PERSONAL DATA MANAGEMENT POLICY
The company Z#BRE (hereinafter “Z#BRE”) is strongly committed to the management of the personal data it may be required to process.
These conditions are intended to determine the guidelines that frame the processing of personal data by Z#BRE.
This policy applies to the processing of Data implemented by Z#BRE as Data Controller. This Privacy Policy may be modified at any time.
In this case, the new version will be communicated to Data Subjects by any means and will be automatically enforceable against them.
DEFINITIONS
Personal Data or Data: Any information relating to an identified or identifiable natural person (hereinafter referred to as the “Data Subject”) directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Data controller: The natural or legal person who determines the purposes and means of the processing.
Processor: The natural or legal person who processes personal data on behalf of the controller.
Recipient: the natural or legal person who receives personal data, whether or not a third party.
Third party: a natural or legal person, a public authority, a service or a body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent: any free, specific, informed and unambiguous expression of will by which the person concerned by the processing of personal data accepts, by a declaration or by a clear positive act, that personal data concerning him or her may be processed.
THE DATA COLLECTED
This personal data protection policy applies to all personal data processed by Z#BRE as data controller. This may include data concerning its employees, service providers, prospects, customers …
Z#BRE is likely to collect data such as: first and last name; email address; gender; telephone number; postal address; age / date of birth; billing data; prospecting; connection data …
GUIDING PRINCIPLES
Personal Data is processed by Z#BRE in accordance with the principles of lawfulness, fairness, transparency and proportionality.
Personal Data is collected for specific, explicit and legitimate purposes, and processed in a manner that is adequate, relevant and limited to what is necessary with regard to the purposes for which it is used.
Personal Data is kept in a form that allows identification of the persons concerned for no longer than is necessary for the purposes for which it is processed.
INFORMING THOSE CONCERNED
When Personal Data relating to a Data Subject is collected from that person or from a third party, the Data Controller will be able to provide the following information in particular:
– the identity and contact details of the Data Controller.
– the purposes of the processing for which the Data is intended, and the legal basis for the processing.
– the recipients of the Data.
– whether the Data Controller intends to transfer the Data to a country outside the EU.
– how long the Data will be kept or, where this is not possible, the criteria used to determine this period.
– where applicable, the implementation of a profiling mechanism or mass processing of personalized data.
– where applicable, the source from which the Data originates.
As far as possible and subject to other legal or contractual obligations, this information will be communicated at the time of collection or at the time of the first communication with the Data Subject.
THE RIGHTS OF THOSE CONCERNED
Data Subjects may exercise their right to request access to Data, rectification or deletion of Data, portability of Data to a Third Party, limitation of processing, as well as to object to Processing, by sending a request by e-mail to the following address: dpo@zbre.io.
All requests must be clear, precise and justified, accompanied by a copy of an identity document, and made in accordance with the applicable legal framework.
The Persons concerned may lodge a complaint with the CNIL:
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22 / Fax: 01 53 73 22 00
Or at www.cnil.fr/fr/plaintes or www.cnil.fr
The Person concerned is informed that, in the event of opposition to the Processing or if he/she transmits erroneous or fanciful Data, the services linked to the collection of the Data may not be rendered, and the Data Controller cannot incur any liability in this respect.
Furthermore, the collection of certain Data may be required for regulatory or contractual reasons. The person concerned is thus obliged to provide the Personal Data requested.
DATA RECIPIENTS
The Data collected will be processed by the employees of Z#BRE companies who are authorized according to their position to access and process said Data.
In some cases, the data collected may be processed by subcontractors or partners, and only to the extent necessary to perform the tasks entrusted to them.
Z#BRE strictly requires that its subcontractors or partners process Personal Data only to manage the services they are responsible for.
Z#BRE also requires these providers or partners to always act in compliance with applicable laws regarding the protection of personal data and to pay particular attention to the confidentiality of such data.
The data may be communicated by Z#BRE to the administration, courts, government services in compliance with legal and regulatory provisions.
DATA STORAGE
Personal Data is stored either in Z#BRE databases or in those of its service providers.
In some cases, and mainly for technical reasons or geographical positioning of its Customers, these databases may be stored on servers located outside the territory of the European Union.
DATA SECURITY
Personal Data is processed in such a way as to guarantee appropriate security by means of physical, technical or organizational measures appropriate to the state of the art, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Depending on needs, risks, costs and the purpose of Processing, these measures may include pseudonymization and encryption of Data.
Each Data Controller implements a procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of Processing. In the event of a breach of Personal Data, each Data Controller will use its best efforts to notify the CNIL as soon as possible and, if possible, no later than 72 hours after becoming aware of the breach.
If this violation of Personal Data is likely to give rise to a high risk for the rights and freedoms of Data Subjects, the Data Controller will inform them by any means as soon as possible, unless the Data Controller has taken sufficient technical protection measures to stop the violation.
TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
Due in particular to the international dimension of Z#BRE’s activities and in order to optimize the quality of service, the information communications referred to above are likely to involve transfers of personal data to countries that are not members of the European Economic Area, whose legislation on the protection of personal data differs from that of the European Union.
In such cases, contractual, organizational and procedural measures relating to the personnel or companies concerned ensure an adequate level of protection, security and confidentiality of Personal Data.
In the event of a Transfer to a country whose legislation has not been recognized by the European Commission as providing an adequate level of protection within the meaning of the applicable Data Protection legislation, Z#BRE undertakes to sign a data transfer contract that includes the EU Standard Contractual Clauses as set out in European Commission Decision 2010/87/EU.