Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“RGPD”) sets out the legal framework applicable to the processing of personal data.
The RGPD strengthens the rights and obligations of data controllers, processors, data subjects and data recipients.
For a better understanding of the present policy, it is specified that :
The purpose of this policy is to satisfy the information obligation to which naaia is bound pursuant to Article 12 of the RGPD and to formalize the rights and obligations of naaia’s customers, prospects and partners with regard to the processing of their personal data.
This policy applies to all processing of personal data relating to customers, prospects and partners.
naaia makes every effort to ensure that data is processed within the framework of precise internal governance. The processing of personal data may be managed directly by naaia or through a subcontractor specifically appointed by naaia.
This policy is independent of any other document that may apply within the contractual relationship between naaia and customers, prospects and partners.
The personal data processed by naaia is mainly collected from its customers, prospects and partners when using the Site, but also when executing the contracts that bind us.
We undertake to respect the principle of data minimization, which consists of collecting only the data strictly necessary for the purpose of the processing carried out by naaia.
Consequently, we only collect and use the following personal data:
Contact details: telephone, address
Prospects / Internal site visitors
Newsletter subscription and receipt of promotional offers
Manage unsubscribe and unsubscribe requests.
Consent if prospect
Legitimate interest if customer
|Prospects / Website visitors
identification data (IP address),
acceptance data (click).
|Technical data management
|Legitimate interest or consent depending on data
Identification (Last name, first name)
Contact details: e-mail, telephone
Managing and improving relationships ;
To enable the Site to function;
Respond to requests from users of the Site and provide them with any useful information (contact form);
Send publications, press releases and information to users at their request;
Prospecting and sales events.
naaia ensures that data is only accessible to authorized internal or external recipients.
authorized personnel in the relevant naaia (customer/prospect/partner relationship management), administrative and IT departments, as well as their line managers;
authorized staff of audit departments (statutory auditors, departments responsible for internal audit procedures, etc.).
any competent supervisory authority, accountants, court officers and ministerial officers;
the organization in charge of managing the “Do Not Contact” list;
authorized subcontractor personnel.
Recipients of customer, prospect and partner personal data are bound by a confidentiality obligation.
In addition, personal data may be communicated to any authority legally empowered to deal with it. In this case, naaia is not responsible for the conditions under which the staff of these authorities access and use the data.
The duration of data retention is defined by naaia with regard to the legal and contractual constraints which weigh on it and failing that according to its needs and in particular according to the following principles:
|For the duration of the contractual relationship with naaia, plus 5 years from the closure of the account or termination of the business relationship for data and documents relating to customer identity.
|Duration of statistical study
|Site usage data
For the duration of the services provided by naaia and 1 year after the last intervention
Cookies: 13 months
|Data relating to prospects
|3 years from the date of collection by naaia or last contact with the prospect
After the set deadlines, data is either deleted or kept after being anonymized, notably for statistical purposes. They may be kept for pre-litigation and litigation purposes.
Customers, prospects and partners are reminded that deletion or anonymization are irreversible operations and that naaia is subsequently unable to restore them.
You have the right to ask us whether we are processing your personal data. You can also ask us to provide you with a copy of your data being processed.
However, if additional copies are required, we may require you to pay the cost of the new copy.
If you submit your request electronically, the information requested will be provided in a commonly used electronic format, unless you request otherwise.
You are hereby informed that this right of access and copying does not apply to information or data that is confidential or for which communication is not authorized by law.
The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilizing the proper performance of our services.
You have the right to ask us to rectify any data concerning you that may be obsolete or incorrect. To do this, please specify the data to be corrected and the data to be replaced.
The right to erasure is not applicable in cases where processing is carried out to meet a legal obligation.
Apart from this situation, you may request the deletion of your data in the following limited cases:
You are informed that these rights are not intended to apply insofar as the conditions required by the applicable regulations for each of them are not fulfilled with regard to the processing of personal data by us.
You are entitled to exercise your right to object only to processing based on naaia’s legitimate interests, provided that you give a reason relating to your particular situation. In such a case, naaia may refuse your request if it has compelling legitimate reasons that override your personal interest and, in particular, the reason you gave for your request.
We inform you that you have the right to formulate directives concerning the conservation, deletion and communication of your post-mortem data.
The above rights may be exercised, at the option of the interested party, by e-mail to the following address: firstname.lastname@example.org
Please note that only the person concerned by the processing may exercise the rights set out above. In case of doubt, we may ask you for a copy of your current identity document. Failure to do so may result in your application being rejected.
We do our best to respond to requests within a reasonable time and, at best, within one month of receipt of the request.
However, if the processing of requests proves complex, or if we are faced with a large number of requests to exercise rights simultaneously, the processing time may be extended to two months.
We may use any subcontractor of our choice to process the personal data of our customers, prospects and partners.
Within the meaning of the RGPD, a processor is any natural or legal person who processes personal data on behalf of the controller. In practice, these are the service providers with whom we work and who handle the personal data we process;
In this case, we ensure that the processor complies with its obligations under the RGPD and undertake to sign a written contract with all our processors imposing on them the same data protection obligations that we impose on ourselves. In addition, we reserve the right to audit our subcontractors to ensure their compliance with the provisions of the RGPD.
We undertake, in our capacity as data controller, to keep an up-to-date register of all processing activities carried out, which includes the processing of data relating to our customers, prospects and partners.
This register is a document or application that lists all the processing operations we carry out as data controller.
We undertake to provide the CNIL, at its first request, with information enabling it to verify the compliance of data processing with current data protection regulations.
We implement the physical or logical technical security measures we deem appropriate to protect against the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.
These measures include the following:
In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of your personal data, to replace them with means of superior performance. No development can lead to a reduction in the level of safety.
We undertake to notify the CNIL of any data breach that we may suffer, in accordance with the conditions laid down in the regulations governing personal data.
Our contacts with customers, prospects and partners are informed of any data breach that could pose a high risk to their privacy.
We reserve the right to implement cross-border flows outside the EU of the data we process, of which you will be informed. In such a case, we will ensure that your rights are respected and, if necessary, we will sign one or more contracts with the recipient country(ies) to regulate these flows.
naaia has appointed an RGPD referent who can be contacted via the following email and postal addresses:
E-mail address: email@example.com
If customers, prospects and partners wish to obtain particular information or wish to ask a particular question, they will be able to contact the RGPD referent, who will give them an answer within a reasonable timeframe with regard to the question asked or the information required.
Customers, prospects and partners concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:
CNIL – Complaints department
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22
The present policy may be modified or amended at any time in the event of changes in legislation, case law, CNIL decisions and recommendations or usage.
Any new version of the present policy will be brought to the attention of customers and contacts by any means defined by naaia, including electronic means (e.g. distribution by e-mail or online).