Personal data protection policy — Cynoia

Last update: November 1st, 2023

Version 1.0

This policy shall be reviewed annually or whenever changes in our data processing occur.

1. Scope and definitions:

1.1. Scope:

This Personal Data Protection Policy (the “Policy”) describes Cynoia SAS internal rules for personal data processing and protection. The Policy applies to all Cynoia SAS group entities, including Cynoia SAS and all other subsidiaries of the group, and to the employees and contractors of those entities (“we”, “us”, “our”, “Cynoia”). The management of each entity is ultimately responsible for the implementation of this Policy and for ensuring that adequate and effective procedures are in place at entity level for its implementation and for ongoing monitoring of adherence to it. For the purposes of this Policy, employees and contractors are jointly referred to as the “employees”.

1.2. Privacy manager:

The Privacy Manager is an employee of Cynoia responsible for personal data protection compliance within Cynoia (the “Privacy Manager”). The Privacy Manager is in charge of performing the obligations imposed by this Policy and supervising the other employees who are subject to this Policy with regard to their adherence to it. The Privacy Manager must be involved in all projects at an early stage so that personal data protection aspects are taken into account as early as the planning phase.

The designated Privacy Manager at Cynoia SAS is Ayoub RABEH.

1.3. Definitions:

1.3.1. Competent Supervisory Authority:

Means a public authority that is responsible for regulating and supervising personal data protection with regard to the activities of Cynoia.

1.3.2. Data Breach:

Means a breach of security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. This includes, but is not limited to, e-mails sent to an incorrect or disclosed list of recipients, unlawful publication of Personal Data, loss or theft of physical records, and unauthorized access to personal information.

1.3.3. Data Controller:

Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines (i.e., decides) the purposes and means of the processing of Personal Data.

1.3.4. Data Processor:

Means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the data controller.

1.3.5. Data Protection Laws:

Means any laws and legal rules on personal data use and protection applicable to the activities of Cynoia, including, but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

1.3.6. Data Subject Request (DSR):

Means any request from a Data Subject concerning their Personal Data and/or their data subject rights.

1.3.7. Data Subject:

Means a natural person whose Personal Data we process. Data Subjects include, but are not limited to, users, website visitors, employees, contractors, and partners of Cynoia.

1.3.8. Personal Data:

Means any information relating to an identified or identifiable Data Subject; a Data Subject can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.

1.3.9. Processing:

Means any operation or set of operations which is performed by Cynoia on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3.10. Standard Contractual Clauses:

Means the European Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU).

1.3.11. Third Party:

Means a natural or legal person that accesses the Personal Data for further processing and is not an employee, member or corporate affiliate of Cynoia. This definition does not apply to natural persons who provide services to Cynoia as contractors on a regular basis.

1.3.12. User:

Means a Data Subject who uses the services provided on the Cynoia website.

2. Data Processing Principles:

2.1.

Cynoia’s processing activities must be in line with the principles specified in this Section. The Privacy Manager must make sure that Cynoia’s compliance documentation, as well as data processing activities, are compliant with the data protection principles.

2.2.

We must process the Personal Data in accordance with the following principles:

2.2.1.

Lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency). We shall always have a legal ground for the processing (described in Section 3 of this Policy), collect only the amount of data adequate to the purpose and legal ground, and make sure the Data Subjects are aware of the processing;

2.2.2.

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation). We must not process Personal Data for purposes not specified in our compliance documentation without obtaining the specific approval of the Privacy Manager;

2.2.3.

Adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization). We always make sure the data we collect is not excessive and is limited to what is strictly necessary;

2.2.4.

Accurate and, where necessary, kept up to date (accuracy). We endeavor to delete inaccurate or false data about Data Subjects and to keep the data updated. Data Subjects can ask us to correct their Personal Data;

2.2.5.

Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (storage period limitation). The storage periods must be limited as prescribed by Data Protection Laws and this Policy;

2.2.6.

Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (confidentiality, integrity, and availability).

2.3. Accountability:

2.3.1.

We shall be able to demonstrate our compliance with Data Protection Laws (accountability principle). In particular, we must maintain and document all relevant procedures, efforts, and internal and external consultations on personal data protection, including:

  • the fact of appointing a person responsible for Cynoia’s data protection compliance;

  • where necessary, a record of a Data Processing Impact Assessment;

  • developed and implemented notices, policies, and procedures, such as Privacy Notice, this policy or Data Breach response procedure;

  • the fact of staff training on compliance with Data Protection laws;

  • assessment, implementation, and testing of organizational and technical data protection measures.

2.3.2.

The Privacy Manager must maintain Cynoia’s Records of processing activities, an accountability document that describes the personal data processing activities of Cynoia, prepared in accordance with Art. 30 of the GDPR (the “Records of processing activities”). The Records of processing activities must contain, at least, the following information about each processing activity:

  • contact details of Cynoia, the EU Representative, and, where applicable, of the Data Protection Officer;

  • name of the activity, its purposes and legal basis along with, where applicable, the legitimate interests of Cynoia;

  • data subjects and personal data categories concerned;

  • data retention periods;

  • general description of applicable security measures;

  • recipients, including joint controllers, processors, and contractors involved, as well as the fact of the international data transfer with the safeguards applied to the transfer;

  • where applicable, a reference to the Data Processing Impact Assessment;

  • where applicable, a reference to the record of any data breach that occurred involving the personal data;

  • if Cynoia acts as a data processor, the information to be provided includes the names and contact details of the controllers, the name and contact details of the controller's representative (if applicable), the categories of processing (activities), the names of third countries or international organizations to which personal data are transferred (if applicable), the safeguards for exceptional transfers of personal data to third countries or international organizations (if applicable), and a general description of the technical and organizational security measures.

3. Access to personal data. Legal grounds and purposes:

3.1. Legal grounds:

3.1.1.

Each processing activity must rest on one of the lawful grounds specified in this Section. If none of the described grounds applies, we cannot collect or further process the Personal Data.

3.1.2.

If Cynoia intends to use personal data for purposes other than those specified in the Records of processing activities, the Privacy Manager must evaluate, determine, and, if necessary, collect/record the appropriate legal basis for it.

3.1.3.

Performance of the contract. Where Cynoia has a contract with the Data Subject, e.g. the website’s Terms of Use or an employment contract, and the contract requires the provision of personal data by the Data Subject, the applicable legal ground will be the performance of the contract.

3.1.4.

Consent. To process personal data on the basis of consent, we must obtain the consent before the Processing and keep evidence of the consent together with the records of the Data Subject’s Personal Data. The Privacy Manager must make sure that the consent collected from Data Subjects meets the requirements of Data Protection Laws and this Policy. In particular, the Privacy Manager must make sure that:

  • the Data Subject is free to give or refuse consent;

  • the consent takes the form of an active indication from the Data Subject, i.e., the consent checkbox must not be pre-ticked for the user;

  • the request for consent clearly articulates the purposes of the processing, and the other information specified in Subsection 6.2 is available to the Data Subject;

  • the Data Subject is free to give consent and to revoke it.

3.1.5.

Legitimate interests. We have the right to use personal data in our ‘legitimate interests’. These interests can include purposes that are justified by the nature of our business activities, such as the marketing analysis of personal data. For Cynoia to use legitimate interests as a legal ground for the processing, the Privacy Manager must make sure that:

  • the legitimate interest in the processing is clearly defined and recorded in the Records of processing activities;

  • any envisaged risks to Data Subject rights and interests are identified. Examples of such risks can be found in Subsection 7.2;

  • the Data Subjects have reasonable expectations about the processing, and additional protective measures to address the risks are taken;

  • subject to the conditions of Subsection 6.7 (Right to object against the processing), the Data Subject is provided with the opportunity to opt out of the processing for the described legitimate interests.

If at least one of the above conditions is not met by Cynoia, the Privacy Manager must choose and propose a different legal ground for the processing, such as consent.

3.1.6.

Legal Compliance and Public Interest. Besides the grounds specified above, we might be required by the laws of the European Union or the laws of an EU Member State to process the Personal Data of our Users. For example, we can be required to collect, analyze, and monitor information about Users to comply with financial or labor laws.

Whenever we have such an obligation, we must make sure that:

  • we process personal data strictly in accordance with relevant legal requirements;

  • we do not use or store the collected Personal Data for other purposes than legal compliance;

  • the Data Subjects are properly and timely informed about our obligations, scope, and conditions of personal data processing.

Important: Where Cynoia is required by the laws of another country to process personal data, the Privacy Manager must propose using another legal ground for the processing under Data Protection Laws, such as legitimate interests or consent.

3.2. Access to personal data:

3.2.1.

The employees must have access to personal data on a “need-to-know” basis. The data can be accessed only if it is strictly necessary to perform one of the activities specified in the Records of processing activities. The employees and contractors shall have access to the Personal Data only if they have been granted the necessary credentials for it.

3.2.2.

Heads of the departments within Cynoia are responsible for their employees’ access and processing of personal data. The heads must maintain the list of employees that are entitled to access and process personal data. The Privacy Manager shall have the right to review the list and, where necessary, request the amendments to meet the requirements of this Policy.

3.2.3.

Heads of the departments within Cynoia must ensure that the employees under their supervision are aware of the Data Protection Laws and comply with the rules set in this Policy. To make sure our employees are able to comply with the data protection requirements, we must provide them with adequate data protection training.

3.2.4.

All employees accessing personal data shall keep strict confidentiality regarding the data they access. The employees that access personal data must use only those means (software, premises, etc.) for the processing that were prescribed by Cynoia. The data must not be disclosed or otherwise made available outside the management’s instructions.

3.2.5.

The employees within their competence must assist Cynoia’s representatives, including the Privacy Manager, in any efforts regarding compliance with Data Protection Laws and/or this Policy.

3.2.6.

When an employee detects or suspects suspicious activity, a data breach, non-compliance with Data Protection Laws and/or this Policy, or a DSR that was not routed to the competent department within Cynoia, the employee must report it to the Privacy Manager.

3.2.7.

Employees that are unsure about whether they can legitimately process or disclose Personal Data must seek advice from the Privacy Manager before taking any action.

3.2.8.

Any occasional access to personal data for activities not specified in the Records of processing activities is prohibited. If there is a strict necessity for immediate access, the Privacy Manager must approve the access first.

4. Third Parties:

4.1.

Before sharing personal data with any person outside of Cynoia, the Privacy Manager must ensure that this Third Party has an adequate data protection level and provides sufficient data protection guarantees in accordance with Data Protection Laws, including, but not limited to, the processorship requirements (Art. 28 of the GDPR) and international transfers compliance (Section 5 of the GDPR). Where necessary, the Privacy Manager must make sure that Cynoia enters into an appropriate data protection contract with the Third Party.

4.2.

An employee can share personal data with Third Parties only if, and to the extent that, this was directly prescribed by the manager and is specified in the Records of processing activities.

4.3.

If we are required to delete, change, or stop the processing of the Personal Data, we must ensure that the Third Parties, with whom we shared the Personal Data, will fulfill these obligations accordingly.

4.4.

Whenever Cynoia is engaged as a data processor on behalf of another entity, the Privacy Manager must make sure Cynoia complies with its processorship obligations. In particular, an appropriate data processing agreement in accordance with the Data Protection Laws must be in place. The Privacy Manager must supervise compliance with the data processing instructions from the controller, including regarding the scope of processing activities, the involvement of sub-processors, international transfers, storage, and further disposal of the processed personal data. Personal data processed in the processor role must not be processed for any purposes other than those specified in the relevant instructions, agreement or other legal act regulating the relationship with the controller.

5. International Transfers:

5.1.

If we have employees, contractors, corporate affiliates, or Data Processors outside of the EEA, and we transfer Personal Data to them for processing, the Privacy Manager must make sure Cynoia takes all necessary and appropriate safeguards in accordance with Data Protection Laws.

5.2.

The Privacy Manager must assess the safeguards available and propose to Cynoia’s management the appropriate safeguard for each international transfer. The following regimes apply to the transfers of Personal Data outside of the EU:

  • where the European Commission has decided that a country has an adequate level of personal data protection, the transfer does not require additional safeguards. The full list of adequate jurisdictions can be found on the relevant page of the European Commission’s website;

  • to transfer Personal Data to our contractors or partners (Data Processors or Controllers) in other third countries, we must conclude Standard Contractual Clauses with that party. The draft version along with the guidance can be found on the relevant page of the European Commission’s website;

  • if we have a corporate affiliate or an entity in other countries, we may choose to adopt Binding Corporate Rules in accordance with Article 47 of the GDPR or an approved code of conduct pursuant to Article 40 of the GDPR;

  • we can also transfer Personal Data to entities that hold an approved certification in accordance with Article 42 of the GDPR, which certifies an appropriate level of the company’s data protection.

5.3.

As part of its information obligations, Cynoia must inform the Data Subjects that their Personal Data is being transferred to other countries and provide them with information about the safeguards used for the transfer. The information obligation is to be performed in accordance with Subsection 6.2.

5.4.

In exceptional cases (the “Derogation”), where we cannot apply the safeguards mentioned above and we need to transfer Personal Data, we must obtain explicit consent (an active statement) from the Data Subject, or the transfer must be strictly necessary for the performance of the contract between us and the Data Subject, or other derogation conditions must apply in accordance with the Data Protection Laws. The Privacy Manager must pre-approve any Derogation transfers and document the approved Derogations, as well as the rationale for them.

© 2024 Cynoia. All Rights Reserved