1. PREAMBLE

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereafter GDPR), establishes the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, processors, data subjects, and data recipients. In our activity, we are led to process personal data. For a clear understanding of this policy, it is specified that:

• "data controller": REFER;

• "processor": refers to any natural or legal person processing personal data on behalf of REFER;

• "data subjects": refers to REFER’s clients and/or prospects;

• "recipients": refers to natural or legal persons who receive personal data from REFER. Data recipients can be REFER employees as well as external organizations (partners, exhibitors, speakers, etc.).

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable, and easily accessible manner.

2. PURPOSE

This policy aims to fulfill the information obligation to which REFER is subject under the GDPR (Article 12) and to formalize the rights and obligations of REFER’s clients and prospects in terms of the processing of their personal data.

3. SCOPE

This policy applies in the context of all personal data processing activities related to clients and/or prospects.

REFER strives to ensure that data is processed within a precise internal governance framework. However, this policy only concerns the processing for which REFER is the data controller and does not cover processing not created or exploited outside the governance rules set by REFER (so-called "wild" processing or shadow IT).

Personal data processing may be managed directly by REFER or through a specifically designated processor.

This policy is independent of any other document that may apply within the contractual relationship between REFER and its clients and prospects.

4. TYPES OF DATA COLLECTED

NON-TECHNICAL DATA (AS APPLICABLE)

• Identification (name, first name, ...)

• Contact details (phone number, address...)

• Photo, when you grant this right

• Email address

• Personal/professional life (position, qualifications, career path, awards, level of education...)

  
  

TECHNICAL DATA (AS APPLICABLE)

• Identification data (IP address)

• Connection data (logs, in particular)

• Acceptance data (clicks)

• Location data

5. ORIGINS OF DATA

Data relating to our clients or prospects are generally collected directly from them (direct collection).

The collection can also be indirect:

• via specialized companies (purchase or rental of databases) or via REFER's partners and suppliers. In this case, REFER takes great care to ensure the quality of the data communicated to it;

• via sponsorship. In this case, the sponsor ensures that they can communicate the person's data to us.

6. PURPOSES AND LEGAL BASIS

Depending on the case, REFER processes your data for the following purposes:

• customer relationship management (CRM);

• prospect relationship management (PRM);

• community management;

• subscription to services;

• management of requests for unsubscription and deregistration;

• management of reports of behavior contrary to these policies;

• data retention related to legal security obligations;

• improvement of services and satisfaction surveys;

• behavioral analysis and targeting;

• statistics.

These purposes are based on REFER's legitimate interest in having data concerning its clients and prospects. Where necessary, REFER collects the consent of the individuals.

7. DATA RECIPIENTS – AUTHORIZATION & TRACEABILITY

REFER ensures that the data is accessible only to authorized internal or external recipients.

Internal recipients

• Authorized personnel from the marketing, sales, client and prospect relations, administrative, logistics, and IT departments, as well as their hierarchical superiors;

• Authorized personnel from departments responsible for control (auditors, internal control procedures services, etc.);

• Authorized personnel of the subcontractors.

• External recipients

• Partners, external companies, or subsidiaries of the same group of companies;

• Bodies, legal assistants, and ministerial officers in the context of their debt collection mission;

• -Authorized personnel of subcontractors.

Data recipients within REFER concerning clients and prospects' personal data are subject to a confidentiality obligation.

REFER decides which recipient can have access to which data according to an authorization policy.

All accesses concerning the processing of personal data of clients and prospects are subject to traceability measures.

Furthermore, personal data may be communicated to any legally authorized authority. In this case, REFER is not responsible for the conditions under which the personnel of these authorities access and use the data.

8. DATA RETENTION PERIOD

The data retention period is defined by REFER in light of legal and contractual constraints and, in the absence of such, according to its needs, particularly according to the following principles:

Processing: Data related to clients

• Retention duration: For the duration of contractual relations with REFER, plus 3 years for prospecting purposes, without prejudice to conservation obligations or statutes of limitations

Processing: Data related to members and users

• Retention duration: For the duration necessary for the provision of REFER's services and 1 year after the last intervention. Cookies: 13 months

Processing: Data related to prospects

• Retention duration: 3 years from their collection by REFER or the last contact from the prospect

Processing: Technical data

• Retention duration: 1 year

Processing: Banking data

• Retention duration: Deleted after the transaction is completed, unless the client expressly agrees

In case of a transaction dispute: retention for 13 months in archive following the debit date

Processing: Anti-money laundering

• Retention duration: 5 years

After the set periods, the data is either deleted or stored after being anonymized, particularly for statistical reasons. They may be stored in case of pre-litigation and litigation. Clients and prospects are reminded that deletion or anonymization are irreversible operations and that REFER is subsequently unable to restore them.

9. RIGHT TO CONFIRMATION AND RIGHT OF ACCESS

Clients and prospects have the right to request REFER to confirm whether or not data concerning them is being processed.

Clients and prospects also have the right of access, subject to the following rules:

• The request comes from the person themselves and is accompanied by a copy of a current identity document;

• It is made in writing to the following address: 7 PL DE L HOTEL DE VILLE, 93600 AULNAY-SOUS-BOIS or the email address gdpr@refer.social.

Clients and prospects have the right to request a copy of their personal data undergoing processing from REFER.

However, in the case of a request for an additional copy, REFER may require the client or prospect to bear the cost.

If clients and prospects submit their data copy request electronically, the requested information will be provided in a commonly used electronic format, unless otherwise requested.

Clients and prospects are informed that this right of access cannot extend to confidential information or data, nor to data for which the law does not allow disclosure. The right of access must not be exercised abusively, i.e., regularly for the sole purpose of destabilizing the concerned service.

10. UPDATE – CORRECTION AND RECTIFICATION

REFER meets update requests:

• Automatically for online changes on fields that technically or legally can be updated;

• Upon written request from the person themselves who must justify their identity.

11. RIGHT TO ERASURE

The right to erasure of clients and prospects is not applicable in cases where the processing is implemented to comply with a legal obligation.

Outside of this situation, clients and prospects can request the erasure of their data in the following limited cases:

• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

• When the individual withdraws consent on which the processing is based, and there is no other legal ground for the processing;

• The individual objects to a processing necessary for the purposes of the legitimate interests pursued by REFER and there is no overriding legitimate reason for the processing;

• The individual objects to the processing of their personal data for direct marketing purposes, including profiling;

• The personal data has been unlawfully processed.

In accordance with legislation on the protection of personal data, clients and prospects are informed that this is an individual right that can only be exercised by the person concerned in relation to their own information: for security reasons, the concerned service will therefore have to verify your identity to avoid any communication of confidential information concerning you to someone other than you.

12. RIGHT TO RESTRICTION

Clients and prospects are informed that this right does not apply insofar as the processing carried out by REFER is lawful and all the personal data collected are necessary for the execution of the commercial contract.

13. RIGHT TO DATA PORTABILITY

REFER acknowledges the right to data portability in the specific case of data provided by clients or prospects themselves, on online services offered by REFER itself and for purposes based on the sole consent of the individuals. In this case, the data will be communicated in a structured, commonly used and machine-readable format.

14. AUTOMATED INDIVIDUAL DECISION-MAKING

REFER does not engage in automated individual decision-making processes.

15. POST-MORTEM RIGHT

Clients and prospects are informed that they have the right to set guidelines regarding the storage, erasure, and communication of their data after death. The communication of specific post-mortem directives and the exercise of their rights are carried out by email to gdpr@refer.social or by postal mail to the following address: 7 PL DE L HOTEL DE VILLE, 93600 AULNAY-SOUS-BOIS, France, accompanied by a copy of a signed identity document.

16. MANDATORY OR OPTIONAL NATURE OF RESPONSES

Clients and prospects are informed on each personal data collection form about the mandatory or optional nature of responses by the presence of an asterisk. In cases where responses are mandatory, REFER explains to clients and prospects the consequences of not responding.

17. RIGHT OF USE

REFER is granted by clients and prospects a right of use and processing of their personal data for the purposes outlined above. However, enriched data, which are the result of processing and analysis work by REFER, otherwise known as enriched data, remain the exclusive property of REFER (usage analysis, statistics, etc.).

18. SUBCONTRACTING

REFER informs its clients and prospects that it may involve any subcontractor of its choice in the processing of their personal data. In this case, REFER ensures that the subcontractor complies with its obligations under the GDPR. REFER commits to signing a written contract with all its subcontractors and imposes on subcontractors the same data protection obligations as on itself. Furthermore, REFER reserves the right to conduct an audit with its subcontractors to ensure compliance with the GDPR provisions.

19. SECURITY

It is REFER's responsibility to define and implement the technical, physical, or logical security measures it deems appropriate to fight against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of data.

Among these measures are primarily:

• Management of authorizations for data access;

• The use of a protocol or security solutions.

20. DATA BREACH

In the event of a personal data breach, REFER commits to notifying the CNIL (French Data Protection Authority) under the conditions prescribed by the GDPR.

If such a breach poses a high risk to clients and prospects and the data has not been protected, REFER will:

• Inform the affected clients and prospects;

• Communicate the necessary information and recommendations to the affected clients and prospects.

21. DATA PROTECTION OFFICER

REFER has appointed a data protection officer.

The data protection officer's contact details are as follows:

• Name: Mr. Eric BARBRY, Racine Attorneys Paris;

• Email address: dpo@refer.social;

• Address: 40 rue de Courcelles, 75008 Paris;

• Phone: 01 44 82 43 00.

In the event of new personal data processing, REFER will consult the data protection officer in advance. If clients and prospects wish to obtain specific information or ask a particular question, they can contact the data protection officer who will provide an answer within a reasonable period considering the question asked or information required. In case of issues encountered with the processing of personal data, clients and prospects may contact the appointed data protection officer.

22. PROCESSING ACTIVITIES REGISTER

REFER, as the data controller, commits to maintaining an updated register of all processing activities carried out, if required by law.

This register is a document or application that lists all the processing activities implemented by REFER, as the data controller.

REFER commits to providing the control authority, upon first request, with information allowing the authority to verify the compliance of the processing with the current data protection regulation.

23. RIGHT TO LODGE A COMPLAINT WITH THE CNIL

Clients and prospects involved in the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they believe that the processing of personal data concerning them is not compliant with European data protection regulations, at the following address: CNIL – Complaints Service, 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07, Tel: 01 53 73 22 22.

24. EVOLUTION

This policy may be modified or adapted at any time in case of legal, jurisprudential developments, decisions and recommendations of the CNIL, or changes in practice. Any new version of this policy will be brought to the attention of clients and contacts by any means defined by REFER, including electronically (distribution by email or online, for example).

25. FOR MORE INFORMATION

For further information, you can contact the following services: gdpr@refer.social

For more general information on personal data protection, you can visit the CNIL website at www.cnil.fr.