1. DEFINITION

This personal data protection charter informs you of WINNERSCORE’s commitments when personal information concerning you is collected via its website and the use that WINNERSCORE makes of it.

2. PREAMBLE

The present charter (hereinafter the “Charter”) provides a framework for the Processing of Personal Data in the context of WINNERSCORE ‘s relations with its partners.

WINNERSCORE, concerned with the protection of Personal Data, undertakes to comply with the regulations in force applicable to the Processing of Personal Data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “RGPD”) as well as any applicable national regulations (hereinafter the “Regulations”).

All WINNERSCORE partners undertake to read and take full cognizance of all the commitments listed in the present Charter, as well as to respect all its principles and accept that failure to do so may be considered as a serious breach of their contractual obligations.

All partners undertake to inform all their direct partners and strongly encourage them to follow these same principles and rules of good conduct.

3. DATA PROCESSING PRINCIPLES

In the context of its business relationships with its partners, WINNERSCORE makes every effort to be in permanent compliance with the essential principles of the RGPD and assures all of its partners that the Personal Data communicated to it is processed in a lawful, fair and transparent manner.

Personal data is collected for specific, explicit and legitimate purposes and WINNERSCORE undertakes not to process it for purposes incompatible with these purposes.

WINNERSCORE   respects the principle of Data minimization, in accordance with Article 5-c of the RGPD stipulating that only Personal Data that is adequate, relevant and limited to what is necessary with regard to the purposes hereinafter defined shall be processed.

4. PURPOSES AND LEGAL BASIS OF DATA PROCESSING BY WINNERSCORE

FOR ANY SPECIFIC PROCESSING, NOTABLY IN CONNECTION WITH SECURITY (VIDEO SURVEILLANCE, BADGES, ETC.) OR WITH THE USE OF IT RESOURCES MADE AVAILABLE TO A BUSINESS PARTNER BY WINNERSCORE (SOFTWARE, HARDWARE, ETC.), THE PERSONS CONCERNED WILL RECEIVE A SPECIFIC NOTICE INFORMING THEM OF THE WAY IN WHICH THEIR PERSONAL DATA IS PROCESSED.

5. PERSONAL DATA PROCESSED

In the context of our business relations with our partners, the latter may communicate to WINNERSCORE the Data of the persons concerned, including the Data of their employees, as listed in the table above. For more information about the processing of your data, please consult the data protection policy of the partner concerned.

6. MAIL TO

WINNERSCORE   undertakes to maintain the confidentiality and security of your personal Data in accordance with the regulations in force and to verify that each Recipient complies with appropriate security and confidentiality guarantees.

Within WINNERSCORE entities, the recipients who may receive your personal data are :

– The authorized personnel within WINNERSCORE to process the Data;
– Auditors (statutory auditors, chartered accountants) ;
– External companies contractually bound to perform a contract ;
– Public and financial bodies, exclusively to meet legal obligations;

– In the event of a dispute, the Personal Data may be transmitted, where applicable, to persons working to resolve the conflict; to court officers and public officials as part of their debt recovery mission or for any other legal action; to judicial or administrative jurisdictions to establish, exercise or defend the rights of WINNERSCORE. to the judicial or administrative courts in execution of an enforceable court decision against WINNERSCORE ; to any individual or legal entity in execution of an enforceable court decision against WINNERSCORE.

Authorized service providers may also have access to your Personal Data as part of the services they provide in connection with the software solutions or IT resources used to process your Personal Data (maintenance, support, hosting, security and control of IT resources, etc.).

7. SHELF LIFE

The length of time we keep your personal data is determined by the legal and regulatory retention periods and by the type of data concerned.

By way of illustration, the retention periods for the main documents relating to the Economic Partners are as follows:

WINNERSCORE   WILL NOT RETAIN PERSONAL DATA IN A FORM THAT PERMITS IDENTIFICATION OF THE DATA SUBJECTS FOR ANY LONGER THAN IS NECESSARY FOR THE PURPOSE FOR WHICH THE DATA WAS ORIGINALLY COLLECTED.

WINNERSCORE may store Data for longer periods if the Personal Data is processed for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, subject to the application of appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject.

8. SECURITY AND CONFIDENTIALITY

WINNERSCORE   implements all technical and organizational measures that it deems appropriate, in accordance with Article 32 of the RGPD in order to guarantee the security and confidentiality of your Personal Data.

We verify that each Recipient complies with appropriate security and confidentiality guarantees. WINNERSCORE makes its employees aware of the importance of personal data security. For more information about the security of your Personal Data, please contact our Data Protection Officer (DPO).

9. TRANSFER OF DATA TO A THIRD COUNTRY

In the event of the transfer of your Personal Data to a recipient located in a State that is not a member of the European Community, appropriate safeguards will be put in place, in accordance with the provisions of the RGPD and WINNERSCORE will inform you by any means.

Transfers of Personal Data within WINNERSCORE entities not covered by an adequacy decision of the European Commission are generally covered by the signature of standard contractual clauses.

WINNERSCORE has implemented a Data transfer policy. For further information, please contact our DPO.

10. RIGHTS OF PERSONS CONCERNED

In accordance with the law, you can access your personal data and ask for it to be corrected or deleted. You also have the right to object, the right to limit the Processing of your Personal Data and the right to the portability of your Personal Data, where applicable. You can find out all about these rights and how to exercise them by sending your questions and/or requests to our Data Protection Officer (DPO) by :

• Mail to COLLAB 365 – 2 Rue Averroes, 93000 Bobigny, with “Personal data” in the subject line.
• Mail to contact@collab365.fr, you also have the right to lodge a complaint with the CNIL as supervisory authority, whose current address is: 3 Place de Fontenay, 75007 Paris.

11.BUSINESS PARTNERS’ COMMITMENT TO WINNERSCORE

Any partner carrying out Processing of Personal Data as a Subcontractor within the meaning of the RGPD on behalf of WINNERSCORE or as a subsequent Subcontractor on behalf of one of its customers undertakes to:

– Sign the Personal Data Processing contract proposed by WINNERSCORE, in order to comply with the provisions of Article 28 of the RGPD.

– Complying with regulations

– Process Data solely for the purpose(s) defined by the Data Controller

– Process the Data in accordance with the Data Controller’s documented instructions – If the Business Partner considers that an instruction constitutes a breach of the regulations, it shall inform the Data Controller immediately – If the Business Partner is required to transfer Data to a third country or to an international organization, by virtue of Union law or the law of the Member State to which it is subject, it shall inform the Data Controller of this legal obligation prior to Processing, unless the law concerned prohibits such information for important reasons of public interest

– Guaranteeing the confidentiality and security of processed Data

– Ensure that the persons authorized to process the Data undertake to respect the confidentiality of the Data and receive the necessary training in Data protection.

– Take into account, with regard to its tools, products, applications or services, the principles of data protection by design and data protection by default.

– Insofar as possible, the Economic Partner shall assist the Data Controller in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to the restriction of Processing, right to Data portability, right not to be subject to an automated individual decision.

– If the data subjects make requests to the Economic Partner to exercise their rights, the Economic Partner will notify the Data Controller of these requests in writing as soon as they are received.

– The Business Partner shall immediately notify the Data Controller in writing of any Data breach after becoming aware of it. This notification is accompanied by all the documentation required to enable the Data Controller, if necessary, to notify the breach to the competent supervisory authority.

– If necessary, the Economic Partner will provide the necessary assistance (i) the carrying out by the Data Controller of impact analyses relating to Data protection, and (ii) the data controller has carried out prior consultation with the supervisory authority

– The Economic Partner undertakes to implement the appropriate technical and organizational measures in accordance with the RGPD and to communicate them on first request

– On completion of the services, the Business Partner undertakes, at the option of the Data Controller, to (i) destroy all Data; or (ii) return all Data to the address provided. In the event of return of the Data, the Economic Partner shall destroy all existing copies in its possession and shall inform the Data Controller of such destruction.

– The Economic Partner communicates to the Data Controller the name and contact details of its Data Protection Officer, if it has appointed one in accordance with Article37 of the RGPD

– The Business Partner shall not recruit another Subcontractor without the prior written consent of the Data Controller and/or the Subcontractor, if a subsequent Subcontractor. If it is agreed that a subsequent Subcontractor will carry out specific Processing activities on its behalf, the same Data protection obligations as those set out in the contract signed with the Data Controller will be contractually imposed on such subsequent Subcontractor, in particular as regards presenting sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the RGPD. The Economic Partner remains fully responsible for the subsequent Subcontractor’s performance of its Data protection obligations.

– The Economic Partner undertakes to process the Data only within the European Union. If the Business Partner is authorized by the Data Controller to transfer Data outside the European Union to a country that is not adequate according to the European Commission, the Business Partner undertakes to implement appropriate safeguards for such transfer and to inform the Data Controller of the appropriate safeguards taken.

– The Economic Partner guarantees to assist the Data Controller and the Subcontractor, if it is a Subsequent Subcontractor in keeping its register of all categories of Processing activities.

– The Economic Partner provides WINNERSCORE with the documentation necessary to demonstrate compliance with all its obligations.

– The Economic Partner accepts that the Data Controller and/or the Subcontractor, if it is a subsequent Subcontractor, may carry out audits, including inspections, by itself or a third-party auditor it has commissioned and guarantees its contribution to such audits or inspections.

12. CLAUSE NULLITY

If one or more stipulations of the present Charter are held to be invalid or declared as such in application of a law or other legislative text or following a final decision of a competent jurisdiction, the other stipulations will retain all their force and scope.

13. CHARTER EVOLUTION

The Charter may be modified by WINNERSCORE’s management in order to take into account the recommendations of the CNIL (French Data Protection Authority), changes in the law, case law, computer techniques and, more generally, any changes in information and communication technologies.