January 30, 2024
“OPENSEE SAS”, a French simplified joint stock company with a capital of €20 000,00 whose registered office is located at 21 boulevard Saint Germain 75005 Paris (France), registered on the Paris Trade and Companies Register under number 811 474 709 and represented by Mr Stephane RIO in his capacity of CEO, processes personal data as part of its business activities. Hereinafter “OPENSEE SAS”.
The purpose of this Policy is to set out the technical and organizational measures taken by OPENSEE SAS to ensure a high and sustainable level of protection for processed data, to document its compliance with the French Data Protection Law and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR Regulation” or “Regulation (EU) 2016/679”), and the Data Protection Act 2018 (and any successor legislation or other directly applicable EU regulation relating to data protection and privacy for as long as, and to the extent that, EU law has legal effect in the UK), and to provide information to data subjects on the way in which OPENSEE SAS processes personal data and the means at their disposal to control such data processing.
Agreement: means any agreement between a DATA SUBJECT and OPENSEE SAS under which OPENSEE SAS collects, retains and processes the Data Subject’s Personal Data, such as an employment contract, a service contract or OPENSEE SAS’s general terms and conditions.
Personal data: within the meaning of Regulation (EU) 2016/679 of 27 April 2016 (see in particular Article 4) “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Collected data: roles, surnames, first names, postal addresses, e-mail addresses, telephone numbers, login and password details, university, qualifications, information on family situation, type of organization, name of organization, job title, financial data, bank details, IP address and any other personal data that may be relevant to the specific purposes.
Sensitive data: within the meaning of Regulation (EU) 2016/679 (see in particular recital 51) all data that are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin. Such personal data should not be processed, unless processing is allowed in specific cases set out in the GDPR Regulation.
Purposes of collecting personal data: personal data are collected fairly and lawfully for specified, explicit and legitimate purposes and are not further processed in a manner that is incompatible with those purposes.
They are accurate, complete and, if necessary, updated in light of the purposes for which they are collected. They are kept in a form that permits identification of DATA SUBJECTS for no longer than is necessary for the purposes for which the personal data are collected and processed.
The data are collected and processed for the purposes of OPENSEE SAS’s business activities, in particular in connection with OPENSEE SAS’s business relationships and the provision of services in accordance with its General Terms and Conditions, available at www.opensee.io. In addition, OPENSEE SAS processes personal data for the following purposes: identifying needs with a view to providing more appropriate services; managing OPENSEE SAS’s marketing activities; processing applications and any other purposes relating to its business.
Data Subject: an identified or identifiable natural person to whom the personal data processed by OPENSEE SAS relate.
Policy: means this document, which applies to all customers, users of the Websites, employees and service providers of OPENSEE SAS.
Controller: within the meaning of Regulation (EU) 2016/679, “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Consent: the consent of the data subject which must be a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of Personal Data relating to them.
Data Controller: the person that decides how and why to collect and use the data. This will usually be an organisation, but can be an individual (e.g. a sole trader). If you are an employee acting on behalf of your employer, the employer would be the Data Controller. The Data Controller must make sure that the processing of that data complies with data protection law. (Source: ico.org.uk)
Data Protection Law: all legislation and regulations in force from time to time regulating the use of Personal Data and the privacy of electronic communications including, but not limited to, EU Regulation 2016/679 General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 (and any successor legislation or other directly applicable EU regulation relating to data protection and privacy for as long as, and to the extent that, EU law has legal effect in the UK).
Data Processing: any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. A Data Processor will only carry out processing on the direct instruction of a Data Controller (i.e. processing will not include decision-making).
Encryption or encrypted data: The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.
GDPR: the General Data Protection Regulation (the “GDPR”) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of Personal Data outside the EU and EEA areas. The primary aim of the “GDPR” is to give control to individuals over their Personal Data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
PII (Personally Identifiable Information): any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for deanonymising previously anonymous data can be considered PII.
Services: means all services provided under the conditions set out in the Agreement.
Processor: within the meaning of Regulation (EU) 2016/679, “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Third Party: within the meaning of Regulation (EU) 2016/679, “a natural or legal person, public authority, agency or body other than the DATA SUBJECT, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.”
Processing: within the meaning of Regulation (EU) 2016/679, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Transfer of personal data: transfer of data from an OPENSEE SAS entity to another entity or to a third party located inside or outside the European Economic Area.
This POLICY applies from 1st March 2021.
The POLICY applies where OPENSEE SAS is the CONTROLLER and processes personal data on its own behalf.
Before any processing of personal data, OPENSEE SAS must ensure that such processing is based on a specified, explicit and legitimate purpose for which the personal data are processed.
When processing personal data, OPENSEE SAS must ensure that the PROCESSING has a legal basis.
If the PROCESSING is carried out pursuant to an agreement, it is then considered to be lawful.
If the PROCESSING is not carried out pursuant to an agreement, OPENSEE SAS must demonstrate that the PROCESSING has a legitimate purpose. The PROCESSING must have a legitimate purpose for OPENSEE SAS connected to its main business activity and must not prejudice the privacy of the DATA SUBJECTS.
If the PROCESSING does not meet the above conditions, OPENSEE SAS may request the prior consent of the DATA SUBJECTS under the following conditions, all of which must be met:
The processing of personal data must be strictly necessary for the initial purpose of the processing.
OPENSEE SAS may carry out further processing operations on the collected data provided that those processing operations are compatible with the purposes for which the data were originally collected (scientific research, statistics, etc.).
During the data’s life cycle, OPENSEE SAS must ensure that the data are accurate and up-to-date.
DATA SUBJECTS may exercise their right of rectification to update their personal data.
OPENSEE SAS must ensure that the data are not stored for longer than necessary for the processing purposes.
OPENSEE SAS has security measures in place to secure its IT environment against unauthorised or unlawful PROCESSING and against accidental loss, destruction or damage.
OPENSEE SAS deals with sensitive personal data in limited circumstances.
In these limited cases, treatment is only permitted if any of the following conditions is met:
The Personal Data collected in connection with the SERVICES shall be stored for the entire duration of the contractual relationship between OPENSEE SAS and the DATA SUBJECT.
In the event that the SERVICES and any contractual relationship are terminated for any reason whatsoever, the PERSONAL DATA shall be returned to the DATA SUBJECT and/or irreversibly deleted within the maximum periods permitted by applicable regulations.
In the event that OPENSEE SAS determines that there has been unauthorized or unlawful processing or access, or that the personal data for which it is responsible may potentially be, or have been, used or disclosed, OPENSEE SAS shall determine whether the breach should be reported to the competent supervisory authority in accordance with the procedure to be applied by OPENSEE SAS in the event of a Personal Data breach.
OPENSEE SAS may use third parties for its own purposes or in connection with the SERVICES.
When OPENSEE SAS uses a third party as a PROCESSOR, it shall ensure that the third party:
Transfers of personal data from an OPENSEE SAS entity acting as CONTROLLER to another OPENSEE entity located in the European Economic Area acting as Controller are governed by a data processing agreement or by specific provisions inserted into the Agreement.
Transfers of personal data from an OPENSEE SAS entity acting as CONTROLLER to another OPENSEE entity located outside the European Economic Area acting as CONTROLLER or as a PROCESSOR are subject to the provisions of this POLICY.
Transfers of personal data by an OPENSEE entity acting as CONTROLLER to a third party located outside the European Economic Area are governed through the adoption of standard contractual clauses.
DATA SUBJECTS may ensure that this data protection policy is applied by OPENSEE SAS.
If data subjects consider that OPENSEE SAS has breached this policy, they will need to follow the procedure described in this document.
If the dispute cannot be resolved out of court, DATA SUBJECTS may bring legal proceedings.
DATA SUBJECTS have the following rights:
If the data processing is necessary for exercising the right of freedom of expression and information;
If the data processing is necessary to comply with a legal obligation;
If the data processing is necessary on public interest grounds in the area of public health;
If the data processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes;
If the data processing is necessary for the establishment, exercise or defense of legal claims.
If a user has comments or questions about these rules, they can be emailed to OPENSEE SAS at email@example.com.
Data subjects will be required to submit complaints in accordance with this complaints procedure.
OPENSEE SAS undertakes to deal with these complaints within a reasonable period of time and, in any event, within one month of receiving the complaint.
This procedure shall also apply to requests by DATA SUBJECTS to exercise their rights to access, update and delete their personal data.
For any information or to exercise your rights concerning the processing of your personal data by OPENSEE SAS, you may contact our Data Protection Officer (DPO) by sending an email to: firstname.lastname@example.org.
Or by sending a signed letter together with a copy of an identity document to the following address: 112 avenue Kléber, 75116 Paris (FRANCE).
OPENSEE SAS adopts data protection restrictions at the start of any new project to ensure that the privacy of DATA SUBJECTS is respected as soon as a product or service is designed.
The principles and obligations set out in this policy will be incorporated as soon as a project is designed.
In order to ensure respect for privacy by design and by default, OPENSEE SAS ensures that:
OPENSEE SAS monitors that its data processing operations comply with prevailing regulations.
To that end, OPENSEE SAS may, in certain specific cases, carry out a privacy impact assessment to:
OPENSEE SAS undertakes to keep a register of processing activities.
OPENSEE SAS is responsible for ensuring that any new processing is recorded in the register with relevant background information on the processing.
OPENSEE SAS undertakes to maintain a good relationship with the data protection authorities. To that end, OPENSEE SAS shall cooperate with and agree to be audited by the data protection authorities and follow their advice on matters of which these authorities may be aware.
OPENSEE SAS shall decide which data protection authorities have jurisdiction over each processing operation it carries out.
If data protection authorities carry out an audit at any of the OPENSEE SAS sites, the Group Data Protection Officer shall be informed as soon as possible.
OPENSEE’s websites may contain cookies that collect personal data in order to improve the interactivity of the website and enable it to provide services.
A cookie is a small text file, usually consisting of letters and numbers, sent to your browser on your computer’s hard drive, via our Opensee.io website. It may be permanent (used at the time of subsequent website visits) or temporary (disappears when the user leaves the website).
OPENSEE SAS uses technical cookies that are required for the website to function properly. These cookies, also called session cookies, enable the website to recognize identified users on different pages.
A cookie does not identify the user, but it records information on browsing on our website for statistical purposes.
These cookies are stored on a user’s hard disk for thirty days.
Third Party cookies:
You may block cookies by changing your browser’s settings.
Refusing cookies may prevent you from accessing certain features of the website.
OPENSEE Group is committed to continuously assessing the compliance of the group’s structures with this data protection policy.
The assessment program will define the procedures for carrying out the checks, the expected scope of these checks and the team responsible therefor.