The purpose of this document is to present the rules relating to the protection of personal data in the capacity of data controller and subcontractor that SAS EXPATEO (hereinafter “EXPATEO”) undertakes to respect.
These rules result in particular from the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter “GDPR”) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
This document is subject to constant evolution, in particular when necessary to meet the obligations of the legislation on the protection of personal data.
The notions or terms concerning the protection of personal data used in this document have the same meaning as that given by the GDPR, in particular in Article 4 of the GDPR.
I) Compliance with the general principles of personal data protection
A - As a data controller
In accordance with Article 5 of the GDPR, EXPATEO guarantees that personal data are processed in a lawful, fair and transparent manner.
EXPATEO also guarantees that personal data are collected for specified, explicit and legitimate purposes and are not further processed in a way that is incompatible with these purposes;
EXPATEO also guarantees that personal data is processed in an adequate, relevant and limited manner with regard to the purposes for which it is processed;
EXPATEO undertakes to ensure that the data processed is accurate and, if necessary, kept up to date and stored for a period not exceeding that necessary for the purposes for which it is processed;
Finally, EXPATEO guarantees that personal data are processed in such a way as to ensure appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures that are adapted to the risks.
B - As a subcontractor
In accordance with the provisions of Article 28 of the GDPR, EXPATEO, in its capacity as a processor, guarantees, on the one hand, that the purposes of the processing are stipulated and described in the contract signed between EXPATEO and its client and, on the other hand, that the processing carried out on the personal data of its client is carried out solely for the determined purposes and on its instructions under the conditions stipulated in the contract.
In its capacity as a subcontractor, EXPATEO also guarantees that the deletion of personal data is undertaken at the end of the contract and under the conditions stipulated in the contract, unless the applicable law requires the data to be retained.
II) Purpose and legal basis of personal data processing
A - As a data controller
EXPATEO collects personal data for the following purposes:
- Management of recruitment;
- Management of payroll and gratuities;
- Management of administrative and legal declarations;
- Management of the employment contract;
- Management of prospects;
- Management of partners;
- Financial and accounting management;
- Management of the promotion of EXPATEO;
- Management of communication with third parties;
- Management of the automated database;
- Management of user accounts;
- Management of the processing of requests.
According to the different purposes listed above, EXPATEO ensures that one of the following conditions is met:
- Prior obtaining of the consent of the natural person whose data is collected for one or more purposes;
- Necessity of the collection and processing of personal data for the performance of a contract to which a natural person is a party or for the performance of pre-contractual measures taken at the request of the latter;
- Necessity of the collection and processing of personal data for the purpose of a legal obligation to which EXPATEO is subject;
- Necessity of the collection and processing of personal data to safeguard the vital interests of a natural person;
- Necessity of the collection and processing of personal data for the purposes of the legitimate interests pursued by EXPATEO, unless the interests or the fundamental rights and freedoms of the natural person concerned prevail.
B - As a subcontractor
As a subcontractor, EXPATEO may have to access and process the personal data entrusted by its customers within the strict framework of the realization of the offers and services subscribed.
This access and processing are governed by a contract containing specific data protection clauses signed between EXPATEO and its customer.
EXPATEO processes personal data only on behalf of and on the documented instructions of its customer in accordance with the provisions of this contract.
III) Security and data breach notification
EXPATEO guarantees the implementation of a security policy applied to the processes and workflows of EXPATEO during the whole life cycle of the SaaS service delivered to the customer.
More generally, the employees and collaborators of EXPATEO are subject to an Information Security Policy, an Incident Management Policy and internal regulations that ensure an appropriate level of security.
Pursuant to Articles 33 and 34 of the GDPR, any personal data breach of which the DPO becomes aware will be notified:
- By the DPO, when EXPATEO acts as a data controller, to the French supervisory authority (CNIL), if necessary and to the individuals impacted by the said breach;
- By the DPO, when EXPATEO acts as a processor, to the customers affected by the said breach under the terms of the contract between EXPATEO and its customers.
IV) Rights of individuals
A - In the event that EXPATEO acts as a data controller
In accordance with the provisions of Articles 15 and 22 of the GDPR, individuals have the right to:
- Access their personal data processed by EXPATEO;
- Request the correction, deletion or limitation of the processing of their personal data by EXPATEO;
- Under certain conditions, to object to the processing of their personal data;
- Request the portability of personal data;
- Where consent is the legal basis for processing, to withdraw their consent.
Requests related to these rights can be made by contacting the EXPATEO DPO department at email@example.com.
EXPATEO reserves the right to ask for details on any request and to request proof of the identity of the applicant.
B - In the event that EXPATEO acts as a subcontractor
In the event that EXPATEO receives a request from a natural person concerned by the processing of his or her personal data in the context of the performance of the contract between EXPATEO and its customer, EXPATEO undertakes to communicate this request to its customer as soon as possible after its receipt and, taking into account the nature of the processing and under the conditions set out in the contract, will assist its customer, by means of appropriate technical and organizational measures, to the fullest extent possible, to fulfill its obligation to comply with these requests.
However, the customer remains responsible for the response to the natural person concerned.
V) Information for individuals
A - EXPATEO acting as data controller
When collecting personal data and in accordance with the regulations in force, EXPATEO undertakes to provide the natural persons concerned with at least the following information, as far as possible and whatever the processing carried out:
- The contact details of the data controller;
- The purposes of the processing;
- The recipients;
- The transfers outside the EU if applicable;
- The retention period;
- The possibility to request the exercise of the rights that can be exercised in accordance with the applicable regulations;
- The right to lodge a complaint with the supervisory authority.
B - EXPATEO acting as a subcontractor
In accordance with Article 13 of the GDPR, the responsibility to inform natural persons lies with the data controller.
In this sense and according to the conditions provided for in the contract, EXPATEO provides its customers acting in the capacity of data controller with any information enabling them to comply with Article 13 of the GDPR.
VI) Development of a new service or a new offer
In the event of the development of a new service or a new offer, EXPATEO, in its capacity as publisher, will make its best efforts to introduce the principles of personal data protection from the design stage of the project.
VII) Register of processing activities
In accordance with Article 30 of the GDPR, EXPATEO maintains two registers of personal data processing:
- A register describing the processing carried out in its capacity as data controller;
- A register describing, where applicable, the processing carried out on behalf of and on the instructions of its data controller customers.
These registers are made available to the CNIL upon request.
VIII) Personal data collected on the forms on the Expateo.com website
Through the contact form on its website, SAS EXPATEO, responsible for processing, located at 97 Allée Théodore MONOD in BIDART (France), is likely to collect the following personal data:
- First name,
- Email address,
- Phone number,
- Function and company.
These personal data are processed by EXPATEO SAS only for the purpose of managing its customer and prospect file and for commercial communication.
IX) Personal data collected in the context of the operation of SaaS EXPATEO offers
In order to provide the subscribed service, SAS EXPATEO, located at 97 Allée Théodore MONOD in BIDART (France), is likely to collect and process, on behalf of its customers, the following personal data:
- First name,
- Email address,
- Phone number,
- Physical address
- Criminal record
- Economic and financial information
- Information on personal life
- Health information
- Information on location
These personal data are processed by EXPATEO SAS for the purpose of managing the user account and providing the requested service. The retention periods are contractually defined.
The activities on the platform (connection and use) are also recorded by EXPATEO (log). These data are recorded only for purposes of traceability and data security and are kept for a period in accordance with the contractual stipulations.
If you have any questions about this policy, you can send your request to the following e-mail address: firstname.lastname@example.org
When you visit our sites, information relating to your computer’s navigation may be recorded by programs, in particular in files known as “cookies”.
This information page is therefore intended to inform you about what a cookie is, why and how we use them and how you can accept or refuse their use. In this notice, the term “we” or “us” refers to the company EXPATEO.
What is a cookie?
A cookie is a small text file, stored by a website’s server in the browser of your computer, phone or other device when you visit that site.
A cookie contains several pieces of information:
- The name of the server that deposited it
- An identifier in the form of a unique number
- Possibly an expiration date.
What cookies are present on our sites?
Cookies are essential to the operation of our sites. We use the following cookies:
- Strictly necessary cookies
The purpose of these cookies is to make navigation on our websites more fluid while allowing optimal use of the various functions. The refusal or deletion of these essential cookies may prevent the proper functioning of our sites.
- Functional cookies
Functional cookies are intended to facilitate the operation of our websites, to make their use more pleasant for the visitor by collecting information relating to his navigation on the site in order to provide a personalized service. These are, for example, cookies that remember your preferences.
These cookies allow us to offer you content and advertising tailored to your needs.
- Third-party cookies
Who uses the information collected by cookies?
The information collected by our cookies is used exclusively by EXPATEO with the exception of the information contained in third-party cookies, which are used and managed by external entities in order to satisfy requests for improvement of our services and of the visitor’s experience while browsing our sites. Third-party cookies are used primarily to obtain access statistics and to guarantee payment for transactions made on our sites.
How to accept or refuse the deposit of cookies on your computer?
The recording of a cookie in your computer is subject to your will. Thanks to the settings of your browser or via the cookie management console on our website, you can accept or refuse the installation of cookies on your computer at any time, simply and free of charge.