Personal Data Protection Charter – Confidentiality Policy
(Last updated : December 2021)
Foreword
Aware of the importance of ensuring the confidentiality of personal data, this document describes how Business France, as data controller, is fully committed to comply with the Personal Data Protection Regulation (Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016).
Business France has designated a Data Protection Officer whose contact details are as follows: https://dpo.businessfrance.fr/
A – Framework for the use of data
Below, Business France presents its collective data, its purposes and its basis.
What categories of data do we collect? | For what purpose do we collect these data? | On what basis do we treat your data? |
Name, first name, e-mail, mobile phone, function, company / organization, country, image |
Use of contact data Implementation of a messaging system for the website contact page |
Consent |
Name, first name, e-mail, mobile phone, function, company / organization, country, image | Create and publish content to online catalog, threads, profiles pages, blogs and other services where users can publish their information | Consent |
Name, first name, e-mail, mobile phone, function, company / organization, country, image | To communicate with clients et visitors by e-mail, telephone and/or mobile devices within the framework of the event | Legitimate interest of Business France to inform on its offers and services |
B – Storage time for the data
We keep your personal data for the necessary period with respect to applicable legislation and regulations, or for a period defined with regard to our operational constraints, such as our accounting, an efficient management of the client relationship, as well as to enforce any legal rights or to respond to requests by our line ministries.
Client data are kept for five years in the active database and five years in the intermediate database from the end of the contractual phase.
Data on prospective clients or partners are kept for three years from when they are collected or from our last contact with you.
C – Access to and transfer of data
C-1 Access to data
The personal data that Business France collects, and those that Business France obtains subsequently, are intended for Business France in its capacity as data controller, including its offices and representations abroad, some of which are located outside the European Union, and for the French public program members Team France Export (French administrative regions, French Chambers of Commerce and Industry and Bpifrance) and Team France Invest (Regional Development Agency, local authorities, ANCT and decentralized services) supporting the international development of the French economy.
Business France ensures that only authorized persons have access to this data. Business France service providers and French public program members supporting the international development of the French economy may be recipients of this data to perform the services for which they are entrusted. Some personal data may be sent to third parties or to legally authorized authorities in order to meet Business France’s legal, regulatory or contractual obligations.
Personal data may be subject to a convergence, a mutualization or a sharing between all Business France entities. Personal data may be communicated to these entities for the purposes referred to in A- Framework for the use of data. These operations are carried out on the basis of instruments that comply with applicable regulations and are capable of ensuring that clients, prospects or partners’ rights are protected and respected.
C-2 Transfer of data
Business France transfers personal data to its offices and partners in the European Union and outside the European Union.
Each of these transfers is governed by legal instruments that comply with the applicable legal framework:
– Switzerland and Japan benefit from an adequacy decision, which means that they offer personal data of clients, prospects or partners a level of protection equivalent to the one which is applied on the European Union territory.
– Transfers made to other countries (Cameroon, Canada, United States of America, Taiwan, Turkey, India, Australia, China, South Africa) are covered by the following appropriate safeguards: contractual clauses of the European Commission type.
D- User rights
A client, prospect or partner (private individual) can exercise their rights justifying their identity by email here or by post to the following address:
Data Protection Officer,
Business France,
77 boulevard Saint-Jacques
75014 Paris FRANCE
To do so, the claimant has to clearly indicate its surname and first name, and the address to which he wants the reply to be sent.
As a principle, the claimant can exercise freely all their rights. However, concerning the right of information, Business France will not have to answer it if the clients, prospect or partner already has the information requested.
Business France will inform them if it cannot answer the requests.
The failure to provide information or modification of data can have consequences in the process of certain demands for the execution of contractual relations.
The request concerning the exercise of the rights of the client, prospect or partner will be store for monitoring purposes.
Right to information:
The client, prospect or partner acknowledges that the present Charter provides them with information about the purposes, legal framework, interests, recipients or categories of recipients with whom their personal data were shared, and the possibility of a data transfer to a third country.
In addition to this information, and with the aim of ensuring fair and transparent processing of data, they further acknowledge that they have received additional information concerning:
– The period for which their personal data will be kept.
– The existence of the rights which are granted to them and the terms and conditions to exercise them.
If Business France decides to process data for purposes other than those indicated, all information relating to those new purposes will be communicated to them.
Right to access to and rectification of data:
The client, prospect or partner has the right to access and rectify their personal data here – or by writing to the Data Protection Officer at Business France 77 Boulevard Saint-Jacques, 75014 Paris, France.
In this respect, the client, prospect or partner has the confirmation as to whether or not their personal data are being processed and where this is the case, access to their data and the following information:
– The purposes of the processing.
– The categories of personal data concerned.
– The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries.
– Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
– The existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data, or to object to such processing.
– The right to lodge a complaint with a supervisory authority.
– Where the personal data are not collected from the data subjects, any available information relative to their source.
– The existence of automated decision-making, including profiling, and in this case meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The client, prospect or partner can ask Business France to, as the case may be, rectify or complete their personal data that are inaccurate, incomplete, equivocal or expired.
Right to erasure and to data restriction – right to object to data processing:
The client, prospect or partner can ask Business France to erase their personal data where one of the following grounds applies:
– The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
– The client, prospect or partner withdraws the consent they have previously provided.
– The client, prospect or partner object to the processing of their personal data and there is no legal reason for such processing.
– The processing of personal data does not comply with the provisions of the applicable legislation and regulations.
Nevertheless, the exercise of this right will not be possible when the retention of the personal data is necessary for compliance with statutory or regulatory provisions and in particular for example for the establishment, exercise or defense of legal claims.
The client, prospect or partner may request restriction of processing of their personal data in the cases provided for by law and regulation.
The client, prospect or partner has the right to object to the processing of their personal data when the processing is based on the legitimate interest of the controller, or on a necessary mission of public interest, or on the exercise of official authority.
Other rights:
The client, prospect or partner has the right to portability of their personal data. The data on which this right can be exercised are:
– Only their personal data, which excludes anonymized personal data or data that does not concern them.
– Declarative personal data and personal operational data.
– Personal data which do not adversely affect the rights and freedoms of others, such as those protected by trade secrets.
This right is limited to processing based on consent or contract, as well as to personal data that the client, prospect or partner has personally generated. This right does not include derived or inferred data, which are personal data created by Business France.
When the data processing carried out is based on the client, prospect or partner’s consent, they may withdraw it at any time. Business France will then stop processing the personal data, but this will have no impact on the previous transactions.
The client, prospect or partner has the right to lodge a complaint with the French Data Protection Authority (CNIL) on French territory without prejudice to any administrative or judicial remedy.
The client, prospect or partner can give instructions in relation to the storage, erasure and communication of their personal data after their death to a certified trusted third party in charge of enforcing the wishes of the deceased in compliance with the applicable legal framework.
The client, prospect or partner’s personal data are communicated to Business France as part of the services performed and purchasing procedures set out in the framework of Business France’s public service mission, defined by Decree no. 2014-1571 of December 22, 2014 related to the agency Business France.
In this context, if client, prospect or partner refuses to provide Business France with their personal data, which would be essential for the performance of the services, partnership, this refusal will result in an impossibility to perform the service or the partnership.
E – Data hosting
Business France has taken the physical, technical and organizational measures necessary to ensure the security, integrity, availability and confidentiality of your personal data, in particular to protect them against destruction, loss, theft, accidental destruction, alteration or non-authorized access.
The data collected and used by Business France for a third party are hosted in France (NB: due to data replication or load balancing reasons, personal encrypted data may be temporarily replicated in another country within the European Union).