I - INTRODUCTION - IDENTITY OF THE DATA CONTROLLER
As a preliminary remark, capitalised terms are defined in Section II (2.1) below.
CYBERNANO – a simplified joint stock company having its registered office at 49, Boulevard d'Austrasie, Nancy (54000) and entered in the Trade and Companies Register of Nancy under number 794 460 881 – shall be deemed to be the Controller in relation to the Personal Data collected via the Website and the SaaS Platforms.
This charter relating to the processing of personal data (the “Charter”) is intended to provide anyone browsing the Website and/or planning to use one or more of the SaaS Platforms (the “Users”) with information regarding the procedures and purposes in relation to the Personal Data processing undertaken by CYBERNANO.
The Charter also aims to inform Users of the measures implemented by CYBERNANO to protect their Personal Data. The general purpose of the Charter is to inform Users of the regulations applicable to the Personal Data and to enable them to exercise their rights in this regard.
Ensuring compliance in relation to Personal Data protection is a priority for CYBERNANO.
CYBERNANO therefore intends to comply strictly with the relevant regulations in force, specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data (the “GDPR”) which came into force in France on 25 May 2018, the latest version in force of the “Information Technology and Liberties” law of 6 January 1978 which aims to provide a high degree of Personal Data protection in France in accordance with the European standards (based on the GDPR), and the recommendations of the French Data Protection Authority (CNIL).
Consequently, all Personal Data collected by CYBERNANO via the Website and the SaaS Platforms shall be used according to the terms and conditions set out in the Charter, in accordance with the regulations in force.
This Charter forms an integral part of the General Conditions for Use of the Website and of the General Conditions for Services relating to the SaaS Platforms.
II - DEFINITIONS - ESSENTIAL PRINCIPLES APPLICABLE TO PERSONAL DATA PROCESSING
2.1 Definitions
For the purposes of understanding and interpreting this Charter, the essential terms (in addition to those defined in I. above) are defined as set out below:
- “Controller” means, in accordance with the regulations in force relating to Personal Data protection, the entity which determines the methods and purposes for Processing the Personal Data;
- “User” means any natural person browsing the Website and/or planning to use and/or using any of the SaaS Platforms;
- “Website” means the “shop front” website https://www.cybernano.eu/ and each website dedicated to an SaaS Platform, namely:
- “SaaS Platforms” means the service platforms belonging to CYBERNANO which operate in SaaS (Software as a Service) mode, and refers to the following platforms in particular: easyQBD.
- “Personal Data” means any information relating to an identified or identifiable natural person. An “identifiable natural person” is deemed to mean a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “Sensitive Data” means the Personal Data revealing an alleged racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
- “Personal Data Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Processor” means the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Depending on context, the terms defined in this clause may appear in the singular or in the plural in this Charter.
2.2 Essential principles governing Personal Data protection
- “Principle of Purpose Limitation”: the Personal Data must be collected for a clearly specified, lawful and legitimate purpose and shall not subsequently be processed in a way which is incompatible with this initial objective.
- “Principle of Relevance”: the Personal Data collected must be relevant and strictly necessary in relation to the specific purpose(s) for which it was collected.
- “Principle of Storage Limitation”: the Personal Data collected must not be stored for an indefinite period. A storage period for the Personal Data must be determined on the basis of the type of Personal Data and the purpose of the Processing undertaken.
- “Security Principle”: the Controller must ensure the security and confidentiality of the Personal Data collected. The Controller must, in particular, ensure that only authorised persons have access to this Personal Data.
- “Principle of Rights of Data Subjects”: persons whose Personal Data has been collected must be able to effectively exercise the rights allowing them to retain control over their Personal Data, meaning in particular the right of access, the right of rectification, the right of erasure (“right to be forgotten”), and, if applicable, the right to portability of Personal Data.
2.3 Rights of data subjects in relation to the collection of Personal Data
- “Right of access”: the data subject shall have the right to obtain confirmation from the Controller as to whether or not Personal Data relating to him/her is being processed and, where that is the case, to obtain access to such personal data and to the relevant information relating to the processing undertaken (in particular the purposes and recipients of the Personal Data).
- “Right of rectification”: the data subject shall have the right to obtain from the Controller, without undue delay, the rectification of inaccurate Personal Data concerning him or her.
- “Right of Erasure” (or “Right to be Forgotten”): the data subject shall have the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay and the Controller shall have the obligation to erase it without undue delay where one of the following grounds applies:
  - the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  - the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  - the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;
  - the Personal Data has been unlawfully processed;
  - the Personal Data has to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
- “Right to portability of Personal Data”: the data subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and to transmit that data to another Controller without hindrance from the Controller to which the Personal Data has been provided, where the Processing is based on consent and where the Processing is carried out by automated means.
III PERSONAL DATA PROCESSING UNDERTAKEN BY CYBERNANO AND ITS PURPOSES
CYBERNANO shall only collect Personal Data from Users which is relevant, adequate and within the limits of what is necessary having regard to the purposes for which this Personal Data is subject to Processing, in accordance with the Purpose Limitation and Relevance Principles defined above (see Article 2.2).
These purposes are listed below:
- to reply to questions from Users sent via the “CONTACT US” form;
- to create an account enabling Users to use one or more of the SaaS Platforms;
- to communicate with Users of SaaS Platforms to ensure they can use them efficiently;
- to send newsletters by email (if the User has completed the form to subscribe to newsletters);
- to ensure the quality of its services, in particular through the maintenance and improvement of its Website and SaaS Platforms;
- to carry out research on User typology;
- to produce anonymised statistical data for the purpose of communication regarding its services and ultimately to improve them;
- to produce statistics, through the use of (tracking) cookies, relating to the Website’s use and traffic with a view to evaluating the interest shown in it by the general public and, in particular, by businesses and research stakeholders.
Having regard to the purposes listed above, the User will be required to disclose Personal Data to CYBERNANO.
CYBERNANO will effectively be required to use the User’s Personal Data, collected via the contact form on the Website, if that User’s questions are to be answered.
Further, the use by CYBERNANO of the User’s Personal Data, collected via the form used to set up a user account on the SaaS Platform, is required to enable the User to benefit from effective access to the SaaS Platform and to allow for efficient communication in relation to use of the SaaS Platform.
IV LEGAL BASIS FOR PERSONAL DATA PROCESSING UNDERTAKEN BY CYBERNANO
When browsing the Website and/or during use of the SaaS Platforms, the User is expressly informed of the purpose(s) listed above for which his/her Personal Data is collected, via the various forms and this Charter.
The legal basis for the Personal Data Processing listed in Section III above is therefore the prior consent of the User concerned.
The use of certain Personal Data collected via cookies is also based on the User’s consent (see X with regard to cookies).
This consent is confirmed by the User’s express acceptance (in particular by a box to be ticked by the User allowing CYBERNANO to collect the Personal Data entered by the User for the purpose(s) listed above).
Any fields marked with an asterisk (*) on the various forms available via the Website and the SaaS Platforms must be completed in view of the purposes for which they are processed. If the User does not provide this “required” Personal Data, CYBERNANO will be unable to process his/her request.
The other (optional) fields are intended to allow the User to clarify his/her request. The User is therefore at liberty to decide whether to provide some or all of his/her Personal Data.
V TYPES OF PERSONAL DATA PROCESSED
Having regard to the purposes cited above, CYBERNANO may process Users’ Personal Data as listed below:
- Surname, first name;
- Name of the company where the User works;
- Role/position in the client company of CYBERNANO (where a business or entity has signed a contract with CYBERNANO to gain a right to use SaaS Platforms);
- Email address and telephone number;
- Log-in and browsing data for the Website or use data for the SaaS Platforms, in particular the IP address.
Having regard to the activities undertaken by CYBERNANO, a CRO (Contract Research Organisation) service provider essentially collaborating with businesses (BtoB commercial relations), CYBERNANO shall only collect a small amount of Personal Data.
Moreover, CYBERNANO shall not collect any Sensitive Data relating to Users.
VI MEASURES IMPLEMENTED TO SECURE PERSONAL DATA
CYBERNANO is implementing technical and organisational measures intended to ensure the security of the Processing of Users’ Personal Data and, generally, the confidentiality of such Personal Data.
Accordingly, CYBERNANO has put adequate measures in place, having regard in particular to the nature of the Personal Data processed, in order to maintain the security of such Personal Data, and in particular to avoid it being corrupted and/or damaged and/or to avoid it being accessed by unauthorised third parties, including in particular: protection of the premises of CYBERNANO, authentication processes and computer terminals protected by confidential user names and passwords, encryption of certain data, etc.
Further, CYBERNANO collaborates exclusively with a limited number of service providers, some of which are likely to process Personal Data as Processors, and have adequate skills and tools to ensure the security of the Personal Data and avoid it being disclosed to unauthorised third parties.
Moreover, in accordance with the applicable regulations, where an event occurs which may affect the Personal Data and is likely to be prejudicial to the rights of Users, CYBERNANO will inform the competent supervisory authority as soon as possible. Where there is an objectively high risk of a Personal Data Breach, CYBERNANO will notify the Users concerned, either individually or as a group, depending on the circumstances, as soon as possible.
Users should also note that the measures implemented by CYBERNANO to secure the Personal Data processed do not exempt the User from exercising vigilance with a view to avoiding any unauthorised access to his/her Personal Data, in particular, via his/her IT tools. Accordingly, the User shall implement adequate measures to protect access to his/her IT media (in particular computers, smart phones, tablets).
VII PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED
CYBERNANO will store the Personal Data of Users in an “active base” exclusively for the period necessary having regard to the proposed purposes, in accordance with the legal requirements and with the recommendations of the competent authorities.
The User’s Personal Data is stored by CYBERNANO for the duration of the commercial relations between CYBERNANO and the User and for a period of three (3) years from the most recent point of contact between CYBERNANO and the User.
At the end of the above period of three (3) years, CYBERNANO may, if it considers it relevant, store Users’ Personal Data in “temporary archives” for an additional period of ten (10) years, exclusively for the purposes of carrying out analysis relating to the typology of its client base of legal entities (by activity sector and by type of business) and to comply with its statutory, regulatory or legal obligations in relation to checks or disputes.
VIII RECIPIENTS OF PERSONAL DATA
CYBERNANO will under no circumstances send Users’ Personal Data to commercial or advertising stakeholders.
Users’ Personal Data shall be processed by the staff of CYBERNANO, who are highly aware of the importance of protecting the Personal Data and, generally, of the need to keep data relating to Users confidential.
CYBERNANO will not outsource the technical management relating to use of the SaaS Platforms.
CYBERNANO shall collaborate with a single service provider, namely:
- the IT service provider responsible for hosting the Website and the SaaS Platforms: OVH (a simplified joint stock company (SAS) having its registered office at 2, rue Kellermann, Roubaix (59100) and entered in the Trade and Companies Register of Lille under number 424 761 419).
It should be noted, however, that in view of the contractual terms agreed with CYBERNANO, the above service provider is not authorised to access Personal Data of Users. Therefore, this service provider is not a Processor as defined by the data protection regulations in force.
If the above service provider or, potentially, other service providers are required to access Users’ Personal Data, this would be exclusively for the purpose of ensuring the smooth, ergonomic and secure use of the Website or SaaS Platforms. In any event, Personal Data of Users will be accessed in accordance with the applicable regulations.
Further, Personal Data of Users may be transferred to a third party in the event of a total or partial disposal of assets, merger, absorption, acquisition or demerger and, generally, in the event that CYBERNANO undergoes a restructuring operation.
Lastly, CYBERNANO may be required to disclose the Personal Data of Users to third parties where such disclosure is required by law, a regulatory provision or a court decision, or if such disclosure proves to be necessary to ensure the protection and defence of legitimate interests.
IX TRANSFER OF PERSONAL DATA ABROAD
The Personal Data of Users collected by CYBERNANO is unlikely to be transferred outside the European Union.
X RIGHTS OF USERS - PROCEDURES FOR EXERCISING THE RIGHTS
In accordance with the regulations in force, any User may effectively exercise the rights he/she holds, namely:
- Right of Access to the Personal Data (see Article 2.3);
- Right of Rectification of the Personal Data (see Article 2.3);
- Right to Erasure of the Personal Data (“right to be forgotten”) (see Article 2.3);
- Right to object to the Processing of Personal Data;
- Right to restriction of the Processing of Personal Data;
- Right to Portability of the Personal Data (see Article 2.3);
- Right to withdraw consent to the Processing of Personal Data undertaken on the basis of such consent;
- Right to determine what happens to the Personal Data “post-mortem”.
To exercise the above rights, the User can send an email to CYBERNANO at the address: contact@cybernano.eu or send a letter to the address: 49, Boulevard d'Austrasie, Nancy (54000), France.
To ensure that CYBERNANO is able to reply quickly, the User must provide CYBERNANO with the following information: surname, first name, email address, correspondence address and the specific purpose of his/her request, which must be clearly set out.
CYBERNANO may request a copy of an identification document to check the User’s identity. A reply will then be sent to the User within a period of one (1) month following the date of receipt of the request.
Additionally, the User has the option of filing a claim with the French Data Protection Authority, CNIL (Commission Nationale de l’Informatique et des Libertés), including via its website: https://www.cnil.fr/.
CYBERNANO has appointed a member of its team as a personal data protection representative [TO DEFINE], IT engineer.
Independently of the exercise of their above rights, Users may contact this representative at the following address: .
XI COOKIES
According to the CNIL definition, a cookie is a small computerised tracking file, placed on a device and read when, for example, a website is accessed, an email is read or software or a mobile application is installed or used, irrespective of the type of device used (computer, smart phone, e‑reader, online games console, etc.).
Data collected via cookies does not directly identify the Users. It is used primarily to enable the Website and the SaaS Platforms to function correctly, so that Users can enjoy an enhanced user experience.
It is also used to produce statistics and measurements relating to the Website’s traffic.
CYBERNANO uses cookies on its Website:
- cookies which are strictly necessary for the Website to function: these are essential to enable Users to browse the Website and to use the functions of the Website and of the SaaS Platforms.
  These cookies are:
  - PHPSESSID: Variable used by the PHP language to keep track of sessions. The main purpose of this cookie is: Strictly Necessary
  - laravel_session: Variable used by the framework Laravel to identify a session instance for a user. The main purpose of this cookie is: Strictly Necessary
  - XSRF-TOKEN: This cookie is written to help with site security in preventing Cross-Site Request Forgery attacks. The main purpose of this cookie is: Strictly Necessary
The User can manage cookies at any time by changing the settings in the taskbar of his/her Internet browser.
XII INTERPRETATION - AMENDMENTS TO THIS CHARTER
Use of the term “in particular” or “including” in this Charter means that the list which follows is not comprehensive and therefore is not exhaustive.
This Charter may be amended at any time by CYBERNANO, in particular on the basis of changes to the regulations, to the Website and/or to the SaaS Platforms and, generally, to the activity of CYBERNANO. These amendments shall automatically apply to Users. Consequently, each User is invited to refer to this Charter regularly in order to familiarise him/herself with the latest version in force.
XIII REPRODUCTION PROHIBITED
This Charter has been drafted on a bespoke basis by Cabinet Grand Est Avocats located in Nancy. Any use or reproduction, by any party other than CYBERNANO, of the entire Charter or any of the clauses it contains, even partially or by means of amendment and/or adaptation, is prohibited.