Disclaimer: This is a translated version. In case of discrepancies, the original French version shall prevail.
Who are we?
Fenritec
Simplified joint-stock company (SAS) with share capital of €30,000.00
Address
3 Allée des Lilas
54650 Saulnes
France
SIREN: 894 082 031, registered with the RCS of Val de Briey
1. Glossary
Client: a legal entity or natural person registered in one of Fenritec’s information systems.
Contract: the contractual framework, whether formalized in writing or not, of which this Charter forms an integral part.
Personal Data (or Personal Data/Information or Data): information relating to an identified or identifiable natural person, who can be identified directly or indirectly by reference to a name, an identification number, or to one or more factors specific to them, as defined by the Regulation, including metadata.
Data Subject: the natural person to whom the Personal Data relate.
Service: the service(s) entrusted to the Service Provider by the Client under the Contract.
Parties: the Client and the Service Provider as defined in the Contract.
Service Provider: a legal entity or natural person who may be required to participate in a Processing of Personal Data in relation to the Contract.
Regulation: all laws and regulations applicable in France regarding the protection of Personal Data, including Law No. 78-17 of January 6, 1978, as amended in 2004 (“Informatique et Libertés”), the GDPR, and subsequent texts.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, applicable from May 25, 2018.
Processing: any operation or set of operations performed on Personal Data, regardless of the process used, including collection, recording, storage, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as locking, erasure or destruction, or any operation designated as “Processing” by the Regulation.
Personal Data Breach: a breach of security leading accidentally or unlawfully to the destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2. Purpose
This Charter defines the conditions under which Fenritec may carry out Processing in the context of performing the Contract, whether it concerns (i) Personal Data obtained from the Client or (ii) data collected from third parties or directly from Data Subjects.
This Charter comes into force upon registration with a Fenritec service and, failing that, as soon as any “Personal Data” are received or access to said “Data” is granted to the Service Provider or any person acting on its behalf, and remains applicable until the end of the Processing(s), materialized by the definitive deletion of the “Personal Data,” under the conditions provided for in this Charter, or failing that with the prior, express and written agreement of the controller within the meaning of the Regulation.
Where applicable, this Charter shall prevail over any other contractual documents governing the Processing of Personal Data signed or even simply exchanged between the Parties.
In the context of their contractual relationship, the Parties undertake to comply with the Regulation in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, applicable from May 25, 2018 (hereinafter, the “European Data Protection Regulation”).
3. Purpose limitation
Fenritec processes Data exclusively for the purposes defined in the Contract or made necessary by its performance, and must comply with the obligations incumbent upon it under the Regulation and this Charter.
Fenritec ensures compliance with this Charter by its personnel and by its own subprocessors or joint controllers.
It will provide the Client, upon first request, with the list of subprocessors or joint controllers involved in the Processing.
As of the date of this document, Fenritec delegates the hosting of its IT infrastructure (data centers) to:
- OVH S.A.S., registered with the RCS of Lille Métropole under number 424 761 419.
- Scaleway S.A.S., registered with the RCS of Paris under number 433 115 904.
Fenritec reserves the right to add other hosting providers to this list provided that the main parent company has its registered office in France or the European Union and is subject to the GDPR. As soon as such a change is made, the Client shall be notified.
4. Rules for the use of “Personal Data”
4.1. Personal Data Regulation
Fenritec (i) acknowledges being aware of the Regulation applicable on the date of signing this Charter, (ii) undertakes to remain informed of changes to the Regulation for the duration of the relationship with the Client, and (iii) ensures compliance therewith.
In particular, Fenritec declares that it:
· has appointed a Data Protection Officer (“DPO”) and undertakes to provide their name to the Client and the supervisory authority whenever required by the Regulation;
· has created a dedicated contact form for any question or complaint relating to “Personal Data” in order to respond to the Client’s requests;
· keeps up to date a record for all categories of Personal Data Processing carried out on behalf of the Client, including a description of technical and organizational security measures.
As of July 21, 2021, the DPO is Mr. Nicolas Philippe Schwartz.
4.2. Purpose of the processing
Fenritec undertakes not to use Personal Data for purposes other than those expected and specified in the Client contract and in this Charter.
4.3. Confidentiality of Personal Data
Fenritec takes all appropriate precautions to preserve the confidentiality of Personal Data and, in particular, undertakes not to:
· Copy documents and information media entrusted to it, except for those necessary for the Processing of Personal Data, in which case the Service Provider shall inform the Client;
· Disclose Personal Data to other persons—private or public, natural or legal—except at the request of authorized third parties following a justified official procedure, and only after verifying the legal basis and informing the Client;
· Transfer, rent, transmit or make available to any third party, for any reason or in any capacity whatsoever, the Personal Data provided to it by the Client or by a third party at the Client’s instruction.
4.3.1 Advertising exceptions
We may use advertising pixels provided by third-party ad platforms.
These trackers may be activated when you access our site via certain marketing campaigns, identified by the presence of a utm_source parameter in the URL (for example, utm_source=facebook, utm_source=x, etc.).
Activation of these pixels is based exclusively on your consent, collected in advance via our cookie banner. Unless and until you give your consent, no advertising pixel is installed or triggered.
These trackers allow the relevant platforms to:
- measure the performance of our advertising campaigns,
- compile statistics on visitors’ browsing and interactions,
- serve, where applicable, personalized advertising on their services.
Each third-party pixel provider remains responsible for the processing it performs on your data once collected. For more information, please refer directly to their respective privacy policies.
You can withdraw or modify your consent at any time via our cookie management banner. You can also exercise your rights (access, rectification, objection, erasure) with us under the terms described in this Charter.
4.3.1.1 X Ads (formerly Twitter Ads)
We use the advertising pixel provided by X Corp. (formerly Twitter) to measure the effectiveness of our campaigns and optimize our communications.
This pixel may be triggered when you access our site via certain advertising campaigns and only if the URL contains the utm_source=x parameter.
Installation and use of this tracker are based on your consent, collected in advance via our cookie management banner. If you do not accept advertising cookies, the X Ads pixel will not be activated.
The pixel allows X Corp. to collect information relating to your browsing on our site (for example: pages visited, actions performed) and, where applicable, to associate it with your X user account. These data are used for statistical tracking and for serving personalized ads on the X platform.
For more information on X Corp.’s data processing, please consult the privacy policy available at the following address: https://business.twitter.com/fr/help/ads-policies.html
4.4. Integrity and security of Personal Data
4.4.1. Security measures
In accordance with the Regulation, Fenritec undertakes to take all security measures and all appropriate precautions to ensure the backup, preservation and integrity of the Personal Data processed, both in transit and at rest in its databases and file systems.
Among these measures, Fenritec will implement and maintain throughout the term of the Contract all technical, logical, organizational and physical security means to ensure that Personal Data Processing has a level of security appropriate to the risk and consistent with the state of the art, making it possible, among other things and as needed, to:
· pseudonymize and encrypt Personal Data;
· ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
· restore the availability of Personal Data and Processing within appropriate timeframes in the event of a physical or technical incident;
· test, analyze and regularly evaluate the effectiveness of technical and organizational measures to ensure the security of processing;
· preserve and ensure secure access and interfaces when accessing or exchanging with the Client’s Information System;
· prevent Personal Data from being distorted, misused or fraudulently used, damaged or disclosed to unauthorized persons.
Fenritec will report to the CNIL any breach involving a major risk directly impacting a Client, and any personal data breach it has suffered, within a maximum of 72 hours after its detection.
If the incident poses a high risk to the privacy of the data subjects, Fenritec will also notify the Client within the same time limits.
Fenritec declares that it has implemented and continues to implement technical and organizational security measures to ensure a level of security appropriate to the risks incurred, within the framework of an Information Systems Security Policy (ISSP/PSSI).
4.4.2 Control measures
The Client reserves the right, under the conditions indicated below, to carry out any verification it deems useful via (a) a questionnaire, (b) an on-site audit, (c) a penetration test, to ascertain Fenritec’s compliance with the above rules and to allow the Client to conduct a privacy impact assessment for the persons whose Personal Data are subject to the Processing. Execution of the request may be subject to billing depending on the workload requested.
For routine questions, please use the support section when logged in.
a. Questionnaire
The Client may send the Service Provider, before and during performance of the Contract, a questionnaire or summary statement to be completed, intended to collect information relating to the Processing. This request must be justified by:
- understanding of the information systems and processes likely to impact any Personal Data; and/or
- security or reliability requirements for the Processing of Personal Data.
Fenritec will complete the questionnaire or summary statement honestly and accurately and return it to the Client within a maximum of thirty (30) calendar days from receipt.
b. On-site audit
Throughout the performance of the Contract, Fenritec will retain and preserve, in accordance with best practices, the information and documents necessary to respond to an audit request as described below. This information and documentation will be kept and archived so that the Client may, at most once per year and subject to at least thirty (30) calendar days’ prior notice, appoint any independent third-party auditor designated by the Parties to carry out an audit. The designated auditor must, by express written declaration, sign a confidentiality undertaking.
The audit mission will cover verification of the Processing’s compliance with the provisions of this Charter in one of the following areas:
- application of security and backup procedures for Personal Data;
- control of the physical and logical security of the servers on which the Data are processed;
- traceability of Personal Data flows and the location of their hosting, backup and processing sites.
If anomalies are found, the audited party undertakes to correct them, at its own expense, so as to bring the Processing into compliance with the state of the art at the time and with the applicable Regulation, within a reasonable period.
4.5. Transfer of Personal Data
Unless expressly authorized by the Client through the implementation of safeguards compliant with the Regulation, Fenritec shall not carry out any transfer or Processing of Personal Data outside the European Union, including hosting, backup and archiving of the database containing the Personal Data.
Accordingly, the servers and all tools used in the context of the Processing of Personal Data, including the administration and access console, implemented as part of the Processing must be located within the European Union. Failing this, the Client reserves the right to terminate the Contract with immediate effect.
4.6. Duration of the Processing
Fenritec undertakes not to retain Personal Data that are not necessary for the performance of the services beyond a reasonable period compliant with the Regulation. By way of indication, Fenritec actively retains connection and user action logs for a period of 3 months and, upon request from judicial authorities, provides archived logs for a period of 1 year.
Beyond this period, and only after returning to the Client the Personal Data collected in the context of the Processing, Fenritec undertakes to delete said data unless they must be archived in accordance with applicable provisions and in particular those provided by the Commercial Code, the Civil Code and the Consumer Code.
The Client may ask Fenritec to delete all of its Personal Data, in accordance with the GDPR. Fenritec will send a destruction certificate to the Client within seven (7) calendar days following said operation.
Fenritec will refer to the Client without delay in case of doubt about retention rules and will provide all information necessary for a prompt decision.
Store:
- Billing information (i.e., addresses, first and last name, etc.) is retained for 10 years after the close of the current fiscal year, in accordance with legal provisions.
Fenritec Alpha:
- Permanently deleted data are retained on our servers for a period of 7 days to 1 month to allow the user to request a restoration;
- The system may use your documents to generate additional thumbnails in the application (e.g., previews of photos, PDFs, etc.) in order to improve the user experience.
Login:
- Information provided at registration is retained by Fenritec for 3 months after a deletion request and is available to authorities for 1 year, in accordance with legal provisions.
4.7. Return of Personal Data
At any time, upon simple request from the Client, Fenritec will return the Personal Data, whatever their medium, as well as copies and any related documents and, in particular, (i) the documentation necessary for the operation of said data and (ii) for the Processing, subject to the Service Provider’s intellectual property rights in said Processing.
5. Notification obligations
5.1 Obligation to notify in case of non-compliance with the Client’s instructions
If Fenritec is unable to comply with the instructions specified in the Client’s contract for any reason whatsoever, it must inform the Client without delay, in which case the latter shall have the right to terminate the Contract without compensation or notice if the seriousness of the breach so justifies.
5.2 Obligation to notify in case of Client’s non-compliance with the Regulation
If Fenritec considers that the Client’s instructions constitute a violation of the Regulation, it must inform the Client without delay.
5.3 Obligation to notify in case of a Personal Data Breach
In the event of a Personal Data Breach, Fenritec undertakes to inform the Client by email as soon as possible after becoming aware of it, in compliance with the notification procedures provided for in Articles 33 and 34 of the GDPR, and to attach all useful documentation to enable the Client, if necessary, to notify this Personal Data Breach to the competent supervisory authority.
If it is not possible for Fenritec to provide all information simultaneously to the Client, Fenritec will provide the information progressively without undue delay.
Nevertheless, Fenritec may notify the competent local supervisory authority (e.g., the CNIL in France) of the Personal Data Breach as soon as possible and at the latest within 72 hours after becoming aware of it.
This notification made by Fenritec will contain at least all the elements described in Article 33 of the GDPR.
5.4 Obligation to notify in case of requests from competent authorities regarding the Processing
In the event of a request from the competent authorities concerning the Processing—and unless there is a mandatory public-order requirement—Fenritec undertakes (i) to inform the Client without delay and at the latest within forty-eight (48) hours and (ii) not to transmit any information without first consulting with the Client and obtaining its express authorization.
Fenritec also undertakes to inform the Client of:
- any audit of its activity related to the Services by an administrative, tax and/or judicial authority. Where applicable, the results of such an audit must be communicated to the Client as soon as possible;
- any request or complaint received directly from a person whose Personal Data have been processed by Fenritec.
More generally, any sanction relating to the methods of Processing Personal Data affecting Fenritec or a subsequent subprocessor must be notified to the Client without delay.
6. Client information and cooperation
Fenritec assists the Client, during and after expiry of the Contract, with any steps and procedures required by the Regulation, notably in the following situations:
- conducting a privacy impact assessment carried out as part of the Processing;
- an audit by a Competent Authority, to respond to any request for information and supporting documents relating to the Processing or to any injunction to take actions to comply with the Regulation;
- a request from an individual or a group of individuals wishing to exercise their right of access to their Personal Data, in order to take into account within five (5) business days any requests for modification, rectification, deletion, objection and portability of Personal Data addressed to Fenritec directly or via the Client;
- a request from an individual or a group of individuals wishing to exercise the right not to be subject to automated individual decision-making (including profiling);
- notification of any potential security breach to the Competent Authority.
If the data subject contacts the Service Provider to exercise the above rights, the Service Provider will communicate to the Client, no later than the next business day, the request made by the data subject together with all information relevant to resolving the request.
Fenritec’s indication that it complies with a code of conduct within the meaning of Article 40 of the GDPR or that it holds a certification mechanism as referred to in Article 42 of the GDPR does not release it from the obligations of this Charter.