Personal Data Policy

Introduction

WARNING is aware of the importance to process the personal data, according to provisions set out in the Regulation (EU) 2016/679 Of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data,(hereinafter referred to as the “General Data Protection Regulation” or “GDPR”) and repealing the European Directive 95/46/EC.

Therefore, the present Policy is enable to give all information to the data subjects (visitors and users of the Warning’s website) related to the personal data processing carried out by WARNING, in order to comply with its transparency obligation set out in the GDPR.

Definitions

In order to be the most transparent as possible about the information communicated by WARNING to its visitors and users of its website, you will find below all necessary definitions for the good understanding of the present policy :

• Personal data : means all information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to such data. For example, a name, an identification number, location data, or even an online identifier are considered as personal data.
• Data processing : means any operation or set of operations which is performed on personal data or on sets of personal data. For example, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction are considered as personal data processing.
• Controller : means the natural or legal person which determines the purposes and means of the processing of personal data.
• Processor or data processor : means all the natural or legal person which processes personal data on behalf of the controller, under the instructions, purposes and means set out by the Controller.

Article 1 – The Controller

WARNING, Firm with a capital of 2 000 000 € having its registered office at 56 Avenue du 11 Novembre 1918 – Immeuble les Cèdres – 69160 TASSIN LA DEMI LUNE, and being registered at the Business and Companies Registry of LYON under the number 391 494 143, is acting as the Controller for all data processing carried out with the personal data collected on the website.

Article 2 – Legal basis and purposes of the processing

WARNING website carries out several personal data processing with the purpose to ensure the communication and the exchange of information with the Warning’s clients and for the good execution of the services.

Therefore, the legal basis used for the personal data processing realized by WARNING are : the data subject’s consent, the legitimate interest pursued by the controller and the compliance with a legal obligation.

The personal data processing below are based on your consent :

• To answer all written requests sent by the online contact form
• To answer all application form sent by the online career page

The personal data processing below are based on the compliance with a legal obligation :

• To comply with the security and fiscal legal obligation.

The personal data processing below are based on the legitimate interest of WARNING:

• Customer relationship management
• Measuring the website audience (with « Google Analytics » tool)
• Behavioural analysis and targeting of website visitors

Article 3 – Categories of personal data collected

The personal data processed by WARNING are mainly collected by the forms accessible on our website, or when the visitor creates a “candidate account” (cf Personal Data Candidates Policy for more information), except the data related to the internet connexion of the visitors (IP address) which ones are saved automatically by computer server on our server logs and by the Google Inc’s systems.

WARNING undertakes to comply with the data minimisation principle set out in the article 5.1 of the GDPR, which one consists in collecting just the limited and relevant data needed for the processing. Therefore, the personal data collected by WARNING are the following :

Data in connexion with the identification of the data subject	-Name -Last Name -Civility -Text and comments
Data in connexion with the contact of the data subject	-Email address -Phone number
Technical data	-IP Address -Navigation data -Connexion data (logs)

Article 4 – The recipients of the personal data collected on the website

The recipients of the personal data collected by the accessible forms on the WARNING’s website, are the employees authorized by WARNING to process your request inside the firm. WARNING guarantees that all its employees are trained to respectfully process personal data, according to the legal obligations set out by the GDPR.

Except for the IP address and the information related to the visitors’ connexions processed by Google Inc (located in the USA) acting as a controller itself, the personal data collected through WARNING’s website is processed only for internal use, and is not subject  of any communication, cession or disclosure to third parties other than the ones granted by WARNING to its data subcontractors.

Article 5 – The data subcontracting

WARNING may hire subcontractors for the good execution of its services (for example : IT service providers, etc…)

WARNING guarantees its users and visitors of its website, the compliance of its subcontractors with the legal obligations set out in the GDPR, in connexion with the personal data protection. Then, WARNING ensures previously and during all the contractual relationship, its subcontractors will respect the security technical and organizational measures required for the data processing set up by WARNING.

In order to be compliant with the requirements of the GDPR, WARNING ensures to enter into a contract related to the personal data processing with its subcontractors, in which ones WARNING will define and remind the obligations of the subcontractors.

Then, you will find below the subcontractors list acting on behalf of WARNING :

• CYLLENE (IT service provider)
• HEXAGRAM ( IT service provider)
• KIOSKEMPLOI (provider of the application GestMax, used by Warning in order to manage application forms received on its website in response to its job offers)
• COMADEQUAT (communication agency)

For your information, Google Inc is acting, no as a subcontractor of WARNING, but in its quality of Controller. Furthermore information, please consult the Google Confidentiality Policy available here https://policies.google.com/privacy

Article 6 – Transfer of personal data outside of European Union

WARNING does not proceed any personal data transfer, outside of European Union.  The personal data collected by WARNING is hosted within the European Union.

If WARNING has to transfer personal data outside of European Union, WARNING undertakes to take all necessary provisions for ensuring the protection of such personal data, in connexion with the European applicable legislation.

Article 7 – the storage period

According to the limitation principle of storage periods set out by the GDPR, the personal data collected and processed by WARNING are retained only the time necessary for the purpose of the data processing.

Categories of personal data	Storage period
Data related to the visitors and users of the Warning Website	Time necessary and required for processing the request sent by the visitors/user, then 2 years since the last visit on the Warning’s Website
Data related to the candidate applications sent	2 years since the last intervention of the candidate, unless the candidate expresses its opposition.
Technical data (logs)	6 months since the consent given by the visitors/users of the website, unless otherwise prescribed by law
Cookies	13 months since the consent given by the visitors/users of the website, about the use of cookies

WARNIG guarantees the confidentiality of the information recorded on the website. The addresses and the nominative data of the registered users do not appear on the website.

At the end, WARNING undertakes to delete and cancel immediately the collected data when the user of the website ask for it on the WARNING’s website or by the email address RGPD@warning.fr or by the following address :

To Data Protection Officer
Law department
34, Avenue du 8 Mai 1945
92390 – Villeneuve la Garenne France

Concerning the storage period for the personal data collected by our measuring audience tool called “Google Analytics”, we invite you to consult the confidentiality charter of Google Inc here : https://policies.google.com/privacy

Article 8 – the exercise of data subject’s rights

According to the national French law n°78-17 named “Loi Informatique et Libertés” of the 6th January 1978, and the General Data Protection Regulation (hereinafter referred to as the “GDPR”), you have the following rights mentioned below due to the personal data processing :

• The right of access and the right of copy :

You can ask for the confirmation that your personal data is or is not processed, to the Controller. And, when your personal data is processed, you have a right of review on such personal data. In such case, WARNING shall provide a copy of the personal data processed. WARNING is entitled to require a payment for the reasonable expenses based on the administrative costs for any additional excessive copying request from you.

• The right to rectification :

You can ask for the rectification of your personal data that may be inaccurate, to the Controller, as soon as possible. You have the right to obtain that all your incomplete personal data to be completed, including by providing an additional declaration.

• The right to erasure:

You can ask for the erasure of your personal data, as soon as possible, to the Controller.

• The right to restriction of processing:

You can ask, to the Controller, for the limitation of the use of your personal data made by him, when :

• • You contest the accuracy of your personal data. Such limitation of the processing will be applied the time necessary for WARNING to check the accuracy of your personal data.
  • The processing is unlawful and you want WARNING to limit its use of your personal data, instead of the erasure of your personal data.
  • WARNING does not need any more your personal data for the data processing, but you consider that your personal data still being necessary for the establishment, for the exercise or for the defence of your legal rights.
  • You are against the personal data processing (in connexion with your right to object). That limitation of personal data processing will be applied the time necessary for WARNING to check if its legitimate interests pursued prevail on the interests asserted by you.

• The right to object :

This right consists in expressing your opposition, on grounds relating to your particular situation, at any time to processing of personal data concerning you, when such processing is based on the legitimate interest of WARNING, or when the processing is realized in order to do prospection or profiling.

• The right to data portability :

This right consists in receiving the personal data you provided to WARING, in a structured, commonly used and machine-readable format, or to transmit those data to another controller without hindrance from WARNING to which the personal data have been provided, when the following conditions are gathered :

• • The processing is based on your consent, or on a contract
  • The processing is carried out by automated means
• The right to lodge a complaint with the competent supervisory authority :

This right consists in lodge a complaint with the French supervisory authority (CNIL) directly on its website (available here https://www.cnil.fr/fr/plaintes ) or on the following address : CNIL – Service des Plaintes – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.

You can exercise such rights by sending an email to RGPD@warning.fr or by postal address :

To the Data Protection Officer
Service Juridique,
WARNING
34, Avenue du 8 Mai 1945
92390 – Villeneuve la Garenne France

Nevertheless, WARNING is entitled to verify your identity before any access to personal data or before any correction.

Article 9 – the security measures

WARNING undertakes to apply all the security technical and organizational measures necessary for ensuring the protection of the personal data collected, and to avoid so any personal data breach.

For your information, WARNING set up a security system for its establishments (with alarms and CCTV, restricted access requiring authentication, an access and badges control and/or fingerprint of the authorized employees ) and a security system for its IT systems (with antivirus software, network firewall, firewalls, ….)

Article 10 – Actualization and modification of the Personal Data Policy

In order to comply with the legislative and regulatory evolutions related to personal data protection, the present policy may be modified and actualized by WARNING at any time. Therefore, the last version of the present policy will prevail on another versions.

Article 11 – More information

If you have any question related to the personal data protection, we invite you to contact :

• Contact the WARNING’s Data Protection Officer (DPO) with the following email : RGPD@warning.fr
• Or consult the CNIL’s website here : https://www.cnil.fr/

***