Data protection policy

The purpose of this policy is (1) to inform you about the way in which the SCR Group processes your Personal Data and, (2) with regard to the Personal Data entrusted to us by our Customers as part of the Services subscribed to, to define at least the respective obligations of the SCR Group and its Clients. The rules applicable to cookies are discussed in (3).

The terms “You”, “your” and “yours” designate visitors to the site https://www.acrsxm.sx/ (the “Visitors” / the “Site”) as well as customers and prospects who have subscribed to Services or being likely to be interested in our Services (the “Clients” / “Prospects”).

The terms “We”, “us”, “our” refer to Groupe SCR.

The “Services” are those that we offer on our Site and which are specified, for each Customer, in our quotes.

The “Applicable Regulation” refers to law n°78-17 of January 6, 1978 known as the “Informatique et Libertés” law in its latest version in force, and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to data protection (“GDPR”).

Any terminology relating to the protection of personal data has the meaning given in Article 4 of the GDPR. However, for the sake of clarity, we remind you of some definitions.

“Personal data” means personal data within the meaning of the Applicable Regulations, i.e. any information relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier ( IP address for example).

“Data Subject” means any identified or identifiable natural person whose Personal Data has been Processed.

“Data Controller” means any person who determines the means and purposes of the Processing.

“Subcontractor” means any person who processes Personal Data on behalf of the Data Controller in accordance with the instructions given by the Data Controller.

“Processing” means any operation or set of operations relating to personal data, regardless of the process used, such as collection, recording, organization, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as blocking, erasure or destruction.

“Personal Data Breach”: means a security breach resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of Personal Data transmitted, stored or otherwise processed, or unauthorized access to such Data.

1 The processing of your data by the SCR Group

1.1 Why and how do we process Your Data?

We process your Personal Data for the purposes of informing you about our Services (Visitors, Customers and Prospects), analyzing Site traffic (Visitors), commercial or non-commercial communication (Customers and Prospects), and more generally monitoring our contractual relationship (Customers). In this context, we are “Processing Managers” of your Data. The legal basis for these Processings is the legitimate interest of the SCR Group in ensuring its commercial development.

1.2 What Data do we process?

Visitors have no obligation to communicate their Data to us. However, during your visits, your IP address may be recorded (see paragraph 3 relating to Cookies).

If you fill out a contact form and/or contact us to tell us about your Project, we will essentially process the following Data: your first and last name, position/title, email address, and the name of your company.

If you have subscribed to Services with us, we may also process financial data to ensure payment of our invoices and monitor their collection.

1.3 Who are the recipients of this Data?

Authorized persons from the SCR Group’s sales and marketing department, as well as, where applicable, from the support department, are required to process your Personal Data and only have access to the Data that is necessary for them in the context of their functions. / missions. Our company’s employees have signed a specific confidentiality commitment.

We may also contract with reliable partners and subcontractors who may access, host and/or process some of your Personal Data on our behalf, according to our instructions and who contractually guarantee the security and confidentiality of your Data (such as technical service providers, recruitment firms, etc.).

The Personal Data of our Clients may also be transferred to authorized third parties subject to an obligation of confidentiality (auditors, consultants, lawyers, accountants, etc.) as part of the maintenance of its general accounts, but also in case of reorganization of the company or transfer to another legal entity, as part of audits carried out in matters of personal data protection and security, and/or to investigate or respond to a complaint or security threat. We are required to communicate documents (such as invoices, contracts, quotes, emails, etc.) containing your Personal Data to our accountants, auditors and our lawyers.

We may finally communicate your Personal Data in response to requests made by Courts or tribunals, government or law enforcement agencies, or when this is necessary to comply with applicable laws, injunctions or decisions of Courts and tribunals, or government regulations.

1.4 How long do we keep your data?

We only keep your Personal Data for as long as is necessary and proportional to the purpose for which it was collected.

For the management of our Customers and Prospects, Personal Data is kept on average for a maximum period of 3 years from the last exchange you had with our company and carried out at your initiative, or any other longer period which may be would impose on our company in application of legal provisions (archiving during the legal limitation period for example, in order to allow us to take action / ensure our defense in the event of litigation).

1.5 What are your rights ?

In accordance with the provisions of the Applicable Regulations, you have the right to access, rectify, delete data concerning you and the right to obtain a copy of the personal data that we hold in a structured electronic format (right to portability).

You also have the right to object for legitimate reasons to the processing of data concerning you, and to the use of this data for commercial prospecting purposes.

For any questions, additional information or complaints, you must contact us by sending an email to privacy@groupescr.fr. We may ask you to provide us with proof of identity if your request concerns the exercise of one of the rights conferred on you by the Applicable Regulations.

The exercise of your rights (in particular your rights of opposition or deletion of Data) must also be reconciled with the legal obligations as well as the legitimate interests pursued by the SCR Group.

We respond to your requests within one (1) month of receipt, it being understood that this period may be extended by two (2) months depending on the complexity of your request or in the event of an influx of requests in parallel, provided that we inform you.

In the absence of a response from us within a maximum period of three (3) months from your initial request or in the event of a dispute over the exercise of your rights, you have the option of submitting a complaint to the National Commission for Information Technology and Liberties.

1.6 Compliance with the rules relating to the transfer of Personal Data

The SCR Group does not transfer Personal Data to countries that do not ensure an adequate level of protection without first implementing one or other of the appropriate guarantees provided for by the Applicable Regulations to govern said transfer, in particular by using standard contractual clauses approved by the European Commission.

2 Processing carried out by the SCR Group on behalf of its Clients

As part of the Services, the SCR Group is entrusted by its Clients with access to and/or the Processing of Personal Data. The manner in which this Data Processing is contractually regulated is defined in this § 2 of the Confidentiality Policy, which supplements the stipulations, where applicable, agreed between the Parties on this specific subject or supplements the absence of stipulation on the subject in the contract.

2.1 Compliance with Applicable Regulations

The SCR Group and its Clients must each comply with the provisions of the Applicable Regulations for their respective scope of responsibility. The Client is the “Processing Manager or “RT” and the SCR Group is its “Subcontractor” or “ST” within the meaning of the Applicable Regulations. It is the Client who determines the means and purposes of the Processing which he carries out and for which he has requested our Services, such as, for example, the organization of promotional mailings aimed at the Client’s customers (Persons Concerned), the hosting of websites or applications (whether or not developed by us), etc.

2.2 Compliance with Customer instructions

The SCR Group will only act on the basis of clear and precise instructions from its Client which must specify in particular the categories of Personal Data that we must process, the processing operations that we are authorized to carry out (by default, all those which cover the definition of “Processing”), the retention period of the Data according to the categories of Data that we are required to process, the specific security measures to be put in place, depending on the nature of the data and the associated risks). In the absence of clear and written instructions from the Clients, we will under no circumstances be held liable due to the Clients’ failure to give their instructions. We do not exploit or use the Personal Data entrusted by our Clients for our own needs or on behalf of third parties not expressly authorized by our Clients.

2.3 Customer Obligations

You are required to inform the Data Subjects of their possibility of exercising their rights under the Applicable Regulations with their representative designated to handle these requests.

You must communicate to us spontaneously and in writing the contact details of your “data privacy” contact point or DPO so that we know to whom to redirect any requests or notifications regarding the protection of Personal Data. These requests must be sent, within the SCR Group, to privacy@groupescr.fr.

As Customers are solely responsible for the content of their website or the application, where applicable, developed, maintained or hosted by the SCR Group, it is their responsibility to verify that the databases containing Personal Data are complete, accurate and up to date. and guarantee the SCR Group against any recourse or action by third parties (including from an administrative authority such as the CNIL) brought against the SCR Group (including the payment of its reasonable legal fees). to ensure the defense of their rights).

Likewise, if Clients entrust us with the sending of commercial prospecting mailings or other promotional operations, they must also ensure beforehand that they have obtained the express consent of the Persons Concerned in cases where the Applicable Regulations do so. obliges and guarantees us against any recourse or action by third parties (including from an administrative authority such as the CNIL) brought against the SCR Group (including the payment of its reasonable legal fees for ensure the defense of their rights).

In all our communications, we particularly draw your attention to the fact that you must ensure that the exchange of files containing Personal Data is secure and at least protected by a password. Except in cases of justified emergency, any exception to the security measures agreed between Customers and the SCR Group must be the subject of a written request, specifying the nature, duration and impact analysis on this exception.

2.4 Technical protection measures – security

In accordance with the Applicable Regulations, the SCR Group and its Clients must each implement all appropriate technical and organizational measures to protect the Personal Data they process against accidental or unlawful destruction, accidental loss, alteration, unauthorized dissemination or access, in particular in the context of the transmission of data in a network, as well as against any other form of illicit processing.

For our part, we ensure:

1. implement technical and organizational security measures generally consistent with the state of the art as well as contractual instructions on the subject
2. help, as far as possible, our Clients to meet their obligations to respond to requests to exercise the rights of Data Subjects
3. that all data storage media containing Personal Data and all copies or reproductions thereof are carefully stored without allowing access to third parties except our (subsequent) authorized subcontractors
4. have our employees and any subcontractors involved in the processing of Personal Data sign a commitment to preserve the confidential nature of Personal Data and comply with Applicable Regulations

We are obviously available to your teams to provide you with any additional information. You must ensure that the technical and organizational security measures that we put in place meet your own security constraints and, failing that, give precise written instructions to the SCR Group on the additional security measures to be implemented. In the absence of specific instructions, SCR Group Customers recognize that the security measures we put in place are sufficient.

2.5 Cooperation and assistance – Audits.

We endeavor to promptly and appropriately handle all reasonable requests from our Clients regarding the Processing of Personal Data that we carry out on their behalf. We modify or delete, following instructions from our Clients and at the latter’s expense, the Personal Data of a Data Subject following in particular the exercise of their right of access and rectification or deletion, so that the Personal data processed is accurate and up to date.

We further provide reasonable assistance, at the Customer’s expense, if you require our assistance in responding to requests from the CNIL, carrying out risk assessments (PIA), investigations, inspections or audits. relating to the processing of Personal Data. We must each collaborate in a transparent manner, and communicate to each other all elements of information exchanged with the supervisory authority which would concern the Services or a possible failure on our part to fulfill our respective obligations, under penalty of forfeiture of the Client’s right to obtain a any compensation from us subsequently.

Any audit of a website or mobile application leading to vulnerability tests or attempted intrusion into a computerized data system will be the subject of a tripartite agreement between the Clients of the SCR Group concerned, the SCR Group and the third party responsible. to carry out the tests on behalf of the Client in question, specifying the duration of the tests, their nature, and releasing the SCR Group from any liability for the consequences induced by the tests ordered by the Client.

Audits will be organized with reasonable notice of at least 30 working days, except for emergency measures (proven or high probability case of Personal Data Violation, in which case this period may be reduced by mutual agreement between the Parties or by order of a judge). The SCR Group will immediately inform its Clients of any request of a legally binding nature for disclosure of Personal Data emanating from an administrative or police authority, unless the law or a judicial or administrative decision prohibits it from doing so.

2.6 Notification of Personal Data Violations.

The SCR Group and its Clients must notify each other, respectively, of any abuse, any accidental or unauthorized deletion, any modification, disclosure, or unauthorized access, proven or suspected, including, without limitation, penetration into the network or IT resources of the SCR Group, its subcontractors or its Clients with the aim of obtaining Personal Data or any other violation of the Applicable Regulations (“Personal Data Violation”). Notification of a Personal Data Violation will be made to the designated contact as soon as possible and at the latest within 72 hours following the event in question, accompanied by any useful information likely to enable the SCR Group or its Customers, if necessary, to notify this violation to the competent supervisory authority.

2.7 Right to repair and Liability.

The SCR Group may only be held liable to its Clients for direct and certain damages caused by a proven failure to fulfill its obligations as a “Subcontractor” (art. 28 of the Regulations), within the limit of the sums paid by its Clients for the Services concerned during the last four (4) months preceding the breach in question (unless otherwise provided in the contract concluded with the Client and expressly deviating from this article). This limitation does not apply to Data Subjects who have suffered certain material or moral damage due to a proven failure by the SCR Group to fulfill its obligations as a “Subcontractor”.

2.8 Subprocessors – Restrictions

Unless otherwise stated in our main contract, you authorize us to entrust the processing of Personal Data to subcontractors with sufficient guarantees, subject to complying with the restrictions described below.

Our possible Subcontractors (“sub-processors” within the meaning of the Applicable Regulations) will only access the Personal Data that you entrust to us and will only use them in accordance with our obligations under paragraph 2 hereof and of the contract which binds us. They are linked to the SCR Group by written agreements obliging them to offer a satisfactory level of protection. The SCR Group informs its Clients of any intention of substantial modification relating to the addition or replacement of Subcontractors.

2.9 Transfer of Personal Data to third countries.

The SCR Group does not carry out any transfer of Personal Data to countries outside the EU that do not ensure an adequate level of protection within the meaning of the Applicable Regulations without the Client’s consent and without first implementing one or the other appropriate guarantees provided for by the said Regulations to govern the said transfer, in particular by using standard contractual clauses approved by the European Commission. Customers undertake to facilitate the implementation of these guarantees and authorize the SCR Group to conclude Standard Contractual Clauses on their behalf.

3 Cookies

3.1 What are cookies and what are they used for?

The Visitor can decide to deactivate cookies upon first access to the Site. In the absence of opposition, the Visitor accepts the installation of cookies and their use under the following conditions.

Only the issuer of the cookie concerned is likely to read or modify the information contained therein.

Some cookies are essential to the use of the Site, others make it possible to optimize the use of the Site and personalize the content displayed. Thus, cookies allow:

• To measure and analyze attendance and use of the Site, its sections and Services offered, allowing the SCR Group to carry out studies and improve the interest and ergonomics of the Site
• To memorize the display preferences of the Visitor’s browser (language used, display parameters, operating system used, etc.) and to adapt the presentation of the Site during their visits, depending on the viewing hardware and software or reading devices that its terminal includes and which are used for navigation on the Site
• To memorize information relating, for example, to a form completed by the Visitor on the Site
• To implement security measures

3.2 Sharing the use of the terminal between several Visitors

If the terminal used by the Visitor is used by several people, and when the same terminal has several navigation software, the SCR Group cannot ensure with certainty that the functionalities and advertising intended for this terminal correspond to that of the use of the terminal by one of the Visitors and not by another. Sharing with other people the use of their terminal by the Visitor and the configuration of their browser settings with regard to cookies is their free choice and their responsibility.

3.3 Management and use of cookies

The Visitor can manage and modify the use of cookies at any time according to the possibilities mentioned below. The settings made may modify Internet browsing and the conditions of access and use of certain features of the Site which require the use of cookies. Thus, it is possible to manage cookies from the browser software or from interprofessional platforms.

Please note: taking unsubscription into account relies on a cookie. Consequently, if all cookies are deactivated or the Visitor changes terminal, the SCR Group will no longer know that this option has been chosen.

• Management of cookies from the browser software: the Visitor can configure his browser software so that cookies are saved in his terminal or that they are rejected, either systematically or depending on their issuer.
• To find out the terms and conditions applicable to the management of cookies stored in the browser, the SCR Group invites its Visitors to consult the help menu of their browser as well as the “Your traces” section of the CNIL (National Commission of Computing & Liberties) (https://www.cnil.fr/vos-libertes/vos-traces/les-cookies/).
• Online management of cookies from inter-professional platforms: it is also possible to connect to the Youronlinechoices site, offered by digital advertising professionals grouped within the European association EDAA (European Digital Advertising Alliance) and managed in France by the Interactive Advertising Bureau France. The Visitor can thus know the companies registered on this platform and which offer the possibility of refusing or accepting the cookies they use to adapt, according to the information they collect, the advertisements likely to be displayed on their browser: https://www.youronlinechoices.com/fr/controler-ses-cookies/
• This European platform is shared by hundreds of advertising professionals on the Internet and constitutes a centralized interface allowing the Visitor to express their refusal or acceptance of cookies as specified above.
• This procedure will not prevent the display of advertisements on websites visited by the Visitor. It will only block technologies that make it possible to adapt advertisements to your interests.

3.4 Shelf life of cookies:

The information collected by these cookies is retained for a maximum period of 13 months (in accordance with Applicable Regulations), unless deleted using the application settings on the Visitor’s terminal.