
Data protection policy

We want to work with you, our customers, partners, service providers, suppliers and trainees, in complete confidence. This policy therefore sets out what we do with the personal data of individuals in our capacity as data controller.

This document tells you what personal data we collect and that you provide to us, why we do so, when we disclose it to third parties, how we store and secure it, and how you can exercise your rights to your data.

If you have any questions about this policy, please contact our Data Protection Officer (DPO) at dpo@apave.com.

Why do we collect and use personal data?

We collect personal data directly from you or through your employer or an authorized person in order to:

  • ensure the performance of a contract or the general terms and conditions of an Apave online service (follow-up of the contract, preparation and performance of the intervention and service; quality control);
  • comply with our legal or regulatory obligations;
  • fulfill specific purposes after obtaining your explicit and positive consent;
  • pursue our legitimate interests, such as tailoring our offers to your needs, and ensuring the security of our information system.

A few examples: we may send you, via your e-mail address, a reminder to renew your accreditation or certification; we may inform you of new applications or services available for your sector of activity.

In addition, if you contact us, we will keep a record of your request to enable us to process it as efficiently as possible.

 

What personal data do you provide or do we collect?

When you contact us, or ask us to contact you for the services that interest you, you agree to provide us with the following personal data: surname, first name, e-mail address, telephone number, information you share yourself, such as your job title, activity, cookies.

 

In order to provide our services, we collect personal and professional identification data such as surname, first name, business telephone number, date of birth (trainees and professional training), business e-mail address, signature, job title, photograph where applicable; data concerning technical skills; financial data linked to invoicing.

 

We also use personal data generated following training: attendance sheet, date of certificate issue, training evaluation, authorizations and titles. Once you have completed a training course, we inform you of the need to renew your qualification in order to help you maintain it.

When you wish to access the online services to which you have subscribed, you provide the following personal data: surname, first name, professional e-mail address, professional telephone number.

 

We also store your consent to receive information, such as the news you subscribe to, as well as your withdrawal of consent to processing to which you had previously consented.

 

To meet a specific purpose, we may collect health data, particularly in the field of radiation and certain training courses. Further details will be provided where necessary.

 

When do we pass on your personal data to third parties?

We only pass on your personal data to third parties in the following cases:

  • To internal Apave Group departments responsible for carrying out these purposes.
  • For external processing purposes: we transmit this data to trusted persons who process it on our behalf, according to our instructions, in compliance with the GDPR and with any other appropriate security and confidentiality measures. In particular, we use service providers to ensure data backup and hosting.
  • For legal or regulatory reasons: we may share personal data to comply with legal, regulatory and administrative obligations, to detect, prevent or deal with fraudulent activities, security breaches or any technical problems, or during external evaluations and audits by authorities (or their representatives).

 

How do we store and secure your personal data?

We implement the necessary and appropriate organizational and technical security measures against any unauthorized access, modification, disclosure or destruction of the data we store. The Information System Security Policy (ISSP) can be sent to you for further details of these measures.

These measures include the following:

  • We collect only the data necessary for the specified, explicit and legitimate purposes declared.
  • Apave employees, subcontractors, service providers and contacts who need access to personal data to perform their roles, functions and responsibilities:
    • are authorized and have access strictly reserved to them;
    • are made aware and/or trained, depending on their roles, functions and responsibilities;
    • have signed a confidentiality agreement and have been informed of the risks and penalties for breaching this obligation.
  • We encrypt data when necessary.
  • We carry out internal audits and audits of our suppliers handling personal data on behalf of Apave.

When we use subcontractors to carry out specific processing activities, we ensure that these subcontractors comply with the same obligations and present sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing of personal data meets the requirements of the regulations in force. We will then formally conclude an agreement for the outsourcing of personal data.

 

We store personal data for the duration of the business relationship, then archive or delete it. In certain cases, we reserve the right to retain data for a longer period, in particular to prevent possible litigation and to meet our legal and regulatory obligations.

 

In the case of data processed with consent, we delete it as soon as consent is withdrawn.

 

We do not transfer personal data outside the European Union. In the event that we are required to do so for the purposes of a contract, we undertake to put in place appropriate safeguards and to obtain prior authorization for the transfer. In any case, we remain responsible for our commitments regarding personal data.

 

How can you exercise your rights regarding personal data?

In accordance with the law transposing the General Regulation on the protection of personal data, you have rights that we are obliged to respect:

  • A right to information about the processing of your data in a clear, fair and transparent manner;
  • A right of access to your personal data: you have the right to obtain from us confirmation as to whether or not your data is being processed, the purposes for which it is being processed, the recipient of the data, any transfer of the data and a copy of the data;
  • A right to rectify inaccurate or incomplete data: you can obtain from us the rectification of your data if it proves to be erroneous or inaccurate;
  • A right to object to certain processing operations, in particular those aimed at commercial prospecting;
  • A right to withdraw consent to data processing, without the effects of such withdrawal being retroactive;
  • A right to erase data that has been unlawfully processed: you have the right to be forgotten only if the processing of your data does not concern the performance of the contract and you have cancelled the contract;
  • A right to portability, enabling you to receive your data in a usable format so that it can be transferred to another service provider. Data portability applies only to data that you have supplied to us, and only if processing is based on consent or contract;
  • A right to restrict processing;
  • A right to give instructions concerning the storage, deletion and communication of your data after your death.

To exercise your rights, simply contact the DPO at dpo@apave.com, or by post to Apave for the attention of the DPO at 191 rue de Vaugirard 75738 Paris cedex 15. You can also lodge a complaint with a Data Protection Supervisory Authority, in France the CNIL.

 

How do we deal with personal data breaches?

We take data breaches very seriously.

In the event of a breach of your personal data that could pose a risk to your rights and freedoms, Apave's DPO will notify the CNIL of the breach as soon as possible, and if possible no later than 72 hours after becoming aware of it. Apave will also inform the person concerned as soon as possible, in accordance with the provisions of Article 34 of the GDPR.

 

Review and update of our data protection policy

We undertake to process personal data in accordance with the legal provisions in force.

 

This policy will be reviewed in line with changes in the texts. You will be regularly informed of any such updates.

 

(Updated on 20/11/2019)