This Personal Data Protection Policy applies to the provision and the sales of the Services.
It is established pursuant to Articles 26 and 28 of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "GDPR").
The purpose of this policy is to provide YOU with information regarding the Processing of the Personal Data which you are required to provide via our Services.
Please read this document carefully.
1. Role of the Parties in relation to the Processing
In the context of the performance of the Agreement, the Subscriber subcontracts the Personal Data Processing operations, for which it is the data controller, to Trace One, which acts as a subcontractor for these processing operations.
2. Description of the Processing
As part of the provision of the Services, Trace One is authorized to process, on behalf of the Subscriber, the Personal Data necessary for the provision of said Services.
Trace One undertakes to process the Personal Data solely in the context of the performance of the Agreement on behalf of the Subscriber for (i) the sole purpose(s) that is/are the subject of the subcontract as described in Annex 1 hereto and (ii) in accordance with the instructions of the Subscriber.
Trace One undertakes not to misuse the Personal Data transmitted, stored or processed on behalf of the Subscriber.
3. Technical and organizational security measures
In order to be able to demonstrate its compliance with the GDPR, Trace One undertakes to adopt internal rules and implement measures for its tools, products, applications or services that respect, in particular, the principles of protection of Personal Data by design and data protection by default.
Trace One undertakes to implement and constantly maintain appropriate technical and organizational measures (security measures, technical standards, good practices, etc.) to ensure the security and protection of Personal Data and in particular to prevent, whether accidentally or unlawfully, the destruction, loss, alteration, unauthorized disclosure or access, in particular when the Processing involves the transmission of Personal Data via a network under its control, as well as against any form of unauthorized or illegal Processing.
4. Collected data
By using our Services, YOU are required to provide us with certain information, notably Personal Data, in particular when YOU fill in the information relating to your subscription or when YOU contact the support service by telephone or by email.
Please be aware that your first name, last name, position, email address, chosen identifier, password and, depending on the Services, payment details constitute mandatory information without which the Trace One Solutions cannot be provided.
We may also ask YOU to provide us with additional information relating to your activity.
5. Purpose of use of your Personal Data
Trace One processes your Personal Data in order to:
- perform the agreements entered into for the provision of the Service(s) including, in particular:
- the administrative and accounting management of your files as well as the management of our relationship with YOU (for example, the support activities)
- the technical creation and the management of your account for the Service(s),
- the management of the Trace One’s Solutions and the security of their information system,
- the management of information requests; in particular, the management of requests for access, deletion, correction, portability to your Personal Data, as well as requests for limitation and opposition to the processing of your Personal Data.
These Processing are essential to the performance of the Agreement under which the Services are provided to YOU.
- offer YOU commercial packages for products or services similar to those we provide to YOU (YOU have the right to ask us at any time to stop contacting YOU for marketing purposes by writing to us at the address indicated in Article 9 below), and to contact YOU to invite YOU to take part in our client surveys. This Processing is carried out in the legitimate interest of Trace One, for the development of its commercial activity.
- analyse the browsing history of the Users in order to improve the quality of our Services and to monitor and inspect our Solutions to test and improve their security and performance. This Processing is carried out in the legitimate interest of Trace One, to analyse how the Solutions are used and to improve their quality. No automated decision will be taken based on the Personal Data that YOU provided to Trace One for the purposes described above.
- analyse Your User journey to improve the Service, to provide YOU support during your navigation on Trace One Solutions, and to send YOU personalized messages related to Trace One Solutions.
6. Recipient and sharing of your Personal Data
6.1 Recipient of Personal Data
Trace One warrants that it:
- Restricts access to Personal Data to only those authorized recipients who need to have access to such data;
- Imposes confidentiality and security obligations on any subsequent subcontractor’s equivalent to those contained in this agreement;
- Takes all reasonable steps to ensure that subcontractors comply with data protection law;
- Takes reasonable steps to ensure the reliability of all authorised recipients with access to Personal Data; and
- Does not disclose any Personal Data to any other person without prior authorisation except in the case of a request from a regulatory, administrative, regulatory and/or judicial authority.
6.2 Sharing of Personal Data
Trace One may be required to share your information with the following parties:
- all companies in the Trace One Group, in order to ensure the performance and development of our Services (for example, for the purposes of client relationship management and for accounting purposes),
third parties, in order to ensure the performance of the Services (for example, for maintenance, development, payments). Such third parties are allowed access to your information to the extent necessary to the performance of their respective duties in our name and on our behalf and are under an obligation not to divulge such information or to use it for any other purposes. YOU can find the list of those subcontractors here;
- third parties with whom YOU have a relationship and to whom YOU have agreed that we may transmit your information (for example, the Retailers YOU work with, the persons with whom YOU have chosen to share your Data on the Trace One Solution Network),
- any legal authority when so required by law, applicable regulations or a court decision,
- third parties such as consultants, for the purposes of fulfilling our audit responsibilities,
- another company, in the event that we should wish to sell our activity or part of our activity and/or assets. Such company shall be authorised to use your information, but only with due regard to confidentiality,
- third parties, under any relevant legal and regulatory requirements.
7. Transfer of Personal Data
With respect to Users based in the European Union, Trace One stores your information, including your Personal Data, in the European Union.
This is particularly the case for the information sent to some of our subcontractors located outside the European Union or to our subsidiary in the United States or in the United Kingdom.
In the event that your information is transferred outside the European Union, we shall set up all the appropriate guarantees so that the Processing is carried out in accordance with European Union regulations on the protection of personal data.
Thus, any transfer of Personal Data to a third country will only take place if:
- the third country is a country which, in the opinion of the European Commission, provides an adequate level of protection for Personal Data; or
- Trace One meets the following conditions:
- Trace One enters into a data transfer agreement that includes the Standard Contractual Clauses drawn up by the European Commission and Trace One ensures the existence and application of technical and organizational measures that guarantee a sufficient level of protection and confidentiality, in compliance with the regulations;
- The transfers carried out fall within the exception regime referred to in Article 49 of the GDPR.
Upon request, we can provide YOU with a list of the appropriate guarantees set up by Trace One in the context of such transfers.
8. Personal Data retention periods
The Personal Data relating to YOU which is processed for the purposes of the performance of the Agreement is stored for the duration of our contractual relationship with YOU, increased by the duration of the applicable legal limitation period.
The Personal Data relating to YOU which is processed for the purposes of the development of the commercial activity of Trace One are stored for 3 years from the end of the commercial relationship.
9. Your Rights
YOU have the right to access and to request rectification of the information relating to YOU, and to have such Personal Data deleted, to request the restriction of the Processing, as well as a right to the portability of your Personal Data. When the Processing of your Personal Data is based on your consent, in particular when you agree to receive Trace One advertisements, YOU have the right to withdraw consent at any given moment by clicking on the unsubscribed link or sending a request on the address specify below. YOU also have the right to give us specific instructions for the Processing of your Personal Data in the event of your death.
YOU can access the Personal Data relating to YOU and exercise your rights with respect to the Processing of such data by contacting our Legal Department at the following address: firstname.lastname@example.org or Service Juridique, Le Belvédère, 1-7 cours Valmy, 92800 Puteaux,France. YOU may also, on legitimate grounds, object to the Processing of the Personal Data relating to YOU. YOU have the right to lodge a complaint with a supervisory authority with respect to the Processing of your Personal Data. For further information on your rights, please refer to the website of the French Data Protection Authority (CNIL).
If YOU are entering into this Agreement on behalf of a legal entity, YOU undertake to forward this Personal Data Protection Policy to all Users before they connect to the Services.
For the purposes of this Personal Data Protection Policy, the following capitalised terms and expressions shall have the meanings ascribed to them below, whether used in the singular or plural form:
“Agreement” means the contractual documents as defined in Article 16 of the General Terms and Conditions, including any amendment made in accordance with the provisions of the General Terms and Conditions. The Agreement constitutes the legal basis for the processing of data in accordance with the provisions of Article 6 of the GDPR.
“Personal Data”, they have the meaning assigned to them by the GDPR (Article 4). They are any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” has the meaning assigned to it by the GDPR (Article 4). It means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
“Service(s)” the personal, non-exclusive and non-transferable right to access to and use the Trace One Solution(s), which are accessible online within the Trace One Solution(s) by the Users, and associated hosting and maintenance in accordance with the terms and conditions of the Agreement.
“Trace One Solution” means the Trace One Solution(s) accessible via Internet, which YOU have subscribed, as defined in the Specific Terms and Conditions, the related Documentation and their updates provided as part of the Services during the term of the Agreement.
“User(s)” means any user, Subscriber’s employee or supplier, authorized to use the Trace One Solution(s).
“YOU” or the “Subscriber” means the identified legal entity and/or individual person who is an employee and acting on behalf of the legal entity and who accepts the Agreement and benefits from the Services under the Agreement.
Annex 1 – Description of Personal Data Processing realized by Trace One as subcontractor
Personal Data category
- Data relating to the identity of the User (title, surname, first name(s), professional email address, identification code, password, photograph, function, etc.)
- Connection data for the use of Trace One solutions.
Processing necessary for the performance of the Agreement:
1/the administrative and accounting management of your files, as well as the management of the relationship we have with YOU (for example, support activities),
2/creating and managing your account for the Service(s),
3/managing Trace One Solutions and the security of their information system,
4/the management of requested information, in particular the management of requests relating to access, deletion, correction, portability of your Personal Data, as well as requests to limit or oppose the processing of your Personal Data.
Processing related to the development of Trace One's commercial activity:
1/Propose commercial offers for products or services similar to those we provide to YOU;
2/Analyse the user experience in order to improve the quality of our Services, and to monitor and perform checks on our Solutions to test and improve their security and performance
3/Analyse Your user experience in order to improve the Service, to provide support to You while You are browsing the Trace One Solutions, and to send You personalized messages about the Trace One Solutions.
The Personal Data collected and processed for the purpose of executing the Agreement is kept for the duration of the contractual relationship with YOU, plus the duration of the applicable legal statute of limitations.
Personal Data collected and processed for the purpose of developing Trace One's commercial activity is kept for 3 years from the end of the contractual relationship.