GDPR – Hiventy Group Personal Data Protection Policy

Purpose of the Personal Data Protection Policy

The HIVENTY group specializes in providing technical services for audiovisual, film and multimedia companies. In the normal course of its business, Hiventy may collect certain necessary personal data.
To ensure transparency, Hiventy has adopted a Personal Data Protection Policy regarding the personal data it collects, in accordance with Regulation (EU) 2016/679 of April 27, 2016 and French Act no. 78-17 of January 6, 1978 on Data Processing, Data Files and Individual Liberties.

This Personal Data Protection Policy applies to the following:

– Current and prospective Hiventy clients
– Hiventy service providers and suppliers
– Hiventy employees
– Hiventy job applicants
– Hiventy website visitors.

Definitions

To ensure proper understanding of the provisions of this Personal Data Protection Policy, the following definitions shall apply:

– “Processing” means any operation or organized set of operations which is performed on personal data, such as collection, structuring, storage, alteration, disclosure by transmission, etc.
– “Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identification number or to one or more factors specific to the identity of that natural person.
– “Non-personal data” means information that does not allow a person to be identified.
– “Data subject” means an identifiable natural person.
– “Controller” means the person or entity which determines the means of the processing of personal data.
– “Processor” means the person or entity which processes personal data on behalf of the controller, which entrusts it with certain tasks and ensures that it has the technical and organizational measures in place to process the personal data in accordance with the Regulation.
– “Recipient” means the person or entity to which personal data are disclosed.

Data controller commitments

As the controller of data processed in the normal course of its business, Hiventy shall:

– Use personal data only for specified, explicit and legitimate purposes compatible with its business.
– Follow the data minimization principle by only collecting and processing data as is strictly necessary.
– Not retain data beyond the time necessary to the purposes for which they were collected, taking into account the nature of the operations and any legal requirements.
– Not disclose or supply personal data to any third parties.
– Only entrust personal data to selected processors with appropriate technical and organizational measures to ensure the protection of the data entrusted to them.
– Define appropriate logistical, technical, organizational and legal data protection measures based on a risk analysis of the different applicable families of personal data processing used by Hiventy, its support services and processors to ensure the protection of personal data.
– Perform, whenever made necessary by the risks presented by data processing, an analysis of privacy and personal data protection impacts on data subjects in order to take the appropriate measures to mitigate such risks.

Insofar as possible, Hiventy and its processors shall design tools and systems that comply with the Regulation and protect the privacy of data subjects, by integrating compliance as early as the design and development stage.

Hiventy and its processors shall monitor any potential and exceptional breach of data privacy and take protective and corrective measures following such a breach by promptly informing the French National Commission for Data Protection and Liberties (CNIL) and data subjects, as needed.

All relevant employees and actors are aware or in the process of being made aware of the data protection principles contained in the Regulation, through regularly scheduled training tailored to their position and responsibilities. Employees have access only to the information necessary to carry out their duties. Access to sensitive data is limited to authorized persons.

Purpose

Hiventy uses personal data for the following main purposes:

– Performance of services in the course of its business
– Management of human resources and recruitment
– Management of external professional contacts
– Provision of online services to professionals (B2B) via web platforms
– Disclosure of information on the company’s business via social media
– Commercial solicitation of professionals and other natural persons, with their consent.

The above uses of personal data shall be necessary to the performance of a contract between a data subject and Hiventy or in order to pursue a legitimate interest such as meeting a legal obligation or informing professional contacts about Hiventy’s business, or in some cases may be based on the data subject’s explicit consent.

Designation of a Data Protection Officer

Hiventy has designated a Data Protection Officer (DPO) to ensure compliance with the Regulation and rules described in this Personal Data Protection Policy.

The Data Protection Officer shall:

– Establish and keep a register of processing operations performed upon personal data in the company and in each of the company’s legal entities in France
– Monitor compliance with the Regulation and subsequent amendments
– Inform all Hiventy employees of personal data protection requirements and best practices
– Ensure the effective exercise of data subjects’ rights.

The Data Protection Officer may be contacted by email at rpgd@hiventy.com.

Personal data retention period

Hiventy has determined specific rules concerning the personal data retention period in order to limit retention to only as long as strictly necessary. These rules depend on the type of application and legal retention periods. At the end of the determined period, as appropriate and in accordance with the applicable Regulation, personal data shall be deleted, irreversibly anonymized, or archived.

Transfer of data outside the European Union

As a matter of principle, Hiventy does not transfer personal data outside the European Union.

Security measures

Security measures are taken to protect data from destruction, loss, alteration, unauthorized disclosure of personal data that is transferred, retained or processed, and accidental or illicit unauthorized access to such data. To ensure the security of personal data, Hiventy and its processors shall implement the appropriate technical and organizational measures, in light of existing knowledge and the cost, nature, scope, context and purpose of the data processing in order to ensure a level of security commensurate with the risks.

In particular and whenever necessary, the following measures shall be implemented:

– Encryption of personal data
– Measures to ensure the continuous confidentiality, integrity, availability and resilience of processing systems and operations
– Measures to promptly restore the availability and accessing of personal data in the event of a physical or technical incident
– Procedures to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure data processing security.

To this end, Hiventy and its processors have developed suitable measures that comply with the highest industrial standards and norms to protect your personal data. All Hiventy websites and mobile applications are secured, including by Hypertext Transfer Protocol Secure (HTTPS) when necessary. Pages where your personal data are collected include additional heightened security measures.

Security breach notifications

Hiventy shall inform all companies affected by personal data security breaches affecting the privacy of data subjects within 48 hours.

Data subject rights and conflict resolution

Every data subject has the following rights:

– Right of access: The data subject may ask Hiventy directly if it possesses any of the subject’s personal data and may ask to be provided with a list of such data.
– Right of rectification: The data subject may request the rectification of inaccurate personal data. The right of rectification is an extension of the right of access.
– Right of erasure: The data subject may request the erasure of personal data for a reason provided in the Regulation.
– Right of restriction: The data subject may restrict processing of personal data for a reason provided in the Regulation.
– Right to data portability: The data subject may ask to receive the data provided to Hiventy or ask Hiventy to transfer them to another controller for a reason provided in the Regulation.
– To define advance directives for what to do with personal data after their death.

The data subject may also refuse, for legitimate reason, that his or her personal data be processed, disclosed, transferred, retained or hosted. For more information on the meaning of these rights, the CNIL has created a page to help you understand your rights (in French), at https://www.cnil.fr/fr/comprendre-vos-droits. To exercise his or her rights, the data subject may contact the Hiventy Data Protection Officer by email at rgpd@hiventy.com.

Pesonal Data Protection Policy effective date and revision

This Personal Data Protection Policy is effective as of January 2019.

This Personal Data Protection Policy may be amended. If the information in this policy changes, Hiventy shall amend the policy and inform data subjects before making any changes that could impact their personal data.