We are very pleased that you have shown interest in our company. Data protection is a priority for Datalog Finance. The use of our website is possible without submission of personal data; however, if a person concerned wishes to use special services of the company via our website, processing of personal data may be necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we obtain the consent of the person concerned.

The processing of personal data, such as the name, address, e-mail address or telephone number of a data subject, must always comply with the General Data Protection Regulation (GDPR) and national data protection regulations applicable to Datalog Finance. With this data protection declaration, our company wishes to inform the general public about the nature, extent and purpose of the personal data we collect, use and process. In addition, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.

As data controller, Datalog Finance has implemented numerous technical and organizational measures to ensure the most complete protection of the personal data processed via this website. However, data transmissions over the Internet may have security gaps, so absolute protection cannot be guaranteed. For this reason, each person concerned is free to transmit personal data to us by other means, for example by telephone.

Definitions

Datalog Finance data protection declaration is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection statement must be legible and understandable to the general public, as well as to our customers and business partners. To do this, we would first like to explain the terminology used.

In this data protection statement, we use the following terms, among others:

Personal Information

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Persons concerned

The data subject represents any identified or identifiable natural person whose personal data are processed by the controller.

Transformation

Processing is any operation or set of operations carried out on personal data or personal data sets, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.

Data transformation restriction

The data are marked only in order to limit their processing in the future.

Profiling

Profiling means any form of automated processing of personal data consisting in using personal data to evaluate certain aspects of the personality of a natural person, in particular to analyze or predict aspects concerning the performance at work of that natural person, the economic situation, health, personal preferences, interests, reliability, behaviour, place or movement.

Pseudonymization

Pseudonymisation represents the processing of personal data in such a way that personal data can no longer be attributed to a given person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Data controller

The controller is the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the law of the Union or the Member State, the controller or the specific criteria for his appointment may be provided for by Union or Member State law.

It may be a processor (a public authority, an agency or any other body) processing personal data on behalf of the controller.

Recipient

The recipient is a natural or legal person, a public authority, an agency or other body to which personal data are communicated, whether or not it is a third party. However, public authorities which may receive personal data in the context of a particular investigation in accordance with Union or Member State law shall not be regarded as recipients; the processing of this data by such public authorities shall comply with the applicable data protection rules, in accordance with the purposes of the processing.

Third parties

A third party is a natural or legal person, a public authority, an agency or a body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or the processor, are authorized to process personal data.

Consent

The data subject’s consent is any freely given, specific, informed and unambiguous indication of the data subject’s intention, by which the data subject, by a clear declaration or affirmative action, signifies his or her consent to the processing of personal data concerning him or her.

Name and address of the delegate

Responsible for processing for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other data protection provisions:

Datalog Finance
25 rue de Tolbiac 75013 Paris, France
Telephone: +33 1 44 08 80 10
Datalog Finance is represented by Imad Ben Mariem, CEO. For any request related to data processing, please contact privacy@datalog-finance.com.

Website: www.datalog-finance.com/en

Anyone concerned may contact our Data Protection Officer directly at any time with any questions or suggestions concerning data protection.

Cookies

The web pages of the Datalog Finance website use cookies. Cookies are text files that are stored in a computer system via an Internet browser.

Many websites and servers use cookies. Many cookies contain a cookie ID. A cookie ID is a unique identifier on a cookie. This is a character string through which web pages and servers can be assigned to the specific web browser in which the cookie was stored. This allows visited websites and servers to differentiate the individual browser from the subject of other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified using a unique cookie.

Through the use of cookies, Datalog Finance can provide users of this website with more user-friendly services that would not be possible without the installation of cookies.

By means of a cookie, the information and offers on our website can be optimized according to the user. Cookies allow us, as previously mentioned, to recognize users of our website. The purpose of this recognition is to facilitate the use of our website. The website user who uses cookies, for example, does not need to enter access data each time he accesses the website, because he is supported by the website, and the cookie is therefore stored on the user’s computer system. Another example is a cookie from a shopping cart in an online store. The online store remembers the items that a customer placed in the shopping cart via a cookie.

The person concerned can, at any time, prevent the installation of cookies through our website by means of a corresponding configuration of the Internet browser used, and can therefore permanently refuse the installation of cookies. In addition, cookies already configured can be deleted at any time via an Internet browser or other software.

Collection of data and general information

Datalog Finance website collects a series of general data and information when a person concerned or an automated system sends a request to the website. This general data and information is stored in the server log files. The data collected may be (1) the types and versions of browsers used, (2) the operating system used by the access system, (3) the website from which an access system accesses our website (called referrer), (4) the web pages, (5) the date and time of access to the Website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the access system, and (8) any other similar data and information that may be used in the event of attacks against our computer systems.

When using this general data information, Datalog Finance does not draw any conclusions about the data subject. This information is important to (1) deliver our website content properly, (2) optimize our website content and advertising (as of May 25, 2018, the date of implementation of the GDPR we do not advertise), (3) ensure the long-term viability of our computer systems and website technology, and (4) provide law enforcement authorities with the information necessary to prosecute cyber-attacks. It is for these reasons that Datalog Finance analyses the data and information collected anonymously and statistically, with the aim of increasing data protection and data security in our company and ensuring an optimal level of protection for the personal data we process. The anonymous data in the server log files are stored separately from any personal data provided by the data subject.

Possibility of contact via the website

Datalog Finance website contains information that allows quick electronic contact with our company, as well as direct communication with us, which also includes a generic e-mail address. If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data voluntarily transmitted by a data subject to the controller are kept for the purpose of processing or contact with the data subject. There is no transfer of these personal data to third parties.

Routine deletion and blocking of personal data

The controller shall process and store the personal data of the data subject only for the period necessary to achieve the storage purpose or to the extent authorized by the European legislator or other legislators in the laws or regulations to which the controller is subject.

If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, personal data are systematically blocked or deleted in accordance with legal requirements.

Rights of the data subject

Right of confirmation

Each data subject has the right, granted by the European legislator, to obtain confirmation from the controller whether or not personal data relating to him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he may, at any time, contact any employee considered to be responsible for the processing.

Right of access

Each data subject has the right, granted by the European legislator, to obtain from the controller free information on his personal data stored at any time, as well as a copy of such information. In addition, European directives and regulations grant the data subject access to the following information:

• The purposes of the treatment.
• The categories of personal data concerned.
• The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations.
• If possible, the envisaged period for which the personal data will be kept or, if this is not possible, the criteria used to determine this period.
• The existence of a right to ask the controller to rectify or erase personal data, or to limit the processing of personal data concerning the data subject, or to oppose such processing.
• The existence of the right to file a complaint with a supervisory authority.
• Where personal data are not obtained from the data subject, any information available as to their source.
• The existence of an automated decision-making process, including profiling, as referred to in Article 22(1) and (4) of the GDPR and, at least in such cases, useful information on the logic involved and on the importance and envisaged consequences of such processing for the data subject.

In addition, the data subject has the right to obtain information on the transfer of personal data to a third country or to an international organization. In such cases, the person concerned shall have the right to be informed of the appropriate safeguards relating to the transfer.

If a data subject wishes to avail himself of this right of access, he may, at any time, contact any employee considered to be the controller.

Right of rectification

Each data subject has the right, granted by the European legislator, to obtain from the controller, without undue delay, the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing an additional declaration.

If a data subject wishes to exercise this right of rectification, he may, at any time, contact any employee of the controller.

Right to erasure (Right to forget)

Each data subject has the right, granted by the European legislator, to obtain from the controller the erasure of personal data relating to him without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies, provided that the processing is not necessary:

• Personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
• The data subject shall withdraw the consent on the basis of which the processing is based in accordance with Article 6(1)(a) of the GDPR or Article 9(2)(a) and where there are no other legal grounds for the processing.
• The data subject objects to the processing in accordance with Article 21.1 of the GDPR and there are no compelling and legitimate reasons for the processing, or the data subject objects to the processing in accordance with Article 21.2 of the GDPR.
• Personal data have been unlawfully processed.
• Personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject.
• Personal data have been collected in connection with the provision of information society services referred to in Article 8(1) of the GDPR.

If one of the reasons mentioned applies and a data subject wishes to request the deletion of personal data stored by Datalog Finance, he may, at any time, contact any employee considered as responsible for processing. A Datalog Finance employee must ensure that the deletion request is met immediately.

Where the controller has made personal data public and is required under Article 17(1) to erase personal data, the controller shall, having regard to the technology available and the cost of implementation, take reasonable measures, including technical measures, to inform the other controllers of the processing of personal data that the data subject has requested the erasure by those controllers of any link to, or any copy or replication of, those personal data, to the extent that processing is not necessary. A Datalog Finance employee will take the necessary measures in individual cases.

Right to restrict processing

Each data subject has the right, granted by the European legislator, to obtain from the controller a processing limitation where one of the following conditions applies:

• The accuracy of the personal data is contested by the data subject for a period allowing the controller to verify the accuracy of the personal data.
• The processing is unlawful and the data subject objects to the deletion of personal data and instead requests that their use be limited.
• The controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal proceedings.
• The data subject has objected to the processing operation in accordance with Article 21(1) of the GDPR pending verification that the legitimate reasons of the controller outweigh those of the data subject.

If one of the above conditions is met and a data subject wishes to request the limitation of the processing of personal data stored by Datalog Finance, he may at any time contact any employee considered as responsible for the processing. The Datalog Finance employee will organize the processing restriction.

Right to data transferability

Each data subject has the right, granted by the European legislator, to receive personal data concerning him or her, which have been provided to a controller, in a structured, commonly used and machine-readable format. He shall have the right to forward such data to another controller without hindrance on the part of the controller to whom the personal data have been disclosed, provided that the processing is based on consent in accordance with Article 6(1)(a) of the GDPR or Article 9(2)(a), of the GDPR, either in the context of a contract within the meaning of Article 6(1)(b) of the GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his right to the transferability of data in accordance with Article 20(1) of the GDPR, the data subject has the right to have his personal data transferred directly from one controller to another, where technically possible and without prejudice to the rights and freedoms of others.

To assert the right to data transferability, the data subject may at any time contact any Datalog Finance employee.

Right of opposition

Each data subject has the right, granted by the European legislator, to object at any time, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her, which is based on Article 6(1)(e) or (f) of the GDPR. This also applies to profiling on the basis of these provisions.

Datalog Finance will no longer process personal data in case of opposition, unless we can demonstrate compelling and legitimate reasons for the processing that outweigh the interests, rights and freedoms of the person concerned, or for the establishment, exercise or defense of legal rights.

If Datalog Finance processes personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him/her for direct marketing purposes. This applies to profiling insofar as it is linked to this type of direct marketing. If the data subject objects to the processing of Datalog Finance for direct marketing purposes, Datalog Finance will no longer process personal data for these purposes.

Furthermore, the data subject has the right, on grounds relating to his/her particular situation, to object to the processing of personal data concerning him/her by Datalog Finance for scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.

To exercise their right to object, the person concerned may contact any Datalog Finance employee. In addition, the data subject is free, in the context of the use of information society services and Directive 2002/58/EC, to use his right of objection by automated means using technical specifications.

Automated individual decision making, including profiling

Each data subject has the right, granted by the European legislator, not to be the subject of a decision based solely on automatic processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar manner, provided that the decision (1) is not necessary for the conclusion or performance of a contract between the data subject and a data controller, or (2) is not authorized by the law of the Union or the Member State to which the controller is subject and that such decision (1) is not necessary for the conclusion or performance of a contract between the data subject and a controller, or (2) is not authorized by the law of the Union or the Member State to which the controller is subject.

If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and a controller, or (2) if it is based on the explicit consent of the data subject, Datalog Finance implements appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, at least the right to obtain human intervention from the controller, to express his or her point of view and to challenge the decision.

If the person concerned wishes to exercise the rights relating to automated individual decision making, he may, at any time, contact any Datalog Finance employee.

Right to withdraw consent to data protection

Each data subject has the right, granted by the European legislator, to withdraw his consent to the processing of his personal data at any time.

If the data subject wishes to exercise his right to withdraw his consent, he may, at any time, contact any Datalog Finance employee.

Data protection in the context of a recruitment procedure

The controller collects and processes candidates’ personal data in the context of a recruitment procedure. Processing may also be carried out electronically. This is notably the case when an applicant submits to the controller the relevant documents for his/her application by e-mail or by means of an online form on the website. If the controller concludes an employment contract with an applicant, the data transmitted will be kept for the purpose of processing the employment relationship in accordance with legal requirements. If the controller does not conclude an employment contract with the applicant, the documents of the application shall be automatically erased two months after the notification of the refusal decision, provided that no other legitimate interest of the controller opposes the erasure. Another legitimate interest in this relationship is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

Data protection provisions regarding the application and use of Google Analytics (with anonymization function)

On this website, the controller has integrated the Google Analytics component (with the anonymization function). Google Analytics is a web analytics service. Web analytics is the collection and analysis of data on the behaviour of website visitors. A web analytics service collects, among other things, data on the website from which a person originates (the so-called referrer), the subpages visited or the frequency and duration of consultation of a subpage. Web analysis is mainly used to optimize a website and to carry out a cost-benefit analysis (return on investment) of advertising on the Internet (as of May 25 2018, Datalog Finance has never used advertising linked to an advertising network likely to broadcast its brand on Adwords, Adsense, display, etc.).

The operator of the Google Analytics component is Google Inc. 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

For web analysis through Google Analytics, the controller uses the “Anonymize” application. Thanks to this application, the IP address of the Internet connection of the person concerned is abbreviated by Google and made anonymous when accessing our websites from a member state of the European Union or from another contracting state to the European Economic Area Agreement.

The purpose of Google Analytics is to analyze traffic to our website.

Google uses the data and information collected, among other things, to evaluate the use of our website and to provide online reports, which show website activity on our websites, and to provide us with other services relating to the use of our website.

Google Analytics places a cookie on the person’s computer system. The definition of cookies is explained above. With the setting of the cookie, Google is activated to analyze the use of our website. For each call to an individual page on this website, which is operated by the controller and in which a Google Analytics component has been integrated, the web browser of the information system of the person concerned automatically transmits data via Google Analytics for the purpose of online advertising and commission payments to Google. During this technical procedure, Google acquires knowledge of personal information, such as the IP address of the person concerned, which is used by Google, among other things, to understand the origin of visitors and clicks, and then create commission payments.

The cookie is used to store personal information, such as the time of access, the location from which access was made and the frequency of visits to our website by the person concerned. Whenever you visit our website, this personal data, including the IP address of the Internet access used by the person concerned, will be transmitted to Google in the United States. This personal data will therefore be stored by Google in the United States. Google may transfer this personal data collected through the technical process to third parties.

As stated above, the person concerned can prevent the installation of cookies via our website at any time by means of a corresponding setting on the web browser used and thus permanently refuse the installation of cookies. Such an adjustment of the web browser used would also prevent Google Analytics from setting a cookie in the data subject’s computer system. In addition, cookies already used by Google Analytics can be deleted at any time via a web browser or other software.

In addition, the data subject has the opportunity to object to the collection of data generated by Google Analytics, which is linked to the use of this website, and to the processing of data by Google and the ability to object to such collection. To do so, the person concerned must download an additional browser under the link https://tools.google.com/dlpage/gaoptout and install it. This browser add-on tells Google Analytics via JavaScript that data and information about web page visits cannot be transmitted to Google Analytics. The installation of browser extensions is considered an objection by Google. If the data subject’s computer system is subsequently deleted, formatted or newly installed, the data subject must reinstall browser extensions to disable Google Analytics. If the browser extension has been uninstalled by the person concerned or any other person that is attributable to their area of responsibility, or is disabled, it is possible to perform the reinstallation or reactivation of browser extensions.

Further information on Google’s data protection policy can be found at https://www.google.com/intl/en/policies/privacy/ and at http://www.google.com/analytics/terms/us.html. Google Analytics is explained in more detail at https://www.google.com/analytics/.

Data protection provisions regarding the use and application of Google My Business

On this website, the controller has integrated the Google My Business button as a component. Google My Business is a social network. A social network is a social meeting place on the Internet, an online community, which generally allows users to communicate with each other and interact in a virtual space. A social network can serve as a platform for the exchange of opinions and experiences, or enable the Internet community to provide personal or business information. Google My Business allows users to include private profile creation, photo uploading and network creation through friend requests.

Google My Business operating company is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The Internet browser of the information system of the person concerned automatically downloads a display of the corresponding Google My Business button from Google via the Google My Business button corresponding to each call to one of the individual pages of this website, which is operated by the controller and on which a Google My Business button has been integrated, the Internet browser of the information system of the person concerned automatically downloads a display of the Google My Business button component from Google. As part of this technical procedure, Google is informed about the specific subpage of our website that has been visited by the person concerned. More detailed information about Google My Business is available at https://policies.google.com/privacy?hl=en.

If the person concerned is at the same time connected to Google My Business, Google recognizes with each call to our website by the person concerned and for the duration of his stay on our website which specific pages on our website have been visited by the person concerned. This information is collected using the Google My Business button and Google associates it with the Google My Business account associated with the person concerned.

If the person concerned clicks on the Google My Business button on our website and gives a Google My Business 1 recommendation, Google assigns this information to the person’s personal Google My Business user account and stores the personal data.

Google will retain the data subject’s Google My Business1 recommendation and make it publicly available in accordance with the data subject’s agreed terms and conditions. Thereafter, a Google My Business1 recommendation by the person concerned on this website as well as other personal data, such as the Google My Business account name used by the person concerned and the stored photo, which may be processed on other Google services, such as Google search engine results, the Google account of the person concerned or in other places, for example on Internet pages, or in connection with advertisements.

Google may also link your visit to this website to other personal data stored on Google. Google stores this personal information in order to improve or optimize its various services.

Google My Business receives information via the Google My Business button that the person concerned has visited our website, if the person concerned is connected to Google My Business at the time of making a request to our website. This happens regardless of whether or not the person clicks the Google My Business button.

If the data subject does not wish to transmit personal data to Google, he or she can prevent this by logging out of his or her Google My Business account before calling our website.

Further information and Google’s data protection policy can be found at https://www.google.com/intl/en/policies/privacy/. Further Google references on the Google My Business 1 button can be obtained at https://policies.google.com/privacy?hl=en.

NB: the paragraphs in this section are present for information purposes, in case Datalog Finance decides to install such a component on its website, which is not the case today. Indeed, a simple sharing link is proposed, and not a systematic interaction between our site and the API of this third party.

Data protection provisions regarding the application and use of LinkedIn

On this website, the controller has integrated LinkedIn Corporation components on this website. LinkedIn is a web-based social network that allows users with existing business contacts to connect and establish new business contacts. More than 400 million registered people in over 200 countries use LinkedIn. LinkedIn is currently the largest business contact platform and one of the most visited websites in the world.

LinkedIn’s operating company is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. For privacy matters outside the UNITED STATES, LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Wilton Place, Dublin 2, Ireland, is responsible.

Whenever a call is made to one of the individual pages of this website, which is operated by the controller and on which a LinkedIn component (LinkedIn plug-in) has been integrated, the Internet browser of the data subject’s computer system is automatically prompted to download a display of the corresponding LinkedIn component. More information about the LinkedIn plug-in can be found at https://developer.linkedin.com/plugins. During this technical procedure, LinkedIn becomes aware of the specific subpage of our website that has been visited by the person concerned.

If the person concerned is connected to LinkedIn at the same time, LinkedIn detects on each call to our website by the subject of the data – and for the duration of their stay on our website – which specific subpage of our website has been visited by the person concerned. This information is collected through the LinkedIn component and is associated with the LinkedIn account of the person concerned. If the person concerned clicks on one of the LinkedIn buttons integrated on our website, LinkedIn assigns this information to the personal LinkedIn user account of the person concerned and stores the personal data.

LinkedIn receives via its component information indicating that the person concerned has visited our website, provided that the person concerned is connected to LinkedIn at the time of the call on our website. This happens regardless of whether the person clicks the LinkedIn button or not. If such transmission of information to LinkedIn is not desirable for the person concerned, he can prevent it by logging out of his LinkedIn account before using our website.

LinkedIn offers under https://www.linkedin.com/psettings/guest-controls the possibility to unsubscribe from e-mails, SMS and targeted advertisements, as well as the possibility to manage the advertising parameters. LinkedIn also uses third-party products such as Eire, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame. The installation of such cookies can be refused under https://www.linkedin.com/legal/cookie-policy. The privacy policy applicable to LinkedIn is available at https://www.linkedin.com/legal/privacy-policy. Cookie LinkedIn’s policy is available at https://www.linkedin.com/legal/cookie-policy.

NB: the paragraphs in this section are present for information purposes, in case Datalog Finance decides to install such a component on its website, which is not the case today. Indeed, a simple sharing link is proposed, and not a systematic interaction between our site and the API of this third party.

Data protection provisions concerning the application and use of Twitter

On this website, the controller has integrated Twitter components. Twitter is a multilingual microblogging service, accessible to the public, on which users can publish and broadcast “tweets”, for example short messages, limited to 280 characters. These short messages are available to everyone, including those who are not connected to Twitter. Tweets are also displayed to the followers of the user in question. Followers are other Twitter users who follow a user’s tweets. In addition, Twitter allows you to address a wide audience via hashtags, links or retweets.

Twitter’s operating company is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

Whenever a call is made to one of the individual pages of this website, which is operated by the controller and on which a Twitter component (Twitter button) has been integrated, the Internet browser of the information system of the person concerned is automatically invited to download a display of the corresponding Twitter component. More information about Twitter buttons is available at https://about.twitter.com/de/resources/buttons. During this technical procedure, Twitter becomes aware of the specific subpage of our Web site that has been visited by the person concerned. The purpose of integrating the Twitter component is to retransmit the content of this Web site to allow our users to present this Web page to the digital world and increase the number of our visitors.

If the person concerned is connected to Twitter at the same time, Twitter detects the specific subpage of our web page that has been visited by the person concerned for each request on our web site made by the person concerned and for the duration of his visit to our web site. This information is collected through the Twitter component and is associated with the respective account of the person concerned. If the person concerned clicks on one of the Twitter buttons integrated on our website, Twitter assigns this information to the personal user account of the person concerned and also stores the personal data.

Twitter receives information indicating that the person concerned has visited our website, provided that the person concerned is connected to Twitter at the time of sending request on our website. This happens regardless of whether the person clicks on the Twitter component or not. If such transmission of information to Twitter is not desirable for the person concerned, he/she can prevent it by logging out of his/her Twitter account before using our website.

The applicable data protection provisions of Twitter can be found at https://twitter.com/privacy?lang=en.

NB: the paragraphs in this section are present for information purposes, in case Datalog Finance decides to install such a component on its website, which is not the case today. Indeed, a simple sharing link is proposed, and not a systematic interaction between our site and the API of this third party.

Legal basis of the processing operation

Article 6 (1) of the GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract in which the data subject is one of the parties involved, as is the case, for example, where the processing is necessary for the supply of goods or the provision of any other service, the processing shall be based on Article 6(1)(a) of the GDPR. The same applies to the processing necessary for the execution of pre-contractual measures, for example in the case of requests for information concerning our products or services. Our company is subject to a legal obligation by which the processing of personal data is necessary, as for the fulfilment of tax obligations, the processing is based on art. 6(1) of the GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor was injured in our company and his name, age, health insurance data or other vital information should be passed on to a doctor, hospital or other third party. Treatment would then be based on art. 6(1) of the GDPR. Finally, the processing operations could be based on Article 6(1)(a) of the GDPR. This legal basis is used for processing operations which are not covered by any of the legal bases mentioned, if the processing is necessary for the legitimate interests pursued by our company or by a third party, except where those interests are harmed by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. These processing operations are particularly authorized because they have been expressly mentioned by the European legislator. It considered that a legitimate interest could be presumed if the data subject is a customer of the controller (Article 47, second sentence of the GDPR).

Legitimate interests pursued by the controller or by a third party

Where the processing of personal data is based on Article 6(1)(a) of the GDPR, our legitimate interest is to conduct our business for the benefit of all our employees and shareholders.

Period for which personal data will be kept

The criterion used to determine the retention period of personal data is the corresponding legal retention period. After the expiry of this period, the corresponding data are systematically deleted, as long as they are no longer necessary for the execution of the contract or the initiation of a contract.

Provision of personal data as a legal or contractual requirement; obligation to conclude a contract; obligation of the data subject to provide personal data; possible consequences of failure to provide such data.

We specify that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. information on the contractual partner). In some cases, it may be necessary to conclude a contract under which the data subject provides us with personal data that must be further processed by us. The person concerned is, for example, obliged to provide us with personal data when our company signs a contract with him/her.

A refusal to disclose personal data would mean that the contract with the data subject could not be concluded. Before personal data are provided by the data subject, he must contact any employee. The employee shall specify to the data subject whether the provision of personal data is required by law or contract or whether it is necessary for its conclusion, whether there is an obligation to provide the personal data and the consequences of withholding the personal data.

Existence of an automated decision-making process

As a responsible company, we do not use automatic decision making or profiling.

Datalog Finance Customer Data Privacy Policy (GDPR)

The following paragraphs, if they have no contractual value, allow us to define a framework inherent to the relations between the customer and the subcontractor that we are on the regulatory part related to the protection of personal data.

As a subcontractor, Datalog Finance processes personal data only on documented instructions from the controller (the customer), including with regard to transfers of personal data to a third country. Datalog Finance ensures that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.

We take all security measures required, and we respect the conditions defined in case of recruitment of another subcontractor. We have also taken steps to train internal staff to comply with these regulations.

Datalog Finance takes into account the nature of the processing, and helps the controller, through appropriate technical and organizational measures, as far as possible, to fulfil his obligation to respond to the requests submitted by the data subjects in order to exercise their rights.

We are also committed to:

1. Help the controller to ensure compliance with the obligations laid down.
2. Delete all personal data or return them to the controller at the end of the processing service, and destroy existing copies, unless Union law or the law of the Member State requires the retention of personal data.
3. Make available to the controller all the information necessary to demonstrate compliance with his obligations and to allow audits to be carried out (Article 28).
4. To appoint a DPO (Data Protection Officer) under the same conditions as the controller.
5. As a subcontractor, we are bound by specific obligations in terms of security, confidentiality and accountability.
6. In particular, we have an obligation to advise the data controller (the customer) on compliance with certain obligations of the Regulation (PIA, loopholes, security, data destruction, contribution to audits).
7. Assess the risks inherent to the processing (according to the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks for the data subjects).
8. Implement, based on our risk analysis, appropriate technical and organisational measures to ensure a level of security appropriate to the risk, such as pseudonymisation/anonymisation and encryption of personal data.
9. Carry out a data protection impact assessment where a processing operation is likely to expose individuals to a high risk with regard to their rights and freedoms, in particular those using new technologies, in order to assess, in particular, the origin, nature, scope, context, specificity and gravity of that risk (Article 35).
10. Provide sufficient guarantees, including specialist knowledge, reliability and resources, for the implementation of technical and organisational measures that will meet the requirements of the Regulation, including processing security.
11. Assess the risks inherent to the processing (according to the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks for the data subjects).
12. Implement appropriate technical and organisational measures, based on risk analysis, to ensure a level of security appropriate to the risk, such as pseudonymisation and encryption of personal data.
13. Carry out a data protection impact assessment where a processing operation is likely to expose individuals to a high risk with regard to their rights and freedoms, in particular those using new technologies, in order to assess, in particular, the origin, nature, scope, context, specificity and gravity of that risk (Article 35).

We also undertake to keep a written record of all categories of data processing activities carried out on behalf of the controller, including:

• The name and contact details of the other processors and of each controller on whose behalf the processor is acting.
• Where applicable, the names and contact details of the Data Protection Officer; the categories of processing operations carried out on behalf of each controller.
• Where appropriate, transfers of personal data to a third country or international organization.
• A general description of the technical and organizational security measures.

We are at our customers’ disposal to provide sufficient guarantees, in particular in terms of specialized knowledge, reliability and resources, for the implementation of technical and organizational measures that will meet the requirements of the Regulation, including processing security.

We are fully aware that in the event that a person suffers material or moral damage as a result of a breach of the Regulation, he/she may claim compensation for the damage suffered from the controller or the processor. As a subcontractor we can be exempt from liability if we prove that we are not responsible for the fact that caused the damage.