This page describes how Cegid processes the personal data collected from data subjects (clients, prospects…).

If you have any questions or concerns regarding this page, please contact dataprivacy@cegid.com

1. Introduction

The aim of this privacy policy is to introduce the rules related to the protection of personal data that Cegid Group (hereinafter « Cegid ») commits to respect as data controller and data processor. These rules were drafted following the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter « GDPR ») on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

This document is likely to evolve where necessary in order to implement the obligations imposed by the legislation on personal data protection.
The notions concerning personal data protection used in this document have the meaning given in the GDPR, notably in accordance with Article 4 of the GDPR.

2. General principles on personal data protection

When Cegid acts as data controller

According to article 5 of the GDPR, Cegid ensures that personal data are:

  • processed fairly and lawfully;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purposes for which they are collected and processed;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary for the purposes for which the data were collected;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

When Cegid acts as data processor

According to article 28 of the GDPR, Cegid ensures that:

  • the purposes of the processing of data are described in the contract signed between Cegid and the client;
  • the client’s personal data are processed for the purpose for which they were originally collected, and Cegid acts solely on the client’s instructions in accordance with the terms of the contract;
  • the deletion of personal data is carried out under the conditions laid down in the contract, unless the applicable law requires the preservation of personal data.

3. Purpose and legal basis of personal data processing

When Cegid acts as data controller

For internal needs, Cegid collects personal data for purposes such as:

  • management of customer and prospect contacts (sending marketing or product information, responding to customer requests, assessing the needs of your business to determine suitable products…);
  • management of commercial contracts (order fulfilment, billing, debt recovery…);
  • management of Cegid’s staff, recruitment and careers (evaluate and contact the candidate…);
  • creation and administration of user accounts;
  • development and management of services to which the client subscribed.

Depending on these different purposes, Cegid ensures that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which Cegid is subject;
  • processing is necessary in order to protect the vital interests of a natural person;
  • processing is necessary for the purposes of the legitimate interests pursued by Cegid except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

When Cegid acts as data processor

It may be necessary for Cegid to access and process personal data provided by its clients within the framework of completion of offers and services to which the customer subscribes.
The access and processing are organized by a contract containing specific clauses for data protection signed between Cegid and the client.
Cegid processes personal data only on behalf of the client in accordance with the provisions of the contract.

4. Security and notification of personal data breaches

Cegid is ISO 27001 certified with regard to its Information Security Management System on the following scope: “Application hosting services in a Cloud environment, containing data provided by the clients”.

This certification guarantees the implementation of a certified security policy applied to the processes and workflow of Cegid for the duration of the SaaS service provided to the client.

All employees of Cegid are subject to an IT charter annexed to the internal regulation for ensuring an appropriate level of security.

According to articles 33 and 34 of the GDPR, personal data breaches shall be notified:

  • when Cegid acts as data controller, to the French supervisory authority (CNIL) and if necessary, to data subjects concerned by the breach;
  • when Cegid acts as data processor, to its clients concerned by the breach in accordance with the contract signed between Cegid and its clients.

5. Rights of the data subject

When Cegid acts as data controller

Under the conditions set forth in articles 15 and 22 of the GDPR, data subjects have the right to:

  • access their personal data processed by Cegid;
  • request the rectification, erasure or restriction of processing of personal data carried out by Cegid;
  • in certain circumstances, object to the processing of their personal data;
  • request the portability of personal data;
  • withdraw their consent when it is the legal basis of the processing.

All requests related to those rights shall be made by filling out the form available on the following website: https://www.cegid.com/en/privacy-policy/

Cegid reserves the right to ask for clarifications in relation to any request and to request proof of the requester’s identity.

In any event, Cegid actively recommends contacting the competent national supervisory authority for more information about the legislation on data protection, rights of data subjects and the possibility of lodging a complaint with this authority.

You may sign up to receive newsletters or other communications from Cegid. If you would like to discontinue receiving this information, you may update your email preferences by using the “Unsubscribe” link found in emails Cegid sends to you.

When Cegid acts as data processor

In the event Cegid receives a request from the data subject as part of the performance of the contract between Cegid and the client, Cegid will communicate this request to the client as soon as possible after its receipt and, taking into account the nature of the processing and the terms of the contract, will assist the client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights.

The client remains nevertheless responsible for replying to the data subject concerned.

6. Information to be given to the data subject

When Cegid acts as data controller

When collecting personal data, Cegid undertakes to provide data subjects with at least the following information, to the extent possible and regardless of the processing carried out:

  • the contact information of the controller such as company name and email address;
  • the purposes of the processing;
  • the recipients;
  • transfers of data to third countries;
  • the length of time the data are to be stored;
  • the possibility to request the exercise of rights which can be applied pursuant to the applicable legislation;
  • the right to submit a complaint with the supervisory authority.

When Cegid acts as data processor

Pursuant to article 13 of the GDPR, the controller has the responsibility to inform data subjects.

In accordance with the terms of the contract, Cegid provides its clients, acting as data controllers, with any information that might help them to enforce article 13 of the GDPR.

7. Cooperation of Cegid with its clients and with the supervisory authority

According to article 28 of the GDPR and its contractual engagements, Cegid undertakes to cooperate with its clients in order to assist them to comply with their legal obligations pursuant to articles 32 to 36 of the GDPR.

Generally speaking, Cegid undertakes to cooperate with the French supervisory authority (CNIL) where necessary and to take into account its recommendations.

8. Privacy by design regarding products and services

If Cegid plans to develop a new service or offer, Cegid, as software provider, will make every effort to introduce from the beginning of this project the principles for the protection of personal data (“privacy by design”) and help its clients to comply with the applicable legislation through functionalities and specific means.

9. Cegid staff awareness

All new Cegid employees must follow an awareness training concerning personal data protection.

More generally, Cegid will make every effort to offer its employees regular awareness raising with regard to personal data protection.

Awareness raising or more specific training may be conducted for employees working on a regular basis with personal data.

10. Governance of personal data protection

To have optimum control of personal data protection, Cegid has a dedicated governance structure.

A Data Protection Officer was designated in May 2018 and declared to the French supervisory authority (CNIL). The latter oversees the governance.

A strategic committee transversally supervises all the activities of Cegid with the support of an operational committee composed of the DPO and contact points within different departments of Cegid.

11. Records of processing activities

Pursuant to article 30 of the GDPR, Cegid maintains two records of personal data processing:

  • a record describing the processing carried out as data controller;
  • a record describing the processing carried out on behalf and on documented instructions of its clients acting as data controllers.

These records are made available to the CNIL upon request.

12. Contractual policy

Cegid has taken into account the new mandatory contractual stipulations according to article 28 of the GDPR in all contracts concerned.

Therefore, specific contractual clauses on data protection and in compliance with the applicable legislation have been introduced into:

  • client contracts (GTC/GTU);
  • contracts between Cegid and its own data processors.

13. Contact

If you have any inquiries regarding this privacy policy, please send an e-mail to the following address: dataprivacy@cegid.com

14. Information sharing

Cegid may share necessary personal information with third parties only in the ways that are described in this privacy policy and/or the applicable client contract.

Moreover, Cegid may receive personal information from other sources, including third parties from whom Cegid has obtained data such as name, affiliated company, and phone number, and may combine this data with information Cegid already has. This helps Cegid to update, expand and analyze its records, identify new customers, and provide products and services that may be of interest to you.

14.1 Service Providers

Cegid may share personal information with third parties who provide services:
  • on Cegid’s behalf to help with its business activities (consulting, networking infrastructure services, subcontractors…);
  • to help to manage contractual obligations (debt recovery…).

14.2 Legal disclosure

In certain situations, Cegid may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Cegid may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when Cegid believes in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

15. Material Changes

We may update this Privacy Policy to reflect changes to our information practices. We encourage you to periodically review this page for the latest information on our privacy practices.

Effective Date: October 17th 2019

This Privacy Policy applies to HR & Talent Management Solution business unit and service, owned and operated by Cegid Corporation (collectively, “Cegid”, “We”, “Us”, or “Our”) in the U.S.A. It excludes the Retail business. This privacy policy describes how Cegid collects, uses, shares and secures the personal information you provide. It also describes the choices available to you regarding the use of, your access to, and how to update and correct your personal information.

16.1. Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Cegid (HR & Talent Management Solution business unit) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, please visit the U.S. Department of Commerce’s Privacy Shield List.

Cegid is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Cegid complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Cegid is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

16.2 External sites

This website includes links to other websites whose privacy practices may differ from those of Cegid. If you submit personal information to any of those websites, your information is governed by their privacy policies. Cegid encourages you to carefully read the privacy policy of any website you visit.

16.3 Contact information

If you have any questions or concerns regarding this privacy policy, the practices of this site or your dealings with this site, please contact us using the information below:

Cegid Corporation
1270 Avenue of the Americas – Suite 807
New York, NY 10020
T: +1 800.413.3521

dataprivacy@cegid.fr.

Depending on the nature of the form, Cegid SAS, as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), may collect the following personal data: surname, name, e-mail address, telephone number, position, company.

These personal data are processed by Cegid SAS for the purposes of management of its customer and prospects database and for commercial communications.

Cegid SAS and its subsidiaries and partners may also (i) be the recipients of those personal data for the purposes described above and (ii) transfer those data to third countries. You can contact Cegid for more information on this matter.

These data will only be stored for the necessary period to accomplish the object of the processing and you can exercise your rights in accordance with this policy by filling out the form “Data subject’s rights” available on this page.

In order to deliver the required service, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: surname, name, e-mail address, telephone number, position, company.

These personal data are processed by Cegid SAS for the purposes of user account management.

The activities on the platform (connection and use) are also registered by Cegid SAS (log). These data are registered in order to ensure the traceability and security of the data and they are stored for a maximum period of one year.

You can exercise your rights in accordance with this policy by filling out the form “Data subject’s rights” available on this page.

The Web servers of Cegid Group websites automatically collect from the users of Cegid group sites (hereinafter referred to as “the sites”), the information relating to the use of the sites (as well as certain other information such as browser type and the operating system or IP addresses).
Cegid group websites may use cookies, small text files sent and stored on your computer that allow web servers to recognize users’ habits, facilitate their access to Cegid group sites, and allow the sites to compile global data that will improve the sites and their content. Cookies do not damage the computers or files. The cookies themselves cannot be used to discover the identity of the user.

The law states that we may only store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.

This site uses different types of cookies. Some cookies are placed by third-party services that appear on our pages.
At any time, you may change or withdraw your consent on our Privacy Policy page.
Your consent applies to the following area: www.cegid.com

How to manage your cookies on your browser?

You have several options to delete the cookies.

Although most browsers are set by default to accept the installation of cookies, you have the option, if you wish, to accept all cookies, reject them systematically, or choose the ones you accept according to the issuer.
You can also set your browser to accept or refuse cookies on a case-by-case basis prior to their installation. You can also regularly delete cookies from your device via your browser.

For the management of cookies and your choices, the configuration of each browser is different. It is described in the help menu of your browser, which will allow you to know how to change your configuration on cookies.

However, if you set your browser to refuse cookies or refuse the installation of a cookie, such deactivation could prevent the use of certain features of the Cegid group sites or prevent access to certain services, for which we cannot be held responsible.

We thank users of the site for informing us of any omissions, errors, or corrections by using our contact form.

Data subject’s rights

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (« GDPR »), you have the rights of access, rectification, data portability, restriction of processing, objection and erasure (“right to be forgotten”) concerning the processing of your personal data by Cegid.

To exercise your right, please complete the following form.

To lodge a complaint, please visit the website of your national supervisory authority