Privacy Policy



Introduction

We are committed to protecting your privacy and ensuring the security of your personal information. This privacy policy informs you about how we collect, use, and safeguard your data in the context of your relationship with Inetum.
Your Personal Data will be processed in accordance with the provisions of current Personal Data protection regulations and, particularly:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter referred to as GDPR)
  • any national legislation, of any country, that regulates the processing of Personal Data
  • or any regulation that modifies, develops, or replaces the previous ones.

Please refer to the last section of this document for standard GDPR terms usied in this policy.

Who is the Data controller of the Personal Data?

The company Inetum S.A.S. with registered office in 5-7 rue Touzet Gaillard 93400, Saint-Ouen – Paris -France.

What do we do with your personal data?

The following table lists out the data processing operations we perform, the data being processed for that purpose, the concerned categories of person, the legal basis of the data processing operation and the retention period.
“Consent” indicates that the data processing operation is only applicable to persons who have explicitely opted-in for it and as long as the person has not opted-out.
The Inetum group is considered as “controller” for all the following data processing operations:


Data processing operation Data being processed Data subject Legal basis Retention period
Send invitations to events and webinars Contact details Data subjects having opted-in for invitations Consent Opt-in renewal required after 2 years.
Send newsletter(s) Contact details Data subjects having opted-in for the concerned newsletter(s) Consent Opt-in renewal required after 2 years.
Send targeted marketing communications Contact details Segmentation information Data subjects having opted-in for the concerned communications Consent Opt-in renewal required after 2 years.
Management of registrations and participants to events and webinars Contact details Event/webinar participation details Data subjects having registered to the event or webinar. Contract 2 months after end of event or webinar
Audit of marketing activities Contact details Event/webinar participation details Data subjects having registered to the event or webinar. Legal obligation 5 Years or 10 Years according to local regulation
Customer Surveys Legitimate interest Data subjects having opted-in for the concerned surveys Consent Opt-in renewal required after 1 years.
Deals/Sales Contact Contact details Business contact Legitimate interest Opt-in renewal required after 2 years.
Project / service contract management Contact details Contract-related information (e.g. role) Data subjects from the customer who are playing a role in the contract Contract 1 year after complete termination of the contract
Management of legal disputes about project / service contracts Contact details Contract-related information (e.g. role) Data subjects from the customer who are playing a role in the contract Legitimate interest 5 Years or 10 Years according to local regulation

How can you exercise your data subject rights?

At any time, you may exercise a series of rights regarding the processing of your Personal data. We will inform you at the time of collection of the Personal data as they may be different according to the local regulations. These rights are inherent to each person and, therefore, are inalienable and are as follows as long as they are recognized in accordance with local regulation:

  • Right of access: The right to access Personal data processed by the Data controller according to Article 15 of the GDPR.
  • Right to rectification: The right to request that the Data controller rectify certain personal of the Data Subject according to Article 16 of the GDPR.
  • Right to object: The right to object to Processing based on consent or on the existence of a legitimate interest (including, but not limited to, the sending of commercial communications), according to Article 21 of the GDPR. In cases that the Processing is based on the existence of a legitimate interest, the Data Subject will have the right to request the balancing test carried out by the Data controller.
  • Right to erasure: The right to request that the Data controller deletes all or part of the Data Subject’s Personal data according to Article 17 of the GDPR. Please note that while the commercial and/or contractual relationship that we maintain with you continues to be in force, there is a series of Personal Data that is necessary for us to process in order to comply with the contract, so while it lasts we cannot delete, block or cancel them, because otherwise it would prevent us from complying with the contract.
  • Right to the limitation to the processing: The right to limit the Data Controller’s processing of your Personal data, provided that one of the conditions established in Article 18 of the GDPR are met.
  • Right to data portability: The right to receive the data you have provided to the Data controller in a structured, commonly used and machine-readable format and to have it transmitted to another Data controller (or have it transferred directly to the new Data controller, where technically feasible), according to Article 20 of the GDPR
  • Right to withdraw consent: For the types of processing identified in the section on Processing based on the consent from the Data Subject, without such withdrawal of consent having a retroactive effect, according to Article 7.3 of the GDPR.
  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or affects you significantly: The Data controller informs the Data Subject that, notwithstanding the fact that decisions are made based on automated systems, these decisions (i) either do not produce legal effects or significantly effect on the Data Subject; (ii) or are not taken exclusively in an automated manner.

The Data Protection Officer is a position defined by the GDPR, who assists the Data controller in Data Processing and with ensuring compliance with privacy regulations.
You can exercise your data subject rights by sending an email to the DPO of your local Inetum agency.

Area/Country Contact
France & Luxembourg dpo@inetum.fr
Iberia/Latam iberlatam.privacy.es@inetum.com
Belgium dpo@inetum-realdolmen.world
Africa & East dpo_emea@inetum.com

Will my data be shared with 3rd parties inside the EU or outside the EU?

Sharing within Inetum
Inetum comprises several subsidiaries which all respect the same policies of use and information security measures.
All Inetum subsidiaries conform to the GDPR regulation.
Platform hosting
Your data will be hosted by our Datacenter or partners’ Datacenter.
Our partners comply with the EU-U.S. Data Privacy Framework.
Your data will be stored in a European datacenter.
3rd Party marketing partner We do NOT share any of your data with 3rd party commercial partners
without your consent.

Can we change the terms of the Policy?

We may modify this Policy at any time, but we will always inform you of any significant change sending you a notice. Whenever we make minor changes to our Privacy Policy, we will update it with a new effective date that will be included in the document. Modifications will not apply retroactively and will be effective as of the date of publishing. We recommend that you regularly check the Policy that you can find on our websites.

What are your responsibilities?

You are responsible for all of the data you provide to us, for the veracity, accuracy, validity, updating, and authenticity of said data, as well as for the consent you give us so that your data may be used/processed. You are also responsible for third-party data you provide to us and for which, you undertake to obtain their consent and making available the information we usually provide our users for any data processing as well as our privacy policy.

You are responsible for regularly checking this Policy and any updates made to it. Further, if your job involves the processing of Personal Data, you are responsible for ensuring that you do so in accordance with the applicable privacy regulations and local legislation.

What definitions do I need to know in order to better understand the Policy?

We would like to provide you with the definition of some of the terms that you will find throughout this document:

  • Activities, Products and/or Services: Refers to invitations to commercial, informative, sports or recreational events, and commercial information on energy solutions, mobility, automotive assistance, insurance, finance, leisure, travel, home, sports, gastronomy, payment means and services, or telecommunications of third parties and through different channels.
  • Anonymization: use of a set of techniques aimed at removing the ability to associate data with an identified or identifiable natural person by means of a "reasonable" effort.
  • Binding Corporate Rules: Personal Data protection policies undertaken by a controller or processor established in the territory of a Member State for transfers or a set of transfers of Personal Data to a controller or processor in one or more third countries, within a corporate group or a union of undertakings engaged in a joint economic activity.
  • Communication of data: means any disclosure of data to a natural or legal person, public authority, service or other body, whether or not it is a Third Party.
  • Consent: free, unequivocal, specific and informed manifestation of will to the processing of Personal Data.
  • Cookies: Cookies are small files or devices that are installed in the user's browser in order to store, retrieve or update information. Through them, the editor of a website can try to know the preferences of users when browsing its website and customize the services offered based on those preferences. You can find more information in the Inetum Cookies Policy.
  • Data Controller: means the natural or legal person, public authority, service or body that decides what data to process, why and how. For the purposes of this Policy, any of the companies of the Inetum group.
  • Data Processor: a natural or legal person, public authority, service, or body that carries out a processing operation on behalf of a third party (the Data Controller). Sometimes it is Inetum, SA for all its subsidiaries or third-party suppliers since we have a centralized management of most of the matters related to organization and business.
  • Data Protection Officer: data protection specialist who informs and advises the Inetum group on the processing of Personal Data and related obligations under the GDPR.
  • Data Subject: for the purposes of this Policy, shall mean any natural person who is the owner of the processed data.
  • Inetum: Inetum company that acts as Data controller.
  • Inetum Group: group of companies for the purposes of Article 42 of the Commercial Code. More information at About us - Positive Digital Flow | Inetum.
  • International Transfers: those cases where Personal Data is processed outside the European Economic Area (EEA).
  • Personal Data: any information about a natural person that identifies him/her or makes him/her identifiable (first and last name, address, telephone number, e-mail address, etc.).
  • Processing: operation or set of operations performed on Personal Data or sets of Personal Data, whether or not, by automated procedures, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of enabling access, alignment or interconnection, restriction, erasure or destruction.
  • Pseudo-anonymization: means the processing of Personal Data in such a way that they can no longer be attributed to a Data Subject without the use of additional information, provided that such additional information is separately identified and is subject to technical and organizational measures designed to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
  • Profiling: means any form of automated processing of Personal Data consisting of using Personal Data to evaluate certain personal aspects of a natural person, to analyze or predict aspects relating to that natural person's professional performance, financial situation, health, personal preferences, interests, reliability, behavior, location or movements.
  • Recipient: means a natural or legal person, public authority, service, or other body to whom Personal Data is disclosed, whether or not it is a Third Party.
  • Standard Contractual Clauses: a mechanism that makes it possible, through the signing of a contract based on the model approved by the European Commission, to regulate international transfers of Personal Data to countries outside the European Economic Area.
  • Third Party: natural or legal person, public authority, service or body other than the Data Subject, the Controller, the Processor and the persons authorized to process the Personal Data under the direct authority of the Controller and/or the Processor.


Last updated: June 3rd, 2024