Personal data privacy policy

1 – Preamble

Onepoint, a simplified joint-stock company with a capital of 1,365,740 euros, whose registered office is located at 29 rue des Sablons 75116 Paris, registered with the Paris Trade and Companies Register under number 440 697 712, represented by David R. Layani in his capacity as Chairman (“onepoint” or “we”) publishes the www.groupeonepoint.com website (the “Site”) which presents its products and/or services.

Aware of the importance of ensuring the confidentiality of the personal data transmitted to it and the privacy of the persons concerned, onepoint undertakes, within the framework of its activities and in accordance with the legislation in force in the United States of America, Canada, France and Europe (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016), to ensure the protection,  the confidentiality and security of personal data, as well as respect for privacy.

By the term “personal data” (or “personal data”), we mean any information relating to an identified or identifiable natural person. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This does not include data for which the identity has been removed (anonymous data).

This external privacy policy (“Privacy Policy”) describes the way in which onepoint, its subcontractors and any partners, collect and process the personal data of Site Visitors (or also referred to as “Users”, in particular within our T&Cs), as well as of its customers and prospects concerning onepoint products and/or services, its suppliers,  visitors to the premises, candidates, partners and more generally with regard to any person whose data it may be required to possess, in accordance with the General Data Protection Regulation (“GDPR”).

It also describes the legal bases we rely on to process personal data, who we share it with, and how it is stored.

Onepoint is the data controller. This means that we decide how we store and use personal data about you. We are required by the GDPR to provide you with all of the information contained in the Privacy Policy.

It is therefore important that you read this Privacy Policy, together with any other information we may provide on specific occasions when we are collecting or processing your personal data, so that you are aware of how and why we use that data.

2 – How is your personal data collected?

The data we collect or hold about you may come from a variety of sources. Some of it has been collected directly from you during your use of the Site, or from your company using the Site or customer or prospect of our onepoint products and/or services. Others may have been collected in compliance with applicable regulations in the past. Also within the framework of the applicable regulations, we may also collect information about you when you interact with us, for example when you call us, when you use our mobile applications, when you visit us at our premises or participate in certain events that we organize (meetups, conferences, meetings, etc.), when you participate in competitions that we organize,  or when you use certain social networks (Twitter, Facebook, LinkedIn, etc.). Some data may come from publicly available sources (e.g. the press and websites or applications of all kinds, including social networks) or from external companies.

Our site does not provide for automated decision-making.

3 – Type of personal data, purposes and legal bases

Below you will find an overview of the different categories of persons concerned by this Privacy Policy as well as:

  • Type of personal data about you, which we use and store;
  • Purposes for which such personal data is collected;
  • Legal bases on which the processing is based.

Onepoint also processes your data to comply with legal or regulatory requirements. For this purpose, Onepont seeks to:

  • Retain data required to be able to meet legal obligations
  • Manage data requests from authorized authorities

3.1 – Types of data subjects:

SITE USERS / VISITORS

Type of personal data

  • Last name, first name, if you contact us
  • Email address, if you contact us
  • Data relating to browsing on the Site through cookies (in particular IP address, technical data relating to equipment and browser, preferences, audience statistics)
  • Any information you may have included in the contact form, including other information requested within this form: title, telephone number (optional), company, subject of your request according to the drop-down list provided.

The mandatory data in the contact form, and your identity and contact details if you contact us by email, are necessary for us to process your request.

Purpose & legal basis for data processing

  • Confirm receipt, process and respond to any request or questions made through the Site
    Our legitimate interest: management of requests from visitors to the Site
  • Sending commercial communications about our products or services (such as newsletters relating to onepoint news, promotional offers and quality surveys to assess customer satisfaction), by phone or email.
    Your Consent
  • Enabling the proper functioning of our Site
    Our legitimate interest: management of customer service, handling questions and requests, managing requests relating to the rights of individuals, enabling the resolution of disputes: in performance of the contract that binds us through the T&Cs or pre-contractual measures taken at your request
  • To allow you to access or use our Site
    Our legitimate interest: cookies that are strictly necessary for the provision of the service you have expressly requested
  • Store information about your preferences, and allow us to customize our Site based on the choices you make (cookies)
    Your consent (cookies)
  • Prepare reports or compile statistics in order to improve the performance of our Site, goods and services (cookies)
    Your consent (cookies)
  • To manage requests relating to the rights of individuals, including any questions about how we collect, store and use your personal data, or any request for you to obtain a copy of the data we hold about you
    In accordance with our legal obligations

3.2 – Types of data subjects:

CANDIDATES FOR A POSITION IN EUROPE, US AND CANADA

Type of personal data

  • Surname, first name
  • Telephone contact information
  • Email address
  • City, Country
  • Any information you may have included on your resume

Purpose & legal basis for processing

  • Manage our recruitment program
    Our legitimate interest: management of the recruitment programme
  • Make a decision about your recruitment and let you know about that decision
    Our legitimate interest: recruitment decision
  • Conduct statistical analysis and market research
    Our legitimate interest: knowing our market to develop our business
  • Sending commercial communications about our products or services (such as newsletters relating to onepoint news, invitations to our events, promotional offers and quality surveys to assess the satisfaction of candidates), by telephone or email.
    Your consent: to develop our business
  • To manage requests relating to the rights of individuals, including any questions about how we collect, store and use your personal data, or any request for you to obtain a copy of the data we hold about you
    In accordance with our legal obligations

3.3 – Types of data subjects:

CLIENTS / PROSPECTS

Type of personal data

  • Surname, first name
  • Telephone contact information
  • Business email address
  • Business mailing address
  • Function
  • Hierarchy
  • Organization Name
  • Accounts and history of actions
  • Any information you may have included in the contact form, if you have contacted us through the Site

The mandatory data in the contact form on our Site is mandatory for us to process your request.

The other types of data above are also mandatory. Otherwise, we will not be able to enter into a contract with you or respond to your request.

Purpose & legal basis for processing

  • To provide relevant goods or services (including confirming and processing orders, requests or questions in relation to a contract, managing your account with us, invoicing, collecting payments and collecting any outstanding payments)
    In performance of a contract we have entered into with you
  • Sending non-commercial communications relating to an order or complaint, when you are one of our customers for onepoint products or services.
    In performance of a contract we have entered into with you
  • Sending commercial communications about our products or services (such as newsletters relating to onepoint news, promotional offers and quality surveys to assess customer satisfaction), by phone or email.
    Your consent: to develop our business
    We may also send you communications on the basis of our legitimate interest in developing our business when you are one of our customers for similar products or services.
  • Manage and monitor compliance with internal procedures, for the detection and prevention of fraud, other criminal offences and for risk management purposes
    Compliance with a legal obligation and our legitimate interest
  • Manage your queries or issues about our products and services
    Our legitimate interest: customer service management
  • Conduct statistical analysis and market research
    Our legitimate interest: knowing our market to develop our business
  • To manage requests relating to the rights of individuals, including any questions about how we collect, store and use your personal data, or any request for you to obtain a copy of the data we hold about you
    In accordance with our legal obligations

This policy does not apply to the processing of personal data carried out in the context of the provision of services by Onepoint on behalf of a client. Onepoint will comply with the contractual provisions negotiated between the parties as well as the instructions of the data controller.

3.4 – Types of data subjects:

SUPPLIERS

Type of personal data

  • Surname, first name
  • Date of birth
  • Place of birth
  • Telephone contact information
  • Business email address
  • Business mailing address
  • Function
  • Accounts and history of actions
  • Organization Name
  • SIREN number/ Company registration number
  • Bank details (RIB / IBAN)

Purpose & legal basis for processing

  • To enable us to receive and manage your products and services (including auditing suppliers and tracking quality and logistics incidents)
    In performance of a contract we have with you or your employer
  • Sending non-commercial communications relating to an order or a complaint
    In performance of a contract we have entered into with you
  • Manage and monitor compliance with internal procedures, for the detection and prevention of fraud, other criminal offences and for risk management purposes
    Compliance with a legal obligation and our legitimate interest
  • Manage your queries or issues about our products and services
    Our legitimate interest: customer service management
  • Conduct statistical analysis and market research
    Our legitimate interest: to know our market to develop our business
  • To manage requests relating to the rights of individuals, including any questions about how we collect, store and use your personal data, or any request for you to obtain a copy of the data we hold about you
    In accordance with our legal obligations

3.5 – Types of data subjects:

VISITORS TO THE ONEPOINT PREMISES

Type of personal data

  • Surname, first name
  • Business email address
  • Organization Name
  • Function
  • Video protection recordings
  • Photograph-type image recording, video capture and live video

Purpose & legal basis for processing

  • To provide you with our goods or services
    In performance of a contract we have with you or your employer
  • Marketing communications to different audiences about our products or services (all printed, digital, international, full or excerpted media)
    Our legitimate interest: to develop our business
  • Sending commercial communications about our products or services (such as newsletters relating to onepoint news, promotional offers and invitations to future events).
    Your consent: to develop our business
  • Manage and monitor compliance with internal procedures, for the detection and prevention of fraud, other criminal offences and for risk management purposes
    Compliance with a legal obligation and our legitimate interest
  • Manage your queries or issues about our products and services
    Our legitimate interest: customer service management
  • Conduct statistical analysis and market research
    Our legitimate interest: to know our market to develop our business
  • Collect images as part of video surveillance (at building entrances and exits, emergency exits and traffic lanes, as well as in areas where valuable goods are stored).
    Our legitimate interest: To ensure the safety of goods and people, as an establishment open to the public
  • To manage requests relating to the rights of individuals, including any questions about how we collect, store and use your personal data, or any request for you to obtain a copy of the data we hold about you
    In accordance with our legal obligations

4 – If you fail to provide personal data

If you choose not to provide the personal data we request, we may not be able to provide you with the products and/or services you have requested or fulfill the purposes for which we have requested the personal data that may be strictly necessary for the processing operations in place.

5 – What are the flows of personal data

5.1 – How do we share your data?

We may share your personal data with the companies that make up the Onepoint Group. Access to your personal data is strictly limited to authorized Onepoint employees who are authorized by virtue of their duties and bound by an obligation of confidentiality.

We will share your personal data with third parties where required to do so by law, where it is necessary to manage the contractual relationship, we have with you or where we have another legitimate interest in doing so.

We may be required to communicate your personal data at the request of an administrative authority (tax authorities, CNIL, etc.), and/or judicial authorities (response to a judgment, order, court injunction), at simple request or if required by law, in order to protect our rights, property and/or safety and/or those of third parties.

We may share personal data with companies that help combat and investigate fraud.

We may also communicate your personal data in the context of the fight against money laundering and terrorist financing, with the implementation of a monitoring of contracts and/or operations that may lead to the drafting of a suspicious transaction report or an asset freezing measure.

We may transfer your personal data to service providers not affiliated with the Onepoint Group, such as:

  • Banks and insurance companies;
  • Providers of IT systems and support to our business, including providers of delivery, email archiving, backup and disaster recovery services, and cybersecurity, hosting and maintenance services;
  • Marketing and advertising service providers.

We will also disclose your personal data to third parties:

  • If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • If onepoint or substantially all of its assets are acquired by a third party, in which case personal data held by onepoint will be one of the transferred assets;
  • If we have a duty to disclose or share your personal data in order to comply with any legal obligation, lawful request from government or law enforcement authorities and if it may be necessary to meet national security or law enforcement requirements or to prevent illegal activity.

The third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal data for the specific purposes we have identified. We will always make every effort to ensure that third parties with whom we share your personal data are subject to confidentiality and security obligations in accordance with this Privacy Policy and applicable laws. We only allow them to process your personal data for specific purposes and in accordance with our instructions.

Except as expressly stated above, we will never share, sell or rent your personal data to any third party without notifying you and/or obtaining your consent. If you have given us your consent for us to use your information in a particular way, but you later change your mind, you must contact us and we will stop doing so.

5.2 – External service providers

As part of our activities, in particular recruitment, training and communication, we use the services of online solution publishers, not affiliated with the Onepoint Group.

Thus, you may be required to voluntarily communicate some of your personal data directly on their platform, for example, through subscription to a newsletter or the creation of a personal user account.

For this processing, the service providers act as Data Controller. For more information, we invite you to read their own privacy policy.

6 – Data processing outside the European Union

Onepoint does not transfer Personal Data outside the EEA to countries that have not been subject to an adequacy decision by the European Commission within the meaning of Article 45 of the GDPR, or without the European Commission’s standard contractual clauses having been concluded, accompanied by the appropriate measures.

For the North American market, some personal information may be transferred to the European Union for marketing and business operations. However, our headquarter is a subject of the European Regulation on Data Protection (GDPR) that remains the most stringent regulation on data protection and privacy.

7 – Cookies

The term cookie covers all trackers that allow access to information stored on a visitor’s terminal equipment (web beacons, pixels, etc.).

Through cookies, we can collect your connection data (e.g. IP address, geographical location, type and version of your internet browser, operating system, information about your visits and use of our site, etc.).

This helps us to improve your browsing experience and the functionality of the site.

For more information on cookies, please refer to our Cookie Policy, accessible www.groupeonepoint.com/politique-de-cookies/ .

8 – How long we keep your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including to satisfy any legal or accounting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from the unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, as well as applicable legal requirements.

Processing & retention period

Data relating to users and visitors to the site

  • Claim, questions, complaints: 3 years following a claim, question or complaint that has been closed.
  • Cookies : 6 months from their collection, unless you give us your consent to their use at the end of this period.

Customer data

  • For the duration of the contractual relationship with onepoint, increased by 3 years, without prejudice to retention obligations or limitation periods.

Lead data

  • We store your information for a maximum of 3 years from the last contact from you.

Supplier data

  • We store your information for a period of time that is proportionate to the purpose for which we process it and for a maximum period of 3 years from the end of our business relationship.

Applicant data

  • Non-selected candidates: in the event of a negative outcome to an application, we will inform you if we wish to keep your recruitment file, in order to give you the opportunity to request its destruction. If you do not request the destruction of your file, we will automatically delete your file 2 years after our last contact with you.
  • Selected candidates: In the event of a successful outcome to an application, the onepoint staff privacy policy applies.

Onepoint premises visitor data

  • We store your information for a maximum of 3 years from your last visit.

Video protection

  • 30 days from their registration.

Bank details

  • We store your information for a period of time that is proportionate to the purpose for which we process it and for a maximum period of 3 years from the end of our business relationship.

After the established deadlines, the data is either deleted or preserved after being anonymised, especially for statistical purposes. It may be retained in case of pre-litigation and litigation. It should be noted that the deletion or the anonymisation are irreversible operations, and that Onepoint is no longer able, thereafter, to restore them.

9 – Rights of data subjects

As a data subject, you have various rights. These rights are not absolute, and each of these rights is subject to certain conditions in accordance with the GDPR and applicable national laws.

  • The right of access – you have the right to obtain confirmation from us as to whether or not your personal data is being processed by us, as well as certain other information (similar to that provided in this Privacy Policy) about how it is being used. You also have the right to access your personal data, by requesting a copy of the personal data concerning you. This allows you to know and verify that we are using your information in accordance with data protection laws. We may refuse to provide information where doing so may reveal personal data about another person or adversely affect another person’s rights.
  • The right to rectification – you can ask us to take steps to correct your personal data if it is inaccurate or incomplete (for example, if we have the wrong name or address).
  • The right to erasure – also known as the “right to be forgotten”, this right allows you, in simple terms, to request the erasure or deletion of your personal data when, for example, there is no compelling reason for us to continue using it or its use is unlawful. However, this is not a general right to erasure and there are some exceptions, for example when we need to use the information to defend a legal claim or to be able to comply with a legal obligation.
  • The right to restrict processing – you have the right to “block” or prevent further use of your personal data when we are evaluating a request for rectification or as an alternative to erasure. Where processing is restricted, we may still retain your personal data, but we may not use it further.
  • The right to data portability – you have the right to obtain and re-use certain personal data for your own purposes in different companies (which are separate data controllers). This only applies to personal data that you have provided to us, that we process with your consent and for the purpose of fulfilling the contract, which are processed by automated means. In this case, we will provide you with a copy of your data in a structured, commonly used and machine-readable format or (where technically feasible) we may transmit your data directly to another controller.
  • The right to object – you have the right to object to certain types of processing, for reasons relating to your particular situation, at any time, insofar as such processing takes place for the purposes of legitimate interests pursued by onepoint. We will be permitted to continue processing personal data if we can demonstrate that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or if we need it for the establishment, exercise or defence of legal claims. If you object to the processing of your personal data for direct marketing purposes, we will no longer process your personal data for such purposes.
  • The right to withdraw your consent – where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. However, such withdrawal does not affect the lawfulness of the processing that took place prior to such withdrawal.
  • The right to provide us with instructions on the use of your personal data after your death – you have the right to provide us with instructions on the management (e.g. retention, erasure and disclosure) of your data after your death. You can change or revoke your instructions at any time.

NB: The list of provided rights may not be applicable in full for all jurisdictions. Some rights may be subject of exemptions by the national legislation, in particular, for US and for Canada.

10 – Exercising rights

We have appointed Claire DESSUREAULT as Data Protection Officer of the Onepoint Group. If you have any questions about this Privacy Policy, how we process your personal data or if you wish to exercise any of your rights, please contact Claire DESSUREAULT at the following address: dpo@groupeonepoint.com.

If you are not satisfied with our response to your complaint or if you believe that the processing of your personal data does not comply with applicable data protection laws, you may lodge a complaint with the relevant data protection supervisory authority. The Commission Informatique et Libertés (CNIL) is the data protection authority in France.

All requests will be considered within the time limits set out in applicable law. Please note, however, that some personal data may be exempt from such requests in certain circumstances, including if onepoint needs to continue to process your personal data for its legitimate interests or to comply with a legal obligation.

Exercising your right of access (or any other right) will not incur any fees. Sometimes we will not be able to comply with your request if it is manifestly unfounded or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access that information (or exercise your other rights). This is an appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.

11 – How is the data protected?

Onepoint ensures that data is processed securely and confidentially, including when certain operations are carried out by subcontractors. To this end, appropriate technical and organizational measures are put in place to prevent the loss, misuse, unauthorized access, alteration and deletion of your personal data. These measures are adapted according to the level of sensitivity of the data processed and according to the level of risk presented by the processing or its implementation. We have procedures in place to deal with any suspected data security breach and will notify you and any relevant supervisory authority of a suspected breach where we are legally required to do so.

Unfortunately, the security of data transfers over the Internet or data storage systems cannot be 100 % guaranteed. If you have reason to believe that your interaction with us is no longer secure (for example, if you believe that the security of an account you have with us has been compromised), please notify us immediately by contacting us using the contact information above.

12 – Third-Party Sites

The Onepoint website may contain links to other websites operated by third parties. Please note that this Privacy Policy applies only to personal data collected by onepoint. We are not responsible for any personal data that third parties may collect, store and use on their own websites. We recommend that you carefully read the privacy policy of each website you visit.

In addition, the Onepoint Group is not responsible for hypertext links to its own site, which third-party websites may include even if the onepoint Group has authorized the third-party publisher of the said third-party site to place such a link.

13 – Changes to this Privacy Policy

Onepoint is free to modify this Privacy Policy periodically to reflect the evolution of our practices in this area. When we modify this Privacy Policy, we also change the “Last Updated” date at the top of the first page. We encourage you to periodically review this Privacy Policy to be updated on how onepoint protects your data.

14 – Specific application of this Privacy Policy in USA and Canada

This Privacy Policy has a global outreach covering the activities of onepoint worldwide.  In case of some discrepancies of applicable Privacy legislation with EU GDPR for certain territories some exemptions are applied on the global Onepoint Privacy Policy.

For example, US and Canada Privacy Acts provides no obligations on the following:

  • implement the Records of Processing Activities;
  • proceed with Data Protection Impact Assessment for risk analysis;
  • exercice the extensive list of rights provided by GDPR.