Cabinet Bersay & Associés (hereinafter the “Firm”) respects the privacy of its contacts – established through files, assignments, partnerships, applications, etc. – and treats the personally identifiable information they submit as confidential. Such personal information is collected with all due diligence and in accordance with all applicable laws in the countries in which the Firm operates. The Firm acts as the data controller for the data it collects and processes.
The aim of this Data Protection Policy (hereinafter the “Confidentiality Policy”) is to provide information on how the Firm, as the data controller, collects and uses personal data (hereinafter the “Personal Data”) concerning persons (clients, suppliers, prospects, interns, associates, employees, applicants, etc.; hereinafter “You” or “Your”), on the one hand, and the means at their disposal to control the use of data and exercise their rights over it, on the other.
1 – Identity of the data controller
The Firm is the data controller.
Its postal address is: 31 avenue Hoche, 75008 – Paris
Its contact email address is: firstname.lastname@example.org
2 – What Personal Data are collected?
The Firm only collects data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The Firm gathers information solely in order to operate effectively and give You the best possible experience, whether in business meetings, files, partnerships, applications, visits to our premises and access to our website, etc.
The specific type of Personal Data collected depends on the context of Your direct and/or indirect interactions with the Firm. Here are some typical examples of Personal Data that might be collected:
Personal details (name and surname, email address, postal address, telephone or fax number);
Financial details (payment information, billing address and bank account information);
Information on Your professional and personal life;
Demographic data (gender, country and preferred language).
If You submit Personal Data concerning another person, You acknowledge and accept that You have the person’s authorisation to allow the Firm to use the information in accordance with this Confidentiality Policy.
Electronic information: when You use or interact with the Site, the Firm receives and stores information generated by Your activity and the information collected electronically from Your browser or mobile device. For example, like many websites, the Firm obtains certain information when Your browser accesses our Site, including Your IP address, browser type, operating system, mobile network data, the pages viewed and access times. This information helps the Firm to communicate with You and understand You better.
3 – When are Personal Data collected?
The Firm may need to gather Personal Data from information directly supplied by You. These Personal Data are thus collected and processed when You:
Access the Site;
Sign up for newsletters;
Request information and forms;
Write to the Firm;
Respond to surveys, promotions and other communications;
Sign contracts with the Firm.
The Firm takes into account the principles of Personal Data minimisation, privacy by design and privacy by default. We therefore collect data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4 – On what basis are Personal Data collected?
Personal Data are processed by the Firm as permitted by the applicable regulations and under the following conditions in particular:
When You gave Your free, specific, informed and unambiguous consent to the processing of Your Personal Data;
When this is necessary for the performance of a contract or in order to take steps prior to entering into a contract when processing is begun for the purposes of: (i) producing, managing and tracking the files of its clients; (ii) recovery;
In order to comply with its legal or regulatory obligations when the Firm begins processing for the purposes of: (i) preventing money laundering and terrorist financing and combating corruption; (ii) billing; (iii) accounting;
When the legitimate interests of the Firm may justify processing by the Firm (e.g. computer security measures).
5 – Why are Personal Data collected?
Personal Data are collected for specified, explicit and legitimate purposes. Depending on the case, the Personal Data may be used for:
Managing client and prospect relations (files, assignments, partnerships, etc.);
Direct marketing and sales events (satisfaction surveys, analyses and statistics, etc.);
Organisation, registration and sending of newsletters and invitations to Firm events (information on the Firm, news themes, training, documentation, etc.).
The Firm is also likely to use Personal Data for any other purpose required by the legislation in force and for administrative purposes.
6 – Who are the recipients of the Personal Data?
The Personal Data are never sold.
Personal Data gathered by the Firm are only disclosed strictly in the following cases:
To subcontractors or third-party service providers acting on behalf of the Firm for specific processing in line with the purposes for which they were initially gathered, for activities such as the provision of services, direct marketing and sales events, managing client and prospect relations, organisation, registration and sending of newsletters and invitations to Firm events;
To the bodies in charge of supervision or inspection in accordance with the applicable regulations.
7 – How is the security of the Personal Data ensured?
The Firm shall ensure the protection and security of the Personal Data in order to guarantee their security and prevent them from being distorted, damaged, destroyed or disclosed to unauthorised third parties.
Everyone with access to the Personal Data is bound by an obligation of confidentiality.
The Firm’s service providers and subcontractors in particular are bound by security and confidentiality commitments prohibiting them from using the Personal Data for any purposes other than those for which the Firm shares the information with them; more specifically, they are not authorised to use the personal details of subscribers and/or representatives for commercial purposes or disclose them to other third parties.
Any transfer of Personal Data outside of the European Union is done in accordance with the applicable legal and regulatory provisions on the protection of personal data.
When the disclosure of Personal Data to third parties is necessary and/or authorised, the Firm ensures that these third parties guarantee the same level of protection of the Personal Data as that afforded by the Firm and demands contractual guarantees so that the Personal Data is processed exclusively for the purposes that You have previously agreed to, with the required confidentiality and security.
The Firm has technical and organisational measures in place to ensure that the Personal Data are kept secure for the length of time necessary to fulfil the purposes of the processing in accordance with applicable law.
In accordance with the applicable French and European regulations, in the event of a proven data breach likely to pose a risk to the rights and freedoms of the data subjects, the Firm undertakes to notify the competent supervisory authority and, when required by such regulations, the data subjects (either individually or collectively, as appropriate).
8 – For how long are the Personal Data kept?
The Firm keeps the Personal Data for the amount of time necessary to fulfil the purposes of the processing, subject to the legal possibilities of archiving, the obligations to keep certain Personal Data and/or anonymisation.
The Firm applies, in particular, the following storage periods for these broad categories of Personal Data:
In areas relating to accounting, they are kept for 10 years after the close of the financial year;
In areas relating to the prevention of money laundering or terrorist financing, the Personal Data are kept for 5 years after the end of the relationship with the Firm;
Clients’ Personal Data are kept for the duration of the contractual relationship plus 3 years for the purposes of sales events and direct marketing, without prejudice to storage obligations or limitation periods;
Prospects’ Personal Data are kept for a period of 3 years if they did not participate or register for any Firm events;
Applicants’ Personal Data are kept for the amount of time necessary to process the application and, in the event of a negative outcome, 3 years after the last contact (unless the applicant consents to a longer period);
The Personal Data in access databases are kept for 1 year after the last connection.
9 – What are the Personal Data rights and how are they exercised?
9.1 – Rights
Right of access to and rectification and erasure (or “right to be forgotten”) of Personal Data
The right of access allows confirmation to be obtained from the Firm as to whether or not the Personal Data are being processed, the conditions of any such processing and to receive an electronic copy thereof (for any additional copy, the Firm may require payment of a reasonable fee to cover the administrative costs incurred). You are also entitled to have Your Personal Data rectified by the Firm without undue delay. Subject to the exceptions provided for under the applicable law (e.g. storage necessary to comply with a legal obligation), You have the right to request from the Firm erasure of Your Personal Data without undue delay, when one of the following grounds applies:
The Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
You wish to withdraw Your consent on which the processing of Your Personal Data is based and where there is no other legal ground for the processing;
You believe and can prove that Your Personal Data have been unlawfully processed;
The Personal Data have to be erased by virtue of a legal obligation.
Right to restriction of Personal Data processing
The applicable regulations provide that this right may be invoked in the following cases in particular:
When the accuracy of the Personal Data is contested;
When it is proven that the processing of the Personal Data is unlawful and when You request restriction of processing instead of erasure;
When the Firm no longer needs the Personal Data but they are still relevant;
When You object to processing which is based on the legitimate interest of the Firm.
Right to portability of the Personal Data
When the Firm processes Personal Data on the basis of Your consent, You may withdraw this consent at any time by the means available to You to that end (see the procedure indicated in point 8.2 of this Confidentiality Policy). However, in accordance with applicable law, withdrawal only applies in the future and thus shall not affect the legality of processing before the withdrawal.
Right to lodge a complaint with a supervisory authority
If, in spite of the Firm’s efforts, You believe that the confidentiality of the Personal Data is not assured, a complaint may be lodged with a supervisory authority. A list of supervisory authorities is available on the website of the European Commission.
Right to decide what happens to the Personal Data after death
You have the right to make arrangements for what happens to Your Personal Data after Your death by giving general or specific guidelines. The Firm undertakes to follow these guidelines. In their absence, the Firm recognises the capacity of heirs to exercise certain rights, particularly the right of access, where necessary to settle the succession of the deceased; the right to object, in order to close User accounts; and to object to the processing of Personal Data.
9.2 – Procedure for exercising these rights
If You have any questions regarding this Confidentiality Policy and/or if You wish to exercise Your rights as set out above, please contact us by email at email@example.com, or by sending a letter, enclosing a copy of all identity documents, to:
Bersay & ASSOCIES, service des données personnelles, 31 avenue Hoche 75008 Paris
If the request is submitted electronically, the information will also be supplied electronically where possible, unless You expressly request otherwise.
If the Firm does not take action on Your request, it will inform You of the reasons for not taking action and You will have the possibility of lodging a complaint with a supervisory authority and/or seeking a judicial remedy. You can lodge Your complaint via the online complaints service on the website of the French Data Protection Authority (CNIL), or by post at: CNIL – 3 place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
The Firm uses “cookies” to improve Your experience on the Site. They do not themselves contain Your Personal Data, unless You choose to provide such data (as part of an application, for example).
11 – Applicable law and jurisdiction
This Confidentiality Policy is subject to French law. In the event of a dispute and when an amicable settlement cannot be reached, the Paris Court of Appeal shall have jurisdiction, notwithstanding multiple defendants or the introduction of third parties.