Privacy and Personal Data Protection Policy

Introduction

The protection of your personal data (hereinafter "Data") is a priority for NetSyst SAS. The company implements appropriate technical and organisational measures to ensure that the processing of your Data is carried out under secure conditions, in compliance with the General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).

This document describes how NetSyst SAS ensures the compliance of its processing activities and the measures it deploys to ensure that your rights as a data subject are effectively respected.

Terms used in this document with a capital letter (Processing, Data, Data Subject, Controller, Processor, Transfer) refer to the definitions set out in the GDPR.

NetSyst SAS may use cookies or similar technologies to ensure the proper functioning of its services and to tailor the offering presented to you.

Data controller

NetSyst SAS, a French company with registered office at 33, rue de la République, 69002 Lyon, acts as the controller of the Data.

Data Protection Officer (DPO)

NetSyst SAS has appointed a Data Protection Officer (DPO), a dedicated contact for any question relating to the protection of Data. The DPO contributes to integrating GDPR requirements into the processing activities carried out, trains employees and handles requests to exercise your rights. Clients may contact him for support or to liaise with their own DPO.

Principles applicable to the processing of data

The collection and processing of Data by NetSyst SAS are carried out transparently and in compliance with the applicable legal framework.

Purposes of processing

Your Data is used in particular to:

• maintain a smooth relationship with you and appropriate follow-up for clients, partners and prospects;
• allow you to communicate with us and monitor the performance of services (requests, incidents, etc.);
• respond to enquiries made via forms or contact channels on the website;
• offer you surveys (satisfaction) or studies (market), subject to your consent;
• send you commercial communications, news or event invitations when you have consented;
• strengthen the security and performance of the website;
• process applications submitted to NetSyst SAS;
• fulfil obligations arising from contracts concluded with you;
• promote the conclusion or development of partnerships.

Legal bases

Each processing activity is based on one of the grounds provided for by the GDPR:

• the legitimate interest of NetSyst SAS in processing your requests and maintaining a commercial relationship or quality follow-up;
• your consent, for prospecting or the use of certain cookies;
• a legal or regulatory obligation to which NetSyst SAS is subject.

Categories of data concerned

The Data processed is strictly necessary for the purposes pursued (minimisation principle). It may include in particular:

• identity data (surname, first name, contact details);
• elements relating to personal life (contact details, interests mentioned for example in a CV);
• professional information (position, employer, sector);
• connection or location data (in particular deduced from the IP address).

NetSyst SAS endeavours to keep this Data up to date throughout the duration of the processing.

The provision of certain Data may be mandatory to benefit from a service; their absence may restrict or prevent the provision of that service.

Retention periods

Your Data is only retained for the duration required by the purpose of the processing and, where applicable, by applicable legal and regulatory texts.

• For clients and partners: retention for the contractual period, then in accordance with applicable legal requirements;
• For prospects: retention for 3 years from the last contact with NetSyst SAS;
• For applicants: retention of application data for 2 years from the application or last exchange with our teams, unless recruited;
• For evidential purposes (e.g. tickets, emails): possible retention for up to 6 years after the end of the contract, within the limits provided for by the GDPR.

These periods may be extended in the event of a dispute, a request from a competent authority or any other case provided for by law.

Recipients of data

Access to Data is reserved for authorised persons within the framework of an access management policy. NetSyst SAS sets the applicable access and confidentiality rules.

The following may have access to your information:

• the internal departments of NetSyst SAS and, where applicable, group companies that require it;
• persons in charge of administering the tools used for these processing activities;
• sub-contractors possibly engaged by NetSyst SAS;
• in the context of services, the client's teams and partners designated by the client;
• supervisory authorities or authorised auditors, when they act in that capacity.

Security measures

NetSyst SAS implements proportionate technical and organisational security measures to protect your Data against unauthorised access, loss, modification or disclosure.

An Information Systems Security Officer (CISO) is designated to manage information security, support teams and raise employee awareness. They may be contacted in the context of client relations (advice, dialogue with the client's CISO, etc.).

Your rights

Under the GDPR and the French Data Protection Act, you have in particular the rights of access, rectification, erasure, restriction of processing, objection and complaint to the CNIL (https://www.cnil.fr). Where applicable, you may also exercise a right to data portability, withdraw your consent or determine the fate of your data after your death.

This policy constitutes the information provided to data subjects.

To exercise your rights or for any question:

• by post: NetSyst SAS DPO - 33, rue de la République - 69002 LYON;
• by email: dpo@netsyst.fr.

A proof of identity may be requested in the event of doubt. Contact details may also be requested in order to send you the response.

NetSyst SAS undertakes to respond within a maximum period of one month from receipt of the request. This period may be extended to three months in the event of a complex request or a high number of requests.

In the event of a dispute, you may contact the CNIL (3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07), by post or via the online form. You may also take legal action against NetSyst SAS if you consider that the processing of your data infringes the rights you hold under the GDPR.

Evolution of this policy

The version in force is the one whose date appears at the head of the document. NetSyst SAS reserves the right to amend this policy to align it with regulations or the evolution of its business. Any new version replaces the previous one. Continuing to use the services of NetSyst SAS after a new version comes into force constitutes acceptance of that version.