DERRIENNIC ASSOCIES (the “Firm”) may, in the course of its activities, process your personal data in accordance with applicable legislation.
This policy provides you with information on how your personal data is processed by the Firm.
This policy, which is accessible on our website, is updated regularly to take into account legislative and regulatory developments, and any changes in the organization of the Firm or in the processing it performs.
This policy is accompanied by a specific information notice for each processing operation carried out on your personal data, which will be made available to you as soon as possible and, in the event that we collect your data directly from you, at the time of such collection.
This policy was updated on 8 June 2020.
I – Who are we?
The Firm, when acting as data controller, is responsible for the personal data you provide us with.
In order to protect your privacy and your personal data in the most effective way possible, we have appointed a data protection officer. This person, who is the main point of contact for the supervisory authority, is responsible for ensuring that we process your data in accordance with the applicable legislation.
You can contact our Data Protection Officer at https://derriennic.com/contact/.
II – What are our commitments?
We are committed to ensuring the highest possible level of protection for the persons whose personal data we process (the “data subjects”). The protection of personal data, particularly those of our clients, is all the more important to us in view of our obligations in terms of professional secrecy.
We undertake to comply with the applicable regulations for all processing of personal data that we carry out. Thus, we undertake to respect the following principles:
- We process your personal data in a lawful, fair and transparent manner;
- We collect your personal data for specific, explicit and legitimate purposes and will not process them in a way incompatible with those purposes;
- We ensure that the personal data processed are adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- We make our best efforts to ensure that personal data is accurate and, where necessary, kept up to date. We will take all reasonable steps to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is deleted or rectified without delay;
- We will keep your personal data in a form that permits your identification only for as long as is necessary for the purposes of the processing;
- We process your personal data in such a way as to ensure an appropriate level of security for such data.
These commitments are manifested as follows:
- We respect your privacy and your rights;
- We ensure that the protection and security of your personal data is at the centre of our concerns;
- We consider each processing operation taking into account the principles of data protection, in order to comply with the principle of data protection by design;
- We will not use your personal data for purposes that have not been brought to your attention;
- We do not consider that your personal data should be stored for an unlimited period of time;
- We will not share or sell your personal data to third parties;
- We are committed to securing and protecting your personal data. To this end, we only work with trusted partners;
- We respect your rights and will make our best efforts to satisfy your requests, as long as they are well-founded.
III – What personal data do we process?
We remind you that personal data is information relating to an identified or identifiable natural person, such as an e-mail address, your first and last name, your IP address, etc.
We collect your personal data via the contact form on this website and by other means. In some cases, we collect your personal data directly from you. In other cases, your personal data is provided to us by a third party.
Examples of personal data that we may process:
- identification data, such as your first and last name, your address, your telephone number, your e-mail address;
- application data, such as your CV, diplomas, professional experience, if you wish to apply for a position with the Firm;
- all data relating to your case, such as the contracts you have entered into, your marital status, or data relating to criminal convictions and offences, if you are a client of the Firm and depending on the case you entrust to the Firm;
- data relating to an order or a service provided to us, if you are a supplier or service provider of the Firm.
IV – For what purposes are your personal data processed?
The processing of personal data carried out by the Firm has an explicit, legitimate and specified purpose.
For example, your personal data may be processed for the following purposes:
– If you are a client or prospect, we may process your personal data for the following purposes:
- the management of our relationship with you;
- organising, registering and inviting you to the Firm’s events;
- the management of your case;
- the collection of debts;
- the prevention of money laundering and the financing of terrorism and the fight against corruption;
– If you submit an application for a position with the Firm, we may process your data in order to manage your application.
– If you subscribe to one of our newsletters, we may also process your personal data in order to send you the newsletter by e-mail.
– If you are one of our suppliers or service providers, we may also process your data to manage our relationship with you.
The purpose of the processing will be communicated to you on a case-by-case basis, for each processing we carry out on your personal data.
V – How do we ensure the lawfulness of our processing operations?
We systematically ensure, when we process your personal data, that the processing has a “legal basis”.
We always process your personal data according to one of the following legal bases:
– Where you have concluded a contract with the Firm, and the performance of that contract requires us to process your personal data, the legal basis for the processing is the performance of the contract. For example, this could be the case if you are a client of the Firm and you entrust us with one of your cases.
– Where the processing is necessary for the performance of pre-contractual measures taken at your request, our legal basis is based on those pre-contractual measures. For example, this is the case when you submit an application for a position to us, which requires us to study your CV in order to take a decision on your application.
– Where the processing is necessary for the legitimate interests we pursue, our legal basis is those legitimate interests. For example, the processing of your personal data for canvassing purposes may be carried out for the purposes of the legitimate interests pursued by the Firm.
– We may also process your personal data on another of the legal bases listed in the applicable legislation or regulations.
VI – How long do we keep your personal data?
The Firm will keep your personal data only for as long as it is necessary for the purposes for which it is processed and in accordance with applicable law. Thus, the length of time we keep your personal data depends on the purpose for which they are processed:
- Customer Relationship Management: 5 years from the end of the customer relationship
- Organization, registration and invitation to events: 3 years from the end of the relationship with the data subject if the data subject is a customer and 3 years from the last contact if the data subject is a prospect
- Case management: 5 years from the end of the customer relationship
- Debt collection: until full recovery of the debt or 5 years from the end of the relationship with the debtor
- Prevention of money laundering and terrorist financing and the fight against corruption: until our legal or regulatory obligation is fulfilled
- Billing: 10 years from the end of the accounting year concerned
- Accounting: 10 years from the end of the accounting year concerned
- Managing your applications for a position: 2 years from the last contact with the candidate
- Sending our newsletter: until the end of the subscription
- Relationship management with service providers and suppliers: 5 years from the end of the relationship
- Replying to requests sent to us through the contact form on the site: the time required to respond to the request
VII – Who can access your personal data?
Authorised persons within the Firm and, in certain cases, its data processors (our “trusted service providers”), may access your personal data. We make our best efforts to ensure that the number of such persons remains as small as possible and maintain the confidentiality and security of your personal data.
We only provide our trusted service providers with the information they need to provide the service and ask them not to use your personal data for other purposes. We always make every effort to ensure that all our trusted service providers with whom we work maintain the confidentiality and security of your data. We also make sure that when our relationship with a trusted service provider comes to an end, that service provider deletes your personal data without delay.
We select our trusted service providers with great care, ensuring that they provide sufficient guarantees, including expertise, reliability and resources, to implement the technical and organisational measures to meet the requirements of applicable legislation, including the security of processing. In this respect, we ensure that our trusted service providers process personal data only on our documented instructions. We also ensure that their staff is committed to confidentiality or is subject to an appropriate legal obligation of confidentiality.
We may require our trusted service providers to provide a service that requires the processing of your personal data, for example in the following cases:
– the hosting of our website;
– the storage of your personal data;
– maintenance of our equipment/software.
Where appropriate, we ensure that the use of these trusted service providers does not breach our obligation to maintain the confidentiality of the information submitted to them.
For each processing we carry out on your personal data, we will inform you about the identity and role of our trusted service providers.
VIII – Where do we keep your personal data?
Your data is stored in the European Union (EU) and the European Economic Area (EEA) by the Firm and its trusted service providers. However, depending on the processing, your data may also be transferred to a country outside the EU and the EEA, for example if the processing of your case, as a client, requires such transfer to a third party entity.
When transferring data outside the EU and the EEA, we ensure that the data is transferred securely and in accordance with applicable law. Where the country to which the data is transferred does not have protection comparable to that in the EU, we use “appropriate or adequate safeguards”.
These appropriate or adequate safeguards are a means of ensuring that your personal data is protected even when it leaves the EU. These appropriate safeguards may, for example, include the use of standard contractual clauses adopted by the European Commission.
In case of transfer of your personal data to entities located in the United States of America, we may also use the “Privacy Shield” (a self-certification mechanism for companies established in the United States that has been recognized by the European Commission as providing an adequate level of protection for personal data transferred by a European entity to companies established in the United States). This mechanism is therefore considered to provide legal guarantees for such data transfers.
On a case-by-case basis, we will inform you of our intention to transfer personal data to a third country, whether or not there is an adequacy decision by the Commission and, if so, the reference to the appropriate safeguards and the means to obtain a copy of them or the place where they have been made available.
IX – What are your rights as a data subject and how can you exercise them?
Depending on the processing operations to which your data are subject, you may have the following rights:
- the right to obtain confirmation from us as to whether or not personal data concerning you are being processed (right of access). If this is the case, you can access your personal data and obtain information such as the purpose of the processing, the categories of personal data concerned, etc.;
- the right to obtain from us the rectification of inaccurate personal data concerning you (right of rectification);
- the right to obtain the deletion of your personal data, provided that one of the reasons justifying this right applies (right of erasure);
- the right to obtain the restriction of the processing, where one of the reasons justifying the exercise of this right applies (right to restriction of processing);
- the right to object, on grounds relating to your particular situation, to certain processing of personal data (right to object).
To exercise these rights, you can contact us at the following address: https://derriennic.com/contact/.
In order for us to process your request satisfactorily, you will need to prove your identity, by any means whatsoever. In case of doubt on our part, we may ask you for additional information, including the transmission of a copy of your identity card, signed by you.
We will do our best to respond satisfactorily to your requests. Whatever our answer, we will send it to you within one month, but our response time may be extended by a further two months depending on the complexity and number of requests.
If, for any reason whatsoever, you feel that our response is unsatisfactory, we inform you that you may file a complaint with the competent supervisory authority.
X – What information will we provide you?
Each time the Firm carries out processing operations on your personal data, it brings to your attention:
- the identity of the data controller;
- the purpose of the processing;
- the rights you have regarding this processing;
- a link to this policy.
This information will be made available to you as soon as possible and, in the case of direct collection of your data, at the time of collection.
Some of our obligations of professional secrecy may limit your right to information: if your personal data is covered by confidentiality by virtue of an obligation of professional secrecy incumbent on us, and if we have obtained it through indirect collection, we may not provide you with this information.
XI – How do we handle the security of your personal data?
The Firm attaches great importance to the protection of your personal data and takes all reasonable precautions to this end. We ask our partners who manage your data on our behalf to do the same.
We constantly do our best to protect your personal data. As soon as we receive your data, we apply strict procedures and security measures (technical and organisational) to prevent unauthorised access.