITE PRIVACY POLICY

 

 

  1. How do we collect your Personal Data?

We collect your Personal Data in several ways:

 

  1. What Personal Data do we collect?

The Personal Data we collect on the Site are the following:

  • When you contact us: identification Data (first name, last name, professional email and, optionally, telephone number) and technical Data (time stamp, subject of the request, follow-up, statistics). We may also collect and process other Personal Data via the message you leave us in the free text field;
  • When you make an appointment with us: first name, last name and email address;
  • When you apply for a job offer: the Personal Data included in your CV and cover letter, i.e. first name, last name, date of birth, postal address, diplomas, studies and professional experience, a photograph;
  • When you subscribe to the newsletter: the email;
  • For the management and technical administration of the Site: time stamps, IP address, technical data relating to the equipment and browser used by the Users, cookies.

 

 

We respect the principles of minimisation and accuracy when collecting your Personal Data: thus, we ensure that the Personal Data we collect is relevant, adequate and not excessive in relation to the Purposes of Processing and its possible use. This means that only information that is necessary and relevant to the purposes sought can be collected and processed.

 

 

 

 

 

  1. What are the Purposes of Processing?

Site Management

Preparation of content publication

Putting the contact forms online

Management of the operation and security of the Site

Technical administration in connection with service providers (maintenance, hosting, domain name registrar)

Production of audience statistics

 

 

 

 

 

 

 

 

 

 

 

Personal Data will not be further processed in a manner incompatible with these Purposes of Processing.

 

Recruiting

Receipt and registration of applications sent to EASYPICKY via the Site

Management of recruitment procedures

Answers to the applicants

Creation of a CV library

Commercial prospecting

Commercial exchanges

Responses to solicitations on the Site

Contact us

Follow-up of prospects

Newsletter management

Preparation of contents

Subscription management

Management of electronic mailings

Management of requests received via the contact form and appointment booking of the Site

Receipt of requests via the site's contact form and requests for appointments

Management of responses and requests for appointments with the relevant departments of EASYPICKY

Integration of the person's contact details in Hubspot

Contact initiation with the person

 

  1. What is the legal basis for processing your Personal Data?

 

We only process Personal Data on a specifically identified legal basis.

For the Purposes of Processing carried out via the Site, it is:

 

  1. What security and confidentiality measures do we put in place to protect your Personal Data?

 

Technical and organisational measures implemented

We protect Personal Data collected, used, stored and disclosed by taking the necessary technical and organisational measures to ensure its security, integrity and absolute confidentiality. Technical and organisational measures in accordance with applicable standards are implemented to prevent accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, or any other form of unlawful or unauthorised processing. We implement these measures at the earliest stages of the design of processing operations, so as to protect the principles of confidentiality and data protection (‘Privacy by design’) from the outset. By default, we ensure that Personal Data is processed to protect privacy (e.g., by limiting its accessibility to only those who need to have access to it), so that Personal Data is not accessible to an indeterminate or excessive number of persons (‘Privacy by default’).

Selection of providers and partners

We choose service providers and partners who offer sufficient guarantees to implement technical and organisational measures that are at least as protective.

Documentation

We establish and maintain the necessary documentation to demonstrate compliance with all of our obligations under Applicable Legislation.

Personal Data breach

Where required by Applicable Legislation, we will notify the User and any Data Subject as well as the competent supervisory authority of any Personal Data breach within the legally required timeframe after becoming aware of it. We undertake to implement technical and organisational security measures to limit the impact of any Personal Data breach and to ensure that it does not recur.

Impact assessment

Before collecting, using, storing or disclosing Personal Data in a new system or project, we carefully define the Purposes of Processing and assess the privacy risks. Where the Processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, we will carry out a privacy impact assessment prior to its implementation and refrain from the Processing if this assessment reveals an incompatibility with the principles of the Applicable Legislation.

 

  1. How long do we keep your Personal Data?

We retain Personal Data for as long as necessary for the purposes for which it was collected and processed, after which we archive it for the applicable retention period as set forth in our retention policy. The purposes of such archiving and the corresponding retention periods are set out below:

 

Site Management

Data on the preparation of publications (orders, follow-up, editorial content) are kept for five years from the date of publication.

Data relating to exchanges with service providers are kept for five years after the end of the contract.

Recruiting

2 years for a candidate for employment

Commercial prospecting

3 years from the last active contact from the prospect

Newsletter management

As long as the data subject does not unsubscribe

Management of requests received via the contact form and appointment booking of the Site

The data collected via the webforms are kept for a maximum period of:

  • 5 years from receipt if the person becomes a client
  • 3 years for a prospect
  • 2 years for a candidate for employment

 

Any Third Party processing Personal Data on our behalf will retain it only as long as necessary for the purposes for which it was collected and processed and for other compatible purposes, which may include:

All reasonable steps are taken to ensure that Personal Data are kept in a sufficiently accurate and up-to-date form at each stage of processing.

We encourage you to help us keep your Personal Data up to date by exercising your rights, including access and rectification.

  1. What are your rights as a Data Subject?

We are receptive to requests relating to your Personal Data and, in accordance with the Applicable Legislation, we give you the possibility of accessing, rectifying, restricting and erasing your Personal Data. We also allow you to object to the processing of your Personal Data and to exercise your right to data portability.

To exercise your rights, please use the contact information provided above. You also have the right to lodge a complaint with the competent authority for the control of Personal Data, the “Commission Nationale de l'Informatique et des Libertés” (https://www.cnil.fr/fr/plaintes), if you consider that we have not respected your rights.

Right of access

We will provide access to all Personal Data relating to a Data Subject in accordance with the Applicable Legislation, the Purposes of Processing, the categories of Personal Data processed, the categories of recipients, the duration of data retention, the rights of rectification, deletion or restriction of the Personal Data consulted if applicable, etc.

Right of data portability

We may also provide a copy of any Personal Data we maintain in a compatible and structured format to enable the exercise of the right to data portability to the extent relevant under applicable law.

Right of rectification

Data Subjects may ask us to correct, amend or delete any incomplete, outdated or inaccurate Personal Data.

Right to erasure (‘right to be forgotten’)

Data Subjects may request the deletion of their Personal Data (i) if such Personal Data is no longer necessary for the purposes of the data processing, (ii) the Data Subject has withdrawn his or her consent to the processing based solely on such consent, (iii) the Data Subject has objected to the processing, (iv) the processing of the Personal Data is unlawful, or (v) the Personal Data must be deleted to comply with a legal obligation applicable to us.

Right of limitation

Data Subjects may request the limitation of their Personal Data (i) in case of a challenge to the accuracy of the Personal Data in order to allow us to verify such accuracy, (ii) if the Data Subject wishes to limit the Personal Data rather than delete it despite the fact that the processing is unlawful, (iii) if the Data Subject wishes us to retain the Personal Data because it is needed for his or her defence in the context of claims.

Right to withdraw consent

Where the processing of Personal Data is based on the consent of the Data Subject, the Data Subject may withdraw his or her consent at any time, without affecting the lawfulness of the processing carried out on the basis of that consent before its withdrawal.

Right to object

The Data Subject may also object to the processing of his or her Personal Data at any time when his or her data is used for marketing purposes to send targeted advertising, or object to the sharing of his or her Personal Data with Third Parties, or when the processing is based on the legitimate interest we have, unless we can justify legitimate grounds that outweigh the rights and freedoms of the Data Subject or the establishment, exercise or defence of legal claims.

Digital heritage

Data Subjects have the right to define directives (general or specific) concerning the use of their Personal Data after their death.

Profiling

We do not make any fully automated decision that has a legal effect or significant impact on a Data Subject based on profiling activity concerning that person, except as required or permitted by applicable law, the performance of a contract, or the consent of the Data Subject, and appropriate safeguards are in place to protect the Data Subject's rights.

 

 

  1. To whom may we communicate your Personal Data?

Internal use: our employees

Your Personal Data may be processed by our employees, within the limits of their respective responsibilities, exclusively for the purposes set out in this Policy. In this case, our employees are committed to respecting the confidentiality of your Personal Data.

Disclosure to Third Parties

Personal Data are disclosed to Third Parties only to the extent that there is a legal justification for such sharing (e.g., the data subject has given consent, disclosure is necessary to perform a contract, pursuit of a legitimate purpose that does not infringe the data subject's fundamental rights, including the right to privacy). Disclosure is made on a strictly limited "need to know" basis with respect to the legal basis. If disclosure is necessary to comply with a legal obligation (e.g., for a government agency or police force/security service) or in connection with legal proceedings, Personal Data may generally be provided as long as the disclosure is limited to what is legally required and, if permitted by law, the Data Subject has been informed of the situation.

Our Data Processors

We rely on trusted service providers based in France for hosting (OVH). These hosting services offer industry-leading scalability, data availability, security and performance, with a documented business continuity plan. For the purposes outlined in this Policy, we also use services provided by several specialised companies including Salesforce, Hubspot, WALAAXY, Google, Microsoft.

Administrative and judicial authorities

We may be required to communicate Personal Data to the competent administrative and judicial authorities in the context of legal requests.

 

  1. Are your Personal Data transferred outside the European Union?

In order to carry out the Purposes of Processing described in this Policy, we may use service providers located outside the European Union.

If the transfer takes place to a third country where the legislation has not been recognised as offering an adequate level of protection of Personal Data, we ensure that adequate measures are put in place in accordance with the Applicable Legislation, and in particular, where necessary, that standard contractual clauses or equivalent ad hoc clauses are included in the contract that we conclude with the sub-processor.

  1. Links to Third Party websites

The Site may contain hyperlinks to Third Party websites (including social networking sites). Please note that if you follow these links, the websites and services provided will be governed by their own terms of use and privacy policies. We will not be held responsible for the non-conformity of their terms of use and privacy policies with the Applicable Legislation.

 


We advise you to review the privacy policies and terms of use applicable to these websites before providing your Personal Data and using these websites.

 

  1. How do we handle complaints?

We are committed to resolving legitimate privacy concerns of Data Subjects. We investigate all claims of potential or actual violations of this Policy or Applicable Legislation that come to our attention and will take all reasonable steps to limit their impact.

 


In the event of a complaint that is not satisfactorily resolved, we will cooperate with the appropriate data protection supervisory authorities and comply with their advice to resolve any outstanding complaint. If we or the data protection supervisory authorities determine that our company or one or more of our employees has not complied with the Policy, we will take appropriate steps to remedy the effects of such non-compliance and promote future compliance.

 

  1. Policy Change

We may modify, supplement or update this Policy to take into account any legal, regulatory, jurisprudential and/or technical developments. In the event of significant changes to the terms of this Policy (i.e., relating to the legal basis, the Purposes of Processing, or the exercise of rights), we undertake to inform you by any written means at least thirty (30) days before the effective date. Any access to the Site after this period will be subject to the terms of the new Policy. Any Data Subject whose Personal Data is subject to this Policy acknowledges that the only version of the Policy that is binding is the one that is online.

BY VISITING THE SITE, CONTACTING US, SUBSCRIBING TO THE NEWSLETTER AND GENERALLY USING THE FUNCTIONALITIES AVAILABLE ON THE SITE, YOU AGREE TO THE TERMS AND CONDITIONS MENTIONED IN THIS POLICY.

  1. The cookies present on the Site

We use cookie technologies on the Site to enable us to evaluate and improve the functionalities of the Site and the Solution. We may also use cookies for advertising or analytical purposes, subject to your consent and choice, using our cookie settings tool.


For more information on how we use cookies, please see our cookie policy available here.

 

 

EASYPICKY'S PRIVACY POLICY AS A DATA PROCESSOR

EASYPICKY acts as a Data Processor in only one case:

When it processes data collected within the Solution on behalf of its clients

 "Privacy Policy of the Solution"

 

 

PRIVACY POLICY OF THE SOLUTION

How do we collect your Personal Data?

We collect your Personal Data in several ways:

 

  1. What Personal Data do we collect?

 

The Personal Data we collect on the Solution are the following:

  • When you create a User account: Identification and contact information (last name, first name, business phone number, business email address, password);
  • When you use the Solution: all the usage data of the Solution (connection data, data filled in on the free text fields).

 


We respect the principles of minimisation and accuracy when collecting your Personal Data: thus, we ensure that the Personal Data we collect is relevant, adequate and not excessive in relation to the Purposes of Processing and its possible use. This means that only information that is necessary and relevant to the purposes sought can be collected and processed.

  1. Who is the Data Controller?

When you create a User Account or as part of the operation of the Solution, the Data Controller is the client whose use of the Solution involves the processing of your Personal Data, and we act as a Data Processor on behalf of that Data Controller (the ‘Initial Processing’). In this context, we only follow the instructions of the Data Controller.

In some cases that also concern your Personal Data processed in the course of operating the Solution, we act as a Data Controller, for example when we process data for the purposes of prevention and detection of fraud and malware, management of security incidents, creation of statistics, and improvement of the Solution (‘Further Processing’). Such Further Processing is compatible with the Initial Processing given (among other things) the link between the two (use and improvement of the Solution), the nature of the Personal Data involved (absence of Sensitive Data), the limited consequences of the Further Processing for the Data Subjects, and the existence of appropriate safeguards that we implement as part of such processing.

 

  1. What are the Purposes of Processing?

 

 

Provide the Solution

 

Delivering the Solution to clients

Manage the forms of the Solution

Train the Users

Hosting clients' data

Resolve bugs and incidents

Anonymise Personal Data

 


 

Personal Data will not be further processed in a manner incompatible with these Processing Purposes.

 

 

  1. What is the legal basis for processing your Personal Data?

 

We only process Personal Data on a specifically identified legal basis.

For the Solution, it is:

 

  1. What security and confidentiality measures do we put in place to protect your Personal Data?

 

Technical and organisational measures implemented

We protect Personal Data collected, used, stored and disclosed by taking the necessary technical and organisational measures to ensure its security, integrity and absolute confidentiality. Technical and organisational measures that comply with applicable standards are implemented to prevent accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, or any other form of unlawful or unauthorised processing. We implement these measures at the earliest stages of the design of processing operations, so as to protect the principles of confidentiality and data protection (‘Privacy by design’) from the outset. By default, we ensure that Personal Data is processed to protect privacy (e.g., by limiting its accessibility to only those who need to have access to it), so that Personal Data is not accessible to an indeterminate or excessive number of persons (‘Privacy by default’).

Selection of providers and partners

We choose service providers and partners who offer sufficient guarantees to implement technical and organisational measures that are at least as protective.

Documentation

We establish and maintain the necessary documentation to demonstrate compliance with all of our obligations under Applicable Legislation.

Personal Data Breach

Where required by Applicable Legislation, we will notify the User and any Data Subject as well as the competent supervisory authority of any Personal Data breach within the legally required timeframe after becoming aware of it. We undertake to implement technical and organisational security measures to limit the impact of any Personal Data breach and to ensure that it does not recur.

Impact assessment

Before collecting, using, storing or disclosing Personal Data in a new system or project, we carefully define the Purposes of Processing and assess the privacy risks. Where the Processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, we will carry out a privacy impact assessment prior to its implementation and refrain from the Processing if this assessment reveals an incompatibility with the principles of the Applicable Legislation.

 

  1. How long do we keep your Personal Data?

We retain Personal Data for as long as necessary for the purposes for which it was collected and processed, after which we archive it for the applicable retention period as defined in our retention policy. The retention periods are set forth below:

 

Provide the Solution

The data is kept for the duration of the contract concluded with the client, then it is anonymised.

 

Any Third Party processing Personal Data on our behalf will retain it only as long as necessary for the purposes for which it was collected and processed and for other compatible purposes, which may include:

All reasonable steps are taken to ensure that Personal Data is kept in a sufficiently accurate and up-to-date form at each stage of processing.

We encourage you to help us keep your Personal Data up to date by exercising your rights, including access and rectification.

  1. What are your rights as a Data Subject?

We are receptive to requests relating to your Personal Data and, in accordance with the Applicable Legislation, we give you the possibility of accessing, rectifying, restricting and erasing your Personal Data. We also allow you to object to the processing of your Personal Data and to exercise your right to data portability.

To exercise your rights, please use the contact information provided above. You also have the right to lodge a complaint with the competent authority for the control of Personal Data, the ‘Commission Nationale de l'Informatique et des Libertés (https://www.cnil.fr/fr/plaintes)’ if you consider that we have not respected your rights.

 

Right of access

We will provide access to all Personal Data relating to a Data Subject in accordance with the Applicable Legislation, the Purposes of Processing, the categories of Personal Data processed, the categories of recipients, the duration of data retention, the rights of rectification, deletion or restriction of the Personal Data consulted if applicable, etc.

Right of data portability

We may also provide a copy of any Personal Data we maintain in a compatible and structured format to enable the exercise of the right to data portability to the extent relevant under applicable law.

Right of rectification

Data Subjects may ask us to rectify, amend or delete any incomplete, outdated or inaccurate Personal Data.

Right to erasure (right to be forgotten)

Data Subjects may request the deletion of their Personal Data (i) if such Personal Data is no longer necessary for the purposes of the data processing, (ii) the Data Subject has withdrawn his or her consent to the processing based solely on such consent, (iii) the Data Subject has objected to the processing, (iv) the processing of the Personal Data is unlawful, or (v) the Personal Data must be deleted to comply with a legal obligation applicable to us. The deletion of a User's Personal Data may cause major malfunctions of the Solution.

Right of limitation

Data Subjects may request the limitation of their Personal Data (i) in case of a challenge to the accuracy of the Personal Data in order to allow us to verify such accuracy, (ii) if the Data Subject wishes to limit the Personal Data rather than delete it despite the fact that the processing is unlawful, (iii) if the Data Subject wishes us to retain the Personal Data because it is needed for his or her defence in the context of claims.

Right to withdraw consent

Where the processing of Personal Data is based on the consent of the Data Subject, the Data Subject may withdraw his or her consent at any time, without affecting the lawfulness of the processing carried out on the basis of that consent before its withdrawal.

Right to object

The Data Subject may also object to the processing of his or her Personal Data at any time when his or her data is used for marketing purposes to send targeted advertising, or object to the sharing of his or her Personal Data with Third Parties, or when the processing is based on the legitimate interest we have, unless we can justify legitimate grounds that outweigh the rights and freedoms of the Data Subject or the establishment, exercise or defence of legal claims.

Digital heritage

Data Subjects have the right to define directives (general or specific) concerning the use of their Personal Data after their death.

Profiling

We do not make fully automated decisions that have a legal effect or significant impact on a Data Subject based on profiling of that person, except as required or permitted by applicable law, the performance of a contract, or the consent of the Data Subject, and appropriate safeguards are in place to protect the Data Subject's rights.

 

  1. To whom may we communicate your Personal Data?

Internal use: our employees

Your Personal Data may be processed by our employees, within the limits of their respective responsibilities, exclusively for the purposes set out in this Policy. In this case, our employees are committed to respecting the confidentiality of your Personal Data.

Disclosure to Third Parties

Personal Data is disclosed to Third Parties only to the extent that there is a legal justification for such sharing (e.g., the data subject has given consent, disclosure is necessary to perform a contract, pursuit of a legitimate purpose that does not infringe the data subject's fundamental rights, including the right to privacy). Disclosure is made on a strictly limited "need to know" basis with respect to the legal basis. If disclosure is necessary to comply with a legal obligation (e.g., for a government agency or police force/security service) or in connection with legal proceedings, Personal Data may generally be provided as long as the disclosure is limited to what is legally required and, if permitted by law, the Data Subject has been informed of the situation.

Our Data Processors

We rely on trusted service providers based in France for hosting (OVH). These hosting services offer scalability, data availability, security and industry-leading performance, with a documented business continuity plan. In the context of the purposes set out in this Policy, we also use the services provided by several specialised companies, including APPKNOX, SENTRY, Microsoft and Click Up.

Administrative and judicial authorities

We may be required to communicate Personal Data to the competent administrative and judicial authorities in the context of legal requests.

 

  1. Is your Personal Data transferred outside the European Union?

In order to carry out the Purposes of Processing described in this Policy, we may use service providers located outside the European Union.

If the transfer takes place to a third country where the legislation has not been recognised as offering an adequate level of protection of Personal Data, we ensure that adequate measures are put in place in accordance with the Applicable Legislation, and in particular, where necessary, that standard contractual clauses or equivalent ad hoc clauses are included in the contract that we conclude with the subprocessor.

  1. How do we handle complaints?

We are committed to resolving legitimate privacy concerns of Data Subjects. We investigate all claims of potential or actual violations of this Policy or Applicable Legislation that come to our attention and will take all reasonable steps to limit their impact.

If a Data Subject lodges a complaint about the processing of his or her Personal Data or that of another person and the complaint is not satisfactorily resolved, we will cooperate with the appropriate data protection supervisory authorities and comply with the advice of those authorities to resolve any outstanding complaint. If we or the data protection supervisory authorities determine that our company or one or more of our employees has not complied with this Policy, we will take appropriate steps to remedy the effects of such non-compliance and promote future compliance.

  1. Policy Change

We may modify, supplement or update this Policy to take into account any legal, regulatory, jurisprudential and/or technical developments. In the event of significant changes to the terms of this Policy (i.e., relating to the legal basis, the Purposes of Processing, or the exercise of rights), we undertake to inform you by any written means at least thirty (30) days before the effective date. Any access and use of the Solution after this period will be subject to the terms of the new Policy. Any Data Subject whose Personal Data is subject to this Policy acknowledges that the only version of the Policy that is binding is the one that is online.

 

BY CREATING A USER ACCOUNT AND GENERALLY USING THE SOLUTION, YOU AGREE TO THE TERMS AND CONDITIONS OUTLINED IN THIS POLICY.


 