Personal data protection policy
Customer and contact persons

Data is mainly collected directly from our contacts with customers and prospects.

Consequently, we only collect and use the data necessary for the conclusion or performance of contracts with our company, namely :

• identity of the contact person(s) in charge of a file or contacted for prospecting purposes (e.g. title, surname, first name);
• professional contact details of the person(s) in charge of a file or contacted for prospecting purposes (e.g. professional e-mail, professional postal address, professional fixed or mobile telephone number, fax number);
• professional details of the contact person(s) in charge of a file or contacted for prospecting purposes (e.g. position, grade, function);
• technical data depending on use (identification or connection data such as IP address or logs);
• images of the contact person(s) in charge of a file or contacted for prospecting purposes (e.g. in the case of access to our premises).

Pre-contractual exchanges
We process the data of people who interact with us when we have approached the structure to which they belong for prospecting purposes or when they have contacted us to enter into a contract with us.

Contract and follow-up
We process the data of our customers' contact persons as part of the follow-up of our contractual relations with them.

Invoicing, payment and accounting
We process the data of our contacts with customers and prospects for the purposes of invoicing and paying for orders placed.

Customer/prospect relationship management
We process the data of our customer and prospect contacts in order to communicate with them in the context of questions they may ask us in connection with the current or future performance of a contract with our company.

Customer and prospect directory management
We keep an up-to-date customer and prospect directory, which includes the names of our main contacts.

Organization of events by our company
We process the data of our customers and prospects when we invite them to events that we organize or co-organize.

Third-party access management
We process the data of our contacts accessing our premises in order to secure access to them (e.g. keeping a register, access badges, etc.).

Video-surveillance of third-party personnel
Certain specific areas of our premises, such as gates and fences, are subject to video-surveillance, resulting in the processing of the data of third parties likely to be filmed.

Production of statistics
We may produce statistics on our customers' and prospects' data.

We define the length of time we keep data on our contacts with customers and prospects in the light of the legal and contractual constraints imposed on us and, failing that, according to our needs.

As a matter of principle, data relating to our customers and prospects must be kept for the time strictly necessary to manage the commercial relationship. More specifically, we undertake to respect the following retention periods: 

Contracts concluded with our customers
5 years from date of conclusion
10 years for contracts concluded electronically over 120 euros

Commercial correspondence (purchase orders, delivery notes, invoices, etc.)
10 years from the end of the accounting period

Images from video protection cameras
For a maximum period of one month

Access to buildings
For up to one month

Technical data
1 year from date of collection

Cookies
See Cookies Policy

The periods indicated in the table above are necessarily extended for the legal period of prescription as evidence in the event of litigation. In the latter case, the retention period is extended for the duration of the dispute.

Once this period has elapsed, the data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.

Please note that deletion or anonymization are irreversible operations and that SENEF is no longer able to restore them.

The processing of the data of our contacts with our customers and prospects as presented above is based on the following conditions of lawfulness, which differ depending on whether the processing concerns customers or prospects:

Customers
Pre-contractual or contractual performance

Prospects
Pre-contractual performance or legitimate interest of SENEF

Recipients of data are natural or legal persons who receive personal data. Data recipients may therefore include both SENEF employees and external organizations.

We ensure that data collected and processed in the context of our relations with our customers and prospects is only accessible to authorized internal and external recipients, and in particular to the following recipients:

• the staff of the departments responsible for managing relations with our customers and prospects and their line managers;
• support staff, i.e. administrative, logistics and IT services and their line managers;
• our service providers or support services (e.g. IT service provider);
• the competent authorities, should we be required to share certain data with judicial officers, departments responsible for internal control procedures, etc. ;
• in the event of a visit to our premises, the reception staff, who collect the data of all visitors in a register.

As far as internal recipients are concerned, we decide which recipient will have access to which data according to an empowerment policy, and ensure that they are subject to an obligation of confidentiality.

With regard to external recipients, we inform you that the personal data of our contacts with our customers and prospects may thus be communicated to some of our service providers or to any authority legally empowered to know (tax and social authorities in particular). In this case, SENEF is not responsible for the conditions under which the personnel of these authorities have access to and use the data.

We may use any subcontractor of our choice to process the personal data of our customers and prospects.

Within the meaning of the RGPD, a processor is any natural or legal person who processes personal data on behalf of the controller. In practice, this therefore means the service providers with whom SENEF works and who intervene in SENEF's personal data.

In this case, we ensure that the processor complies with its obligations under the RGPD.

We undertake to sign a written contract with all our subcontractors and impose on them the same data protection obligations that we impose on ourselves. In addition, we reserve the right to audit our subcontractors to ensure that they comply with the provisions of the RGPD.

In our capacity as data controller, we undertake to keep an up-to-date register of all processing activities carried out where required by law.

This register is a document or application that lists all the processing operations carried out by SENEF as data controller.

We undertake to provide the CNIL, at its first request, with information enabling it to verify the compliance of data processing with current data protection regulations.

We implement the physical or logical technical security measures we deem appropriate to protect against the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.

These measures include the following:

• data access authorization management ;
• internal safeguards ;
• identification process ;
• conducting security audits and penetration tests ;
• the adoption of an information systems security policy ;
• the adoption of business continuity/disaster recovery plans;
• the use of protocol or security solutions.

In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.

We undertake to notify the CNIL of any data breach that we may suffer, in accordance with the conditions laid down in the regulations governing personal data.

Our contacts with customers and prospects are informed of any data breach that could pose a high risk to their privacy.