INTRODUCTION

Law No. 78-17 of January 6, 1978 amended by Law No. 2004-801 of August 6, 2004 and Law No. 2016-1321 of October 7, 2016 relating to information technology, files and freedoms defines the conditions under which personal data processing may be carried out.

For this purpose, this document defines for our stakeholders:

1. The conditions of access and the rules for the use of the optimal computer resources to be put in place,

2. The measures taken by Newenergy and NewEnergy eve to ensure the security of personal data within the framework of the General Data Protection Regulation (RGPD),

3. The rights to information, opposition, verification, correction, copying, portability or deletion of personal data.

1. The rules of good conduct that we advise you to observe

The purpose of this paragraph is to make users aware of the risks associated with the use of resources in terms of the integrity and confidentiality of the information processed. These risks require compliance with certain safety and good conduct rules. The recklessness, negligence or malice of a user can, in fact, have serious consequences, such as the leak, destruction or degradation of customer data.

These recommendations apply to any user (any person authorized to access the client's computer tools and to use them: employees, interns, temporary workers, service providers, subcontractors, etc.) of your computer system for the exercise of their professional activities.

• The private use of these tools should be strictly prohibited.

Newenergy and NewEnergy eve recommend that this paragraph be disseminated to all users by means of a memo systematically issued to all newcomers.

1.1. THE RULES FOR USING THE INFORMATION SYSTEM

Each user has access to the computer tools necessary for the exercise of their professional activity under the conditions defined below.

1.1.1. Confidentiality

Users are subject to the duty of reserve and are required to maintain the confidentiality of the data they are brought to know in the course of their duties.

1.1.2. Safety rules

All users undertake to respect the following safety rules:

• Report to the IT manager, or to the service manager, any violation or attempted violation of their network account and, in general, any malfunction,

• Never entrust your username/password,

• Never ask a colleague or collaborator for their username/password,

• Do not hide your true identity,

• Do not usurp the identity of others,

• Do not change the settings of the workstation,

• Do not install software without permission. Do not copy, modify, destroy software owned by the customer,

• Lock your computer as soon as you leave your workstation,

• Do not access, attempt to access, delete or modify information that does not belong to you,

• Submit to the agreement of your supervisor any request for copying data on an external medium and respect the rules defined by the regulations in force.

In addition, it should be remembered that visitors should not have access to the computer network without the prior agreement of the service manager. External actors must undertake to ensure that these rules are respected by their own employees and subcontractors.

Therefore, contracts signed between the customer and any third party having access to data, computer programs or other means must include a clause recalling this obligation.

2. newenergy and newenergy watch and the RGPD

Newenergy and NewEnergy eve, taking the protection of the personal data of their stakeholders very seriously, have achieved full compliance with the RGPD. These are formalized and are made available to the CNIL and to all stakeholders who request them.

2.1. THE DATA PROTECTION OFFICER (DPO)

Newenergy and NewEnergy eve have appointed a personal data protection officer (DPO): Ms. Laura BARNABO (Newenergy: No. DPO-540 and NewEnergy eve: No. DPO-541).

Telephone: 04.90.39.21.33

Email: laurabarnabo@new-energy.fr

The DPO's mission is to ensure compliance with the provisions of Law No. 78-17 of 6 January 1978 as amended.

The DPO must be consulted by the data controller prior to any new data integration.

The DPO records in registers all the processing of personal data of Newenergy and NewEnergy eve as they are implemented.

This list is available to anyone who requests it.

2.2. A CHARTER SIGNED AND APPLIED BY THE EMPLOYEES OF newenergy AND newenergy watch

The private use of computer tools is strictly prohibited.

A confidentiality charter relating to Data Protection is signed by each user and any modification to it is published by service note.

Internal communication actions are organized regularly in order to inform users of recommended practices.

2.3. THE PROTECTIVE MEASURES APPLIED BY newenergy AND newenergy eve

We have defined technical and organizational measures to protect your data appropriately according to their nature, extent of processing and accessibility.

Details of the protective measures applied are available upon request.

2.4. DOCUMENTATION REFERENCING OUR PRACTICES

Newenergy and NewEnergy eve have completed full compliance and maintain detailed records of each of their practices.

To do this, various documents are available to the CNIL or have been sent to each of the stakeholders of Newenergy and NewEnergy eve:

1. A comprehensive audit relating to the processing of its data, including the register of subcontractors and service providers,

2. This document relating to the processing of personal data of stakeholders,

3. A personal data protection policy for each stakeholder,

4. A total of 18 registers complying with the legislation in force,

5. Three work tools necessary for monitoring requests, evaluating subcontractors and deleting data.

The following have also been updated with the addition of mentions and/or actions taken by Newenergy and NewEnergy eve:

1. Service contracts,

2. The General Terms and Conditions of Sale.

2.5. DATA COLLECTED AND STORAGE PERIODS

Newenergy and NewEnergy eve, in order to carry out their missions successfully, must collect a certain amount of personal data concerning their stakeholders.

In accordance with the principle of minimization, Newenergy and NewEnergy eve can only collect directly from you the data necessary for the purposes for which they are processed.

The collection of this data is required by the concluded contract or in order to conclude a contract.

This data is automatically deleted after the completion of the relationships that link you to one or other of the structures according to deadlines defined by regulations.

2.6. THIRD PARTIES WITH ACCESS TO DATA

Your personal data is processed by authorized personnel at Newenergy and NewEnergy eve.

All of their employees are subject to a confidentiality clause and only the Management has access to all of your personal data. No data leaves French territory.

Subcontractors may also be responsible for processing them in strict compliance with the General Data Protection Regulation (RGPD).

Newenergy and NewEnergy eve take care of carrying out all the necessary compliance checks before entrusting personal data to third parties in order to ensure their RGPD compliance.

The details of the subcontractors having access to your data are available on request, as well as the details of the controls carried out by Newenergy and NewEnergy eve.

3. Your rights

Within the framework of the laws mentioned above, the CNIL has defined a certain number of rights that each legal or natural person has. Newenergy and NewEnergy eve set them out for you below so that you are informed.

You can exercise your rights at any time by contacting the DPO at Newenergy and NewEnergy eve.

On this occasion, you will have to provide your name, first name, email address, telephone number and stamp in order to authenticate your request and ensure that the request was not made without your knowledge.

Your personal data may be retained or deleted after your death in accordance with the Regulations. You have the right to instruct Newenergy or NewEnergy eve to communicate this data to a third party that you have previously designated.

In case of dissatisfaction, you have the option of contacting the Commission Nationale de l'Informatique et des Libertés (CNIL) at the following address:

CNIL

3 Place de Fontenoy

TSA 80715

75334 Paris Cedex 07

Any data concerning you will be automatically deleted in accordance with the retention periods defined by regulation.

Details of the storage periods are available on request.

3.1. THE RIGHT TO STAY INFORMED

You have easy access to information

Information should be concise, legible, and easily accessible. It is written as clearly, precisely and simply as possible. A user does not need to be an expert to read the privacy policy of a social network or a bank. In the same way, if an organization targets children or vulnerable people, it must offer appropriate information.

Before collecting your data, an organization must therefore be transparent and allow you to know:

1. Why is it collecting your data?

2. How will it use them?

3. How to control your data and exercise your rights?

One reading is enough to get a good overview of how your data will be used.

An organization must offer you an information notice on the protection of your data. This page must be accessible from the home page of the organization's site under a clear title (“confidentiality policy”, “privacy page”, or “personal data”). In particular, it should inform you about:

• The contact details of the organization's data protection officer or of a contact on issues related to the protection of personal data,

• The use that will be made of your data,

• What authorizes the organization to process your data,

• Third parties who will have access to your data,

• The duration of conservation of your data,

• The procedures for accessing your rights and the possibility of filing a complaint with the CNIL,

• The legal basis for data processing (That is, what legally authorizes the processing: this may be the consent of the persons concerned, compliance with an obligation provided for in a text, the execution of a contract, etc.).

Depending on the case:

1. The existence of automated decision-making or profiling, information useful for understanding the algorithm and its logic, as well as the consequences for the person concerned.

2. The fact that the data is required by regulations, by a contract or in order to conclude a contract,

3. The right to withdraw consent at any time

And in the case of indirect collection carried out by a commercial partner:

4. The categories of data collected,

5. The source of the data, including whether this source is accessible to the public.

3.2. THE RIGHT TO OBJECT

You can object, at any time, to an organization using some of your data, whether they are in a file or whether they are transmitted, stored or disseminated.

In your request, explain what data you want to be deleted and why “due to your particular situation”.

You can exercise your request for the right to object by various means and without providing supporting documents: electronically (Form, email address, online account, etc.) or by post.

What to do in case of refusal or lack of response?

The organization must prove that legitimate and compelling reasons require it to continue processing your data despite your request, or justify that your data is necessary for the establishment, exercise or defense of legal rights.

If you exercise your right to object:

- To no longer receive commercial prospecting:

The organization must delete your email address from its prospecting database as soon as possible.

- To see personal information removed from a database

The organization has one (1) month to respond to you.

In the event of an unsatisfactory response or lack of response within one (1) month, you can contact the CNIL.

What are the limits of this right?

The right to object is not a right to the simple and permanent deletion of all your data or the account attached to you. For example, only a breach of contract allows the deletion of an account with your mobile operator or an e-commerce site.

If your opposition request does not concern prospecting, the organization may justify its refusal on the grounds that:

- There are legitimate and compelling reasons for processing the data or that they are necessary for the establishment, exercise or defense of legal rights,

- You gave your consent. In this case you must withdraw this consent rather than object,

- A contract binds you with the organization,

- A legal obligation requires it to process your data,

- The processing is necessary to protect the vital interests of the person concerned or of another natural person.

3.3. THE RIGHT OF ACCESS

You can ask an organization if it has data about you (Website, store, bank...) and ask that they be given to you to verify the content.

Exercising the right of access allows you to know if data concerning you is being processed and to obtain communication of it in an understandable format. It also makes it possible to check the accuracy of the data and, if necessary, to have them rectified or deleted.

The organization from which you are requesting your “right of access” must be in a position to send you a copy of the data it holds about you and to inform you about:

- The purposes of using this data,

- The categories of data collected,

- The recipients or categories of recipients who were able to access this data,

- The data retention period or the criteria that determine this duration,

- The existence of other rights (right of rectification, deletion, limitation, opposition),

- The possibility of contacting the CNIL,

- Any information relating to the source of the data collected if they were not directly collected from you,

- The existence of automated decision-making, including in the case of profiling, and the underlying logic, importance and consequences for you of such a decision.

The request must be made using the same methods as those described above.

The organization may ask you to attach any document to prove your identity (Identity document...). This makes it possible to avoid identity theft. On the other hand, it cannot ask you for supporting documents that would be abusive and disproportionate to your request.

Access to this right is free. In some cases, you may be required to pay reasonable fees for processing your file, for example if you request an additional copy.

What to do in case of refusal or lack of response?

The organization must respond to you as soon as possible and at the latest within one (1) month, which may be extended to three (3) months depending on the complexity of the request or the number of requests that the organization has received. In the latter case, the organization must inform you of the reasons for this extension within one (1) month.

If the organization does not respond within one (1) month or does not inform you of an extension of time, you can send a complaint to the CNIL with the elements attesting to your prior steps.

What are the limits of the right of access?

Some files are subject to specific rules.

For certain police files or files concerning State security, the Law does not allow an individual to directly access the information contained in the file. However, they will be able to access it indirectly through the intermediary of the CNIL.

If the organization considers that your request is unfounded or excessive, it may not act on it provided that it is in a position to prove that your request is “unfounded” or “excessive.” The rights or freedoms of others are also limits: the exercise of your right of access should not interfere with:

- The rights of third parties. Only your data can be communicated under the right of access,

- Intellectual property: for example copyright, when it protects software,

- Business secrecy,

- Etc.

3.4. THE RIGHT TO CORRECTION

You can request the correction of inaccurate or incomplete information about you. This prevents an organization from using or disseminating erroneous information about you.

You can exercise your request for the right to rectification free of charge by various means: by electronic means (Form, email address, download button, etc.) or by post.

The organization may ask you for information to confirm your identity, in case of reasonable doubts about it (copy of an identity document...). If you want to complete your data, you may be asked to provide a statement or additional information. The organization should not ask you for supporting documents that would be abusive or disproportionate to your request.

What to do in case of refusal or lack of response?

The organization must respond to you as soon as possible and at the latest within one (1) month, which may be extended to three (3) months depending on the complexity of the request or the number of requests that the organization has received. In the latter case, the organization must inform you of the reasons for this extension within one (1) month.

If the organization does not respond within one (1) month or does not inform you of an extension of time, you can send a complaint to the CNIL with the elements attesting to your prior steps.

What are the limits of this right?

The right to rectification does not apply to literary, artistic and journalistic treatments.

It is exercised differently for police, gendarmerie, intelligence, FICOBA files. With regard to these files - subject to the right of indirect access via the CNIL - you cannot request correction from the services concerned. A CNIL magistrate is responsible for making the necessary corrections concerning you.

With regard to the correction of data of deceased persons, the heirs may require the organization to take into consideration the death or to provide the necessary updates.

3.5. THE RIGHT TO ERASURE

Whether it is an annoying photo on a website or information collected by an organization that you consider useless, you can get it deleted if at least one of these situations corresponds to your case:

- Your data is used for prospecting purposes,

- The data is not or no longer necessary for the purposes for which they were originally collected or processed,

- You withdraw your consent to the use of your data,

- Your data is being processed illegally (Publication of pirated data...),

- Your data was collected when you were a minor in the context of the information society (Blog, forum, social network, website...),

- Your data must be deleted to comply with a legal obligation,

- You have opposed the processing of your data and the person responsible for the file has no legitimate or compelling reason for not following up on this request.

You can exercise your right to erasure by various means: by electronic means (Form, email address, download button, etc.) or by post, for example.

It is very important to specify exactly what data you want to erase. Indeed, the exercise of this right does not lead to the simple and final deletion of all the data concerning you that is held by the organization. For example, a request to delete your photo on a site will not result in the deletion of your account. Likewise, a request to delete your account will not result in the deletion of invoices and other accounting documents relating to your purchases, for which a legal retention obligation exists.

The organization may ask you to attach a copy of your ID or any other document that can prove your identity, but not supporting documents that are abusive or disproportionate to your request.

What to do in case of refusal or lack of response?

The person responsible for the file has the right to delete it as soon as possible, and at the latest within one (1) month, which may be extended to three (3) months taking into account the complexity of the request. In the latter case, the organization must inform you of the reasons for this extension. In the event of an unsatisfactory response or lack of response within one (1) month, you can contact the CNIL.

What are the limits of this right?

The right to erasure is excluded in a limited number of cases. It should not go against:

- The exercise of the right to freedom of expression and information,

- Compliance with a legal obligation (Ex. invoice retention period = 10 years),

- The use of your data if they concern a public interest in the field of health,

- Their use for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes,

- The establishment, exercise or defense of rights in court.

3.6. THE RIGHT OF PORTABILITY

With the right to data portability, you can request to retrieve the data you have provided to a platform, for personal use or to transmit them to a third party of your choice. This new right aims to strengthen the control of your personal data and to allow you to take advantage of their power as well.

The methodology

On your customer area or on information pages concerning your rights and the data use policy, you must find practical and concrete information allowing you to exercise your right to portability.

To exercise this right with NewEnergy or NewEnergy eve, simply send a written request to the DPO who will export your data and send it to you via a secure platform.

Exportable data/formats

Only data collected with your agreement or under a contract are concerned! The right to portability concerns, for example, information that you have declared (e.g. contact details, likes, ...) but also data drawn from your activity (purchase history, data recorded by a smartwatch, etc.). Conversely, video surveillance images, your tax return, and your badge holder data are not affected by the right to portability. The same goes for data that is derived, calculated, or inferred from the information you provided, for example your rating on an online sales site by other users, your categorization into marketing segments, your loan simulation or your credit risk analysis result.

This data must be provided in a “structured, commonly used and machine-readable” format. This means that the organization must offer you data formats adapted to the type of data concerned, by giving priority to open, interoperable formats. For example, your contact data or address books can be provided in “vCard” (or VCF) format, or your location data in JSON format. More generically, open formats such as CSV or JSON will in many cases be adapted to portability. On the other hand, data provided in a format that is difficult to process (for example an image or a PDF) or a proprietary format whose use involves the acquisition of software or a paid license will in principle not be suitable formats.

What to do in case of opposition?

1. Identify the organization then go to the information page reserved for exercising your rights on the organization's website (“confidentiality policy”, “privacy policy”, “legal notice”, etc.).

2. Ask for details on whether or not there is a device for exercising your right to portability.

3. In case of refusal or absence of satisfactory response, you can file a complaint with the CNIL, remembering to attach the evidence of your approach to the organization (screenshot, email response, etc.).

What are the limits of this right?

Remember that if some data is not portable, and therefore not reusable, it is still likely to be given to you in a “human-readable” format as part of the right of access. For example, your bank should be able to indicate your credit risk analysis to you as part of a request for a right of access, even if it does not have to provide you with this data in a format that meets the requirements of the right to portability (for example, by sending it to you in a written document, in PDF or in web format). The right to portability only applies if your data is processed automatically (paper files are therefore not concerned) and on the basis of your prior consent or for the execution of a contract concluded with you.

The exercise of the right to portability must not affect the rights and freedoms of third parties, whose data would be found in the data transmitted following a request for portability. For example, your telephone operator can send you a list of your contacts, which naturally includes the data of your interlocutors. On the other hand, the new operator to whom you send this list will not be able to use the data of your interlocutors for prospecting.