Privacy policy & cookies

This page describes how Cegid processes the personal data collected from data subjects (clients, leads, etc.).

If you have any questions regarding this policy, please contact [email protected]

Privacy policy

Last updated: January 2023

1. Introduction

The aim of this privacy policy is to introduce the rules related to the protection of personal data that Cegid Group (hereinafter “Cegid”) agrees to respect as data controller and data processor, for all personal data covered by this policy. These rules were drafted pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter “GDPR”) on the protection of individuals with regards to processing of personal data and on the free movement of such data, and repealing Directive 95/46/CE.

This document is subject to change where necessary in order to implement the obligations imposed by personal data protection legislation. We encourage you to periodically review this privacy policy on our dedicated page: https://www.cegid.com/global/privacy-policy/

The concepts related to personal data protection used in this document have the meaning given in the GDPR, notably in accordance with article 4 of the GDPR.

 

2. General principles on personal data protection

When Cegid acts as a data controller

Pursuant to article 5 of the GDPR, Cegid ensures that personal data are:

  • processed lawfully, fairly and in a transparent manner
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary for the purposes for which the data are processed
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

When Cegid acts as a data processor

Pursuant to article 28 of the GDPR, Cegid ensures that:

  • the purposes of the processing are described in the contract signed between Cegid and the client
  • the client’s personal data are processed solely for the purpose for which they were originally collected based on their instructions, in accordance with the terms of the contract
  • the deletion of personal data is carried out at the end the of contractual relationship and under the conditions laid down in the contract, unless the applicable law requires the preservation of personal data.

 

3. Purpose and legal basis of personal data processing

When Cegid acts as data controller

For internal needs, Cegid collects personal data for purposes such as:

  • management of customer contacts and leads (sending marketing, product or Group information, satisfying customers and leads, producing statistics, etc.)
  • management of commercial contracts (fulfilling orders, billing, debt recovery, etc.)
  • management of Cegid’s staff, recruitment and careers (evaluating and contacting candidates, etc.)
  • creation and administration of user accounts
  • development and management of services to which the client has subscribed (recording calls to the helpdesk, etc.).

Depending on these different purposes, Cegid ensures that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract
  • processing is necessary for compliance with a legal obligation to which Cegid is subject
  • processing is necessary for the purposes of the legitimate interests pursued by Cegid, except where such interests are overridden by the interests, fundamental rights and freedoms of the data subject.

When Cegid acts as data processor

Cegid may need to access and process personal data provided by its clients in order to provide offerings and services to which the customer subscribes.

This access and processing are governed by a contract containing specific clauses for data protection signed between Cegid and the client.

Cegid processes personal data only on behalf of the client based on their documented instructions, in accordance with the provisions of the contract.

 

4. Security and notification of personal data breaches

Cegid has taken technical and organisational measures to ensure a level of security appropriate to the risks.

Cegid’s Information Security Management System is certified ISO 27001 for the following scope: “Application hosting services in a Cloud environment, containing data provided by the clients”.

This certification ensures that a certified security policy is applied to Cegid’s processes and workflow throughout the duration of the SaaS service provided to the client.

More generally, all employees of Cegid are subject to an IT security charter appended to the internal policy to ensure an appropriate level of security.

Pursuant to articles 33 and 34 of the GDPR, personal data breaches shall be notified:

  • to the French supervisory authority (CNIL) and, if necessary, to data subjects affected by the breach, when Cegid acts as a data controller
  • to its clients affected by the breach in accordance with the contract signed between Cegid and its clients, when Cegid acts as a data processor

 

5. Data subject’s rights

When Cegid acts as a data controller

Under the conditions set forth in articles 15 and 22 of the GDPR, data subjects have the right to:

  • access their personal data processed by Cegid
  • request the rectification, erasure or restriction of processing of personal data carried out by Cegid
  • in certain circumstances, object to the processing of their personal data
  • request the portability of personal data
  • withdraw their consent when it is the legal basis of the processing
  • give instructions regarding the handling of their personal data after their death (pursuant to Law no. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties).

All requests related to these rights may be made by filling out the form available on the following page: https://www.cegid.com/global/privacy-policy/

Cegid reserves the right to ask for clarifications in relation to any request and to verify the identity of the requester.

An “Unsubscribe” link is also available in our marketing emails.

In any event, Cegid recommends contacting the CNIL for more information about data protection regulations, the rights of data subjects and the possibility of lodging a complaint with this authority: https://www.cnil.fr/

When Cegid acts as data processor

In the event Cegid receives a request from a data subject whose data is processed in the course of performing the contract between Cegid and the client, Cegid will communicate this request to the client at the earliest opportunity upon its receipt and, taking into account the nature of the processing and the terms of the contract, will take appropriate technical and organisational measures to assist the client with fulfilling its obligation to respond to these requests, insofar as this is possible.

The client remains nevertheless responsible for replying to the data subject concerned.

 

6. Information to be given to the data subject

When Cegid acts as a data controller

When collecting personal data, Cegid undertakes to provide data subjects with at least the following information, to the extent possible and regardless of the processing carried out:

  • the contact information of the controller and its Data Protection Officer
  • the purposes of the processing and its legal basis
  • the recipients
  • transfers of data outside the EU, if applicable
  • the length of time the data will be kept
  • the possibility to request the exercise of any available rights pursuant to the applicable regulations
  • the right to submit a complaint with the supervisory authority

Cegid may also receive personal data (name, company, phone, email address) from external sources such as lead providers.

Such data is used only to:

  • update, develop and analyse its client/lead database
  • generate leads
  • provide information relating to the appropriate Cegid products and services.

When Cegid acts as data processor

Pursuant to article 13 of the GDPR, the controller has the responsibility to inform data subjects.
In accordance with the terms of the contract, Cegid provides clients acting as data controllers with any information that might help them enforce article 13 of the GDPR.

 

7. Transfers outside the European Union

Personal data may be processed outside European Union. As a consequence, pursuant to data protection legislation, Cegid cannot transfer personal data, without implementing the appropriate safeguards according to article 46 of the GDPR, outside:

  • the European Union, or
  • the European Economic Area, or
  • countries recognised by the European Commission as having an adequate level of security.

 

8. Data recipients

Cegid may share personal data with third parties solely under the conditions of this document and/or the applicable contract.

Services provider

Cegid may share personal data with third parties who provide services, including:

  • on Cegid’s behalf, as part of the performance of the client contract (hosting, consulting, subcontracting, etc.) and in accordance with its terms
  • to help Cegid fulfil the financial and administrative conditions of the contract (debt recovery, invoicing, etc.)
  • to send marketing communications on behalf of Cegid.

Commercial or distributor Cegid partners

Cegid has developed a network of partners (distributors, publishers, etc.) for several of its offerings in order to help it deliver and develop its products.

Depending on which product is or may be of interest to the contact, Cegid may need to share this contact’s information with an appropriate partner.

Subsidiaries of Cegid Group

Cegid may share personal data with the subsidiaries of Cegid Group for the purposes that are described in this privacy policy, if necessary for its implementation (signing a contract, applying for a position in a subsidiary outside France, etc.).

Public authorities

In certain situations, Cegid may be required to disclose personal data in response to a request by a public authority, a subpoena, or any other lawful request pursuant to the applicable legislation.
In such cases, Cegid will disclose the necessary data, particularly when it believes in good faith that disclosure is necessary to protect your rights, ensure your safety or the safety of others, investigate fraud, or meet a legal requirement.

For more information about the recipients, please contact [email protected]

 

9. Cooperation of Cegid with its clients and with the supervisory authority

In accordance with article 28 of the GDPR and its contractual commitments, Cegid undertakes to reasonably cooperate with its clients in order to help them meet their obligations pursuant to articles 32 to 36 of the GDPR.

More generally, Cegid agrees to cooperate with the French supervisory authority (CNIL) where necessary and to reasonably consider its recommendations.

 

10. Privacy by design regarding products and services

If Cegid plans to develop a new service or offering, Cegid, in its capacity as a software publisher, will make every effort to introduce “privacy by design” principles from the beginning of the project, thereby helping its clients comply with the applicable regulations using specific features and resources.

 

11. Cegid staff awareness

All new Cegid employees must take an awareness training concerning personal data protection.

More generally, Cegid will make every effort to offer its employees regular awareness training regarding personal data protection.

Awareness training or more specific trainings may be conducted for employees working on a regular basis with personal data.

 

12. Governance of personal data protection

To manage personal data protection, Cegid has a dedicated governance structure in place.

A Data Protection Officer (DPO) has been appointed to the CNIL to oversee this governance.

 

13. Records of processing activities

Pursuant to article 30 of the GDPR, Cegid maintains two records of personal data processing:

  • a record describing the processing carried out as data controller
  • a record describing the processing carried out on behalf of its clients acting as data controllers, based on their instructions

These records are made available to the CNIL upon request.

 

14. Contractual policy

Pursuant to article 28 of the GDPR, Cegid has incorporated the new mandatory contractual stipulations into all contracts concerned.

Accordingly, specific contractual clauses on data protection pursuant to the applicable regulations have been added to:

  • client contracts (GTC/GTU)
  • contracts between Cegid and its own data processors

 

15 Contact

If you have any inquiries regarding this privacy policy or wish to contact our Data Protection Officer, please send an email to the following address:[email protected]

Personal data collected as part of a commercial relationship with Cegid

In order to provide the required service and manage its commercial relationships, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: Surname, name, email address, telephone number, position and company name.

These personal data are processed by Cegid SAS to manage its commercial relationships and provide the required service or product. Unless prohibited by law, the personal data collected for these purposes are processed for at most five years after the end of the commercial relationship.

Cegid may disclose some of your data to third parties, including for the purposes of debt recovery or for commercial communications by a limited number of Cegid partners.
For more information about these partners, please contact [email protected].

Cegid or its partners may also send you commercial communications.
These promotions are sent based on our legitimate interest in sending you communications related to your business activities. You may unsubscribe at any time by clicking on the link available in all our communications.
The personal data collected for this purpose are processed for at most three years after the end of the commercial relationship or the last communication sent by the subject concerned.

You may also exercise your rights in accordance with this policy by filling out the “Data subject’s rights” form below.

Personal data collected through the forms provided on Cegid.com

Depending on the nature of the form, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), may collect the following personal data: Surname, name, email address, telephone number, position and company name.

These personal data are processed by Cegid SAS in order to respond to your request, manage its client/lead files and commercial communications, and produce statistics.

The personal data collected for this purpose are retained for at most three years after the last communication sent by the subject concerned.

Cegid SAS’s subsidiaries and partners may be the recipients of these personal data for the purposes described above. Partners may be distributors of Cegid products that are likely to be of interest to the contact.

Cegid SAS, its subsidiaries and its partners may transfer the data to third countries only if it is necessary for these purposes. In each case, Cegid implements the necessary safeguards to secure these transfers.
Commercial communications are sent based on our legitimate interest in sending you communications related to your business activities. You may unsubscribe at any time by clicking on the link available in all our communications.

You may also exercise your rights in accordance with this policy by filling out the “Data subject’s rights” form below.

Personal data collected in the course of providing Cegid SaaS services

In order to provide the required service, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: Surname, name, email address, telephone number, position, company name, usage data (log).

These personal data are processed in accordance with Cegid SAS’s legitimate interests, for the purposes of traceability and data security, as well as user account management, security, traceability and communications related to Cegid offerings.

The data are retained for as long as the service is used, with the exception of logs, which are retained for at most one year.

You may exercise your rights in accordance with this policy by filling out the “Data subject’s rights” form below.

When third-party products are contracted through one of Cegid’s offerings, the relevant commercial partners may process these same data. In this case, processing terms are defined by the relevant partner.

Personal data processed and/or collected within the context of helpdesk calls (”Customer Care”)

In the case of helpdesk calls (“Customer Care”), Cegid may listen to and/or record calls between the operator and the client for the purposes of:

  • Evaluating the quality of service provided by the operator to the client. In this case, recordings are retained for 6 months, while the analysis report may be retained for up to one year.;
  • Retaining evidence in the event of litigation. In this case, recordings are retained for 5 years.

In the event that your call will be recorded and listened to, a voice message will inform you in advance.
You may exercise your rights in accordance with this policy. More specifically:

  • If you would like to exercise your right to oppose any recording and/or listening in on your call, you can inform the operator. If you would like to exercise this right after the call, you can complete the “Data subject’s rights” form below on this page. Please be sure to specify your request.
  • For other rights, including access rights, you may submit a request by completing the “Data subject’s rights” form below. Please be sure to specify your request.

In each case, Cegid collects the following personal data for the purposes of tracking Customer Care requests: surname, first name, contact details (email address, telephone number), position.

After processing their request, a satisfaction survey may also be sent to the requester to evaluate the service provided, in furtherance of our legitimate interests.

Depending on the product and the countries in which this survey is provided, subsidiaries of Cegid SAS may be recipients of these data.

Cegid SAS, its subsidiaries and its partners may transfer these data to third countries only if it is necessary for these purposes.

You may also exercise your rights in accordance with this policy by filling out the “Data subject’s rights” form below.

Personal data processed in the context of intra-group relations with Talentsoft SA

Cegid SAS is a recipient of the personal data processed by its subsidiary Talentsoft SA. Then, Cegid SAS and Talentsoft SA process these data as joint controllers.

An arrangement has been signed between them in order to reflect their respective roles and relationships with data subjects.

In case of the merger (or any equivalent transaction), Cegid SAS will be regarded as the new processor of data initially processed by Talentsoft SA. De facto, the Cegid’s privacy policy will apply.

Cookies policy

The Web servers of Cegid Group websites automatically collect from the users of Cegid group sites (hereinafter referred to as “the sites”), the information relating to the use of the sites (as well as certain other information such as browser type and the operating system or IP addresses).
Cegid group websites may use cookies, small text files sent and stored on your computer that allow web servers to recognize users’ habits, facilitate their access to Cegid group sites, and allow the sites to compile global data that will improve the sites and their content.Cookies do not damage the computers or files. The cookies themselves cannot be used to discover the identity of the user.

The law states that we may only store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.

This site uses different types of cookies. Some cookies are placed by third-party services that appear on our pages.
At any time, you may change or withdraw your consent on our Privacy Policy page. www.cegid.com
Your consent applies to the following area: www.cegid.com

How to manage your cookies on your browser?

You have several options to delete the cookies.

Indeed, if most browsers are set by default and accept the installation of cookies, you have the option, if you wish, to choose to accept all the cookies, or reject them systematically or choose the ones you accept according to the issuer.
You can also set your browser to accept or refuse cookies on a case-by-case basis prior to their installation. You can also regularly delete cookies from your device via your browser.

For the management of cookies and your choices, the configuration of each browser is different. It is described in the help menu of your browser, which will allow you to know how to change your configuration on cookies.

However, if you set your browser to refuse the cookies or refuse the installation of a cookie, such deactivation could prevent the use of certain features of the Cegid group sites or prevent the access certain services, for which we cannot be held responsible.

We thank the users of the site to inform us of any omissions, errors, or corrections, by using our contact form.

Data subject’s rights

In accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (« GDPR »), you have the right of access, rectification, data portability, restriction of processing, object and to erasure (“right to be forgotten”) concerning your personal data processing by Cegid.

To exercise your right, please complete the following form.

To lodge a complaint, please visit the website of your national supervisory authority