1. SCOPE OF APPLICATION
Clestra is committed to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and with the Data Protection Act of 20 June 2018.
Access to personal data is strictly limited to employees and agents of the company, authorized to process them by virtue of their functions such as:
- the person responsible for the treatment,
- the departments in charge of marketing,
- the departments in charge of IT security,
- the department in charge of sales and purchasing, delivery and ordering,
- subcontractors involved in delivery, assembly and sales operations
- the legal department
- the financial department
- any authority legally authorized to access the personal data in question
Clestra implements a processing of personal data that has the purpose of sale and delivery, construction and assemblies removable partitions and any purchase aimed at the success of this destination. The personal information collected via the quotations are recorded in a customer file and mainly used for the good management of the relations with the supplier/customer and the treatment of the orders.
The information requested at the time of the order is necessary to
- be able to contact the supplier/customer,
- commercial prospecting if necessary,
- ensure the execution of our services,
- the establishment of the invoice (legal obligation),
- meet our legal obligations,
- the delivery of the ordered goods, without which the order cannot be placed.
No automated decisions or profiling is implemented through the ordering process.
2. OBLIGATIONS OF CLESTRA
Clestra is committed to :
- process Personal Data referred by the supplier/customer in the course of its business only to the extent necessary for its business.
- not to access or use Personal Data for any purpose other than those necessary for the performance of its business.
- implement technical and organizational measures to ensure the security of Personal Data within the framework of the Service,
- ensure that Clestra employees authorized to process Personal Data are subject to an obligation of confidentiality and receive appropriate training concerning the protection of Personal Data,
- inform the Supplier/Customer if, in its opinion and based on the information available to it, any of CLESTRA’s instructions violate the provisions of the GDPR or other provisions of the European Union or of a Member State of the European Union on the protection of personal data,
- in the case of requests received from a competent authority relating to Personal Data, to inform the supplier/customer (unless prohibited by applicable laws or by order of a competent authority), and to limit the disclosure of the data to what the authority has expressly requested.
Clestra undertakes to implement the following technical and organizational security measures:
- physical security measures to prevent unauthorized persons from accessing the infrastructure in which the provider/client data is stored,
- identity and access controls through an authentication system and password policy,
- an access management system that restricts access to the premises to those who need access in order to perform their duties and responsibilities,
- security personnel responsible for monitoring the physical security of De Clestra’s premises,
- a system that physically and/or logically isolates suppliers/customers from each other,
- user and administrator authentication processes and measures to protect access to administrative functions,
- processes and follow-up measures for actions carried out on its information system.
3. BREACHES OF PERSONAL DATA PROTECTION
If CLESTRA becomes aware of an incident affecting the Data Controller’s Personal Data (unauthorized access, loss, disclosure or alteration of data), CLESTRA shall inform the Supplier/Customer as soon as possible.
The notification must
- describe the nature of the incident,
- describe the likely consequences of the incident,
- describe the actions taken or proposed by CLESTRA in response to the incident; and
- clarify who is the contact person at CLESTRA.
4. LOCATION AND TRANSFER OF PERSONAL DATA
Subject to the foregoing provision relating to the location of data centers, CLESTRA Affiliates located in the European Union, Canada and any other country recognized by the European Union as providing an adequate level of protection for Personal Data (“EU Member States”) may use the data centers of CLESTRA Affiliates for the purpose of processing Personal Data.In the event of an “adequacy decision“), they are authorized to process the Personal Data only in the context of the performance of the future contract, and in particular, in the context of the management of Incidents. The list of Affiliated Companies likely to participate in the execution of contracts is communicated on the site in the section “where to find us” then “subsidiary and representation”.
In the event that Personal Data processed hereunder is transferred outside the European Union to a country that is not subject to an Adequacy Decision, a data transfer agreement that complies with the standard contractual clauses adopted by the European Commission or, at CLESTRA’s discretion, any other protection measure recognized as sufficient by the European Commission shall be implemented.
The Data Controller must complete all necessary formalities and obtain all necessary authorizations (including, where applicable, from data subjects and competent data protection authorities) to transfer personal data.
5. SUBCONTRACTING
Subject to the provisions of the “Location and Transfer of Personal Data” clause above,CLESTRA may engage another processor to process Personal Data in the course of carrying out its business (“Subsequent Processor”).
Supplier/Customer expressly authorizes CLESTRA to engage its Affiliates as subsequent Subcontractors. A list of CLESTRA’s Affiliates that are Subsequent Subcontractors is available on CLESTRA’s website. CLESTRA agrees to notify Supplier/Customer within thirty (30) days prior to bringing in a new Affiliate as a subsequent Subcontractor.
Subject to the provisions of the applicable Terms of Service to the contrary, CLESTRA shall not, without the prior consent of Supplier/Customer, engage a Subsequent Subcontractor that is not an Affiliate of CLESTRA (“Third Party Subsequent Subcontractor”).
Clestra shall ensure that the subsequent Subcontractor is, at a minimum, able to fulfil the obligations incumbent upon CLESTRA concerning the processing of Personal Data. To this end, CLESTRA shall enter into an agreement with the Subsequent Subcontractor.
Clestra undertakes not to sell, transfer or give access to third parties without the prior consent of the supplier/client, unless forced to do so by a legitimate reason (legal obligation, fight against fraud or abuse, exercise of rights of defence, etc.)
Notwithstanding the foregoing, CLESTRA is expressly authorized to engage third party providers (such as energy providers, network providers, network interconnection point or data center operators, hardware and software providers, carriers, technical providers, security companies), without the need to inform or obtain prior authorization from the provider/customer, provided that such third party providers do not have access to Personal Data.
6. OBLIGATIONS OF THE SUPPLIER/CLIENT AND THE CONTROLLER
For the processing of Personal Data, the Supplier/Customer shall provide CLESTRA in writing with
– any relevant instructions and
– any information necessary for the creation of the register of the processor’s processing activities. The Supplier/Customer shall remain solely responsible for processing the information and instructions provided to CLESTRA.
The Data Controller is responsible for ensuring that:
- the processing of the Personal Data of the Data Controller in the context of the performance of the service to an appropriate legal basis such as:
- the consent of the supplier/customer or buyer
- the proper execution of the future contract
- a legal obligation.
- all required procedures and formalities have been completed,
- the data subject is informed about the processing of his or her Personal Data in a concise, transparent, intelligible and easily accessible manner, using clear and simple language, as required by the GDPR,
- data subjects are informed and have the possibility at any time to easily exercise their data rights under the GDPR directly with the supplier/customer or the Controller.
The Supplier/Customer is responsible for implementing appropriate technical and organizational measures to ensure the security of resources, systems, applications and operations that are outside the scope of CLESTRA’s responsibility.
7. RIGHTS OF THE PERSONS CONCERNED
The Data Controller is fully responsible for informing data subjects of their rights and for ensuring that these rights are respected. In accordance with the law “informatique et libertés” and the regulation n 2016/679/EU of 27 April 2016 the supplier/customer benefits from the rights of access, rectification, erasure, limitation or portability.
CLESTRA has a duty to cooperate and assist, to the extent reasonably necessary, in responding to requests from data subjects. Such cooperation and reasonable assistance may include
- communicate to the supplier/client any request received directly from the person concerned within the limits of business secrecy
- enable the Data Controller to design and deploy the technical and organizational measures necessary to meet the data subjects’ requests. The Data Controller is solely responsible for the responses to these requests.
Supplier/Customer acknowledges and agrees that, in the event that such cooperation and assistance requires significant resources on the part of CLESTRA, Supplier/Customer may be charged for such cooperation and assistance upon prior notification and agreement.
8. DELETION AND RETURN OF PERSONAL DATA
The supplier/customer may request the deletion or return of personal data except in the cases of :
- Business secret
- The intervention of a third party
- The legal prescription period (5 years)
9. COMPETENT AUTHORITY AND COMPLAINT
Notwithstanding the foregoing, the Provider/Customer shall be entitled to respond to requests from the relevant supervisory authority provided that any disclosure of information shall be strictly limited to what is requested by such authority. In such event, and unless prohibited by applicable law, Supplier/Customer shall first consult with CLESTRA regarding any required disclosure.
10. COMMERCIAL PRESCRIPTION
The data will be kept during the execution of the future contract and the following 10 years.
Clestra may keep data for a longer period of time in the context of a legal or regulatory obligation.
For any questions or requests concerning your personal data, you can contact Damien Lambert Personal Data Delegate by email
d.lambert@clestra.com