NOTICE REGARDING THE PROCESSING OF PERSONAL DATA BY THE COMPANY THE VENDOM COMPANY
DEFINITIONS
*General Data Protection Regulation (GDPR): It is a European regulatory text that establishes rules regarding the protection of individuals with regard to the processing of personal data and rules on the free movement of such data. It entered into force on May 25, 2018.
The GDPR protects the fundamental rights and freedoms of individuals, particularly their right to the protection of personal data.
*Personal data: It refers to "any information relating to an identified or identifiable natural person."
A person can be identified:
Directly (e.g., name, first name);
Indirectly (e.g., through an identifier (customer number), a telephone number, biometric data, several specific elements related to their physical, physiological, genetic, psychological, economic, cultural, or social identity, as well as their voice or image).
The identification of a natural person can be carried out:
Based on a single piece of data (e.g., social security number, DNA);
Based on the cross-referencing of a set of data (e.g., a woman living at a certain address, born on a specific day, subscribed to a particular magazine, and being a member of a certain association).
*Processing of personal data: It refers to an operation or set of operations carried out on personal data, regardless of the method used (collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, communication by transmission, dissemination, or any other form of making available, alignment).
Processing of personal data is not necessarily computerized: paper files are also covered and must be protected under the same conditions.
Processing of data must have a purpose, an objective, which means that you cannot collect or process personal data simply on the off chance that it might be useful to you someday. Each processing of data must have a purpose, which must be legal and legitimate in relation to your professional activity.
PREAMBLE
The company THE VENDOM COMPANY processes a significant amount of personal data on a daily basis as part of its business management, particularly through its websites www.thevendomcompany.com and www.vendomtalents.com.
In this context, THE VENDOM COMPANY is considered a "Data Controller" within the meaning of Article 4 of the GDPR. As such, it is subject to various obligations regarding the processing of personal data (Article 5 GDPR).
Furthermore, the GDPR requires it to inform individuals whose data is collected about the processing of their data (Articles 12, 13, 14, and 34 GDPR).
Therefore, the purpose of this information notice is to inform you about how the personal data you provide to THE VENDOM COMPANY is collected and processed.
1- WHAT DATA MAY BE COLLECTED?
1.1 THE VENDOM COMPANY collects the following personal data:
Identification data: your name, first name, gender, postal and email addresses, phone numbers, date and place of birth, nationality, social security number, professional contact details, photographs...
Data about your personal life/professional life;
Banking information...
1.2 What are the purposes of processing your personal data?
Regarding candidates: recruitment management and the creation of a CV database;
Regarding partners: management of business activities;
Regarding website visitors: website management, sending newsletters...
1.3 On what legal basis?
The GDPR allows THE VENDOM COMPANY to collect your personal data when:
(i) This processing is necessary to fulfill its legal obligations as a partner, recruiter;
(ii) You consent to the processing of this data.
1.4 Who can access your data?
Internally:
The recruitment team of THE VENDOM COMPANY.
Externally:
Partners of THE VENDOM COMPANY;
For candidates, any companies whose contact information is available on the following link: https://www.vendomtalents.com/fr/entreprises
1.5 Where are your data hosted?
Your data is stored and hosted on the servers of TROA, our hosting provider located at 18 rue Marceau, 34000 Montpellier, France.
1.6 How long are your data retained?
Data related to candidates: for a maximum of two years after the candidate's application is rejected. Alternatively, this data may be subject to intermediate archiving to comply with a legal obligation or administrative interest;
Data regarding partners: for three years from the end of the business relationship.
2- WHAT ARE YOUR RIGHTS?
You have the following rights, which you can exercise by contacting the Data Protection Officer (DPO) of THE VENDOM COMPANY, whose email address is: stephane.lefort@thevendomcompany.com.
2.1 Right of access to your data (Article 15 of the GDPR)
You can request to know if THE VENDOM COMPANY processes personal data about you and the details of their processing.
2.2 Right to rectification of data (Article 16 of the GDPR)
You have the right to request that THE VENDOM COMPANY correct your data when it is incorrect and/or incomplete. This right also includes the right to complete the data through additional statements or notifications.
2.3 Right to erasure of data (Article 17 of the GDPR)
You have the right to request the deletion of your personal data, for example when:
This personal data is no longer necessary for the purposes of processing;
You have revoked your consent to the processing of your data (does not apply in the presence of another legal provision authorizing the data processing);
You have objected to the processing of data based on "legitimate interests" (erasure should not occur if there are overriding legitimate grounds for the processing);
Your data has been processed unlawfully.
This right to erasure of personal data does not apply when the processing of personal data is necessary to comply with a legal obligation.
2.4 Right to restriction of data processing (Article 18 of the GDPR)
You have the right to request the restriction of the processing of your personal data in the following cases:
When you have contested the accuracy of your personal data, you can request that we do not use your data during the verification phase of accuracy;
In case of unlawful processing of data, instead of deletion of your data, you can demand the restriction of their use;
If you need your personal data to assert, exercise, or defend legal claims, and we no longer need the data, you can request us to restrict the processing solely for the purposes of exercising the right;
If you have objected to data processing, and it has not yet been determined whether our interests in processing outweigh yours, you can demand that your data not be used for other purposes during the examination period.
2.5 Right to data portability (Article 20 of the GDPR)
You have the right to request that we transmit the data you have provided to us in a structured, commonly used, and machine-readable format (for example, in PDF or Excel format).
You can also request that we transmit this data directly to another company (designated by you), to the extent technically feasible.
Reminder: This right does not apply to data collected and processed on a basis other than your consent or the performance of a contract.
If you exercise your right to data portability, you also have the right to erasure of the data in accordance with Article 17 of the GDPR.
2.6 Right to object (Article 21 of the GDPR)
If your data is processed for public interest tasks or legitimate interests, you have the right to object to their processing. To do so, you must inform us of the reasons for your objection, taking into account your specific situation. This may include specific family circumstances or interests that require protection.
In the case of objection, we must refrain from any further processing of your data for the purposes stated in section 4.1, unless:
There are compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or
The processing is necessary for the establishment, exercise, or defense of legal claims.
2.7 Prohibition of automated decisions (Article 22 of the GDPR)
Decisions we make that have legal effects on you or significantly affect you (e.g., the decision to select you or not for internal mobility) must not be based solely on automated processing of your personal data.
This prohibition does not apply if the automated decision:
Is necessary for the conclusion or performance of a contract with you;
Is authorized by law, subject to appropriate measures to safeguard your rights, freedoms, and legitimate interests; or
Is made with your explicit consent.
2.9 Defense of your rights
In case of a complaint, you can contact the competent supervisory authority at any time. For THE VENDOM COMPANY, the competent supervisory authority is the CNIL.
You also have the right to judicial remedies (Article 78 of the GDPR) against a supervisory authority. Similarly, you can seek judicial remedies (Article 79 of the GDPR) against THE VENDOM COMPANY.
3- WHAT ARE THE RIGHTS/RESPONSIBILITIES OF THE VENDOM COMPANY?
THE VENDOM COMPANY must allow you to access your personal data. To do so:
If necessary, it may verify the identity of the person making the request (principle: no identification document required unless there is reasonable doubt).
If necessary, it may inquire about the specific data the request pertains to.
It must verify that the request does not concern a third party (for example, it is not possible to request access to data regarding one's spouse; an employee of a company cannot obtain data relating to a colleague).
It must respond to your request within the following timeframes:
Maximum of 1 month for a simple request.
Maximum of 3 months for a complex request (e.g., if a person requests a copy of all their data).
Maximum of 8 days for health data.
Regardless of the situation, the person must be informed of the outcome within a maximum of one month.
In certain cases, THE VENDOM COMPANY may refuse to respond to access requests, but it must justify this decision.
THE VENDOM COMPANY is not obligated to respond to access requests if:
They are manifestly unfounded or excessive, particularly due to their repetitive nature (e.g., multiple and frequent requests for a copy already provided).
The data is no longer retained/has been erased, in which case access is not possible (e.g., recordings made by a video surveillance system are typically retained for a maximum of 30 days and are destroyed at the end of this period).
