We want to work with you, our customers, partners, service providers, suppliers and trainees, in confidence, so this policy sets out what we do as a data controller with the personal data of individuals.
This document tells you what personal data we collect and that you provide to us, why we do so, when we disclose it to third parties, how we store it, secure it, and how you can exercise your rights to your data.
If you have any questions about this policy, please contact our Data Protection Officer (DPO) at firstname.lastname@example.org.
Why do we collect and use personal data?
We collect personal data directly from you or through your employer or an authorised person in order to:
- Ensure the execution of a contract or the general conditions of an Apave online service (contract follow-up, preparation and execution of the intervention and service; quality control)
- To comply with our legal or regulatory obligations
- To fulfil specific purposes after obtaining your explicit and positive consent
- Our legitimate interests such as personalising our offers according to your needs, ensuring the security of our information system
Some examples: we may send you via your email address a reminder of your accreditation or certification renewal; we may inform you of new applications or services available for your sector of activity.
In addition, if you contact us, we will keep a record of your enquiry to enable us to deal with it in the best possible way.
What personal data do you provide to us or do we collect?
When you contact us, or ask us to contact you again for the services you are interested in, you agree to provide us with the following personal data: surname, first name, e-mail address, telephone number, information shared by yourself, such as your job title, activity, cookies.
In order to provide our services, we collect personal and professional identification data such as surname, first name, business telephone number, date of birth (trainees and professional training), business e-mail address, signature, job title, photograph if applicable; data relating to technical skills; financial data relating to billing.
We also use personal data generated as a result of the training: the attendance sheet, date of issue of the certificate, training evaluation, authorisations and titles. When you have completed a training course, we inform you of the need for renewal in order to help you maintain your qualification.
When you wish to access the online services to which you have subscribed, you provide the following personal data: surname, first name, business e-mail address, business telephone number.
We also store your consents to receive information, for example the news you subscribe to, as well as your withdrawals of consent to processing to which you had previously consented.
In order to fulfil a specific purpose, we may collect health data, particularly in the field of radiation and certain training courses. Further details will be provided where appropriate.
When do we disclose your personal data to third parties?
We only pass on your personal data to third parties in the following cases :
- To the internal departments of the Apave group in charge of carrying out the purposes
- For external processing purposes: we transmit this data to trusted persons who process it on our behalf, according to our instructions, in compliance with the RGPD and in compliance with all other appropriate security and confidentiality measures. In particular, we use service providers to provide data storage and hosting.
- For legal or regulatory reasons: we may share personal data to comply with legal, regulatory and administrative obligations, to detect, prevent or investigate fraudulent activities, security breaches or technical problems, or for external evaluations and audits by authorities (or their representatives).
How do we store and secure your personal data?
We implement the necessary and appropriate organisational and technical security measures against unauthorised access, modification, disclosure or destruction of the data we store. The Information System Security Policy (ISSP) can be provided to you for further details of the measures.
These measures include the following:
- Only collect data that is necessary for the stated, explicit and legitimate purposes
- Apave's employees, subcontractors, service providers and contacts who need access to personal data to carry out their roles, functions and responsibilities :
- are authorized and have access that is strictly reserved for them
- are aware of and/or trained in their roles, functions and responsibilities
- have signed a confidentiality agreement and have been informed of the risks and sanctions in case of breach of this obligation
- We encrypt data where necessary
- We conduct internal audits and audits of our suppliers processing personal data on behalf of Apave.
Where we subcontract specific processing activities, we ensure that these subcontractors comply with the same obligations and provide sufficient guarantees that appropriate technical and organisational measures have been implemented so that the processing of personal data meets the requirements of the applicable regulations. An agreement on the outsourcing of personal data will then be formally concluded.
We retain personal data for the duration of the business relationship and then archive or delete it. In some cases, we reserve the right to keep personal data for a longer period, in particular to prevent possible litigation and to meet our legal and regulatory obligations.
For data processed in the context of consent-based processing, we delete it as soon as consent is withdrawn.
We do not transfer personal data outside the European Union. In the event that we are required to do so for the purposes of a contract, we undertake to put in place appropriate safeguards and to obtain prior consent for the transfer. In any event, we remain responsible for our obligations with respect to such personal data.
How to exercise your rights regarding personal data?
In accordance with the law transposing the General Regulation on the protection of personal data, you have rights that we are required to respect:
- A right to information about the processing of your data in a clear, fair and transparent manner
- A right of access to your personal information: you have the right to obtain from us confirmation as to whether or not your data is being processed, the purposes for which it is being processed, the recipient of the data, the possible transfer of the data and a copy of the data
- A right to rectify inaccurate or incomplete data: you can obtain from us the rectification of your data if it turns out to be erroneous or inaccurate
- A right to object to certain processing operations, in particular those aimed at commercial prospecting
- A right to withdraw consent to data processing, without the effects of this withdrawal being retroactive
- A right to erase your data that has been unlawfully processed: you have a right to be forgotten only when the processing of your data does not concern the performance of the contract and you have terminated the contract
- A right to portability allowing you to receive in a usable format your data provided in order to transmit them to another provider. Data portability only applies to data that you have provided to us about yourself and only if the processing is based on consent or contract
- A right to restrict processing
- A right to give instructions on the retention, erasure and disclosure of your data after your death
To exercise your rights, simply contact the DPO at email@example.com, or by post at Apave for the attention of the DPO at 191 rue de Vaugirard 75738 Paris cedex 15. There is also the possibility of lodging a complaint with a Data Protection Control Authority, in France the CNIL.
How do we handle personal data breaches?
We take data breaches very seriously.
In the event of a breach of your personal data that may pose a risk to your rights and freedoms, Apave's DPO will notify the CNIL of the breach as soon as possible, and if possible within 72 hours of becoming aware of it. Apave will also inform the person concerned as soon as possible in accordance with the provisions of Article 34 of the RGPD.
Review and update of our data protection policy
We are committed to processing personal data in accordance with the legal provisions in force.
This policy will be reviewed as the law evolves. You will be regularly informed of this update.
(Updated on 20/11/2019)