1. Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the “GDPR”) sets out the legal framework applicable to the processing of personal data.
The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
Within the scope of our business activity, we have to process personal data.
For a proper understanding of this policy, it is specified that:
- the “data controller” is the company UbiCast;
- “processor”’: signifies any natural or legal person who processes personal data on behalf of UbiCast;
- “data subjects”: signifies UbiCast’s clients and/or contacts;
- “data recipients”: signifies any natural or legal persons who receive personal data from UbiCast. Data recipients can therefore be UbiCast’s staff as well as outside organisations (partners, exhibitors, banks, practitioners, etc.).
Article 12 of the GDPR requires that data subjects must be informed about their rights in a concise, transparent, intelligible and easily accessible form.
2. Object
The purpose of this policy is to meet UbiCast's obligation to provide information in accordance with Article 12 of the GDPR and to formalise the rights and obligations of its clients and contacts with respect to the processing of their personal data.
3. Scope
This policy shall apply within the context of setting up all personal data processing that relates to UbiCast's clients and contacts.
UbiCast shall make every effort to ensure that data is processed within a specific, internal governance framework. That being said, this policy only applies to the processing for which UbiCast is the data controller and does not therefore apply to any processing that is not created or operated outside the rules of governance set by UbiCast (“uncontrolled” or "shadow IT" processing).
The processing of personal data can be managed directly by UbiCast or through a processor specifically designated by UbiCast. This policy is independent of any other document that may apply within the contractual relationship between UbiCast and its clients or contacts.
4. General principles & data collection
No processing is carried out within UbiCast concerning client and contact data if it does not involve personal data collected by or for its solutions or processed in relation to its solutions and if it does not comply with the general principles of the GDPR.
The purposes for which UbiCast processes data are the following:
| Management of contractual relationships | Any steps taken by UbiCast to process the orders placed by the client and to perform the agreements. |
| Management of UbiCast’s website | Any steps relating to the management and smooth running of UbiCast’s websites (partner portal, support, ubicast.tv, initial contact, etc.). |
| Management of commercial prospection | Any steps relating to the commercial prospection of clients and contacts by UbiCast. |
| Accounting and tax management | Any steps relating to accounting and tax management, in particular the processing of invoices. |
| Management of online contacts | Any steps relating to the management of online contacts. |
| Management of maintenance and telephone support | Any steps necessary to provide support through electronic means and telephone support for clients and contacts. |
| Reception and switchboard management | Any steps relating to the management of UbiCast’s reception and switchboard. |
| Management of social media | Any social selling process. This includes the collection of data related to subscriptions, posts, likes, replies and forwards, comments, opinions, etc. |
| Event management | Any steps necessary for the organisation of events by UbiCast. |
| Cookies | Management of the cookies used to manage the website. |
This list is intended to be as exhaustive as possible; any new purpose, modification or deletion of an existing processing operation will be brought to the attention of clients and contacts through an amendment to this policy.
Types of data collected
| Non-technical data (depending on the purpose) |
|
| Technical data (depending on the purpose) |
|
Source of the data
The data relating to UbiCast’s clients and contacts is usually collected directly from them (direct collection). Data collection can also be indirect, via specialist companies or via UbiCasts’s partners and suppliers. In that case, UbiCast takes great care to ensure the quality of the data it receives.
Purposes and legal basis
Depending on the case, UbiCast processes your data for the following purposes:
- management of subscriptions to the solutions provided by UbiCast and of requests to unsubscribe;
- managing the newsletter;
- customer relationship management (CRM);
- contact management (GRP);
- managing websites operated by UbiCast;
- managing user accounts on UbiCast’s website;
- cookie management;
- accounting and invoicing management;
- event organisation;
- management of meetings and assemblies;
- managing reports of behaviour contrary to this policy;
- data retention in relation to legal security obligations;
- improvement of the solutions and satisfaction surveys;
- audience acquisition;
- statistics.
These purposes are based both on the existing contractual relationship between UbiCast and its clients and prospects and on its legitimate interest in possessing data about its users and contacts.
Data recipients – Authorisation and Traceability
UbiCast shall ensure that the data is only accessible to authorised internal and external recipients.
| Internal recipients | External recipients |
|
|
Internal recipients at UbiCast who receive the personal data of clients and contacts are subject to an obligation of confidentiality. UbiCast shall decide which recipient is allowed to have access to what data, in accordance with an authorisation policy. Furthermore, personal data may be communicated to any authority that is legally authorised to receive it. In such a case, UbiCast is not responsible for the conditions under which the staff employed by those authorities access and use the data.
Period of retention
The period of data retention is defined by UbiCast in light of any legal and contractual constraints on it or, failing that, depending on its needs, in particular in accordance with the following principles:
| Processing | Retention period |
| Data relating to clients | For the duration of the contractual relationship with the company, plus 3 years for animation and prospection purposes, without prejudice to retention obligations or statutory limitation periods. |
| Data relating to website users | For the time needed to carry out the services provided by the company and 1 year after the last intervention. Cookies: 365 days maximum |
| Data relating to prospects | 3 years from the date of their collection by the company or the last contact from the prospect |
| Technical data collected during connection to the website | 180 days |
| Data relating to invoicing | 10 years as from the date the invoice was issued. |
At the end of the fixed time periods, the data is either deleted or kept after being anonymized, in particular for statistical purposes. The data may be kept for pre-litigation and litigation purposes.
Clients and contacts are reminded that the deletion or anonymization of data is irreversible and that UbiCast will no longer be able to restore the data afterwards.
5. Right of confirmation and right of access
Clients and contacts have the right to request confirmation from UbiCast as to whether or not their data is being processed.
Clients and contacts also have a right of access, which is conditional upon the following rules being respected:
- the request must be made by the data subject him/herself and be accompanied by a copy of an up-to-date identity document;
- the request must be made in writing to the following address: UbiCast - Data Protection Officer, 198 Avenue de France, 75013 Paris, France or to the email address dpo@ubicast.eu.
Clients and contacts have the right to request from UbiCast a copy of their personal data that is being processed. However, in the event of a request for an additional copy, UbiCast shall be entitled to charge the clients and contacts for the cost thereof.
If clients and contacts submit their request for a copy of the data by electronic means, the requested information will be provided in a commonly used electronic form, unless otherwise requested.
Clients and contacts are informed that this right of access cannot concern confidential information or data, or data that is prohibited by law from being disclosed.
The right of access must not be exercised in an abusive manner, i.e. regularly for the sole purpose of disrupting the solution concerned.
6. Management of the rights of data subjects
Right of rectification
UbiCast satisfies update requests:
- automatically for online changes to fields that technically or legally can be updated;
- upon written request from the data subject himself/herself, who must prove his/her identity.
Right to erasure
Clients’ and contacts’ right to erasure will not apply in cases where the processing is carried out to comply with a legal obligation.
Apart from that circumstance, clients and contacts may request the erasure of their data in the following limited cases:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to processing that is necessary for purposes of the legitimate interests being pursued by UbiCast and there are no overriding legitimate grounds for the processing;
- the data subject objects to the processing of his/her personal data for the purpose of marketing, including profiling;
- the processing of the personal data is unlawful.
Pursuant to personal data protection legislation, clients and contacts are informed that this is an individual right that may only be exercised by the data subject in relation to his/her own information: for security reasons, the solution concerned will therefore have to verify the identity of clients and prospects in order to avoid disclosing any confidential information about them to another person.
Right to restriction of processing
Clients and contacts are informed that this right is not intended to apply insofar as the processing carried out by UbiCast is lawful and that all personal data collected is necessary for the performance of its services.
Right of data portability
UbiCast accepts data portability in the specific case where the data has been provided by the clients and contacts themselves, for online solutions offered by UbiCast itself and for purposes based solely on the data subject’s consent. In that case, the data will be provided in a structured, commonly used and machine-readable format.
7. Automated individual decision-making
UbiCast does not make automated individual decisions.
8. Post-mortem rights
Clients and contacts are informed that they have the right to give instructions concerning the retention, deletion and communication of their data post-mortem. The transmission of specific post-mortem instructions and the exercise of their rights can be made by email to dpo@ubicast.eu or by post to the following address: UbiCast - Data Protection Officer, 198 Avenue de France, 75013 Paris, France, accompanied by a copy of a signed identity document.
9. The optional or mandatory nature of answers
On each personal data collection form, clients and contacts are informed by an asterisk about the mandatory or optional nature of the answers. In the case of mandatory answers, UbiCast explains to clients and contacts the consequences of failing to answer.
10. Right of use
Clients and contacts grant UbiCast the right to use and process their personal data for the purposes set forth above. However, enriched data that is the fruit of UbiCast's processing and analysis work, otherwise known as the enriched data, remains the exclusive property of UbiCast (use analysis, statistics, etc.).
11. Processor
UbiCast informs its clients and contacts that it may involve any processor of its choice within the scope of processing their personal data.
In such a case, UbiCast shall ensure that the processor respects its obligations under the GDPR.
UbiCast undertakes to enter into a written agreement with all its data processors and requires those processors to comply with the same data protection obligations as it must comply with itself. Furthermore, UbiCast reserves the right to carry out an audit of its processors in order to ensure compliance with the GDPR.
12. Security
It is UbiCast's responsibility to define and implement the technical security measures, hardware or software, that it deems appropriate to combat the accidental or unlawful destruction, loss, alteration or disclosure of data.
These measures mainly include:
- management of authorisations for data access;
- internal backups;
- identification process;
- use of secure protocols (TLS, SSH);
- backup encryption.
13. Data breach
In the event of a personal data breach, UbiCast undertakes to notify the CNIL in accordance with the requirements of the GDPR.
If the breach poses a high risk to clients and contacts and the data has not been protected, UbiCast shall:
- notify the clients and contacts concerned;
- provide the clients and contacts concerned with the necessary information and recommendations.
14. Cross-border data flows
UbiCast reserves the right to engage in cross-border flows. In that regard, UbiCast shall ensure that these flows fall within the framework of the GDPR, either because the data moves to acceptable countries, or by organising them through binding legal instruments.
15. Data Protection Officer (DPO)
UbiCast has appointed a Data Protection Officer (DPO).
The contact details of the Data Protection Officer are:
- Email address: dpo@ubicast.eu ;
In the event of new processing of personal data, UbiCast will first refer the matter to the Data Protection Officer.
If clients and contacts wish to obtain specific information or ask a specific question, they may refer the matter to the Data Protection Officer, who will give them an answer within a reasonable period of time depending on the question asked or the information required. In the event of problems with the processing of personal data, clients and contacts may contact the appointed Data Protection Officer.
16. Records of processing activity
In its capacity as data controller, UbiCast undertakes to keep up-to-date records of all its data processing activities.
Those records are a document or application listing all the processing operations carried out by UbiCast, as data controller.
UbiCast undertakes to provide the supervisory authority, upon first request, with the information to allow it to verify compliance of the processing with the data protection regulations in force.
17. Right to make a complaint to the CNIL
Clients and contacts concerned about the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of their personal data does not comply with European data protection regulations, at the following address:
CNIL – Service des plaintes
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22
18. Changes
This policy document may be modified or amended at any time in the event of changes in legislation or case law, or CNIL decisions and recommendations, or practices. Any new version of this policy will be brought to the attention of clients and contacts by any means defined by UbiCast, including by electronic means (e.g., by email or online).
19. Further information
For further information, you can contact the following department: dpo@ubicast.eu.
For any other, more general information on the protection of personal data, you can visit the CNIL’s website at the following address: www.cnil.fr.
