Last updated: 8 September 2020
We aim to protect your personal data as fully as possible in accordance with the rules, procedures, recommendations and good practice set out in relevant legal and regulatory provisions at both the European and local levels, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on personal data protection (known as the “GDPR”), which came into force on 25 May 2018.
This Privacy and Personal Data Protection Policy (hereinafter, the “Personal Data Policy”) explains what we do to protect personal data. It describes how your data is processed and the precautions taken to protect it, as well as reminding you of your rights and how you can assert them.
The Data Controller is: Sofrigam, 1 rue de l'Union, CS20137, 92565 Rueil-Malmaison Cedex, France.
Hereinafter, the company will be referred to as “Sofrigam” or “Us” or “Our Company”.
To be as transparent as possible about how we manage personal data, we have decided to produce a single document summarising all the personal data processing carried out by Our Company.
We collect both identifying and non-identifying personal data, as well as electronic identification data about the device used to access the Sofrigam.com website (hereinafter, the “Website”).
Subject to the choices you have made, we may collect the data you provide when you visit our cookie-using Website, contact Us by any means (email, telephone, contact form, etc.), fill in a form or questionnaire, create a customer account in “My Account”, review one of our products, subscribe to the newsletter, request a callback, or share a product page with friends.
We may collect your first name, surname, email address, postal address, company name and, if necessary, your telephone number, IP address, connection and browsing data, order history, preferences and interests, products viewed, delivery issues or complaints. This list is non-exhaustive as what we collect depends on your interaction with Us.
Regarding payment and processing for product orders, user banking data is collected and stored by Sofrigam’s payment provider (name of provider).
Sofrigam and the Sofrigam Group use personal data to market and promote products and services. Data is only used within the strict limits defined by current legislation.
No sensitive personal data is collected or used. This includes details about racial or ethnic origins; political, philosophical or religious beliefs; union membership; health or sex life.
To ensure your data is managed as scrupulously as possible, only share information that is complete, correct, up to date and does not prejudice the interests or rights of third parties.
This data allows Us to identify the device used to access the Website. It is generally not enough to identify an individual User.
Personal data collected by Sofrigam is treated as confidential. It is only used for the purposes of ensuring our systems and management processes are properly administered, facilitating our relationship with you, and possibly marketing activities.
The purposes of the processing we carry out are summarised in the table below:
| Purposes | Data retention period | Details |
|---|---|---|
| Managing the customer relationship (customer account, sending emails) | 3 years after the most recent contact | We process the data needed to create your customer account and give you information following contact with our management service or a complaint. |
| Subscribing to our newsletter and issuing digital communications | 3 years after the most recent contact | If you subscribe to our newsletter, we can send you communications about our latest news. You can object to receiving our communications at any time by following the instructions in any of our messages. |
| Analysing Website User behaviour and targeted advertising | 3 years after the most recent contact. Except for cookies and other trackers: 13 months | Certain information about how you browse our Website, the sections you visit and your order history may be collected to determine your preferences. The aim is to send you communications that suit your profile and interests. |
| Browsing the Website and optimising the User experience | The maximum browsing session is 13 months | Some cookies also indicate how the Website is being used and performing so that we can make our services more intuitive. |
| Preventing fraud | 3 years after an incident or report | We are obliged to use the relevant protocols to prevent any fraud attempts and ensure that payments are secure. |
We use the legal basis set out below to be able to process personal data:
To manage purchases, customer personal data processing is based on Sofrigam’s legal obligations in the context of our relationship with customers.
For creating customer accounts, sending newsletters and communications tailored to Users, and analysing Website performance and User behaviour, personal data processing is based on your consent.
You can inform Us that you no longer want Us to process your personal data at any time. You can withdraw your consent by contacting Sofrigam’s Data Protection Officer (DPO):
By email: firstname.lastname@example.org
By post: SOFRIGAM, 1 rue de l'Union, CS20137, 92565 Rueil-Malmaison Cedex, France
We will then delete your personal data as soon as possible, unless a legal obligation forces Us to do otherwise. We will inform you if this is the case.
To prevent fraud, detect bugs and optimise the online browsing experience, our personal data processing is based on Sofrigam’s legitimate interest.
Some of our services may be used by minors without Us being aware. If information is collected about a minor or someone who is unauthorised in the eyes of the law, the minor/unauthorised person’s legal representative can contact Sofrigam to have this personal data immediately erased, rectified or amended in accordance with Article 8 of the Personal Data Policy.
Your personal data may be shared with the following recipient categories:
Every Website page uses “cookies” or trackers. These are now used universally by websites and enable companies to collect certain (mostly technical) information and identify users. Cookies are generally described as files generated by a website and stored on your browser to record your browsing activity. Most cookies store the cookie’s domain name of origin, lifespan and a random unique number.
You are told when you visit the Website that a cookie may be installed on your browser (either automatically for functional cookies needed for the Website to work or based on your choices). The cookie is stored on your device’s hard drive. It can be accessed by our tool when you next visit our Website. The maximum period Sofrigam will store this information for is thirteen (13) months, in accordance with recommendations from France’s data protection authority, the CNIL.
Please note that if your browser is set up to reject all cookies, you may have technical issues and find your browsing experience impaired. You may not be able to carry out all the operations available, including accessing some of the features designed to facilitate your browsing experience on our Website.
Audience analysis tool
Your personal data is retained for the period required for processing, and, unless there is an explicit or legally permitted exclusion, for a maximum of three (3) years after it is collected or our most recent contact with you. Electronic identifying data (cookies) is retained for thirteen (13) months after it is collected. Any personal data relating to a request to exercise your rights under the GDPR is retained for one (1) year as proof.
In accordance with the above legal exceptions, your personal data may be retained as proof in line with current legal and regulatory provisions (including those in France's Civil Code, Consumer Code and Social Security Code).
Sofrigam is scrupulously vigilant and takes appropriate technical measures, including those recommended by the CNIL, to reduce the risk of security incidents involving personal data and their consequences for data subjects. These consequences may involve anything from mere inconvenience to misappropriation, intrusion, disclosure or tampering, which can cause serious harm. Sofrigam has therefore introduced various mechanisms to minimise these risks, including best-practice technical tools, to keep information secure. Information about these technical measures can be provided on request to correspondents and contacts with a legitimate interest, subject to the usual confidentiality and security rules. The measures envisaged include information barriers, firewalls, access control protocols, cryptography, etc. Sofrigam guarantees that, at the very least, data access is controlled and restricted to individuals who are authorised to know about or access it because of their role and who have been specially trained in data protection issues. If processing poses a risk, extra security measures are introduced.
However, the User recognises and accepts that although Sofrigam uses these mechanisms and professionals who are experts in these measures, it cannot eliminate all the risks surrounding Website functioning, such as malicious attacks on it by particularly well-equipped units. Sofrigam must therefore draw your attention to any risks that may arise in extreme circumstances, despite the precautions taken, regarding a one-off loss or a breach of confidentiality affecting data travelling across networks. Sofrigam has set up a specialist monitoring team of its technicians and representatives from internal services that may be exposed to these risks, plus qualified external consultants. This team stays abreast of developments, particularly regarding recommendations from the CNIL, the new European Data Protection Board (EDPB) and the National Cybersecurity Agency of France (ANSSI). Sofrigam also has a Crisis Management Committee ready to take all the necessary technical and legal measures and issue the notifications legally required as quickly as possible and within the timeframes required by law to protect data subjects’ interests.
In accordance with the General Data Protection Regulation, you have the following specific rights:
Right of access (Art. 15 of the GDPR): you have the right to access the personal data about you collected by Sofrigam and to check:
- that processing carried out is in line with the purposes set out in this Personal Data Policy,
- that the categories of personal data concerned by processing are limited to those expressly mentioned in the Personal Data Policy,
- that the recipients to whom the data is disclosed are those mentioned in the Personal Data Policy.
Right to rectification (Art. 16 of the GDPR): you have the right to obtain from Sofrigam, without undue delay, the rectification of inaccurate personal data we hold and the completion of personal data that is incomplete.
Right to erasure (Art. 17 of the GDPR): you can require the erasure of personal data about you that is inaccurate, incomplete, vague, or out of date, or where its collection, use, sharing or storage are unnecessary or illegal.
We will look into your request and respond within one (1) month. If it is especially complex or we are receiving more requests than usual, we may inform you that your request will be delayed for two (2) months and provide justification. We will always respond within three (3) months.
Right to restriction of processing (Art. 18 of the GDPR): you can ask Sofrigam to restrict the processing of your personal data where permitted by applicable texts:
- You contest the accuracy of the personal data we hold about you; or
- You believe our processing of your personal data is unlawful; or
- We must retain your personal data for the establishment, exercise or defence of legal claims.
Right to portability (Art. 20 of the GDPR): you have the right to receive personal data about you in a structured, commonly used and machine-readable format, and to transmit the data to another Data Controller where processing is based on consent or a contract and is carried out by automated means.
Right to object (Art. 21 of the GDPR): you have the right to object to the processing of personal data about you in certain situations, such as the deletion of a customer account. However, if your request does not concern processing for marketing purposes, Sofrigam can block it with compelling legitimate grounds to retain the data.
Automated individual decision-making (Art. 22 of the GDPR): you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you and can complain to supervisory authorities (the CNIL for France; remember that you may eventually have to take your complaint to the authority in the Member State where your habitual residence or place of work are located, or where the violation occurred).
You can exercise all the rights and prerogatives set out in the above texts at any time by emailing email@example.com or writing to Sofrigam, 1 rue de l’Union, 92565 Rueil-Malmaison Cedex - France with your full name, email address and, if possible, your customer reference.
Please note that rights are strictly individual and can only be exercised by the data subject regarding their own information. In accordance with current legislation, your request should include an address for the response to be sent to and a photocopy of proof of identity.
Sofrigam reserves the right to amend this Personal Data Policy at any time.
Changes come into force when they are uploaded and will be highlighted at the top of the page.
If our Personal Data Policy changes significantly (e.g. data collection purposes are amended), you will be informed. You will be asked to consent to the change so that we can continue to carry out the processing to which you have consented.
The User should therefore check the Personal Data Policy frequently to become aware of any changes.
If you have any questions about this Privacy and Personal Data Protection Policy, you can contact Us at any time by emailing firstname.lastname@example.org or writing to: Sofrigam 1 rue de l’Union, 92565 Rueil-Malmaison Cedex - France.
For more information about personal data protection in general, or if you believe that Sofrigam has not followed up sufficiently on your questions or rights, please visit the CNIL website: www.cnil.fr.