Personal Data Protection policy

Personal Data Protection

To ensure all stakeholders’ personal data is protected, Efalia, the Data Controller, implements the following principles:

• From the design of products and services, the principles of “Privacy by Design” and “Privacy by Default” are applied to ensure that the products and services offered include the appropriate security protection processes and that they are implemented automatically.
• When performing its activities, Efalia implements technical and organisational measures to ensure the protection of personal data when held by Efalia.

1. Processing purposes

Personal data may be collected within the framework of several different processing operations, with the aim of:

• Replying to requests submitted via the forms or the available contact methods,
• Contacting the user about customer satisfaction surveys or market studies, with a view to market research, the communication of information or invitations to events,
• Personalising interactions with our websites, facilitating browsing and compiling statistics about the use of our websites,
• Developing a partnership,
• Processing transactions with the various contacts at Efalia as part of a contract or purchase,
• Collecting user feedback about all of Efalia’s services,
• Applying for a job at Efalia,
• Analysing the use of Efalia’s websites and services for trend monitoring, marketing and advertising purposes,

Efalia implements data processing operations to provide an appropriate response to the requests submitted, except for the prospecting activities, which are based on the prior consent of users.

Viewing the website, filling in the forms, receiving messages and taking part in Efalia prospecting campaigns are of course optional. The data that must be entered on the forms allows us to re-contact users and meet their needs as effectively as possible.

2. Collection and use of personal data

Efalia undertakes only to collect the data strictly necessary for the performance of its activities, in this context:

1. Personal data is collected directly from users and is used only for the explicit purposes that have been brought to their attention.
2. In the event that optional data is requested, Efalia will clearly inform users about the personal data required to perform the selected service and any data (optional) voluntarily provided by them.
3. Personal data may be used to offer other services to users, only if they have confirmed their acceptance thereof.
4. Personal data provided by stakeholders:

• is used by Efalia only as part of its services as a Data Controller;
• is not used for prospecting, including profiling;
• is retained in France in secure data centres;
• may be transmitted to French or European service providers as part of subcontracted services.

3. Relevance of the data

Efalia collects and processes personal data in an honest and lawful manner. The data collected by Efalia may include the following categories:

• Identity (surname, first name, contact details)
• Private life (contact details, hobbies when indicated on a CV)
• Professional life (position, post, company)
• Connection data (cookies)
• Location data (based on the IP address used to connect to the website)

Efalia makes sure that the data are updated throughout the processing so that they do not become obsolete.

4. Limited retention of data

Efalia does not keep the personal data longer than required for the purposes of processing, while respecting the legal and statutory limits applicable.

• If the data subject is a Customer, the data will be retained for the term of the contract, and for three years after its expiry, unless there are specific legal constraints.
• If the data subject is a Prospect, the data will be retained for three years from the date of the last contact, unless there are specific legal constraints.
• If the data subject is an applicant for a vacancy at Efalia, the application data will be retained for two years, unless you are hired by Efalia.

5. Limited access to data

In connection with the access management policy, only duly authorised recipients can access the information required for their activity. Efalia defines the rules of access and confidentiality applicable to the personal data processed.

6. Security

Efalia determines and implements the means required to protect the processing of personal data, to avoid any access by an unauthorised third party and prevent any loss, corruption or disclosure of data.

7. Cookies

In order to optimise and improve the quality of the services proposed to you and ensure they meet your expectations, Efalia is likely to use cookies. By accessing and browsing Efalia’s websites, users are asked for their consent to the implementation and use of cookies on their browser. By accepting, the user acknowledges that they have read the information provided concerning the use of these cookies, and the means available to disable them.

8. Data Protection Officer (DPO)

Efalia has appointed a Data Protection Officer (DPO). The DPO ensures compliance with the GDPR at Efalia, supports the teams during processing, helps to analyse requests linked to personal data protection, and informs and raises the awareness among employees.

The DPO has the organisational measures and means required to manage Efalia’s compliance.

9. Notification and exercising of the rights of data subjects

Before processing the data, Efalia informs the data subjects and guarantees the exercise of their rights under the GDPR.

The user and legal persons, within the framework of the activities included in the processing purposes implemented by Efalia as the Data Controller, may at any time request to exercise the rights described in Chapter 3 of the European GDPR Regulation:

• Right of access: data subjects may obtain information about the personal data being processed;
• Right of rectification: data subjects may request the updating of their personal data or have their personal data rectified.
• Right of objection: data subjects may object to processing operations.
• Right to erasure: data subjects may request the erasure of their personal data
• Right to limitation: data subjects may request the suspension of the processing of their personal data
• Right to portability: data subjects may request to retrieve their personal data to make use thereof.

To exercise these rights, data subjects may contact:

• using the contact forms on the company website https://www.efalia.com
• the Efalia DPO, by sending a letter to: DPO Efalia 210, avenue Jean Jaurès 69007 LYON, France or by sending an email to: donneespersonnelles@efalia.com.

With regard to the right of access, the user  and legal persons (companies) may also, at any time, ask about:

• the identity and contact details of the data controller and, where appropriate, the data controller’s representative,
• the contact details of the data protection officer,
• the personal data held by Efalia and the collection method,
• the purposes of the processing for which the personal data is collected and the legal basis for the processing,
• the recipients or categories of recipients of the personal data, if any,
• where applicable, the fact that the data controller intends to carry out a transfer of personal data to a third country or an international organisation.

In order to check the legitimacy of the request, a signed message accompanied by a photocopy of a valid identity document bearing your signature may be requested as well as the contact details of the applicant, in order to respond to the request.

When responding, Efalia will provide additional information in order to justify their fair and transparent processing of the data.

In the event of a security incident affecting the personal data (destruction, loss, alteration or disclosure), Efalia undertakes to comply with the obligation to notify personal data breaches, in particular to the French Data Protection Agency, CNIL.