Privacy policy & cookies

1. Introduction

The purpose of this policy is to present the rules relating to the protection of personal data, as data controller and data processor, that Cegid and its subsidiaries (hereinafter “Cegid”) undertake to comply with for all processing of personal data covered by this policy. These rules are in particular in application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter “GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

This document is subject to change, in particular when necessary to meet the obligations of the legislation on the protection of personal data. We therefore encourage you to visit our dedicated page regularly: https://www.cegid.com/fr/politique-de-confidentialite/

The concepts concerning the protection of personal data used in this document have the same meaning as that given by the GDPR.

 

2. Compliance with the general principles on the protection of personal data

• When Cegid acts as a data controller

Cegid guarantees that personal data is:

• processed in a lawful, fair and transparent manner;
• collected for specified, explicit and legitimate purposes, and are not further processed in a manner incompatible with those purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
• accurate and, if necessary, kept up to date;
• kept for a period not exceeding that necessary in relation to the purposes for which they are processed;
• processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures appropriate to the risks.

• When Cegid acts as a data processor

Cegid guarantees that it complies with the obligations signed in the data processing agreement.

 

3. Purpose and legal bases for the processing of personal data

For its internal purposes, Cegid collects personal data for the purposes of:

• management of customer and prospect contacts (sending marketing information, information on products or Group news, in-depth and responding to the needs of customers or prospects, producing statistics, etc.);
• management of its commercial contracts (management of orders, invoicing, collection, etc.);
• management of Cegid personnel, recruitment and careers (examining and contacting candidates, etc.);
• create and administer user accounts;
• To carry out and manage the services subscribed to by its customers (e.g. ticket management and recording of support calls).

Depending on these different purposes, Cegid ensures that one of the following conditions is met:

• the consent of the natural person has been collected for one or more specific purposes;
• the processing is necessary for the performance of a contract to which a natural person is a party or for the performance of pre-contractual measures taken at the request of that natural person;
• the processing is necessary for compliance with a legal obligation to which Cegid is subject;
• the processing is necessary for the purposes of the legitimate interests pursued by Cegid, unless the interests or fundamental rights and freedoms of the natural person concerned prevail.

The purposes not detailed in this section are detailed in the dedicated information presented to the data subjects when the personal data is collected.

 

4. Security and Data Breach Notification

Cegid implements appropriate technical and organisational measures to guarantee a level of security adapted to the risks.

Cegid has certifications (including ISO 27001) for its Information Security Management System for the delivery of a service allowing the hosting of applications containing data provided by customers in a Cloud environment.

Within their respective scopes, these certifications guarantee the implementation of a certified security policy applied to Cegid’s processes and workflows throughout the life of the SaaS service delivered to the customer.

More generally, Cegid’s employees are subject to an IT charter annexed to the internal regulations to ensure an appropriate level of security.

Pursuant to Articles 33 and 34 of the GDPR, any data breach will be notified:

• when Cegid acts as data controller, to the French supervisory authority (CNIL) and, if necessary, to the natural persons affected by the said breach;
• when Cegid acts as a data processor, to its customers affected by such breach of the terms of the contract between Cegid and its customers.

 

5. Rights of individuals

• When Cegid acts as a data controller

Under the conditions of Articles 15 and 22 of the GDPR, natural persons have the right to:

• access the personal data concerning them and processed by Cegid;
• request the rectification, erasure or limitation of the processing of their personal data carried out by Cegid;
• under certain conditions, object to the processing of their personal data;
• request the portability of personal data;
• where consent is the legal basis for processing, withdraw consent;
• define directives relating to the fate of their personal data in the event of death (in application of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms).

Requests related to these rights can be made by completing the form available on the following page: https://www.cegid.com/fr/privacy-policy/

Cegid reserves the right to request clarification on any request and to justify the identity of the requester.

An unsubscribe method is also available in our email marketing communications. In any case, Cegid recommends contacting the CNIL to find out more about the regulations relating to the protection of personal data, the rights of natural persons and the possibility of filing a complaint with this authority: https://www.cnil.fr/

• When Cegid acts as a data processor

In the event that Cegid receives a request from a natural person concerned by the processing of his or her personal data in the context of the performance of the contract between Cegid and its client, Cegid will communicate this request to its client as soon as possible from its receipt and, taking into account the nature of the processing and under the conditions established in the contract, will assist its client, by appropriate technical and organisational measures, to the greatest extent possible, to fulfil its obligation to comply with these requests.

The customer remains responsible for the response to be given to the natural person concerned.

 

6. Information for natural persons

• When Cegid acts as a data controller

Cegid undertakes to provide the natural persons concerned with at least the following information, as far as possible and regardless of the processing carried out:

• the contact details of the data controller and its Data Protection Officer;
• the purposes of the processing and its legal basis;
• the recipients;o transfers outside the EU if applicable;
• the retention period;
• the possibility of requesting the exercise of the rights that may be exercised under the applicable regulations;
• the right to lodge a complaint with the supervisory authority (in particular the CNIL).

• When Cegid acts as a data processor

The responsibility for informing natural persons lies with the data controller.

Under the conditions set out in the contract, Cegid provides its customers acting as data controller with all useful information to enable it to comply with this obligation.

 

7. Transfers outside the European Union

The data collected may be processed outside the European Union. Thus, in accordance with data protection legislation, Cegid is prohibited from transferring Personal Data, without putting in place the appropriate tools to supervise these transfers pursuant to Article 46 of the GDPR, except:

• of the European Union, or
• of the European Economic Area, or
• countries recognised as having an adequate level of security by the European Commission.

In particular, Cegid can call on its subsidiary Cegid Atlas in Morocco for processing related to:

• Recoveries,
• the technical means to ensure the support of its solutions,
• Feature development.

In the context of commercial relations, data transfers may also be made between Cegid France and its subsidiaries in Canada, the United States and China.

These transfers are based on the European Commission’s Standard Contractual Clauses.

 

8. The recipients of the data

Cegid may share personal data with third parties only under the conditions set out in this document and/or the applicable contract.

• Service Provider

• Cegid may share personal data with third parties providing a service, in particular in the following cases:
• on behalf of Cegid in the context of the performance of the customer contract (hosting, consulting, sub processor, etc.) under the conditions set out therein;
• to support Cegid in the execution of the financial and administrative conditions of the contract (collection, invoicing, etc.);
• for the production of marketing communications on behalf of Cegid;
• for support in the development of new products or services

• Distribution and/or sales partners

Cegid has developed a network of partners (distributors, publishers, etc.) for several of its offers to help it supply and develop its products.

Depending on the offer that interests the contact or is likely to be of interest to him, Cegid may be required to share the contact details of this contact with a relevant partner.

• Cegid subsidiaries and stakeholders

Cegid may share personal data with the companies of the Cegid Group or its shareholders for the purposes mentioned in this policy.

• Public authorities

In some cases, Cegid may be compelled to share personal data in the context of a request from a public authority, a subpoena or any legal request pursuant to applicable laws. In this case, Cegid will provide the data necessary to respond to this request, in particular when Cegid believes in good faith that such sharing is necessary to protect your rights, ensure your safety or that of others, investigate cases of fraud or meet a legal requirement.

To learn more about the recipients, contact us at [email protected].

 

9. Cegid’s cooperation with its customers and the supervisory authority

In accordance with Article 28 of the GDPR and in compliance with its contractual commitments, Cegid is committed to cooperating with its customers in order to help them meet their obligations.

In general, Cegid undertakes to cooperate with the French supervisory authority (CNIL) when necessary and to take into account its recommendations.

 

10. Privacy by design in products and services

When Cegid plans to develop a new service or a new offer, Cegid, in its capacity as publisher, introduces the principles of personal data protection (“privacy by design”) from the beginning of this project and thus helps Cegid’s customers to comply with the requirements of the applicable regulations through specific functionalities and means.

 

11. Raising awareness among Cegid staff

All new employees at Cegid must follow an awareness of the protection of personal data.

More generally, Cegid makes every effort to offer all its employees regular awareness of the challenges of personal data protection.

More specific awareness-raising or training can be carried out for employees who are required to handle personal data on a regular basis.

 

12. Governance of the protection of personal data

In order to manage the protection of personal data, Cegid has set up a dedicated governance system.

A Data Protection Officer, or Data Protection Officer (DPO) has been appointed to the CNIL. The latter manages this governance.

 

13. Processing records

Pursuant to Article 30 of the GDPR, Cegid maintains two registers of personal data processing:

• a register describing the processing carried out in its capacity as data controller;
• a register describing the processing carried out on behalf of and on the instructions of its customers responsible for processing.

These registers are made available to the CNIL on request.

 

14. Contractual Policy

Cegid has taken into account the new mandatory contractual obligations pursuant to Article 28 of the GDPR in all the contracts impacted.Thus, contractual clauses specific to data protection and in accordance with the applicable regulations have been introduced in:

• customer contracts (T&Cs/T&Cs);
• contracts between Cegid and its own processors.

 

15. Contact

If you have any questions about this policy or contact our Data Protection Officer, you can send your request to the following email address: [email protected]

Personal data collected in the context of the commercial relationship with Cegid

In order to provide the subscribed service and to manage its commercial relationship, Cegid SAS, data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: Surname, first name, email address, telephone number, position, company, training followed.

This data is processed for the purposes of managing its commercial relationship and providing the service or product subscribed to and/or managing training courses (including those carried out by Cegid Academy). It may also be used to send surveys, satisfaction studies or to compile statistics. For these purposes, Cegid may be the recipient of data collected by other companies of the Cegid Group.

Unless otherwise provided by law, the personal data collected for these purposes is processed for a maximum period of five years from the end of the business relationship. Responses to satisfaction surveys are kept for up to four rolling years.

Cegid may communicate some of your data to companies in the Cegid group, third-party organizations or partners in order to, in particular:

• Carry out collection operations,
• Assess the quality of the contact data provided,
• Evaluate the effectiveness of social media campaigns (LinkedIn),
• Carry out solvency checks and meet its duty of vigilance,
• Carry out commercial communications,
• Facilitate contact and commercial follow-up.
• To learn more about these partners, contact [email protected].

Cegid or its partners may also send you commercial communications.These mailings are made on the basis of legitimate interests in sending you communications related to your professional assignments, or where applicable with your consent. You can object to this at any time by clicking on the unsubscribe method indicated in all communications. The personal data collected for this purpose are processed for a maximum period of three years from the end of the business relationship or the last exchange at the initiative of the person concerned.

You can also exercise your rights in accordance with this policy by completing the “Rights of individuals” form below.

 

Personal data collected on the site’s forms Cegid.com or obtained from third-party sources

Cegid SAS, data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), may collect the following personal data: Surname, first name, email address, telephone number, position, company. This data may be collected by online forms or through third-party sources such as third-party providers in order to respond to your request as well as to manage the customer and prospect file, commercial communications and to produce statistics. These purposes are achieved on the basis of Cegid’s legitimate interests or consent when required by applicable law.

You can object to or withdraw your consent at any time to the sending of commercial communications by clicking on the unsubscribe method indicated in all communications.

The personal data collected for this purpose is deleted after three years if you no longer show interest in Cegid’s products or services, in particular if you do not respond to the emails received.

The subsidiaries of Cegid SAS and its partners may be recipients of the same personal data for the purposes described above. The partners may be distributors of Cegid offers that may be of interest to the contact.

Cegid SAS, its subsidiaries and partners may transfer this data to a third country only if this is necessary for the achievement of the purposes. In all cases, Cegid implements the necessary guarantees to supervise these transfers.

You can also exercise your rights in accordance with this policy by completing the “Rights of individuals” form below.

 

Data processed when you use the guest network (guest wifi)

By connecting to the guest network within Cegid premises, you agree that Cegid SAS may process your information in order to provide you with internet access. As such, Cegid may collect connection information such as the IP address or the identity of the device (for more information refer to article R10-13 CPCE).

The legal bases for processing are:

• For the provision of the service: consent
• For the retention of traffic data: legal obligation provided for in article. 34-1 CPCE.

Your data may be communicated to entities of the Cegid group as well as to external service providers in charge of implementing the processing or to authorized third parties in the event of requests by the competent authorities.

Your personal data is kept for a maximum of one year from the date of collection.You can exercise your rights in accordance with this policy by completing the “Rights of individuals” form below.

 

Personal data collected in the context of the operation of Cegid SaaS offers and customer portals

In order to provide the subscribed service, Cegid SAS, data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: Last name, first name, email address, telephone number, position, company, data on the use of the solution by users (log) as well as the data entered.

Unless expressly excluded by the contractual relationship, such personal data may be processed in the legitimate interest of Cegid, for the purposes of:

• traceability of actions on the SaaS platform and data
• Producing statistics
• Analysis of individual or aggregated data collected to better understand product usage and provide tailored features or product improvements
• SaaS Platform and Data Security
• Management of the contractual relationship
• User account management
• sending communication about Cegid offers

The data is not kept beyond the duration of use of the service. Notwithstanding, the logs are kept for a maximum period of one year from the date of collection You can exercise your rights in accordance with this policy by completing the “Rights of individuals” form below.

Following the contracting of a third-party product based on a Cegid offer, the commercial partners concerned are likely to process the same data. In this case, the processing conditions are defined by the partner.

The methods of data processing carried out within the framework of Cegid Account are detailed on the service portal.

Personal data processed and/or collected for support (“Customer Care”)

As part of its interactions with the Customer Care service, Cegid SAS, the data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: Surname, first name, email address, telephone number, position, company, content of exchanges. Cegid may also listen to and/or record calls made between the operator and the customer.

This data is processed for the purposes of:

• Ticket management
• Customer satisfaction evaluation
• Evaluation by Cegid of the quality of the call between the customer by the operator. The recordings are then kept for a maximum of 6 months, the analysis report of a recording can be kept for one year;

• Preservation of evidence in the event of a dispute. The data is then kept for 5 years.

In case of listening and/or recording of calls, you will be informed in advance. You can exercise your rights in accordance with this policy, and in particular:

• If you wish to exercise your right to object to the listening and/or recording of your call, you can inform the operator. If you wish to exercise this right after the call, you can complete the “Rights of individuals” form below on this page specifying your request.
• For other rights, in particular access, you can make a request by completing the “Rights of individuals” form below specifying your request.

In the legitimate interest of Cegid, a satisfaction survey may also be sent to the applicant after the processing of his request in order to evaluate the service provided.

When you use an AI solution that facilitates the consideration of support requests, the data can be processed by a Cegid partner specializing in artificial intelligence.

Cegid SAS and its subsidiaries may transfer this data to a third country only if this is necessary for the achievement of the purposes. Data transfers outside the European Union, in particular to Cegid Atlas in Morocco, are governed by the European Commission’s model clauses.

You can also exercise your rights in accordance with this policy by completing the “Rights of individuals” form below.

 

Personal data processed in connection with the provision of the Invoice & Financing service and related services

Personal information is processed by Cegid SAS in the context of:

• the signing and management of the financing contract;
• the solvency analysis of the persons concerned by the services.

The categories of data processed are:

• Identification data
• Financial data

This information can be obtained from professional data providers.

Your data may be communicated to Cegid SAS and its subsidiaries as well as to external service providers in charge of implementing the processing or to authorized third parties in the event of requests by the competent authorities.

Your personal data is kept for the following periods:

• Data required for the management of financing contracts: a period of 10 years after the final closing of the contract.
• Data required for solvency analysis: a rolling 10-year term after the final closing of the contract.

Your personal data may be transferred to countries outside the European Union for the purposes detailed above. These transfers are subject to a specific legal framework so that this data is covered by an adequate level of protection.

 

Product Improvement and Artificial Intelligence

Cegid acting as data controller, and in compliance with its legal and contractual commitments, may use the data generated in the context of the use of its products, sites and/or services for the purpose of improving its products or creating new features, including those related to artificial intelligence technologies.

This processing is carried out on the basis of Cegid’s legitimate interests as a service provider. The data processed is that available in the product or service concerned by the technology but is limited in accordance with the principle of minimization. It is not communicated to third parties outside the subsidiaries of the Cegid group, its stakeholders or its service providers.

Retention periods are determined on a case-by-case basis in accordance with the principle of limiting retention periods. Unless otherwise specified when using the service, prompts may be stored for up to three months. If they are stored for a longer period of time, they are anonymised. If you have any specific questions about retention periods, you can contact the Data Protection Officer via the form for exercising rights.

For artificial intelligence technologies, Cegid uses the main market models and/or internal models. When using a market model, Cegid ensures that the implementation respects the rights of individuals.

You have the right to access, rectify, delete, limit and oppose. Cegid may ask you for additional information in order to be able to identify you when the system does not collect directly identifying data.

For more information on this subject and to exercise your rights, you can write to Cegid’s DPO at [email protected]

 

Personal data processed by Cegid in the context of intra-group relations with EBP

Cegid SAS and its subsidiary EBP carry out data processing as joint data controllers, in particular in the context of personnel management, customer relations and their user account, as well as the development of new products or services.

An agreement has been signed between these two entities to reflect their respective roles and their relationships with the data subjects.

For any request on the main lines of the agreement or on the exercise of rights, you can contact the Cegid DPO at [email protected].

 

Cookie management

Trackers are deposited during the visit to the cegid.com site.

When you first arrive on the site, a banner offers you to accept, refuse or configure (or “personalize your choice”) the trackers that are deposited on your browser according to its category.

You can change your choices by clicking on the “Cookie” button at the bottom left of your screen.

Information on the categories of trackers is provided by clicking on the “Cookie settings” button in the banner as well as the third-party providers concerned.

The lifespan of cookies is a maximum of 13 months and the data collected by cookies for 25 months.