This page describes how Cegid processes the personal data collected from data subjects (clients, prospects…).
If you have any questions or concerns regarding this page, please contact firstname.lastname@example.org
This document is likely to evolve where necessary to implement the obligations imposed by the legislation on personal data protection. The notions concerning personal data protection used in this document have the meaning given in the GDPR, notably in accordance with Article 4 of the GDPR.
General principles on personal data protection
When Cegid acts as data controller
According to article 5 of the GDPR, Cegid ensures that personal data are:
- processed fairly and lawfully;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purposes for which they are collected and processed;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which the data were collected;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
When Cegid acts as data processor
According to article 28 of the GDPR, Cegid ensures that:
- the purposes of the processing of data are described in the contract signed between Cegid and the client;
- the client’s personal data are processed for the purpose for which they were originally collected, and Cegid acts solely on the client’s instructions in accordance with the terms of the contract;
- the deletion of personal data is carried out under the conditions laid down in the contract, unless the applicable law requires the preservation of personal data.
Purpose and legal basis of personal data processing
When Cegid acts as data controller
For internal needs, Cegid collects personal data for purposes such as:
- management of customer and prospect contacts;
- management of commercial contracts;
- management of Cegid’s staff and recruitment;
- creation of user accounts;
- development and management of services to which the client subscribed.
Depending on these different purposes, Cegid ensures that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which Cegid is subject;
- processing is necessary in order to protect the vital interests of a natural person;
- processing is necessary for the purposes of the legitimate interests pursued by Cegid except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
When Cegid acts as data processor
It may be necessary for Cegid to access and process personal data provided by its clients within the framework of completion of offers and services to which the customer subscribes.
The access and processing are organized by a contract containing specific clauses for data protection signed between Cegid and the client.
Cegid processes personal data only on behalf of the client in accordance with the provisions of the contract.
Security and notification of personal data breaches
Cegid is certified ISO 27001 with regard to its Information Security Management System on the following scope: “Application hosting services in a Cloud environment, containing data provided by the clients”.
This certification guarantees the implementation of a certified security policy applied to the processes and workflow of Cegid for the duration of the SaaS service provided to the client.
All employees of Cegid are subject to an IT charter annexed to the internal regulation for ensuring an appropriate level of security.
According to articles 33 and 34 of the GDPR, personal data breaches shall be notified:
- when Cegid acts as data controller, to the French supervisory authority (CNIL) and if necessary, to data subjects concerned by the breach;
- when Cegid acts as data processor, to its clients concerned by the breach in accordance with the contract signed between Cegid and its clients.
Rights of the data subject
When Cegid acts as data controller
Under the conditions set forth in articles 15 and 22 of the GDPR, data subjects have the right to:
- access their personal data processed by Cegid;
- request the rectification, erasure or restriction of processing of personal data carried out by Cegid;
- in certain circumstances, object to the processing of their personal data;
- request the portability of personal data;
- withdraw their consent when it is the legal basis of the processing.
All requests related to those rights shall be made by filling out the form “Data subject’s rights” available on this page.
Cegid reserves the right to ask for clarifications in relation to any request and to request proof of the requester's identity.
In any event, Cegid recommends contacting the competent national supervisory authority for more information about the legislation on data protection, rights of data subjects and the possibility of lodging a complaint with this authority.
When Cegid acts as data processor
In the event Cegid receives a request from the data subject as part of the performance of the contract between Cegid and the client, Cegid will communicate this request to the client as soon as possible after receiving it and, taking into account the nature of the processing and the terms of the contract, will assist the client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights.
The client remains nevertheless responsible for replying to the data subject concerned.
Information to be given to the data subject
When Cegid acts as data controller
When collecting personal data, Cegid undertakes to provide data subjects with at least the following information, to the extent possible and regardless of the processing carried out:
- the contact information of the controller;
- the purposes of the processing;
- the recipients;
- transfers of data to third countries;
- the length of time the data are to be stored;
- the possibility to request the exercise of rights which can be applied pursuant to the applicable legislation;
- the right to submit a complaint with the supervisory authority.
When Cegid acts as data processor
Pursuant to article 13 of the GDPR, the controller has the responsibility to inform data subjects.
In accordance with the terms of the contract, Cegid provides its clients, acting as data controllers, with any information that might help them to enforce article 13 of the GDPR.
Cooperation of Cegid with its clients and with the supervisory authority
According to article 28 of the GDPR and its contractual engagements, Cegid undertakes to cooperate with its clients in order to assist them to comply with their legal obligations pursuant to articles 32 to 36 of the GDPR.
Generally speaking, Cegid undertakes to cooperate with the French supervisory authority (CNIL) where necessary and to take into account its recommendations.
Privacy by design regarding products and services
If Cegid plans to develop a new service or offer, Cegid, as software provider, will make every effort to introduce from the beginning of this project the principles for the protection of personal data (“privacy by design”) and help its clients to comply with the applicable legislation through functionalities and specific means.
Cegid staff awareness
All new Cegid employees must follow an awareness training concerning personal data protection.
More generally, Cegid will make every effort to offer its employees regular awareness raising with regard to personal data protection.
Awareness raising or more specific trainings may be conducted for employees working on a regular basis with personal data.
Governance of personal data protection
In order to have optimum control of personal data protection, Cegid has dedicated governance.
A Data Protection Officer (DPO) was designated in May 2018 and declared to the French supervisory authority (CNIL). The DPO is in charge of the governance.
A strategic committee transversally supervises all the activities of Cegid with the support of an operational committee composed of the DPO and contact points within different departments of Cegid.
Records of processing activities
Pursuant to article 30 of the GDPR, Cegid maintains two records of personal data processing:
- a record describing the processing carried out as data controller;
- a record describing the processing carried out on behalf and on documented instructions of its clients acting as data controllers.
These records are made available to the CNIL upon request.
Cegid has taken into account the new mandatory contractual stipulations according to article 28 of the GDPR in all contracts concerned.
Therefore, specific contractual clauses on data protection and in compliance with the applicable legislation have been introduced to:
- client contracts (GTC/GTU);
- contracts between Cegid and its own data processors.
Effective Date: October 17th, 2018
Collection of information
We collect contact information such as name, email address, address, phone number and company name. Cegid reserves the right to obtain information on the provenance of its visitors to ensure the development of its products and websites. This information can be of geographical, statistical or other nature.
We use this information to:
- Fulfill your order
- Assess the needs of your business to determine suitable products
- Send you product or service information
- Respond to customer requests
- Administer your account
- Send you marketing communications
- Respond to your questions or concerns
- Improve our website and marketing efforts
We may receive information about you from other sources, including third parties from whom we have obtained data such as name, affiliated company, and phone number, and may combine this data with information we already have about you. This helps us to update, expand and analyze our records, identify new customers, and provide products and services that may be of interest to you. If you provide us personal information about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. If you believe that your personal information has been provided to us and would like to request that it be removed from our database, please contact us at the contact information below.
You may learn about and apply for positions at Cegid on the Career page of our corporate website. We may collect your name, email address, phone number and citizenship. We will use this information to evaluate and contact you about your candidacy.
We may share your information with third parties who provide services on our behalf to help with our business activities. These companies are authorized to use your personal information only as necessary to provide these services to us. These may include providing computing and networking infrastructure services.
In certain situations, Cegid may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. If Cegid is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our website, of any change in ownership, uses of your personal information, and choices you may have regarding your personal information. We may also disclose your personal information to any other third party with your prior consent.
Access and choice
Upon request Cegid will provide you with information about whether we hold, or process on behalf of a third party, any of your personal information. To request this information please contact us at email@example.com or by contacting us by telephone or postal mail at the contact information listed below.
You may access, correct, or request deletion of your personal information by contacting us at firstname.lastname@example.org or by contacting us by telephone or postal mail at the contact information listed below. In certain circumstances we may be required by law to retain your personal information, or may need to retain your personal information in order to continue providing a service.
We will respond to these requests within a reasonable timeframe.
You may sign-up to receive newsletters or other communications from us. If you would like to discontinue receiving this information, you may update your email preferences by using the “Unsubscribe” link found in emails we send to you or by contacting us at email@example.com.
With the present document, Cegid reaffirms its commitment to ensure the security and integrity of the data collected via this website. Personal information gathered via this website is stored in secured offices, on secured servers which are not accessible via the Internet. The security of your personal information is important to us. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once it is received. If you have any questions about the security of your personal information, you can contact us at firstname.lastname@example.org.
We may retain your information for as long as your account is active or as needed to provide you services, comply with our legal obligations, resolve disputes and enforce our agreements.
We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Information related to the data collected through our service platforms
Cegid collects information under the direction of its Clients, and has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to Cegid’s Client (the data controller). If requested by the data controller to remove data, we will respond within a reasonable timeframe. Cegid may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our Clients.
We will retain personal data we process on behalf of our Clients for as long as needed to provide services to them. Cegid will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. The use of information collected through our service shall be limited to the purpose of providing the service for which the Client has engaged Cegid.
Cookies and similar technologies
As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.
Our website includes Social Media Features, such as the Facebook Like button, and Widgets, such as the Share this button or interactive mini-programs that run on our website. These Features may collect your Internet protocol address, which page you are visiting on our website, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our website. Your interactions with these Features are governed by the privacy statement of the company providing it.
We self-certify in compliance with:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Cegid (HR & Talent Management Solution business unit) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, please visit the U.S. Department of Commerce’s Privacy Shield List.
Cegid is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Cegid complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Cegid is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Cegid Corporation 1270 Avenue of the Americas – Suite 807 New York, NY 10020 T: +1 800.413.3521
Personal data collected through the forms provided on Cegid.com
Depending on the nature of the form, Cegid SAS, as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), may collect the following personal data: Surname, name, e-mail address, telephone number, position, company.
These personal data are processed by Cegid SAS for the purposes of management of its customer and prospects database and for commercial communications.
Cegid SAS and its subsidiaries and partners may also (i) be the recipients of those personal data for the purposes described above and (ii) transfer those data to third countries. You can contact Cegid for more information on this matter.
These data will only be stored for the necessary period to accomplish the object of the processing and you can exercise your rights in accordance with this policy by filling out the form “Data subject’s rights” available on this page.
Personal data collected in the context of the execution of Cegid SaaS offers
In order to deliver the required service, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: surname, name, e-mail address, telephone number, position, company.
These personal data are processed by Cegid SAS for the purposes of user account management.
The activities on the platform (connection and use) are also registered by Cegid SAS (log). These data are registered in order to ensure the traceability and security of the data and they are stored for a maximum period of one year.
You can exercise your rights in accordance with this policy by filling out the form “Data subject’s rights” available on this page.
Data subject’s rights
In accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), you have the right of access, rectification, data portability, restriction of processing, objection and erasure (“right to be forgotten”) concerning the processing of your personal data by Cegid.
To exercise your right, please complete the following form.
To lodge a complaint, please visit the website of your national supervisory authority.