Crédit Mutuel Innovation makes respecting privacy and protecting personal data a priority.
This document sets out its commitment to implementing appropriate technical and organisational measures when collecting and using personal data relating to natural persons acting on behalf of a legal entity (legal representative, employee, etc.) or data relating to natural persons passed on to us within the framework of our business activities (hereinafter the "data subjects") and over the course of our relationship in order to ensure that personal data is used responsibly.
All natural persons whose personal data is given to us should be informed in particular of their rights. This personal data protection policy may be passed on to the data subjects in order to tell them how their data is treated by Crédit Mutuel Innovation.
In this policy, where we refer to personal data as "your data", this concerns data relating to the natural persons concerned.
Crédit Mutuel Innovation undertakes to respect all obligations resulting from regulations applicable to the treatment of personal data, especially :
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable since 25 May 2018 (hereinafter the "General Data Protection Regulation" or "GDPR");
- The French data protection act n°78-17 of 6 January 1978 as amended;
- Opinions and recommendations of the supervisory authorities, the Working Party on the Protection of Individuals with regard to the protection of personal data (the "Article 29 Working Party") or the European Data Protection Committee.
Personal data is also protected by professional secrecy, by which we are bound.
1. Definitions
« Personal data » : means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, telephone number, postal address, e-mail address, identification number, location data.
« Processing of personal data » : any operation performed on personal data such as collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, combination, restriction, erasure or destruction.
« Data Controller » : the natural or legal person, public or private, or department which, alone or jointly with others, determines the purposes and means of the processing of personal data.
« Subcontractor » : the natural or legal person, public or private, or department which processes personal data on behalf of the controller.
2. Data Protection Officer
Crédit Mutuel Innovation has appointed a Data Protection Officer. The Data Protection Officer is a specialist in personal data protection and is responsible for informing and advising the data controller, ensuring that applicable regulations are respected and in particular ensuring that personal rights are respected (see paragraph 9 below). The Data Protection Officer is also the main point of contact for the Commission Nationale de l'Informatique et des Libertés (CNIL).
3. Personal data collected
The personal data we collect or hold is strictly necessary for our business activities in order to allow us to assist you in your various projects.
We are required to collect:
- Data relating to identity such as first name(s), last name(s), date and place of birth.
- Data relating to contact details such as postal address, business e-mail address, telephone number(s).
- Identification and authentication data such as a specimen signature.
- Data relating to the person's professional situation such as employment held.
Data may be collected directly from the data subjects or from the following sources (non-exhaustive list):
- Publications or databases such as the Journal Officiel or the Bulletin Officiel des Annonces Civiles et Commerciales.
- Anti-fraud agencies.
- Websites and social media concerning data you have made public.
- Patronages.
- Use of prospective client records.
4. Purposes of data processing
Crédit Mutuel Innovation processes data for specified, explicit and legitimate purposes.
Personal data is processed for the following purposes:
- knowledge of natural persons (director or other representatives of legal entities),
- routing inter-company communications to the representative concerned,
- communicating information relating to our business activities, in particular by e-mail, mobile phone alerts, letter, SMS or telephone calls. You can inform us at any time if you no longer wish to receive business communications. If you ask to no longer receive communications or if you would like to begin receiving these communications again, we keep an IT trail of these requests as evidence.
- execution of the contract binding us to the legal entity.
5. Legal framework for data processing
We ensure that all our data processing is done in accordance with the legal framework in terms of:
- Execution of a contract entered into or to be entered into or to provide you with precontractual information;
- Meeting our legal and regulatory obligations;
- Responding to our mutual legitimate interests.
6. Recipients of personal data collected and processed
Your personal data is only given to authorised and specific recipients.
These recipients may have access to your data within the limitations necessary to achieve the purposes described above.
Recipients may be:
- Our institution as data controller;
- Our authorised staff from the sales network and sales department;
- Institutions and companies that are part of the group to which we belong and our partners;
- Service providers and subcontractors providing services on our behalf;
- Guarantors;
- Brokers and insurance providers;
- Duly authorised legal and/or administrative authorities;
- Regulated professions (e.g. notaries, lawyers, bailiffs).
7. Keeping your personal data (data relating to executives will be subject to the same regime as data relating to legal entities in terms of retention)
Your personal data is kept for the entire duration of our relationship. It may be kept beyond the period of the relationship, in particular in order to allow us to comply with applicable regulations, assert our rights or defend our interests.
Your data may be archived for a longer period for the management of claims and/or disputes, in order to meet our regulatory obligations or to satisfy requests from duly authorised legal or administrative authorities.
As regards the companies in our portfolio, depending on the type of company and applicable legislation, data may be kept for up to 10 years after the end of the relationship or transaction. Your personal data is therefore kept for the time needed to achieve the purposes for which it is collected and processed. It will be destroyed safely or anonymised.
If personal data is collected for a number of purposes, it is kept until the end of the longest retention or archiving period.
8. Transferring personal data outside the European Union
Your personal data may be transferred in certain cases and for strictly limited purposes to a country outside the European Union. We shall ensure that it is protected:
- By the existence of an adequacy decision by the European Commission that recognises an adequate level of protection for the recipient country;
- If the level of protection has not been recognised as equivalent by the European Commission, we rely on the adoption of appropriate guarantees such as standard contractual clauses approved by the European Commission.
9. Your rights
You have rights concerning the collection and processing of your personal data, which may be exercised in accordance with the terms set out by applicable regulations, namely:
- The right to be informed in an understandable and easily accessible manner of the purposes of data processing and how long the data will be kept for as specified above;
- The right to access your data;
- The right to amend your data or have your data modified if it is inaccurate or incomplete;
- The right to delete your data unless we have legal or legitimate reasons to keep it;
- The right to object to processing if this is based on the legitimate interests of the data controller;
- The right to object, in relation to any processing and free of charge, without having to state a reason for your request, to your data being used for business prospecting purposes intended for the legal entity.
- The right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy TSA 80715 75334 PARIS CEDEX 07 or on the website www.cnil.fr/fr/plaintes.
You may exercise one of the above rights by writing to the following address: DATA PROTECTION OFFICER, 63 chemin Antoine Pardon, 69814 TASSIN CEDEX.
10. Safety of your personal data
We implement technical and organisational measures to protect your data, in particular adopting appropriate physical, logical and organisational safety measures, encryption and anonymisation in order to guarantee the confidentiality and integrity of your data and avoid any unauthorised access.
11. Understanding and managing use of our cookies
Our personal data protection policy shall be updated regularly to take account of legislative and regulatory changes.
We invite you to familiarise yourself with the latest version made available on our websites.