1 What is GDPR?
The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679 of April 27, 2016) is a European regulation, directly applicable in all member states, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It has applied since May 25, 2018.
Its aim is to protect the personal data of European citizens: employees, job applicants, insured persons, patients, customers, service providers, suppliers, business partners, etc., known as data subjects.
2 Who is affected by GDPR?
Any organization, whatever its size, location or activity, may be concerned.
GDPR applies to any organization, public or private, that processes personal data, whether on its own behalf or on behalf of another, as soon as:
- it is established in the European Union,
- or its activities directly target European residents (for example by offering them goods or services or monitoring their behaviour).
GDPR also concerns subcontractors who process personal data on behalf of other organizations.
Thus, when an organization processes or collects data on behalf of or for another entity (company, local authority, association, administration), specific obligations are imposed to guarantee the protection of the data entrusted to it.
3 Policy background and objectives
In the course of its activities, tomeris processes personal data.
The purpose of this policy is twofold:
- on the one hand, to explain the main principles to be respected when processing personal data;
- on the other hand, to inform customers about how their data is processed in the context of their relationship with tomeris.
This Privacy Policy governs the manner in which tomeris as data controller processes personal data collected (i) in the context of the tomeris.eu website (the “tomeris Site”) or during exchanges between tomeris and any person who is not a customer of tomeris and (ii) in the context of tomeris carrying out its business.
Tomeris undertakes to provide its employees with adequate information, training and assistance so that they can fulfil their data protection obligations with regard to the personal data they process in the course of their activities.
The present policy complements, but does not replace, the obligations relating to the protection of personal data already set out in contracts and other documents.
4 Definitions
Personal data: any information relating to an identified or identifiable natural person.
A person can be identified:
- directly (e.g. last name, first name)
- or indirectly (e.g. through an identifier such as a customer number, a telephone number, biometric data, or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, as well as voice or image).
The identification of a natural person can be carried out:
- from a single piece of data (e.g. social security number, DNA)
- by cross-referencing a set of data (e.g. a woman living at a given address, born on a given day, subscribing to a given magazine and active in a given association)
Processing: any operation or set of operations that may or may not be performed using automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The processing of personal data is not necessarily computerized: paper files are also concerned and must be protected under the same conditions.
Data controller: the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of processing.
Sub-contractor (processor, in GDPR terminology): the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller.
Consent: any free, specific, informed and unambiguous expression of will by which the data subject accepts, by means of a declaration or clear positive act, that personal data concerning him or her may be processed.
Personal data breach: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
5 Principles of personal data processing
5.1 The general principle: free circulation of personal data
In principle, the processing of personal data is not prohibited under European Union law. However, special categories of data (known as sensitive data, including health data, data relating to trade union membership, data relating to racial or ethnic origin, and data concerning sexual orientation) may not be processed, except in a limited number of cases:
- where the data subject has given explicit consent;
- where processing is necessary under obligations arising from labor law, social security law or social protection law;
- where the vital interests of the data subject or of another person are at stake;
- where processing is carried out in the course of the legitimate activities of a foundation, non-profit association or other not-for-profit body;
- where the data have been manifestly made public by the data subject;
- where processing is necessary for the establishment, exercise or defense of legal claims;
- where processing is necessary for reasons of substantial public interest;
- where processing is necessary for the purposes of preventive or occupational medicine;
- where processing is necessary for reasons of public interest in the area of public health;
- where processing is necessary for archiving purposes in the public interest.
5.2 Legality of processing
Personal data is processed by tomeris in a lawful and fair manner with regard to the data subject.
The collection of personal data is thus always based on one (or more) of the following six legitimate grounds, enshrined in the GDPR:
Performance of a contract: recourse to this legal basis presupposes that the processing is objectively necessary for the performance of a contract between the organization processing the data and the data subject.
Compliance with a legal obligation: recourse to this legal basis is justified when the implementation of a processing operation is imposed on an organization by European or national legislation.
Safeguarding the vital interests of the individual: for example, when processing is necessary for humanitarian purposes, including tracking epidemics and their spread, or in cases of humanitarian emergency, including natural and man-made disasters.
Carrying out a mission in the public interest: this legal basis primarily concerns processing carried out by public authorities. A public-interest mission, or one relating to the exercise of official authority, cannot simply be presumed by the organization implementing the processing: to be validly relied on, the mission must have a basis in the law to which the organization is subject.
Legitimate interest: recourse to this legal basis presupposes that the interests (commercial, property security, etc.) pursued by the organization processing the data do not create an imbalance to the detriment of the rights and interests of the persons whose data is processed.
Consent: consent is the data subject's agreement to the collection and use of his or her data. Consent is not necessarily a contract.
5.3 Fairness and transparency
The principle of fairness requires tomeris to process personal data in a manner that the data subject could reasonably expect. Data may not be further processed in a way that is incompatible with the purpose for which it was originally collected.
This principle gives rise to the principle of transparency: the collection of data must be accompanied by clear and precise information about the intended processing.
It is within this framework that tomeris provides this information to its co-contractors, prospects and any other person coming into contact with tomeris for whatever purpose.
5.4 Purpose limitation
Personal data is collected by tomeris for specific, explicit and legitimate purposes and is not further processed in a way incompatible with these purposes.
5.5 Data minimization
Tomeris does not collect more personal data than is necessary to achieve the specified purposes, i.e. personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
5.6 Data accuracy
Tomeris takes all reasonable steps to ensure that inaccurate personal data is deleted or rectified without delay.
5.7 Storage limitation
Personal data is kept by tomeris for no longer than is necessary for the processing concerned.
For example, retention ends when the contract is terminated, when the applicable statute of limitations has expired, or when consent has been withdrawn.
Beyond that point, the data is destroyed or anonymized.
5.8 Integrity and confidentiality
Personal data are processed by tomeris in such a way as to guarantee protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Co-contractors are obliged to respect the integrity and confidentiality of data.
5.9 Accountability
Tomeris takes care to document its processing operations and the precautions it takes to protect personal data, so as to be able to demonstrate that it has complied with the principles set out above and that any subcontractors or recipients also comply with these rules.
6 Data Protection Officer (DPO)
Tomeris is under no legal obligation to appoint a DPO. Nevertheless, the data controller performs the functions of a DPO and can be contacted as follows:
For the attention of the Data Protection Officer
Email : contact@tomeris.eu
This person is responsible for:
- informing and advising tomeris employees of their obligations under data protection laws and regulations;
- monitoring compliance with legislation, regulations and internal rules on data protection, including the allocation of responsibilities and employee awareness and training;
- cooperating with the supervisory authority (CNPD).
In addition, the DPO:
- is involved, in an appropriate and timely manner, in all matters relating to the protection of personal data;
- is independent: he or she receives no instructions concerning the performance of these duties;
- is the point of contact for data subjects' questions concerning the processing of their personal data and the exercise of their rights;
- is bound by professional secrecy or an obligation of confidentiality with regard to the performance of these duties.
7 Concerning the processing of customers' personal data
7.1 Processing of quotations, time sheets and invoices
Process | Drawing up estimates, time sheets and invoices |
Purpose | Delivering the expected customer service |
Legal basis | Contract; consent in the case of prospects |
Data category | Personal identification data, bank identification data, financial data |
Data subjects | Customers and prospects |
Retention period | 11 years (legal statute of limitations) |
Recipients | ACD, AED |
7.2 Drafting and delivery of deliverables
Process | Drafting and delivery of deliverables |
Purpose | Delivering the expected customer service |
Legal basis | Contract |
Data category | Personal identification data, bank identification data, financial data |
Data subjects | Customers |
Retention period | 11 years (legal statute of limitations) |
Recipients | None |
7.3 Accounts receivable and payable processing
Process | Customer and provider accounting |
Purpose | Keeping the accounts up to date |
Legal basis | Legal obligation |
Data category | Personal identification data, bank identification data, financial data |
Data subjects | Customers and providers |
Retention period | 11 years (legal statute of limitations) |
Recipients | None |
7.4 Processing messages by any means
Process | Messages to tomeris |
Purpose | Handling all types of correspondence, including via social networks |
Legal basis | Contract / consent |
Data category | Personal identification data, bank identification data, financial data |
Data subjects | Customers, prospects, providers |
Retention period | 11 years (legal statute of limitations) |
Recipients | None |
7.5 Website and cookie management
Process | Website and cookie management |
Purpose | Managing personal data collected via the site's contact page; managing cookie consent |
Legal basis | Consent |
Data category | Personal identification data, electronic identification data (IP address), bank identification data, financial data |
Data subjects | Site visitors |
Retention period | See cookie management |
Recipients | None |
8 Security and confidentiality
Tomeris has adopted the appropriate technical and organizational measures to protect personal data against unauthorized access, unlawful processing, accidental loss or damage, and unauthorized destruction.
The persons acting on behalf of tomeris are security and/or data protection professionals; as such, they are able to define the organizational measures and implement the technical measures required.
9 Customer rights
To exercise their rights, customers should contact the DPO.
The rights in question are as follows:
- Information
Tomeris informs its customers by means of this Policy or by privacy statements.
- Access and rectification
Customers have the right to access and rectify their personal data in accordance with legal requirements.
- Objection
Customers may object to the processing of their data within the limits of the law.
- Withdrawal of consent
When data is processed on the basis of consent, customers may withdraw their consent at any time, without calling into question the lawfulness of processing carried out before the withdrawal.
- Erasure
Customers may obtain the erasure of their data, or the restriction of its processing, in accordance with the law.
- Portability
Customers may obtain the data they have provided in a structured, commonly used electronic format, or have it transmitted to a third party, under the conditions set out in Article 20 of the General Data Protection Regulation.
- Restriction
If customers dispute the accuracy of the data used by tomeris or object to the processing of their data, the law allows tomeris a certain period of time to verify or review the request. During this period, customers may ask tomeris to freeze the use of their data. In concrete terms, tomeris will no longer use the data but will have to retain it.
- Complaint to the data protection authority
Customers who have complaints about the processing of their personal data may lodge a complaint with the National Commission for Data Protection (CNPD) via the www.cnpd.lu website.
Tomeris undertakes to inform customers of the measures taken following the exercise of any of these rights as soon as possible and, in any event, within one month of receipt of the request, in accordance with the applicable regulations.
10 Role and responsibilities
Each person within tomeris who processes personal data must ensure that it is processed in accordance with the rules and principles set out in this policy. Tomeris, as data controller, remains responsible for any failure to comply with the GDPR.