Data Protection Policy -
as part of its business activities.
SONAMIA has established this Data Protection Policy to keep all relevant parties informed of
this commitment. All commitments and practices undertaken by SONAMIA can therefore be
consulted at any time by any natural person, whether they work for the company or not.
1. Preamble and general policy statement
SONAMIA is committed to processing all collected data in accordance with the relevant
legislation on data protection (French Law N°78-17 of 6 January 1978, as amended, and the
General Data Protection Regulation (EU) 2016/679 of 27 April 2016, hereafter referred to
jointly as “the Legislation”).
This Data Protection Policy applies to:
- Recipients of services provided by
- Professionals partnered with
- Natural persons who are clients or prospects of
- Employees of
- Applicants seeking to join
- Users of the
2. In the interest of ensuring understanding of this policy, SONAMIA sets out the
- ‘Processing’ personal data means any operation or set of operations which is performed on
personal data, such as collection, structuring, storage, alteration, or disclosure.
- ‘Personal data’ means any information relating to an identified human being (natural person),
who can be identified, directly or indirectly, by reference to an identifier such as a name, phone
number or e-mail address.
- ‘Data subject’ means a person who can be identified by processed data.
- ‘Controller’ means the entity which decides how personal data are to be used by determining
the purposes and the means of the processing of personal data.
- ‘Processor’ means the entity which processes personal data on behalf of the controller. The
specific tasks entrusted to the processor are set out in a written contract, which also verifies the
processor’s technical and organisational safeguards allowing it to process the personal data
entrusted to it, in accordance with the Legislation.
- ‘Recipient’ means an entity to which personal data can be disclosed.
3. SONAMIA’s commitments as a controller
SONAMIA is a controller of data collected via its business activities and, as such, undertakes
the following commitments:
- Personal data are processed only for explicit and legitimate purposes determined by the
relevant business activity, as stated explicitly each time data are collected and in accordance
with Article 29 of the EU Regulation.
- In order to apply the principle of data minimisation, personal data collected and processed are
only those deemed absolutely useful. SONAMIA thereby applies the concept of privacy by
default, which protects data subjects from excessive data collection.
- Personal data are kept no longer than is necessary for the operations for which they were
collected, taking into account the nature of these operations as well as all legal requirements
- SONAMIA does not disclose or sell personal data to third parties, except for legitimate
recipients and for predefined purposes only, as determined when the data were collected.
- SONAMIA entrusts personal data to processors chosen based on appropriate technical and
organisational safeguards, in order to guarantee the protection of all personal data entrusted to
them as per its instructions.
- SONAMIA provides clear and transparent information to all data subjects, prior to data
collection and on a regular basis, in particular on how data are to be processed, whether
questions on forms are required or optional, what data protection rights they have and how they
can effectively exercise these rights, and who the recipients are.
- Whenever required by the Legislation, explicit, informed, active, and unambiguous consent to
personal data collection will be requested of the data subject.
- Appropriate technical, logistical, organisational, and legal security measures have been
defined based on a risk analysis of the different data processing categories.
support services and contracted processors have implemented these measures in order to ensure
the protection of your personal data.
- Whenever required by the risks related to data processing, SONAMIA will carry out a privacy
and data protection impact assessment for the data subjects in order to take appropriate
measures to counter these risks.
- SONAMIA and its processors are committed to the development of tools and systems that
insofar as is possible comply with the Legislation and can best protect the privacy of all data
subjects. Respect for these principles is integrated right from the design and development stage.
- SONAMIA and its processors are committed to monitoring any and all possible violations of
your data privacy. In the event of such a violation, SONAMIA and its processors will take all
protective and corrective measures and inform without undue delay the French National
Commission on Information Technology and Liberties (the ‘CNIL’) as well as, where
applicable, the data subjects in question.
- SONAMIA staff have been or are in the process of being trained on the personal data
protection principles as defined in the Legislation, through regularly scheduled training sessions
adapted to their work and responsibilities.
Staff can access only the data necessary for their work. Access to sensitive data requires
specific authorisation and additional checks.
4. The Data Protection Officer (DPO)
The Data Protection Officer, when one is designated, ensures that:
- All personal data processing operations performed within the company are logged and kept up
- All practices comply with the Legislation, including when the Legislation is modified;
- SONAMIA staff are trained on legal requirements and good practices in personal data
- Data subjects can effectively exercise their rights.
The Data Protection Officer can be contacted at the following addresses:
- E-mail address:
- Postal address:
44124 Vertou Cedex
5. Purposes of data processing
SONAMIA processes personal data for the following main purposes:
- Managing its client portfolio and prospect list;
- Providing online services to professionals (B2B) via its company website, partner websites or
- Managing human resources and recruitment;
- Managing external professional contacts, including informational content for professionals
and the general public;
- Conducting statistical analyses of business operations;
- Prospecting professionals or other natural persons, provided
has secured their
The abovementioned processing operations are necessary to carry out contracts between data
, to pursue legitimate interests including meeting legal requirements,
or to keep professional contacts informed of SONAMIA’s activities. In some cases, processing
is a direct consequence of the explicit consent of a data subject.
6. Recipients of personal data
SONAMIA determines specific recipients on a case-by-case basis for each processing
operation outlined in “5. Purposes of data processing”. Recipients are chosen based on their
roles and their authorisation to receive personal data in view of the predetermined purposes.
Access to personal data is allowed only on a “need to know” basis whenever possible, in order
to apply the principle of data minimisation.
7. Storage period for personal data
SONAMIA will store your personal data for the necessary duration of the business relationship
After this period, in accordance with the Legislation, personal data may, as appropriate:
- Be deleted;
- Be rendered irreversibly anonymous;
- Be archived.
8. Security measures and personal data protection
Data security relies on protective measures to prevent the following:
- Destruction, loss, alteration or unauthorised disclosure of processed personal data, and
unauthorised access to such data, either intentionally or accidentally.
In order to ensure the security of your personal data, SONAMIA and its processors have
implemented appropriate technical and organisational measures, taking into account the state of
the art, cost, type, scope, context, and purposes of processing in order to ensure a risk-adapted
In particular, and whenever necessary, the following security measures are taken:
- Deploying the necessary resources to ensure continuous confidentiality, integrity, availability,
and resilience of our systems and processing operations;
- Deploying the necessary resources to restore availability and access to personal data without
undue delay in case of physical or technical incidents;
- Implementing a process to regularly test, assess and evaluate the effectiveness of technical and
organisational measures that ensure security of processing.
SONAMIA and its processors have developed appropriate security features consistent with the
state of the art and binding standards to ensure the protection of your personal data.
Additional enhanced security features protect web pages from which your data is collected.
9. Rights of data subjects
As per the General Data Protection Regulation, data subjects have the following rights:
- Right of access: the right to obtain from SONAMIA confirmation as to whether or not
personal data are being processed, and access to this personal data;
- Right to rectification: the right to obtain the rectification of inaccurate personal data
concerning the data subject. The right to rectification is complementary to the right of access.
- Right to erasure (‘right to be forgotten’): the right to obtain the erasure of personal data
concerning the data subject for a reason provided for in the Legislation;
- Right to restriction of processing: the right to obtain restriction of processing of personal data
for a reason provided for in the Legislation;
- Right to data portability: the right to receive the personal data concerning the data subject
, or the right to request
transmit those data to another
controller for a reason provided for in the Legislation;
- Right to object: a data subject may also object to the processing of personal data based for any
For more information about the meaning of your rights, please consult the dedicated section on
the CNIL website:
To exercise your rights as a data subject, you can contact the Data Protection Officer of
SONAMIA at the following addresses:
- E-mail address:
- Postal address:
Délégué à la Protection des Données
(Data Protection Officer)
44124 Vertou Cedex
To facilitate user requests and in particular to shorten processing times,
data subject, when sending a request to exercise their rights, to:
- Mention the right(s) they wish to exercise;
- Mention clearly their full name and contact details to use when responding;
- Include a copy of their ID.
10. The strict boundaries of your consent
SONAMIA respects the strict boundaries of your consent when processing your personal data.
Your explicit consent will be requested in the cases stipulated by the Legislation.
SONAMIA will request your explicit consent before any processing operation for which the
Legislation requires it. Data subjects can withdraw their consent at any time by contacting
SONAMIA or the DPO.
11. Lodging complaints with the CNIL
As a data subject, you may lodge a complaint with a supervisory authority for data protection.
In France, this supervisory authority is the National Commission on Information Technology
and Liberties, or the CNIL. Here is how to contact them:
- Telephone Number: +33 (0)1 53 73 22 22
- Postal Address:
3 Place de Fontenoy
75334 Paris Cedex 07
12. Transfer of personal data outside the European Union
SONAMIA does not transfer personal data outside the European Union.
Cookies are small pieces of data stored on your and other Internet users’ browsers by specific
websites to send to or collect information from the browser, such as session ids, language
preferences or dates. When visiting SONAMIA websites, be advised that cookies may be
stored on your browser. To find out more about cookies, including how to manage or block
them, please consult the section “Cookies”.
14. Changes to Data Protection Legislation
Data protection legislation may change over time. SONAMIA is committed to reflecting any
change in the Legislation by a change in this Data Protection Policy and to informing data
subjects before implementing any change that could impact personal data.
This Data Protection Policy was published on 25 May 2018