Personal data policy
In the context of their contractual relationship, Company and its customers responsible for processing (hereinafter jointly referred to as “the Parties”) undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “the RGPD”).
Each of the Parties undertakes, in particular, concerning the processing of personal data for which it is responsible, to respect the rights of the persons concerned (in particular the right to information, access, rectification and deletion of data). The Customer, who remains solely responsible for the choice of the Service, ensures that the Service has the characteristics and conditions required to be able to carry out the processing of personal data envisaged in the context of the use of the Service, taking into account the regulations in force.
1. Data ownership and controller
The Customer remains the owner of the data that he processes by means of the Services proposed by the Company. In accordance with the provisions of the RGPD, he remains the only person responsible for the processing.
2. Data localization
The Customer Data is located in one or more sites in France, unless otherwise stipulated in the Legal Notice available on the site https://app.pilot-learning.eu.
As soon as the Personal Data are:
- collected by the Customer outside the Country of location of the data before being transferred there under the Service, and/or
- transferred by the Customer, or by the Company on the Customer’s instruction, outside the Country of location of the data,
it is the Customer’s responsibility to ensure that the collection, processing and/or transfer of Personal Data in the Country of location of the data are authorized by the applicable local laws or, failing that, and when legally possible, to frame these transfers by adequate legal tools.
When the Country of location of the data is France, the Company undertakes not to move the sites where the Customer Data are located outside France without the prior agreement of the Customer.
3. Obligation of the Client responsible for processing
The Customer must clearly communicate to the Company all useful information regarding the purposes of the envisaged processing and take into account any relevant observations of the Company, which is bound by an obligation to advise, in the context of any reasonable request.
As the data controller, the Client undertakes to:
- promptly provide/document in writing, including in electronic form, any instructions regarding the processing of data by the Company
- ensure, beforehand and throughout the processing, that the Company complies with the obligations set out in the RGPD
- supervise the processing, including carrying out audits and inspections of the Company, if necessary and at its own expense.
4. Obligation of the Company, on behalf of the Customer
The Company is committed to:
4.1. process the data only for the sole purpose(s) for which it is outsourced,
4.2. process the data in accordance with the documented instructions of the Client, the controller.
If the Company considers that an instruction constitutes a breach of the GDPR or any other provision of Union or Member State law relating to data protection, it shall immediately inform the Customer. In addition, if the Company is required to transfer data to a third country or international organization under Union or Member State law to which it is subject, the Company shall inform the data controller of this legal obligation prior to processing, unless the relevant law prohibits such information on important public interest grounds,
4.3. guarantee the confidentiality of personal data processed within the framework of the Contract signed by the Customer,
4.4. ensure that the persons authorized to process personal data under the Contract entered into by the Customer:
- are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality
- receive the necessary training on the protection of personal data
4.5. take into account the principles of data protection by design and data protection by default in its tools, products, applications or services.
The Company may use a sub-processor (hereinafter, “the sub-processor”) to carry out specific processing activities. In this case, it shall inform the controller in advance and in writing of any changes envisaged regarding the addition or replacement of further processors. This information shall clearly indicate the processing activities subcontracted, the identity and contact details of the processor and the dates of the subcontract. The controller shall have a minimum of 7 (seven) working days from the date of receipt of this information to present its objections. Such sub-processing may only be carried out if the controller has not raised any objections within the agreed period.
The subsequent processor is required to comply with the obligations of this Personal Data Policy on behalf of and in accordance with the instructions of the controller. It is the responsibility of the original processor to ensure that the subsequent processor provides the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the EU Data Protection Regulation. If the sub-processor fails to fulfil its data protection obligations, the original processor shall remain fully responsible to the controller for the performance of the other processor’s obligations.
4.6. Right to information of data subjects.
It is the responsibility of the data controller to provide information to the data subjects of the processing operations at the time of collection of the data.
4.7. Exercise of the rights of individuals.
To the extent possible, the Company shall assist the data controller in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restrict processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
When data subjects submit requests to the processor to exercise their rights, the processor must forward these requests upon receipt by email to email@example.com.
The Data Protection Officer (DPO) appointed by the Company is Mr Walter Dubois.
4.8. Notification of personal data breaches
The Company shall notify the data controller of any personal data breach within a maximum of 24 (twenty-four) hours after becoming aware of it and by e-mail. This notification shall be accompanied by any useful documentation to enable the data controller, if necessary, to notify this breach to the competent supervisory authority.
4.9. Assistance of the processor in the compliance of the controller with its obligations.
The Company shall assist, within the limits of the means at its disposal, with any reasonable request of the data controller for carrying out data protection impact assessments. Walt’Air Solutions shall assist, within the limits of the means at its disposal, with any reasonable request of the data controller for carrying out the prior consultation of the supervisory authority.
4.10. Safety measures
The Company is committed to implementing, where possible, the following appropriate security measures:
- pseudonymisation and encryption of personal data;
- the means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
- the means of restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
- a procedure to regularly test, analyse and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing.
The Company undertakes to implement the reasonably appropriate security measures provided by the state of the art as specified by the recommendations of the CNIL and the ANSSI.
4.11. Data Fate
At the end of the services related to the processing of this data, the Company undertakes, at the choice of the Parties:
- to destroy all personal data, or
- to make available free of charge (up to a limit of 60 days) to the Client responsible for processing on a secure computer directory accessible remotely on authentication all personal data in their latest hosted version (“dump”), to the exclusion of any other previous version, or
- to make available free of charge (within a limit of 60 days) to the subcontractor designated by the Customer responsible for processing on a secure computer directory accessible remotely upon authentication the personal data in their latest hosted version (“dump”), to the exclusion of any other previous version
The return must be accompanied by the destruction of all existing copies in the information systems of the subcontractor (if any). Once destroyed, the Company will justify in writing, in electronic form, the destruction.
Any request exceeding this scope (for example, a request for the supply of a “snapshot” of the data, or retention beyond 60 days) may be invoiced, after an estimate communicated beforehand by Walt’Air Solutions.
4.12. Register of categories of processing activities
The Company represents that it maintains a written record of all categories of processing activities performed on behalf of the Customer including:
- the name and contact details of the controller on whose behalf it is acting, of any subcontractors and, where appropriate, of the data protection officer;
- the categories of processing operations carried out on behalf of the controller;
- where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documents attesting to the existence of appropriate safeguards;
- as far as possible, a general description of the technical and organisational security measures, including inter alia, as appropriate:
  - pseudonymisation and encryption of personal data;
  - means to ensure the continued confidentiality, integrity, availability and resilience of the processing systems and services;
  - means to restore the availability of and access to personal data within appropriate time limits in the event of a physical or technical incident;
  - a procedure to regularly test, analyse and evaluate the effectiveness of the technical and organisational measures to ensure the security of processing.
The Company shall make available, if necessary in electronic form, to the Customer data controller the documentation necessary to demonstrate compliance with all its obligations and to enable and assist in audits, including inspections, by the data controller or another auditor appointed by the data controller.
The Company implements all means and procedures reasonably appropriate to ensure the integrity, confidentiality and security of the data processed. In particular the Company will not transfer or communicate to third parties the data processed by the Service.
The Company offers the Customer the possibility of export/portability of the data. Any request for portability which would exceed the scope of a reasonable request (for example reprocessing of the data, retention beyond 60 days after cancellation) may be invoiced, after an estimate communicated beforehand by the Company.
5. Collection of personal data in connection with the Service provided
As part of the subscription to the services offered by the Company and during the provision of these services, the Company collects the following categories of data:
- i. Identification data: IP address (with source port) of the service subscription request, name of the training organisation, postal address and e-mail address, telephone number, intra-Community VAT number, surname, first name of the contact person.
- ii. Billing and/or payment data: bank details, means of payment, credit card reference via Stripe
- iii. Customer relationship monitoring data: assistance requests, correspondence with the Customer.
The Company uses these data for the execution and management of the Contract subscribed to by the Customer, the security of the Customer's account, and to satisfy the legal obligations regarding identification of the creators of content on the Internet. The Customer's bank details will be used by the Company for the invoicing, payment and recovery of any sum due under a contract concluded with the Company.
This includes the management of the Customer account and the contractual relationship, the installation, maintenance, provision and management of the subscribed service, the provision of assistance and the processing of requests, the invoicing of the service, the management of complaints and disputes and collection procedures, also through third parties. These data are kept for the time necessary to manage the contract and/or for the legal period. Without these data, the Company could not execute the services subscribed by the Customer and guarantee him a high level of data protection.
The Company can also use these data when it has a legitimate interest. These data will thus allow the Company to evaluate the performance of the services delivered to the Customer in order to improve them and to develop new ones, as well as to carry out actions of development of customer loyalty, canvassing, survey and promotion.
The data provided by the Customer may also be used to ensure the security of the Company's network and to prevent possible fraud or in the context of mergers, sales of assets or transfers of all or part of its business, by transferring the Customer’s personal data to the third party or parties involved in the transaction as part of the transaction.
This data will be kept for the time necessary to achieve these purposes and for a maximum period of 24 (twenty-four) months from the end of the contractual relationship concerning direct marketing.
The Company may also use this data to comply with its legal obligations (including anti-fraud laws, money laundering laws and provisions regarding late or non-payment by the Customer) and/or to respond to requests from the French public and governmental authorities in the exercise of their missions conferred by the laws and regulations in force.
The Customer can at any time access his data, rectify them, ask for their deletion, object to processing for legitimate reasons relating to his particular situation, or exercise his right to the portability of his data, via the online account management console or by postal mail, proving his identity, to: EI Walter Dubois – Data processing and Freedoms – rue du Poncelet 02450 FESMY LE SART – France. You can contact our Data Protection Officer at any time at the following address: firstname.lastname@example.org. The Data Protection Officer (DPO) appointed by the Company is Mr Walter Dubois.
Data that the Company needs for the purpose for which they were collected, or that are necessary for compliance with a legal obligation and/or the establishment, exercise or defense of legal rights, may not be deleted.
By contacting the Company's Data Protection Officer, the Customer can also define directives concerning the fate of his personal data after his death.
In the event of a complaint to which the Company has not given a satisfactory answer, the Customer may refer the matter to the National Commission of Data processing and Freedoms (CNIL), which is in charge of ensuring compliance with obligations regarding personal data.
Pilot-Learning – August 2022