Ensuring the protection of Personal Data collected for the purposes of its business is of particular importance to Sharework.
In this context, Sharework agrees to comply with the provisions of the current regulations relative to the protection of personal data and, in particular, the Data Protection Act, in its current version on the date hereof, and EU Regulation 2016/679 of 27 April 2016, known as the "RGPD".
In doing so, Sharework offers its services within a secure and clear legal framework, after implementing a Personal Data security approach to minimize the risk of data breach and, in the event of an incident, provide an effective and timely response.
GENERAL USER DECLARATIONS
Generally, the User is a natural person, acting on behalf of his employer, his instructing party, his partner, his management company, his executive bodies.
In order to avoid any misunderstanding, and as far as he is concerned, the User informs Sharework:
(i) For Users who are legal entities:
- That it is a legally constituted company, in good standing with regard to the applicable legislation and that its legal representative, or its management company, has all the powers and qualities to sign and implement this contract;
- That the signature of this contract has been duly authorized, if necessary, by the competent bodies;
- That the signature and execution of this contract does not and will not result in any breach, termination or modification of any contract or act to which it is a party and that this contract is not in conflict with any provision of such contract or act.
(ii) For Users who are natural persons:
- That he has the full capacity to enter into and implement this contract on his own, in particular that he has been duly authorized by his employer, instructing party, partner, management company and executive bodies;
- That the signature and execution of this contract does not and will not result in any breach, termination or modification of any contract or act to which he is a party and that this contract is not in conflict with any provision of such contract or act.
Article 1 // PURPOSE
Article 2 // DEFINITIONS
- Personal Data: All data likely to facilitate the identification of a User but also personal data collected by the User and stored in his CRM, of which he has authorized the transfer to Sharework for processing purposes. These include his first and last name, his e-mail address and telephone number.
- DPO: Responsible for the processing of collected and processed personal data (Data Protection Officer).
- Customer Data: this is the data which the User transmits to Sharework, allowing access to its CRM (subject to compatibility), so that the latter can analyze it in order to ensure its secure sharing with the Designated Third Party who has become a User. This Customer Data will remain the property of the Client Company.
- The Designated Third Party: this is the User's target company that will be invited to join the Sharework network so as to implement the analysis of their Customer Data in order to extract the Relevant Data which they have in common.
- Relevant Data: this is Customer Data whose comparative analysis between two Users has shown that sharing it between these two Users would be relevant, i.e. likely to foster the creation of a synergy between companies; this includes, for example, common customers, common prospects, etc.
- Special Agreement: any contract that may be signed between the User and Sharework. These contracts could be considered Special Conditions of Sale and Use;
- The Application developed by Sharework: this is the software developed by Sharework, in SaaS mode, to which the User will be able to connect through secure and dedicated access and through which he will be able to use Sharework services.
Article 3 // ACCEPTANCE OF THE USER
By purchasing or benefiting from a Sharework service, the duly authorized User acknowledges having read this Charter, and, as for the General Conditions, having fully understood and accepted its content.
Article 4 // DEVELOPMENT OF THE CHARTER IN TIME
In order to meet its legal obligations in terms of confidentiality and to provide its Users with a secure and efficient service, Sharework reserves the right to make changes to this Policy at its discretion, in particular to ensure compliance with applicable law.
Article 5 // REMINDER OF THE LEGAL FRAMEWORK
5.1. Principles relating to the processing of personal data
Article 5 of EU Regulation 2016/679 of 27 April 2016, known as the "RGPD", defines the principles relating to the processing of personal data.
Roughly, according to this text, the collection, processing and storage of Personal Data must comply with the following principles:
- Lawfulness, fairness, transparency: the person whose Personal Data is collected must be informed of it (collection and purpose) and agree to it;
- Purpose limitation: the purpose of the collection and processing of Personal Data must be legitimate and clearly stated;
- Minimization of data: collection must be limited to the Personal Data necessary for the purposes for which they are processed;
- Accuracy: action must be taken to allow for the modification, deletion, rectification of collected data that has become inaccurate;
- Storage limitation: the data are stored for a limited period of time, in accordance with the purpose of the processing operation, of which the concerned person is informed;
- Integrity and confidentiality: the officer must take all necessary action to protect the collected and processed data.
5.2. Focus on the lawfulness of the processing operation
Article 6 of EU Regulation 2016/679 of 27 April 2016, known as the "RGPD", deals with the lawfulness of the processing.
In summary, for the processing to be lawful, it is necessary, as required, that:
- The User whose Personal Data is collected and processed, for a specific purpose, has expressly agreed to this;
- Collection and processing are necessary for the implementation of a contract;
- Collection and processing are legally required;
- The collection and processing are justified by the protection of a person's vital interests;
- The collection and processing are necessary for the carrying-out of a mission of public interest or in the exercise of public authority;
- The collection and processing are necessary for the achievement of legitimate and private interests of the processing officer and a third party.
Article 6 // DATA PROCESSING MANAGER / DATA PROTECTION OFFICER (DPO)
6.1. Identification of the DPO
Sharework has appointed Mr. Alexandre Sadones as the Data Protection Officer (DPO).
He can be contacted for any question:
- By email, at the following address: firstname.lastname@example.org
- By post, at the following address: Sharework Company - 26 rue Henry Monnier 75009 Paris
6.2. Missions and resources of the DPO
To do this, in particular, he:
- Defines the purposes and methods of the processing operation;
- Decides on the technical and organizational methods to be implemented to ensure and be able to demonstrate, at any time, that the processing is carried out in accordance with the current law;
- Decides on the technical and organizational methods to be implemented to ensure and be able to demonstrate, at any time, that the appropriate actions have been taken to guarantee a level of security appropriate to the risk;
- Alerts the competent supervisory authority in the event of any violation of Personal Data within 72 hours of its discovery;
- Alerts the User of the violation of his Personal Data when it is likely to highly threaten his rights and freedoms.
The DPO has the necessary resources and the capacity to work with Sharework teams to assist them and raise their awareness on the RGPD themes.
Article 7 // COLLECTED AND PROCESSED PERSONAL DATA
3 months after the end of the service or contract, unless expressly requested by the User
Identify the User;
Track the file;
Identify the User;
Track the file
- Generation of non-reversible keys for correspondence from contacts stored in CRM
  - Clear data: no storage
  - Keys for correspondence: 3 months, unless expressly requested by the User
- Transmission of the contact details of a CRM user to a Designated Third Party
  - Clear data: no storage
  - Keys for correspondence: 3 months, unless expressly requested by the User
7.2. Personal Data Security
The technical resources implemented to protect Personal Data are the following:
- Encryption of data at rest;
- SSL encryption of all incoming and outgoing communications in the database;
- Method for authenticating the User through an individual password stored in a non-reversible manner in the form of a hash computed via the bcrypt algorithm, version 2a;
- Systematic access control within the application.
Control mechanisms are simultaneously implemented in the process of developing and providing services:
- Systematic code review including security elements to be verified
- Regular review of access controls within the infrastructure hosting the services
7.3. Transmission of data to third parties
Personal Data may be transmitted to the following third parties:
- The names, first names and emails of the User's employees housed in his CRM may be transmitted to Designated Third Parties for which the User has explicitly validated the transfer, for the purpose of establishing contact between the sales teams of the concerned companies.
The User, who collects the Personal Data housed in his CRM, remains responsible for informing the persons concerned of the transfer and processing of said data by Sharework, whose responsibility, as subcontractor of the processing, can only be engaged within this limit.
In any case, Sharework cannot sell any personal data to third parties.
Article 8 // USER'S RIGHTS
To exercise his rights as listed below, the User must contact the DPO at one of the addresses listed in Article 6.1. and provide him with any useful information to clearly identify him.
More specifically, the User must provide proof of his identity, his email address and, if need be, the reference of his Special Agreement or his customer account.
The DPO must reply to the User by email to the address provided by the User in his request within thirty (30) days of receipt of the request.
If the DPO fails to comply with this procedure, the User will be free to refer the matter to the competent authority, as designated in Article 55 of EU Regulation 2016/679 of 27 April 2016, known as the "RGPD".
8.1. Right of access
The User has the right to obtain confirmation from the DPO that Personal Data concerning him/her are or are not processed and, when they are, access to said data.
Furthermore, and more particularly, the User may question the DPO about:
- The purpose of the processing operation;
- The type of Personal Data concerned;
- The recipients of the Personal Data in the event of a transfer;
- The storage life or any element allowing it to be determined in case of uncertainty;
- The source of the collection if the Personal Data is not collected from the person it concerns
8.2. Right of rectification
The User has the right to obtain from the DPO that he or she modify or complete the collected Personal Data.
8.3. The right to oblivion
The User may, with certain exceptions (article 17.3 of the RGPD), also request the deletion of Personal Data concerning him/her when:
- They have become outdated with regard to the purpose of the processing operation to which they are subject;
- The User withdraws the consent initially given;
- The User objects to the processing (article 21 RGPD);
- The Personal Data have been unlawfully processed;
- Personal Data must be deleted in order to comply with a legal obligation to which the processing officer is subject;
- Personal Data has been collected as part of the information society services offered to children.
8.4. Right to limitation of processing
The User may request that the processing of the Personal Data collected concerning him/her be limited if:
- In the event of a dispute about the accuracy of the Personal Data, processing is limited for the duration of the inspection carried out by the DPO for this reason;
- The processing is unlawful and the User requests that the processing be limited (and not the right to oblivion);
- The processing officer no longer needs the personal data for processing purposes, but they are still necessary for the concerned person to establish, exercise or defend legal rights;
- The concerned person objected to the processing operation under Article 21(1) during the verification as to whether the legitimate grounds pursued by the officer prevail over those of the concerned person.
The User will be informed, by email, by Sharework, of the termination of the limitation, when the time comes.
8.5. Right to data portability
The User will receive all the Personal Data collected and processed concerning him/her, in a structured format, commonly used and readable on machines, upon request.
The User may also request the portability of his Personal Data to another entity.
8.6. Right to object
The User may, at any time, object to the processing of his Personal Data based on consent.
The DPO is not bound by this objection when there are legitimate and compelling reasons for processing which prevail over the interests and rights and freedom of the User, or for the establishment, exercise or defense of legal rights.
The User may also object to the processing of his Personal Data when the purpose pursued is prospecting or profiling for the purpose of prospecting.
8.7. Right not to be the subject of a decision based exclusively on automated processing
The User, except with his consent in particular, has the right not to be the subject of a decision based exclusively on automated processing, including profiling, which produces legal effects concerning him or significantly affecting him in a similar manner.
The DPO therefore agrees to take the necessary action to guarantee the User that his right not to be the subject of a decision based exclusively on automated processing is respected.