PERSONAL DATA PROTECTION PRIVACY
The purpose of this document is to present the technical and organizational measures put in place by COMMANDERS ACT to ensure the protection of personal data and compliance with the legal and regulatory requirements applicable to the protection of personal data and the rights of individuals.
- Account: Refers to the account of the Data Controller, accessible on the Platform, allowing a User to use the Services.
- Agreement: Refers to the contract or terms and conditions accepted by the Data Controller to benefit from the provision of the Services.
- Data Controller: Refers to any client of COMMANDERS ACT who has subscribed to the Services.
- Hosting Providers: Refers to the subcontractors of COMMANDERS ACT in charge of hosting the Platform.
- IT Policy: Refers to the document applicable to each User concerning the rules of access and use of the Platform.
- Personal Data: Refers to any information relating to an identified or identifiable individual. An “identifiable individual” is a person who can be identified, directly or indirectly, in particular by reference to an ID, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to that person's physical, physiological, genetic, psychic, economic, cultural or social identity.
- Platform: Refers to all IT and / or telecommunications equipment used by COMMANDERS ACT for the provision of the Services, the provision of the Solution and the storage of Personal Data. Hosting of the Platform is outsourced to Hosting Providers.
- Regulation: Refers to all legal and regulatory texts applicable in France and in the European Union regarding the protection of Personal Data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, applicable from May 25, 2018.
- Services: Refers to the Services provided by COMMANDERS ACT and involving the hosting of Personal Data. The Services involved are Data Privacy, Tag Commander, Data Commander, Fuse Commander and Mix Commander.
- User: Refers to anyone with access to the Platform via a username and password.
3. SECURITY OF PROCESSING
Each User must authenticate himself on the Platform by means of:
- A login composed of a personal email address,
- A personal and confidential password to access the Account.
The password of the User is composed of at least ten characters, among which must appear at least four different types of characters (uppercase letters, lowercase letters, numbers and special characters), in accordance with the recommendations of the French Data Protection Authority. This authentication device ensures traceability and access to Personal Data under conditions of security and confidentiality in accordance with the provisions of the Regulation and applicable recommendations of the French Data Protection Authority.
Each User has personally committed, within the framework of the IT Policy, to take any useful measure to ensure the complete confidentiality of his password and has undertaken not to communicate, assign or make available, to a third party his password and his ID.
A technical device encourages the User to change his password regularly, every 3 months, in accordance with the recommendations of the French Data Protection Authority.
A technical device protects authentication against attacks that consist of programmatically testing all possible password combinations.
In the event of any suspicion of use by an unauthorized third party of its authentication elements, the User may change his password immediately.
COMMANDERS ACT undertakes to notify the Data Controller of any breach of the password of a User assigned to his Account within a period not exceeding 72 hours from the date of the finding of the breach.
In this case, the password of the User will be modified at the next login to the Account.
The Personal Data processed within the framework of the Services are subject to a pseudonymisation procedure, which consists of replacing the information relating to the Personal Data with an encrypted value.
COMMANDERS ACT points out that:
- Pseudonymisation is a security measure that, unlike anonymization, is not irreversible,
- Each individual concerned is therefore always likely to be identified indirectly by the Data Controller.
Personal Data processed as part of the Services is encrypted using AES-256 in CTR mode with a random initialization vector.
3.4. OTHER SECURITY DEVICES
COMMANDERS ACT implements the following additional security measures to protect Personal Data collected and processed as part of the Services:
- HTTPS connection,
- An Account lockout system in the event of 20 unsuccessful login attempts within 1 minute,
- Traceability of connection sessions,
- Management of a matrix regarding access rights to the Platform.
3.5. SECURED HOSTING
COMMANDERS ACT outsources the hosting of the Platform and Personal Data to ISO / IEC 27001 certified Hosting Providers.
The hosting of the Platform is strictly partitioned from other hosting platforms by setting up:
- a VPN connection between the Platform and the users’ workstations,
- a latest-generation firewall,
- rigorous filtering rules on incoming and outgoing traffic,
- active monitoring of telecommunication equipment.
4. DURATION FOR PERSONAL DATA STORAGE
Personal Data collected and processed within the framework of the Services subscribed by the Data Controller is kept for the duration of the contractual relationship between the Data Controller and COMMANDERS ACT related to each Service concerned.
In case of termination of a Service or termination of any contractual relationship, for any reason whatsoever, Personal Data are returned to the Data Controller and then deleted from the Platform irreversibly within a maximum period of 90 days.
5.1. GENERAL TRACEABILITY DEVICE
As part of all of its Services, COMMANDERS ACT implements the following traceability system:
- Any action to change the settings in the COMMANDERS ACT Service is logged. These logs are time stamped and identify the User behind these changes.
- These logs are accessible in the interface for the Service Tag Commander and on request for the other Services.
5.2. DEVICE FOR TRACEABILITY OF CONSENT FOR DATA PRIVACY SERVICE
As part of the Data Privacy Service, COMMANDERS ACT ensures the traceability of the consent given by each person to the Data Controller in order to guarantee the evidence of such consent.
This traceability makes it possible to know the date and the time of the consent and any possible removal of this consent via the Data Privacy Service.
This traceability is performed as follows:
- Collection of the consent sent by the Data Privacy Service
- Storage of this consent in a database. The stored data are:
  - COMMANDERS ACT ID
  - Selected categories
The proof of the consent of each person is kept in the conditions referred to in the article “Duration for Personal Data Storage”.
The Data Controller is informed that, when ordering the Services, the hosting of the Platform and Personal Data is subcontracted to:
- The Oxalide company for server outsourcing, 25 Boulevard de Strasbourg, 75010 Paris
- The Equinix company in two data centers located at 114 Rue Ambroise Croizat, 93200 Saint-Denis
COMMANDERS ACT has entered into a hosting services agreement with these Hosting Providers. The terms of this document are appended to that agreement and have been expressly accepted by each of its Hosting Providers.
COMMANDERS ACT informs that under this hosting services agreement:
- A notification procedure has been implemented to deal with requests from the Data Controller and data subjects concerning Personal Data,
- An audit procedure has been implemented to allow COMMANDERS ACT to provide information relating to the protection of Personal Data, in case of request from a local Data Protection Authority (such as the CNIL) or the Data Controller.
In accordance with the Regulation, COMMANDERS ACT undertakes to inform the Data Controller of any changes regarding the addition or replacement of the Hosting Providers and any other subcontractors.
7. Customers using our tracking solutions
Aéroport de Lyon
AGOS DUCATO S.P.A
AIR FRANCE DBBL
Alviero Martini S.P.A
AXA GROUP SOLUTIONS SAS
BNP PARIBAS REAL ESTATE
Caisse Fédérale de Crédit Mutuel
CREAM DELLA CREAM SWITZERLAND
Crédit Industriel et commercial (CIC)
Crédit Mutuel Nord Europe
CROIX ROUGE FRANCAISE
CTS EVENTIM AG & Co.KgaA
CWT DISTRIBUTION – HAVAS VOYAGES
Decathlon Italia S.r.l.
DECATHLON SPORTSPEZIALVERTRIEBS GMBH
DIGITAL LOLA COMMERCE, S.A.U.
ECOMMERCE OUTSOURCING SRL (TERASHOP)
EMPIRIK – Trigano
ENGIE – Entreprises et Collectivités
ENGIE ITALIA S.p.A
EURO DISNEY ASSOCIES SCA
Europ Assistance France
EUROPCAR INTERNATIONAL SASU
Fédération Française de Tennis
GAME ON LINE
GIE AG2R REUNICA
GIE Aviva France
GIE BNP PARIBAS CARDIF
GIE McDONALD’S FORCE
Groupe Carrefour – CSI SAS
HANES FRANCE SAS
KAUFMAN ET BROAD EUROPE
KLM account Payable , SPL/AP
La Banque Postale
La Française Finance Services
La Redoute Belgique
LABORATOIRE DE DERMOSCOMETIQUE ACTIVE DR PIERRE RICAUD
LEADING LUXURY GROUP SRL
MEDIASET PREMIUM SPA
MIROGLIO FASHION SRL
Monte Carlo Société des bains de mer
NATURE & decouvertes
Pages Jaunes Solutions numériques et média Limitée
RIUSA II SA
SAS PLAN B
Sebdo le point
SUSHI SHOP MANAGEMENT
TICKET FOR THE MOON
UNIGRO / SAINT BRICE SA
UNIVERSAL MUSIC France
Yoox Net-A-Porter Group
Yves Rocher France