PREAMBLE

Ensuring the protection of Personal Data collected for the purposes of its business is of particular importance to Sharework.

In this context, Sharework agrees to comply with the provisions of the current regulations relative to the protection of personal data and, in particular, the Data Protection Act, in its current version on the date hereof and the EU Regulation 2016/679 of 27 April 2016, known as the "GDPR".  

In doing so, Sharework offers its services within a secure and clear legal framework, after implementing a Personal Data security approach to minimize the risk of data breach and, in the event of an incident, provide an effective and timely response.

GENERAL USER DECLARATIONS

Generally, the User is a natural person, acting on behalf of his employer, his instructing party, his partner, his management company, his executive bodies.

In order to avoid any misunderstanding, and as far as he is concerned, the User informs Sharework:

(i) For Users who are legal entities :

• That it is a legally constituted company, in good standing with regard to the applicable legislation applicable and that its legal representative, or its management company, has all the powers and qualities to sign and implement this contract;
• That the signature of this contract has been duly authorized, if necessary, by the competent bodies;
• That the signature and execution of this contract does not and will not result in any breach, termination or modification of any contract or act to which it is a party and that this contract is not in conflict with any provision of such contract or act.

(ii) For Users who are natural persons:

• That he has the full capacity to enter into and implement this contract on his own, in particular that he has been duly authorized by his employer, instructing party, partner, management company and executive bodies;
• That the signature and execution of this contract does not and will not result in any breach, termination or modification of any contract or act to which he is a party and that this contract is not in conflict with any provision of such contract or act.

Article 1 // PURPOSE

The purpose of this Charter is to present the User with the terms of the current Privacy Policy at Sharework regarding the collection, use, processing, storage and protection of the collected Personal Data. 

The Privacy Policy is part of the General Terms and Conditions (www.sharework.co/legal-terms/terms-of-use-en).

Article 2 // DEFINITIONS

Client Company: this is the company or legal entity on behalf of which the User acts when using Sharework.

Customer Data: this is the data that the User transmits to Sharework, allowing it access to its CRM (subject to compatibility) or any other Data Source, so that the latter can analyze it in order to ensure its secure sharing with the Designated Third Party who has become a User. This Customer Data will remain the property of the Client Company.

Collected Data: Any data imported by Sharework from the Customer Data for the purpose of delivering the service, 

Personal Data: Any personal data as defined by the General Data Protection Regulation (« GDPR »), including all data likely to facilitate the identification of a User but also personal data collected by the User and stored in his Data Source, of which he has authorized the transfer to Sharework for processing purposes.

Personal Data of Prospects and Customers of the Client Company:  Any Personal Data from the Collected Data related to prospects and customers of the Client.

Personal Data of Employees or Collaborators of the Client Company: Any Personal Data from the Collected Data related to employees or collaborators of the Client Company. 

The Designated Third Party: this is the User's target company which will be invited to share the Sharework network by the User, in order to implement an analysis of their Customer Data to extract the Relevant Data that is common to them.

Data Source: Any source of data that the user connects to Sharework with the intent to share some of this data to Designated Third Party. Data sources are usually CRM (Customer Relationship Management software) or CSV files, and Sharework regularly integrates new Data Sources. 

Relevant Data: this is Customer Data whose comparative analysis between two Users has shown that sharing them between these two Users would be relevant, i.e. likely to foster the creation of a synergy between companies; this includes, for example, common customers, common prospects, etc.  ‍

Special Agreement: any contract that maybe signed between the User and Sharework. These contracts could be considered as Special Conditions of Sale and Use;‍

The Application developed by Sharework: this is the software developed by Sharework, in SaaS mode, to which the User will be able to connect through secure and dedicated access and through which it will be able to use Sharework services.

DPO: Responsible for the processing of collected and processed personal data (Data Protection Officer).

Article 3 // ACCEPTANCE OF THE USER

By purchasing or benefiting from a Sharework service, the duly authorized User acknowledges having read this Charter, and, as for the General Conditions (www.sharework.co/legal-terms/terms-of-use-en), having fully understood and accepted its content.

Article 4 // DEVELOPMENT OF THE CHARTER IN TIME

In order to meet its legal obligations in terms of confidentiality and to provide its Users with a secure and efficient service, Sharework reserves the right to make changes to this Policy at its discretion, in particular to ensure compliance with applicable law.  

This privacy policy can be checked at any time at the address www.sharework.co/legal-terms/privacy-policy-en. 

Consequently, the User is encouraged to regularly check the Privacy Policy, in order to be informed of its latest changes.

Article 5 // REMINDER OF THE LEGAL FRAMEWORK

5.1. Principles relating to the processing of personal data

Article 5 of EU Regulation 2016/679 of 27 April 2016, known as the "DGPS", defines the principles relating to the processing of personal data.

Roughly, according to this text, the collection, processing and storage of Personal Data must comply with the following principles:

• Lawfulness, fairness, transparency: the person whose Personal Data is collected must be informed of it (collection and purpose) and agree to it;
• ‍Purpose limitation: the purpose of the collection and processing of Personal Data must be legitimate and clearly stated;
• Minimization of data: collection must be limited to the Personal Data necessary for the purposes for which they are processed;
• Accuracy:  action must be taken to allow for the modification, deletion, rectification of collected data that has become inaccurate;
• ‍Storage limitation: the data are stored for a limited period of time, in accordance with the purpose of the processing operation, of which the concerned person is informed;
• Integrity and confidentiality: the officer must take all necessary action to protect the collected and processed data.

5.1. Focus on the lawfulness of the processing operation

Article 6 of EU Regulation 2016/679 of 27 April 2016, known as the "DGPS", deals with the lawfulness of the processing.

In summary, for the processing to be lawful, it is necessary, as required, that:

• The User whose Personal Data is collected and processed, for a specific purpose, has expressly agreed to this;
• Collection and processing are necessary for the implementation of a contract;
• Collection and processing are legally required;
• The collection and processing are justified by the protection of a person's vital interests;
• The collection and processing are necessary for the carrying-out of a mission of public interest or in the exercise of public authority;
• The collection and processing are necessary for the achievement of legitimate and private interests of the processing officer and a third party.  

Article 6 // DATA PROCESSING MANAGER / DATA PROTECTION OFFICER (DPO)

6.1. Identification of the DPO

Sharework has appointed Mr. Alexandre Sadones as the Data Protection Officer (DPO). He can be contacted for any question:

• By email, at the following address: team@sharework.co
• By post, at the following address: Sharework Company - 26 rue Henry Monnier 75009 Paris

6.1. Missions and resources of the DPO 

The main mission of the DPO is to ensure that Sharework's Privacy Policy and the internally implemented resources are in compliance and in adequacy with the current legal and regulatory requirements.  

Todo this, in particular, he:

• Defines the purposes and methods of the processing operation;
• Decides on the technical and organizational methods to be implemented to ensure and be able to demonstrate, at any time, that the processing is carried out in accordance with the current law;
• Decides on the technical and organizational methods to be implemented to ensure and be able to demonstrate, at any time, that the appropriate actions have been taken to guarantee a level of security appropriate to the risk;
• Alerts the competent supervisory authority in the event of any violation of Personal Data within 72hours of its discovery;
• Alerts the User of the violation of his Personal Data when it is likely to highly threaten his rights and freedoms.

The DPO has the necessary resources and the capacity to work with Sharework teams to assist them and raise their awareness on the GDPR themes.

Article 7 // COLLECTED AND PROCESSED PERSONAL DATA

7.1. Summary

‍

7.2. Personal Data Security

The technical resources implemented to protect Personal Data are the following:

• Encryption of data at rest;
• SSL encryption of all incoming and outgoing communications in the database;
• Method for authenticating the User through an individual password stored in a non-reversible manner in the form of a hash computed via the bcrypt algorithm, version 2a
• Systematic access control within the application

Control mechanisms are simultaneously implemented in the process of developing and providing services:

• Systematic code review including security elements to be verified
• Regular review of access controls within the infrastructure hosting the services

7.3. Transmission of data to third parties

Personal Data may be transmitted to the following third parties:

• The names, first names and emails of the User's employees housed in his Data Source may be transmitted to Designated Third Parties for which the User has explicitly validated the transfer, for the purpose of establishing contact between the sales teams of the concerned companies.

The User, who collects the Personal Data housed in his Data Source, remains responsible for informing the persons concerned of the transfer and processing of said data by Sharework, whose responsibility, as subcontractor of the processing, can only be engaged within this limit.

 In any case, Sharework cannot not sell any personal data to third parties.

Article 8 // USER'S RIGHTS

To exercise his rights as listed below, the User must contact the DPO at one of the addresses listed in Article 6.1. and provide him with any useful information to clearly identify him.

More specifically, the User must provide proof of his identity, his email address and, if need be, the reference of his Special Agreement or his customer account.

The DPO must reply to the User by email to the address provided by the User in his request within thirty (30) days of receipt of the request. 

If the DPO fails to comply with this procedure, the User will be free to refer the matter to the competent authority, as designated in Article 55 of EU Regulation 2016/679 of 27 April 2016, known as the "GDPR".

8.1. Right of access

The User has the right to obtain confirmation from the DPO that Personal Data concerning him/her are or are not processed and, when they are, access to said data.

Furthermore, and more particularly, the User may question the DPO about:  

• The purpose of the processing operation;
• The type of Personal Data concerned;
• The recipients of the Personal Data in the event of a transfer;
• The storage life or any element allowing it to be determined in case of uncertainty;
• The source of the collection if the Personal Data is not collected from the person it concerns

8.2. Right of rectification

The User has the right to obtain from the DPO that he or she modify or complete the collected Personal Data.

8.3. The right to oblivion

The User may, with certain exceptions (article 17.3 of the DGPS), also request the deletion of Personal Data concerning him/her when:

• They have become outdated with regard to the purpose of the processing operation to which they are subject;
• The User withdraws the consent initially given;
• The User objects to the processing (article 21 GDPR);
• The Personal Data have been unlawfully processed;
• Personal Data must be deleted in order to comply with a legal obligation to which the processing officer is subject;
• Personal Data has been collected as part of the information company services offered to children.

8.4. Right to limitation of processing

The User may request that the processing of the Personal Data collected concerning him/her be limited if:

• In the event of a dispute about the accuracy of the Personal Data, processing is limited for the duration of the inspection carried out by the DPO for this reason;
• The processing is unlawful and the User requests that the processing be limited (and not the right to oblivion);
• The processing officer no longer needs the personal data for processing purposes, but they are still necessary for the concerned person to establish, exercise or defend legal rights;
• The concerned person objected to the processing operation under Article 21(1) during the verification as to whether the legitimate grounds pursued by the officer prevail over those of the concerned person.

The User will be informed, by email, by Sharework, of the termination of the limitation, when the time comes.

8.5. Right to data portability

The User will receive all the Personal Data collected and processed concerning him/her, in a structured format, commonly used and readable on machines, upon request.

The User may also request the portability of his Personal Data to another entity.

8.6. Right to object

The User may, at any time, object to the processing of his Personal Data based on consent.

The DPO is not bound by this objection when there are legitimate and compelling reasons for processing which prevail over the interests and rights and freedom of the User, or for the establishment, exercise or defense of legal rights.

The User may also object to the processing of his Personal Data when the purpose pursued is prospecting or profiling for the purpose of prospecting.

8.7. Right not to be the subject of a decision based exclusively on automated processing

The User, except with his consent in particular, has the right not to be the subject of a decision based exclusively on automated processing, including profiling, which produces legal effects concerning him or significantly affecting him in a similar manner.

The DPO therefore agrees to take the necessary action to guarantee the User that his right not to be the subject of a decision based exclusively on automated processing is respected.