PRIVACY AND DATA PROTECTION POLICY
STERIGENE has drawn up this Data Protection Policy and makes it available to all of its stakeholders so that any individual, whether an employee or not and whether or not they use STERIGENE’s services, can at any time consult the commitments made and the practices implemented by STERIGENE with regard to the personal data entrusted to it.
1. General commitment in principle
STERIGENE undertakes to process all data collected in a manner that complies with applicable data protection law, namely French Law No. 78-17 of 6 January 1978 as amended and the General Data Protection Regulation (EU) 2016/679 of 27 April 2016, both of which are hereinafter referred to as the “Regulation”.
This general data protection policy addresses:
• The Beneficiaries of STERIGENE’s services,
• Professionals, partners of STERIGENE,
• Natural persons who are customers or prospects of STERIGENE,
• Employees of STERIGENE,
• Candidates wishing to join STERIGENE,
• Internet users browsing the STERIGENE website.
2. Definitions and terminology according to the Regulation
• Personal data processing is an operation or an organised set of operations carried out on personal data (collection, structuring, storage, modification, communication, etc.).
• Personal data is any information that makes it possible to identify a natural person, either directly (e.g. surname and first name) or indirectly (e.g. telephone number, contract number, initials or a pseudonym).
• The data subject is the natural person who can be identified by the data used in a processing operation.
• The controller is the person or organisation that decides how the personal data will be processed, in particular by determining the purposes for which the data will be used and the means (tools) used to process it.
• The processor is the person or organisation that performs operations on the data on behalf of the controller. The processor signs a contract with the controller, who entrusts it with specific tasks and ensures that it provides the technical and organisational guarantees that allow it to process the personal data entrusted to it in accordance with the Regulation.
• The recipient is the person or organisation to whom the personal data is disclosed under an authorisation.
3. STERIGENE’s commitment as data controller
STERIGENE is responsible for the processing implemented in the context of its business activities and, in this capacity, makes the following commitments:
• Personal data is collected for specified, explicit and legitimate purposes (objectives) connected with STERIGENE’s activities, as stated each time such data is collected, and is not further processed in a manner incompatible with those purposes, in accordance with the purpose limitation principle of Article 5(1)(b) of the Regulation.
• Personal data is communicated or transferred only to authorised recipients, within the strict framework of the defined purposes; it is not passed on to third parties outside that framework.
• Where personal data is entrusted to processors, they are selected on the basis of appropriate technical and organisational guarantees, so as to ensure the protection of the data entrusted to them, which they process only on STERIGENE’s instructions.
• Data subjects shall be informed in advance and on a regular basis, in a clear and transparent manner, in particular about the purpose for which their data will be used, the optional or obligatory nature of their answers in the forms, the data protection rights they have and the arrangements for the effective exercise of those rights, and of the recipients.
• Whenever required by the Regulation, the data subject’s explicit, informed, active and unequivocal consent is obtained for the processing of his or her personal data.
• To ensure that the personal data collected is protected, appropriate security measures are implemented by STERIGENE, its support services and its contracted subcontractors.
• STERIGENE and its processors are committed to preventing personal data breaches and, should a breach nevertheless occur, to taking all protective and corrective measures, notifying the CNIL without undue delay (within 72 hours of becoming aware of the breach, as Article 33 of the Regulation requires) and, where the breach is likely to result in a high risk to them, informing the persons concerned.
At STERIGENE, all employees and stakeholders are made aware of the principles of data protection laid down by the Regulation, through regular information adapted to their role and responsibilities.
Employees only have access to the information necessary for their business. Sensitive data is subject to specific clearances and controls.
4. Data Protection Officer
Given the size of the company, STERIGENE has not considered it appropriate to appoint a data protection officer. A steering committee ensures compliance with the Regulation and with the rules described in this Privacy and Data Protection Policy.
In particular, the steering committee shall ensure that:
• a register of the personal data processing operations carried out within the company is established and kept up to date,
• practices comply with regulations and changes in regulations,
• all STERIGENE teams are aware of the requirements and good practices for personal data protection,
• data subjects can effectively exercise their rights.
The steering committee dedicated to data protection can be reached at the following address:
– By email: firstname.lastname@example.org
– By post:
Comité de pilotage RGPD
2 RUE ANDRE CITROEN
5. How the data you entrust to us is used
STERIGENE uses personal data for the following main purposes:
• To manage its customer portfolio and its prospects,
• To provide online services to professionals (B2B) via services accessible from their providers’ websites or via mobile applications,
• Human resources and recruitment management,
• To manage external professional contacts, including information for professionals and the general public,
• Statistical analysis of its activities,
• Commercial canvassing of professionals and other natural persons, subject to their consent,
• To implement continuing vocational training programmes.
The above processing operations are based on one of the legal bases provided for by the Regulation: they are necessary for the performance of a contract between the data subject and STERIGENE, for compliance with a legal obligation, or for the purposes of a legitimate interest pursued by STERIGENE (such as informing business contacts about STERIGENE’s activities), or, in certain cases, they rely on the explicit consent of the data subject.
6. Recipients of the data you entrust to us
On a case-by-case basis, STERIGENE determines the recipients of the data according to their duties and their entitlement to receive the data for the purposes described in the “How the data you entrust to us is used” section above. As a matter of principle, only those who require the personal data in the course of their duties have access to it.
7. Retention period for personal data
Data is not kept beyond the period necessary for the purposes for which it was collected, taking into account the nature of the processing and the requirements of the applicable law and regulations.
STERIGENE has established rules on how long the personal data of data subjects is kept, in order to limit retention to what is strictly necessary. By way of example:
• Personal data collected from the parties involved in the implementation of projects and contracts:
o Retention period: for the duration of the project and the contract, then the data is archived for a minimum of 10 years
• Personal data collected from employees during the course of their careers within the company:
o Legal administrative duration provided for by law
At the end of the fixed period, and as the case may be, the personal data shall be subject, in compliance with the applicable Regulation, to one of these measures:
8. Security measures implemented to protect data entrusted to us
Data security relates to the measures taken to protect personal data that is transmitted, stored or otherwise processed from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.
In order to guarantee the security of personal data, STERIGENE and its processors implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, so as to ensure a level of security appropriate to the risk. In particular, and whenever necessary, the following measures have been taken:
• encryption of personal data
• the deployment of means to guarantee the confidentiality and integrity of data
9. Your rights over the data you entrust to us
Each data subject has the following rights:
• to access his/her data (right of access): the data subject may ask STERIGENE directly whether it holds any information about him/her and request a copy of that data,
• to request its rectification (right to rectification): the data subject may request the correction of inaccurate information concerning him/her; the right to rectification complements the right of access,
• to request the erasure of his/her data (right to erasure): the data subject may request the deletion of information relating to him/her, on one of the grounds provided for in the Regulation,
• to request the restriction of the processing of his/her data (right to restriction of processing): the data subject may obtain the restriction of the processing of his/her data, on one of the grounds provided for in the Regulation,
• to request the portability of his/her data (right to data portability): the data subject may ask to receive the data he/she has provided to STERIGENE in a structured, commonly used and machine-readable format, or ask STERIGENE to transmit it to another controller, under the conditions provided for in the Regulation,
• to give instructions on what should happen to his/her data after his/her death (post-mortem directives, as provided for by French law).
The data subject may also object, on legitimate grounds, to the processing, dissemination, transmission, storage or hosting of his or her data.
For more information on the meaning of these rights, the CNIL has created a section dedicated to understanding your rights: https://www.cnil.fr/fr/comprendre-vos-droits.
To exercise these rights, the data subject may contact STERIGENE:
– By email: email@example.com
– By post:
Comité de Pilotage RGPD
2 RUE ANDRE CITROEN
In order to facilitate the procedure and, in particular, to speed up the processing of the request, STERIGENE asks each data subject, when sending a request to exercise his/her rights, to:
• indicate which right(s) he/she wishes to exercise,
• clearly state the surname, first name and contact details to which he/she would like the answer to be sent,
• attach a copy of proof of identity, so that STERIGENE can verify that the request comes from the data subject concerned.
10. Complaints to the CNIL
Each data subject has the right to lodge a complaint with a data protection supervisory authority.
In France, this authority is the CNIL, whose contact details are as follows:
– Website: https://www.cnil.fr/
– Phone: +33 (0)1 53 73 22 22
– By post:
CNIL
3 Place de Fontenoy
75334 PARIS CEDEX 07