Why do we collect and use personal data?
We collect personal data directly from you or through your employer or an authorized person in order to:
- ensure the execution of a contract or the general conditions of an Apave online service (follow-up of the contract, preparation and execution of the intervention and service; quality control);
- comply with our legal or regulatory obligations;
- fulfil specific purposes after obtaining your explicit and positive consent;
- pursue our legitimate interests, such as personalising our offers according to your needs and ensuring the security of our information system.
Some examples: we can send you via your email address a reminder notification of your accreditation or certification renewal; we can inform you of new applications or services available for your industry.
Also, if you contact us, we will keep a record of your application to enable us to deal with it as best we can.
What personal data do you provide to us or do we collect?
When you wish to access the online services to which you have subscribed, you provide the following personal data: name, surname, business e-mail address, business telephone number.
We also store your consents to receive information, for example the news you subscribe to, and your withdrawals of consent to processing you have previously consented to.
To fulfil a specific purpose, we collect health data, particularly in the area of outreach and certain training courses. Preliminary decisions will be made as appropriate.
When do we disclose your personal data to third parties?
We will only disclose your personal data to third parties in the following cases:
- To the internal departments of the Apave Group responsible for fulfilling these purposes.
- For external processing purposes: we transmit this data to trusted persons who process it on our behalf, according to our instructions, in compliance with the GDPR and in compliance with any other appropriate security and confidentiality measures. In particular, we use service providers to safeguard and host the data.
- For legal or regulatory reasons: we may share personal data to comply with legal, regulatory and administrative obligations, to detect, prevent or investigate fraudulent activity, to prevent or investigate breaches of confidentiality, to protect the confidentiality of personal data, and to protect the confidentiality of information. This includes fraudulent activities, security breaches, technical problems and external audits and evaluations by authorities (or their representatives).
How do we store and secure your personal data?
We implement appropriate and necessary organisational and technical security measures against unauthorised access, modification, disclosure or destruction of the data we store. The Information Systems Security Policy (ISSP) can be forwarded to you for further details of the measures.
These measures include the following:
- We only collect data that is necessary for the stated, explicit and legitimate purposes.
- Apave employees, subcontractors, service providers and contacts who need access to personal data to carry out their roles, functions and responsibilities:
  - are authorized and have access that is strictly reserved for them;
  - are aware of and/or trained in their roles, functions and responsibilities;
  - have signed a confidentiality agreement and have been informed of the risks and sanctions in case of breach of this obligation.
- We encrypt data where necessary.
- We carry out internal audits and audits of our suppliers processing personal data on behalf of Apave.
When we outsource specific processing activities, we ensure that these subcontractors comply with the same obligations and provide sufficient guarantees that the data processing is carried out in accordance with the law and that appropriate technical and organisational measures are implemented to ensure that the processing of personal data complies with the requirements of the applicable regulations. An agreement on the outsourcing of personal data will then be formally concluded.
We retain personal data for the duration of the business relationship and then archive or delete it. In some cases, we reserve the right to keep personal data for a longer period, in particular to prevent possible litigation and to meet our legal and regulatory obligations.
For data processed in the context of consent-based processing, we delete it as soon as consent is withdrawn.
We do not transfer personal data outside the European Union. In the event that we are required to do so for the purposes of a contract, we undertake to put in place appropriate safeguards and to obtain prior consent for the transfer. In any event, we remain responsible for our obligations with respect to such personal data.
How can you exercise your personal data rights?
In accordance with the law transposing the General Regulation on the protection of personal data, you have rights that we are obliged to respect:
- A right to information about the processing of your data in a clear, fair and transparent manner;
- A right of access to your personal information: you have the right to obtain from us confirmation as to whether or not your data is being processed, the purposes for which it is being processed, the recipient of the data, the possible transfer of the data, and a copy of the data;
- A right to rectify inaccurate or incomplete data: you can obtain from us the rectification of your data if it turns out to be erroneous or inaccurate;
- A right to object to certain processing operations, in particular those aimed at commercial prospecting;
- A right to withdraw consent to data processing, without the effects of this withdrawal being retroactive;
- A right to erase your data that has been unlawfully processed: you have a right to be forgotten only when the processing of your data does not concern the performance of the contract and you have terminated the contract;
- A right to portability allowing you to receive in a usable format your data provided in order to transmit them to another provider. Data portability only applies to data that you have provided to us about yourself and only if the processing is based on consent or contract;
- A right to restrict processing;
- A right to give instructions on the retention, erasure and disclosure of your data after your death.
To exercise your rights, simply contact the DPO at firstname.lastname@example.org, or by post at Apave for the attention of the DPO at 6 Rue du Général Audran 92412 Courbevoie. You may also file a complaint with a Data Protection Control Authority, in France the CNIL.
How do we manage personal data breaches?
We take personal data breaches very seriously.
In the event of a breach of your personal data that may pose a risk to your rights and freedoms, Apave's DPO will notify the CNIL of the breach as soon as possible, and if possible within 72 hours of becoming aware of it. Apave will also inform the person concerned as soon as possible in accordance with the provisions of Article 34 of the GDPR.
Review and update of our data protection policy
We are committed to handling personal data in accordance with the applicable legal provisions.
We are also committed to protecting your privacy.
(Updated on 20/11/2019)