CERIENCE, SAS, whose registered office is located at RTE DE LA MENITRE BEAUFORT EN VALLEE, 9250 BEAUFORT-EN-ANJOU France, registered under number RCS Angers B 822478152, a subsidiary of the TERRENA group (hereinafter CERIENCE), processes Personal Data (as defined below) in the course of its activity, acting both on its own behalf and on behalf of its subsidiaries.
- This Personal Data Protection Policy (the “Policy”) describes how CERIENCE collects, uses, and processes your personal data, in compliance with applicable regulations. CERIENCE values your privacy and is committed to protecting and safeguarding your data confidentiality rights.
- This Policy applies to the personal data that we may collect from our clients, suppliers, and service providers in connection with the performance of all types of commercial contracts. It also applies to the personal data of users of our various websites, people applying for our job offers, and any other individuals we are legitimately required to contact in the course of CERIENCE Group activities.
- Within the framework of the applicable regulations on the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, as amended (together hereinafter the “Personal Data Regulations”), the company responsible for your personal data is CERIENCE.
- CERIENCE may amend this Policy. Please regularly visit this page to review any changes we may publish.
- If you disagree with certain aspects of our Policy, you have legal rights that will be indicated to you where necessary.
- CERIENCE subsidiaries may also collect and process Personal Data. This Policy applies to CERIENCE subsidiaries as well.
Table of Contents
- Introduction
- Definitions
- Collection of Personal Data
- Protection of Children’s Personal Data
- Purposes of Personal Data Collection
- Recipients of Personal Data
- Transfer of Personal Data outside the European Union
- Security of Personal Data
- Data Rights
- Facilitated Contact for Exercising Rights
- Policy Updates
1 Introduction
The personal data protection policy is based on the non-exhaustive principles listed below:
- Comply with optional standards and the recommendations of the French Data Protection Authority (CNIL) and the French National Cybersecurity Agency (ANSSI), while meeting CERIENCE’s operational needs;
- Apply data protection rules from the design stage and during the implementation (“Privacy-by-design,” “Privacy-by-default”) of new products intended to process personal data and limit data collection to what is strictly necessary (“minimization”);
- Continuously monitor compliance with legal obligations and commitments made by CERIENCE throughout the lifecycle of computerized data processing;
- Ensure maximum transparency regarding data processing, except where disclosure could compromise their security;
- Strengthen individuals’ rights and facilitate their exercise.
2 Definitions
“Personal Data” or “Data of a personal nature”: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. “Data Subject”: A natural person whose personal data are processed as described in Article 4. “Data Controller”: A natural or legal person who, alone or jointly with others, determines the purposes of processing and the means used. The Data Controller is generally the Terrena entity that collected the Personal Data. If the Terrena cooperative, parent company of the Terrena Group, provides technical, administrative, marketing, or commercial assistance to this entity, the cooperative may also be considered a Data Controller. “Data Processing”: Operations performed, whether or not by automated means, on personal data, including collection, recording, use, transmission, or communication. “Processor”: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller. “Recipient”: A natural or legal person, public authority, internal or external department, or any other body that receives personal data. “TERRENA”: The Terrena cooperative company and its subsidiaries. “CERIENCE”: The CERIENCE company and its subsidiaries.
3 Collection of Personal Data
The Personal Data that CERIENCE may collect varies depending on the purpose of the processing. They are primarily intended to enable the identification of individuals in the context of their relationships with CERIENCE. In any case, the Personal Data collected will be limited to the data necessary for the purposes described in Article 5 below.
Data Subjects
The Data Subjects of the processing carried out by CERIENCE are:
- Visitors, users, and clients of its websites
- Clients (members and non-members) of SCA Terrena and its subsidiaries
- In-store clients who identify themselves using their loyalty card
- Participants in contests, lotteries, and special operations online or in-store
- Participants in surveys, polls, or panels
- Recipients of promotional or commercial prospecting operations online or offline
- Suppliers and service providers
- Applicants and employees
Collection of personal data
Data may be collected directly from Data Subjects in various ways, including:
- Contracts concluded with CERIENCE;
- Quotations in the context of pre-contractual relationships;
- Appointments;
- Paper or web forms through websites;
- Cookies stored in the web browser of the Data Subjects.
In the event of indirect data collection from third parties (e.g., purchase of files, publicly accessible sources), CERIENCE ensures that Data Subjects are informed at the first contact and at the latest within one month, unless they already possess this information. Note to visitors and users of its websites: certain features and characteristics of the websites can only be used if certain Personal Data is provided. The user is free to provide all or part of the requested Personal Data. However, if the user decides not to provide them, such a decision may prevent the satisfactory achievement of the objectives described in Article 5 below. Some services and features of our websites may not function properly and/or the user may be denied access to certain web pages. Data relating to clients (members and non-members): The data CERIENCE collects about its clients is limited. Generally, CERIENCE requires the contact details of representatives within the client or prospective company (including their name, phone number, and email and postal address) to be able to perform contracts concluded with its clients. As part of customer satisfaction surveys, CERIENCE may also hold information relating to clients’ needs or constraints, which it may then use to ensure that marketing communications are relevant and timely. CERIENCE may also hold additional information that client representatives choose to share, including through loyalty programs. In certain circumstances, when clients interact with certain CERIENCE services or departments, calls may be recorded, in accordance with applicable local laws and requirements. Data relating to suppliers and service providers: CERIENCE also collects data about its suppliers and service providers. For sound management of our business relationships, CERIENCE collects the contact details of representatives within the supplier or service provider company, such as their name, phone number, and email and postal address. CERIENCE may also hold additional information that representatives within the supplier or service provider company choose to share. Data relating to personnel management: For applicants, particularly for job offers at CERIENCE, different types of information are collected to analyze applications with respect to the proposed positions, including identity, personal contact details, professional background, diplomas, and motivations. CERIENCE also collects all information useful for proper staff management, including identity, civil status, personal contact details, professional background, diplomas, bank details, social security number, and administrative information, in accordance with legal and regulatory requirements. Data relating to users of its various websites: CERIENCE collects personal data from users of its websites to improve their usage and to manage the services provided by CERIENCE. This information includes, among others, how the websites are used, how often they are accessed, the type of browser, the location from which users visit CERIENCE’s websites, the language used, and peak visiting times.
4 Protection of Children’s Personal Data
CERIENCE products and services are intended for adults and are not designed to be marketed to minors. CERIENCE does not knowingly collect or retain Personal Data from minors, except in the context of personnel management information.
5 Purposes of Personal Data Collection
Personal Data is collected for CERIENCE’s business needs, such as fulfilling contracts concluded with its clients (members or non-members), suppliers, and other service providers or third parties, to pursue its legitimate interests, or to comply with statutory reporting obligations, as well as for the recruitment of staff and management of CERIENCE employees. CERIENCE collects and uses Personal Data for its activities, in particular to carry out the following activities:
Purposes | Legal Basis | Retention Period |
---|---|---|
Regarding website use | ||
Provide the Websites, products, and services offered on the Websites | Pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | Period necessary to achieve the purpose of processing and for an additional period of five (5) years |
Respond to requests submitted via forms or using contact methods available on the websites | Performance of pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | Period necessary to achieve the purpose of processing and for an additional period of five (5) years |
Regarding all clients (members and non-members) for customer relationship management | ||
Create and manage business accounts to issue quotes, manage orders, reservations, deliveries, and invoicing of products, services, and solutions | Performance of pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | Five (5) years from the Client’s last activity, then archived for an additional five (5) years |
Manage inquiries, questions, and complaints | Performance of pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | Five (5) years from each inquiry, question, or complaint |
Understand and profile clients, monitor relationships, improve and personalize communications, offers, and advice, carry out statistical studies | Legitimate interest | Five (5) years from the Client’s last activity, then archived for an additional five (5) years |
Use personal data as a client in order to be recognized as such for other services offered by other companies of the Terrena group | Legitimate interest | Five (5) years from the Client’s last activity, then archived for an additional five (5) years |
Provide digital tools, financial management services, and regulatory data, and ensure the security of these tools | Legitimate interest | Five (5) years from the Client’s last activity, then archived for an additional five (5) years |
Manage commercial prospecting by post and phone, or electronic prospecting for similar products and services | Legitimate interest | Three (3) years from your last activity, then destroyed |
Regarding all suppliers | ||
Manage purchasing and supply:
| Legitimate interest | Five (5) years from the Supplier’s last activity, then archived for an additional five (5) years |
Regarding marketing and prospecting | ||
Send promotions and offers, personalized or not, by electronic means | Consent | Three (3) years from the last activity |
Participation in contests, lotteries, prize draws | Performance of pre-contractual measures at your request and/or performance of the contract | Three (3) years from the closing of the relevant contest |
Regarding all applicants | ||
Analysis of applications with respect to proposed positions | Legitimate interest | 1 month if the applicant is not selected, with the possibility of CV database insertion for a maximum of 2 years |
Regarding compliance with legal and regulatory obligations, defense of rights, safeguarding interests, and anti-fraud measures, particularly in connection with general accounting and tax obligations. | ||
Accounting and taxation: Retention of invoices and other documents | Compliance with legal and regulatory obligations | Personal data processed in connection with accounting and tax obligations are retained for the duration of the current fiscal year plus one (1) year, then archived for ten (10) years |
Exercise of Users’ and/or Clients’ rights: Management of rights requests (communications, extracts of required information) | Compliance with legal and regulatory obligations | Personal data relating to rights requests are retained for three (3) or six (6) years depending on the right exercised. Where an identity document was required, it is deleted once verification is completed. |
Defense of CERIENCE rights and anti-fraud: Establishment and retention of evidence necessary to defend rights in connection with claims or actions against it by Users and/or Clients and anti-fraud measures | Legitimate interest | Personal data necessary to establish and retain evidence for defense are kept for the duration of applicable legal limitation periods, or for the duration of disputes, until a final enforceable judgment is rendered |
Public and judicial authorities: Management of requests from public or judicial authorities and communications with authorities | Legitimate interest | Personal data relating to authority requests are retained for the duration of the relevant procedure until a final enforceable judgment is rendered |
If CERIENCE processes Users’ and/or Clients’ personal data for purposes other than those listed above, CERIENCE will take any additional steps necessary to ensure legal compliance of such processing.
6 Recipients of Personal Data
To achieve the purposes described above and only to the extent necessary, the personal data we collect may be transmitted to all or some of the following recipients:
Within the Terrena Group:
- Subsidiaries of the Terrena Group responsible for the conclusion, management, and execution of contracts and orders;
- Subsidiaries of the Terrena Group responsible for marketing, customer relations, complaints, prospecting, administrative services, IT services, online advertising, or commercial prospecting;
- Subsidiaries of the Terrena Group responsible for centralized management of our customer databases;
- Any other subsidiary of the Terrena Group whose involvement is necessary for processing operations carried out in accordance with this Policy.
Outside the Terrena Group:
- Our service providers involved in all or part of the identified processing (in particular IT providers maintaining the website, partners in online advertising and personalized communications, those in charge of product delivery);
- Our partners providing services available on our website or services accessible through loyalty programs;
- Our partners selling products or services directly from our website;
- Our partners involved in the creation and distribution of commercial prospecting campaigns;
- Our partners involved in the process of delivering personalized online advertising or commercial prospecting;
- Suppliers of products and services from Terrena Group’s partner brands that may receive your personal data.
7 Transfer of Personal Data outside the European Union
CERIENCE ensures that data is stored and transferred securely. Consequently, data occasionally transferred outside the European Economic Area (EEA) (including EU member states plus Norway, Iceland, and Liechtenstein) will only be transferred to countries that comply with data protection legislation and where transfer mechanisms ensure adequate protection of your data. To ensure that personal data receives an adequate level of protection, appropriate procedures are established with third parties with whom personal data is shared, ensuring that such data is handled consistently and lawfully.
8 Security of Personal Data
The “processing” of Personal Data includes, in particular, the use, storage, recording, transfer, adaptation, analysis, modification, declaration, sharing, and destruction of Personal Data as necessary in light of the circumstances or legal requirements.
8.1 Data Security by TERRENA
TERRENA places particular importance on the security of Personal Data. TERRENA implements technical and organizational measures, taking into account the level of sensitivity of the Personal Data, in order to ensure the integrity and confidentiality of the data and to protect them against malicious intrusion, loss, alteration, or disclosure to unauthorized third parties. Whenever possible and necessary, the following measures are taken:
- Encryption;
- Anonymization;
- Pseudonymization;
- Deployment of tools ensuring the confidentiality, integrity, and availability of systems;
- Deployment of tools allowing the restoration of availability and access to your personal data in the event of a technical incident.
All Personal Data being confidential, access is restricted to employees, subcontractors, or business partners who need it in the course of performing their duties.
8.2 Data Security by Data Recipients
In the event of using applications, services, or products provided by third parties, Terrena ensures with their publishers that they comply with legal requirements and allow the protection of the data to be processed therein. Thus, in line with its commitments, Terrena carefully selects its subcontractors and service providers and requires them to:
- Ensure a level of protection for Personal Data at least equivalent to its own;
- Use Personal Data solely for the purpose of managing the services they must provide;
- Strictly comply with applicable legislation and regulations regarding confidentiality, banking secrecy, and Personal Data;
- Implement all appropriate measures to ensure the protection of Personal Data they may process;
- Define the necessary technical and organizational measures to ensure security.
If you suspect misuse, loss, or unauthorized access to your personal information, please notify us immediately.
9 Data Rights
Article 15 of the General Data Protection Regulation recognizes the right of any natural person to obtain from the Data Controller confirmation as to whether or not Personal Data concerning them are being processed, and, where that is the case, access to said data. CERIENCE has implemented appropriate Personal Data protection mechanisms to ensure that Personal Data are used in accordance with the purposes indicated above and to ensure their accuracy and updating.
Right to Object:
You may at any time object to our processing of your personal data. Your objection request will be handled promptly, and we will cease the activity to which you object. However, we reserve the right not to cease the activity in question if:
- We can demonstrate that we have legitimate and compelling grounds for processing your data that override your interests; or
- We process your data for the establishment, exercise, or defense of legal claims.
If your objection concerns direct marketing, we must comply with your objection by ceasing this activity as it relates to you.
Right to Withdraw Consent:
If we have obtained your consent to process your personal data for certain activities other than those for which no consent is required, you may withdraw this consent at any time, and we will cease the specific activity for which you had consented, unless we consider that another legal basis justifies continuing the processing of your data for that purpose, in which case we will inform you of this situation.
Access Requests:
You may at any time request confirmation of the information we hold about you, and you may request that we modify, update, or delete it. We may ask you to verify your identity and request additional information regarding your request. If we provide you with access to the information we hold about you, we will not charge you for this access unless your request is “manifestly unfounded or excessive.” If you request additional copies of this information, we may charge a reasonable administrative fee where permitted by law. Where permitted by law, we may refuse your request. If we do so, we will always provide you with reasons for this refusal.
Right to Erasure:
You have the right to request that we erase your personal data under certain circumstances. In principle, the relevant information must meet one of the following criteria:
- The data are no longer necessary to pursue the purposes for which we initially collected and/or processed them;
- You have withdrawn your consent to our processing of your data and there is no other valid reason for us to continue processing it;
- The data have been processed unlawfully;
- The data must be erased in order for us to comply with our legal obligations as Data Controller; or
- In cases where we process the data because we believe it is necessary for our legitimate interests, you object and we are unable to demonstrate compelling legitimate grounds to continue the processing.
We may refuse to comply with your request only for one of the following reasons:
- To exercise the right to freedom of expression and information;
- To comply with legal obligations;
- For reasons of public health in the public interest;
- For archiving, research, or statistical purposes; or
- To exercise or defend a legal claim.
When we respond to a valid data erasure request, we will take all appropriate practical steps to delete the relevant data.
Right to Restrict Processing:
You have the right to request that we restrict the processing of your personal data in certain circumstances. This means we may only continue to store your data and will only be able to carry out further processing in one of the following cases: (i) resolution of one of the circumstances listed below; (ii) your consent; or (iii) further processing is necessary for the establishment, exercise, or defense of legal claims, the protection of another person’s rights, or for important public interest reasons of the European Union or a Member State. The cases in which you are entitled to request restriction of the processing of your personal data are as follows:
- Where you contest the accuracy of the personal data we process about you. In this case, our processing of your personal data will be restricted while the accuracy of the data is being verified;
- Where you object to our processing of your personal data for our legitimate interests. You may request that the data be restricted while we verify our grounds for processing your personal data;
- Where your data have been processed unlawfully by us, but you prefer us to restrict their processing rather than erase them; and
- Where we no longer need to process your personal data but you require them in order to establish, exercise, or defend legal claims.
If we have disclosed your personal data to third parties, we will notify them of the restricted processing unless this proves impossible or involves disproportionate effort. Of course, we will notify you before lifting any restriction on the processing of your personal data.
Right to Rectification:
You also have the right to request that we rectify inaccurate or incomplete personal data we hold about you. If we have disclosed this personal data to third parties, we will inform them of the rectification unless this proves impossible or involves disproportionate effort. Where applicable, we will also inform you to which third parties we have disclosed this inaccurate or incomplete personal data. If we reasonably decide not to comply with your request, we will explain the reasons for our decision.
Right to Data Portability:
If you wish, you have the right to transfer your personal data from one data controller to another. In practice, this means that you are able to transfer the data to another online platform. To enable you to do so, we will provide your data in a readable format. This right to portability applies to the following data: (i) personal data we process automatically (i.e., without human intervention); (ii) personal data you provide; and (iii) personal data we process on the basis of your consent or in the performance of a contract.
Right to Define General or Specific Directives Relating to the Retention, Erasure, or Disclosure of Personal Data After the Death of a User and/or Client:
You have the option to define general or specific directives regarding how you wish your rights, guaranteed by applicable regulations, to be exercised after your death. 1. General directives concern all of your personal data and may be revoked at any time. They may be recorded with a trusted digital third party certified by the French Data Protection Authority (CNIL). Specific directives concern the processing mentioned by these directives and are recorded with us: they are subject to your specific consent and may be revoked at any time.
Right to Lodge a Complaint with a Supervisory Authority:
If, after contacting us in this regard, you believe that your rights relating to your personal data are not being respected, you may lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (3 place de Fontenoy - TSA 80715 – 75334 Paris cedex 07 - phone: +33 1 53 73 22 22 or https://www.cnil.fr/en/complaints). It is important that the personal information we hold about you is accurate and up to date. Please inform us of any changes to your personal information during the period in which we hold your data.
10 Facilitated Contact for Exercising Rights
Although CERIENCE has taken reasonable measures to protect Personal Data, no transmission or storage technology is completely infallible. However, CERIENCE is committed to ensuring the protection of Personal Data. If you have reason to believe that the security of your Personal Data has been compromised or that they have been misused, you are invited to contact CERIENCE at dataprotection[@]cerience.fr. You may exercise your rights at any time, as well as contact the Data Protection Officer at the following address:
- By mail at the following address: CERIENCE (Terrena Group), Data Protection/DPO, 7 avenue Jean Joxé, CS 20248, 49002 ANGERS, France; or
- By email at the following address: dataprotection[@]cerience.fr
11 Policy Updates
This Policy may be updated as needed by CERIENCE and according to circumstances or if required by law. We therefore invite you to regularly review any updates. CERIENCE undertakes to comply with legal or regulatory developments concerning Personal Data. As such, CERIENCE reserves the right to modify its processing and security measures at any time, and to adapt its data privacy policy accordingly.