Privacy Policy / GDPR Charter

Disclaimer: This is a translated version. In case of discrepancies, the original French version shall prevail.

Who are we?

Fenritec
Simplified joint-stock company with share capital of €30,000.00

Address
3 Allée des Lilas
54650 Saulnes
France

SIREN: 894 082 031 RCS Val de Briey

1. Glossary

Client: legal or natural person registered in one of Fenritec’s information systems.

Contract: contractual set, written or not, of which this Charter forms an integral part.

Personal Data (or Data of a Personal Nature, or Data): information relating to an identified or identifiable natural person, directly or indirectly, by reference to a name, an identification number, or one or more elements specific to them, as defined by the Regulations, including metadata.

Data Subject: natural person to whom the Personal Data relates.

Service: service(s) entrusted to the Provider by the Client under the Contract.

Parties: the Client and the Provider as defined in the Contract.

Provider: legal or natural person who may be required to participate in the Processing of Personal Data in connection with the Contract.

Regulations: all applicable laws and regulations in France on the protection of Personal Data, including Law “Informatique et Libertés” No. 78-17 of January 6, 1978, as amended in 2004, the GDPR, and their subsequent texts.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, applicable as of May 25, 2018.

Processing: any operation or set of operations performed upon Personal Data, regardless of the method used, including collection, recording, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, linking or interconnection, as well as locking, erasure, or destruction, or any operation designated as “Processing” by the Regulations.

Personal Data Breach: breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

2. Purpose

This Charter defines the conditions under which Fenritec may perform Processing in the performance of the Contract, whether involving (i) Personal Data obtained from the Client or (ii) data collected from third parties or directly from the Data Subjects.

This Charter enters into force upon registration with a Fenritec service or, failing that, upon receipt of any “Personal Data” or access to such “Data” by the Provider or any person acting on its behalf, and remains applicable until the end of the Processing(s), materialized by the permanent deletion of “Personal Data” as provided by this Charter, or failing that, with the prior, express, and written consent of the Controller within the meaning of the Regulations.

This Charter shall prevail, where applicable, over all other contractual documents governing the Processing of Personal Data signed or even simply exchanged between the Parties.

In their contractual relations, the Parties agree to comply with applicable regulations on the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, applicable from May 25, 2018 (hereinafter, “the European Data Protection Regulation”).

3. Respect for Purposes

Fenritec processes Data exclusively within the purposes defined in the Contract or made necessary by its performance, and must comply with its obligations under the Regulations and this Charter.

Fenritec ensures compliance with this Charter by its staff and its subcontractors or joint controllers.

It will provide the Client, upon request, with the list of subcontractors or joint controllers involved in the Processing.

As of this document’s date, Fenritec delegates the hosting of its IT infrastructures (data centers) to:

  • OVH S.A.S., registered with RCS Lille Métropole 424 761 419;
  • Scaleway S.A.S., registered with RCS Paris 433 115 904.

Fenritec reserves the right to add other hosting providers to this list as long as the parent company is headquartered in France or the European Union and subject to the GDPR. Any such change will be notified to the Client.

4. Rules for the Use of “Personal Data”

4.1. Personal Data Regulation

Fenritec (i) acknowledges awareness of the Regulations applicable on the date of signing this Charter, (ii) undertakes to stay informed of changes to the Regulations throughout the Client relationship, and (iii) ensures compliance.

In particular, Fenritec declares:
· having appointed a Data Protection Officer (“DPO”) and committing to disclose their name to the Client and the supervisory authority when required by law;
· having created a dedicated contact form for any questions or complaints regarding “Personal Data” to respond to Client requests;
· maintaining a register for all categories of Personal Data Processing carried out on behalf of the Client, with a description of technical and organizational security measures.

As of July 21, 2021, the DPO is Mr. Nicolas Philippe Schwartz.

4.2. Processing Purpose

Fenritec is prohibited from using Personal Data for purposes other than those expected and specified in the Client contract and this Charter.

4.3. Confidentiality of Personal Data

Fenritec takes all necessary precautions to preserve the confidentiality of Personal Data and, in particular, undertakes not to:
· Copy documents or media entrusted to it, except those necessary for Processing, in which case the Provider informs the Client;
· Disclose Personal Data to others, whether private or public, physical or legal persons, except upon request of authorized third parties under a justified official process, only after verifying the legal basis and informing the Client;
· Transfer, rent, transmit, or make available to any third party, for any reason, Personal Data provided by the Client or a third party on the Client’s instructions.

4.4. Integrity and Security of Personal Data

4.4.1. Security Measures

In accordance with the Regulations, Fenritec undertakes to take all necessary security measures to ensure the safeguarding, preservation, and integrity of processed Personal Data, both in transit and within its databases and file systems.

Such measures include, among others:
· pseudonymizing and encrypting Personal Data;
· ensuring confidentiality, integrity, availability, and resilience of systems and processing services;
· restoring availability of Personal Data and Processing promptly in case of incidents;
· testing and evaluating security measures regularly;
· ensuring security of access and interfaces in case of access to or exchange with the Client’s Information System;
· preventing misuse, fraud, damage, or unauthorized disclosure of Personal Data.

Fenritec will report to CNIL any major breach directly affecting a client or any Personal Data Breach within 72 hours of detection.

If the incident poses a high risk to the privacy of affected individuals, Fenritec will also notify the Client within the same timeframe.

Fenritec declares that it has implemented, and will continue to implement, technical and organizational security measures within an Information Systems Security Policy (ISSP).

4.4.2. Control Measures

The Client reserves the right, under the conditions indicated, to carry out any checks via (a) questionnaire, (b) on-site audit, or (c) penetration test, to verify Fenritec’s compliance and to enable the Client to conduct a privacy impact assessment. Execution of such requests may be billed depending on workload.

a. Questionnaire

The Client may send the Provider, before and during the performance of the Contract, a questionnaire or summary report to be completed, intended to collect information relating to the Processing. This request must be motivated by:

  • understanding the information systems and processes likely to impact any Personal Data;
  • and/or security or reliability needs required for Personal Data Processing.

Fenritec will complete the questionnaire or summary report sincerely and accurately and return it to the Client within thirty (30) calendar days of receipt.

b. On-site Audit

Throughout the performance of the Contract, Fenritec shall retain and preserve, according to best practices, the information and documents necessary to respond to an audit request. These will be archived so that the Client may, once per year at most, and with at least thirty (30) calendar days’ prior notice, appoint an independent third-party auditor jointly designated by the Parties to conduct an audit. The appointed auditor must, in a written declaration, sign a confidentiality agreement.

The audit mission shall cover verification of Processing compliance with this Charter in one of the following areas:

  • application of security and backup procedures for Personal Data;
  • control of physical and logical security of servers processing the Data;
  • traceability of Personal Data flows and location of their hosting, backup, and processing sites.

In the event anomalies are identified, Fenritec undertakes to correct them at its own expense to render the Processing compliant with best practices and applicable Regulations, within a reasonable timeframe.

4.5. Transfer of Personal Data

Unless expressly authorized by the Client through safeguards compliant with the Regulations, no transfer or Processing of Personal Data outside the European Union by Fenritec shall take place, including hosting, backup, and archiving of the database containing Personal Data.

Thus, all servers and tools used in the Processing, including the administration and access console, must be located in the European Union. Otherwise, the Client reserves the right to terminate the Contract with immediate effect.

4.6. Duration of Processing

Fenritec shall not retain Personal Data unnecessary to the execution of services beyond a reasonable period in line with Regulations. For example:

  • Connection and user action logs are retained actively for 3 months and archived for 1 year for judicial authorities upon request.
  • After this period, and only after returning to the Client the Personal Data collected, Fenritec shall delete said data unless required to archive it under applicable laws (Commercial Code, Civil Code, Consumer Code, etc.).

The Client may request Fenritec to delete all its Personal Data, in accordance with GDPR. Fenritec shall issue a certificate of destruction within seven (7) calendar days of said operation.

Fenritec shall immediately refer to the Client in case of doubt about retention rules and provide all necessary information for a prompt decision.

Store:

  • Billing information (addresses, names, etc.) is retained for 10 years after the end of the current accounting year, as required by law.

FDrive:

  • Permanently deleted data remains on servers for 7 days to 1 month, allowing restoration requests;
  • The system may generate additional thumbnails (e.g., photo/pdf previews) to enhance user experience.

Login:

  • Registration data is retained for 3 months after deletion request and available to authorities for 1 year, as required by law.

4.7. Return of Personal Data

At any time, upon Client request, Fenritec will return the Personal Data, regardless of medium, along with copies and related documents, particularly (i) documentation necessary to operate such data and (ii) Processing materials, subject to the Provider’s intellectual property rights.

5. Notification Obligations

5.1. Obligation to Notify in Case of Non-compliance with Client Instructions

If Fenritec cannot comply with Client instructions for any reason, it must inform the Client immediately, in which case the Client may terminate the Contract without penalty or notice if the breach is serious.

5.2. Obligation to Notify in Case of Client Breach of Regulations

If Fenritec considers the Client’s instructions to be a violation of Regulations, it must notify the Client immediately.

5.3. Obligation to Notify in Case of Personal Data Breach

In the event of a Personal Data Breach, Fenritec shall inform the Client as soon as possible after becoming aware, by email, in compliance with notification procedures under Articles 33 and 34 GDPR, attaching all relevant documentation to enable the Client, if necessary, to notify the supervisory authority.

If Fenritec cannot provide all information simultaneously, it will provide it progressively without undue delay.

Nevertheless, Fenritec may notify the local supervisory authority (e.g., CNIL in France) of the Personal Data Breach as soon as possible and no later than 72 hours after becoming aware.

This notification by Fenritec shall include at least all the elements described in Article 33 GDPR.

5.4. Obligation to Notify in Case of Requests from Competent Authorities

If requested by competent authorities regarding Processing, except where prohibited by public order, Fenritec shall (i) inform the Client immediately and no later than 48 hours and (ii) not transmit information without prior exchange with the Client and express authorization.

Fenritec also undertakes to inform the Client of:

  • any administrative, fiscal, or judicial audit of its activities related to Services. Audit results shall be communicated promptly;
  • any request or complaint received directly from a person whose Personal Data has been processed by Fenritec.

More generally, any sanction related to Personal Data Processing affecting Fenritec or a downstream subcontractor shall be notified to the Client without delay.

6. Client Information and Cooperation

Fenritec assists the Client, during and after expiration of the Contract, with any procedure required by Regulations, including:

  • conducting a privacy impact assessment relating to Processing;
  • responding to requests from supervisory authorities for information, documentation, or compliance actions;
  • responding within five (5) business days to any person exercising rights of access, modification, rectification, erasure, objection, or portability of Personal Data, whether requested directly or through the Client;
  • responding to individuals exercising the right not to be subject to automated individual decisions (including profiling);
  • notifying any potential security breaches to the supervisory authority.

If a Data Subject addresses such a request directly to the Provider, it shall forward the request and all relevant information to the Client no later than the next business day.

Fenritec’s adherence to a code of conduct under Article 40 GDPR or possession of a certification mechanism under Article 42 GDPR does not exempt it from the obligations of this Charter.
