Privacy policy & cookies

Last updated: January 2023

1. Introduction

The aim of this privacy policy is to introduce the rules related to the protection of personal data that Cegid Group (hereinafter “Cegid”) agrees to respect as data controller and data processor, for all personal data covered by this policy. These rules were drafted pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter “GDPR”) on the protection of individuals with regards to processing of personal data and on the free movement of such data, and repealing Directive 95/46/CE.

This document is subject to change where necessary in order to implement the obligations imposed by personal data protection legislation. We encourage you to periodically review this privacy policy on our dedicated page: https://www.cegid.com/global/privacy-policy/

The concepts related to personal data protection used in this document have the meaning given in the GDPR, notably in accordance with article 4 of the GDPR.

2. General principles on personal data protection

When Cegid acts as a data controller

Pursuant to article 5 of the GDPR, Cegid ensures that personal data are:

• processed lawfully, fairly and in a transparent manner
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary for the purposes for which the data are processed
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

When Cegid acts as a data processor

Pursuant to article 28 of the GDPR, Cegid ensures that:

• the purposes of the processing are described in the contract signed between Cegid and the client
• the client’s personal data are processed solely for the purpose for which they were originally collected based on their instructions, in accordance with the terms of the contract
• the deletion of personal data is carried out at the end the of contractual relationship and under the conditions laid down in the contract, unless the applicable law requires the preservation of personal data.

3. Purpose and legal basis of personal data processing

When Cegid acts as data controller

For internal needs, Cegid collects personal data for purposes such as:

• management of customer contacts and leads (sending marketing, product or Group information, satisfying customers and leads, producing statistics, etc.)
• management of commercial contracts (fulfilling orders, billing, debt recovery, etc.)
• management of Cegid’s staff, recruitment and careers (evaluating and contacting candidates, etc.)
• creation and administration of user accounts
• development and management of services to which the client has subscribed (recording calls to the helpdesk, etc.).

Depending on these different purposes, Cegid ensures that at least one of the following applies:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract
• processing is necessary for compliance with a legal obligation to which Cegid is subject
• processing is necessary for the purposes of the legitimate interests pursued by Cegid, except where such interests are overridden by the interests, fundamental rights and freedoms of the data subject.

Purposes not detailed in this section are provided in the dedicated notices presented to the data subjects concerned at the time of personal data collection.

When Cegid acts as data processor

Cegid may need to access and process personal data provided by its clients in order to provide offerings and services to which the customer subscribes.

This access and processing are governed by a contract containing specific clauses for data protection signed between Cegid and the client.

Cegid processes personal data only on behalf of the client based on their documented instructions, in accordance with the provisions of the contract.

4. Security and notification of personal data breaches

Cegid has taken technical and organisational measures to ensure a level of security appropriate to the risks.

Cegid’s Information Security Management System is certified ISO 27001 for the following scope: “Application hosting services in a Cloud environment, containing data provided by the clients”.

This certification ensures that a certified security policy is applied to Cegid’s processes and workflow throughout the duration of the SaaS service provided to the client.

More generally, all employees of Cegid are subject to an IT security charter appended to the internal policy to ensure an appropriate level of security.

Pursuant to articles 33 and 34 of the GDPR, personal data breaches shall be notified:

• to the French supervisory authority (CNIL) and, if necessary, to data subjects affected by the breach, when Cegid acts as a data controller
• to its clients affected by the breach in accordance with the contract signed between Cegid and its clients, when Cegid acts as a data processor

5. Data subject’s rights

When Cegid acts as a data controller

Under the conditions set forth in articles 15 and 22 of the GDPR, data subjects have the right to:

• access their personal data processed by Cegid
• request the rectification, erasure or restriction of processing of personal data carried out by Cegid
• in certain circumstances, object to the processing of their personal data
• request the portability of personal data
• withdraw their consent when it is the legal basis of the processing
• give instructions regarding the handling of their personal data after their death (pursuant to Law no. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties).

All requests related to these rights may be made by filling out the form available on the following page: https://www.cegid.com/global/privacy-policy/

Cegid reserves the right to ask for clarifications in relation to any request and to verify the identity of the requester.

An “Unsubscribe” link is also available in our marketing emails.

In any event, Cegid recommends contacting the CNIL for more information about data protection regulations, the rights of data subjects and the possibility of lodging a complaint with this authority: https://www.cnil.fr/

When Cegid acts as data processor

In the event Cegid receives a request from a data subject whose data is processed in the course of performing the contract between Cegid and the client, Cegid will communicate this request to the client at the earliest opportunity upon its receipt and, taking into account the nature of the processing and the terms of the contract, will take appropriate technical and organisational measures to assist the client with fulfilling its obligation to respond to these requests, insofar as this is possible.

The client remains nevertheless responsible for replying to the data subject concerned.

6. Information to be given to the data subject

When Cegid acts as a data controller

Cegid undertakes to provide data subjects with at least the following information, to the extent possible and regardless of the processing carried out:

• the contact information of the controller and its Data Protection Officer
• the purposes of the processing and its legal basis
• the recipients
• transfers of data outside the EU, if applicable
• the length of time the data will be kept
• the possibility to request the exercise of any available rights pursuant to the applicable regulations
• the right to submit a complaint with the supervisory authority (notably the CNIL).

When Cegid acts as data processor

Pursuant to article 13 of the GDPR, the controller has the responsibility to inform data subjects.

In accordance with the terms of the contract, Cegid provides clients acting as data controllers with any information that might help them enforce article 13 of the GDPR.

7. Transfers outside the European Union

Personal data may be processed outside European Union. As a consequence, pursuant to data protection legislation, Cegid cannot transfer personal data, without implementing the appropriate safeguards according to article 46 of the GDPR, outside:

• the European Union, or
• the European Economic Area, or
• countries recognised by the European Commission as having an adequate level of security.

8. Data recipients

Cegid may share personal data with third parties solely under the conditions of this document and/or the applicable contract.

Services provider

Cegid may share personal data with third parties who provide services, including:

• on Cegid’s behalf, as part of the performance of the client contract (hosting, consulting, subcontracting, etc.) and in accordance with its terms ;
• to help Cegid fulfil the financial and administrative conditions of the contract (debt recovery, invoicing, etc.) ;
• to send marketing communications on behalf of Cegid ;
• support in the development of new products or services.

Commercial or distributor Cegid partners

Cegid has developed a network of partners (distributors, publishers, etc.) for several of its offerings in order to help it deliver and develop its products.

Depending on which product is or may be of interest to the contact, Cegid may need to share this contact’s information with an appropriate partner.

Subsidiaries of Cegid Group

Cegid may share personal data with the subsidiaries of Cegid Group for the purposes that are described in this privacy policy, if necessary for its implementation (signing a contract, applying for a position in a subsidiary outside France, etc.).

Public authorities

In certain situations, Cegid may be required to disclose personal data in response to a request by a public authority, a subpoena, or any other lawful request pursuant to the applicable legislation.
In such cases, Cegid will disclose the necessary data, particularly when it believes in good faith that disclosure is necessary to protect your rights, ensure your safety or the safety of others, investigate fraud, or meet a legal requirement.

For more information about the recipients, please contact [email protected]

9. Cooperation of Cegid with its clients and with the supervisory authority

In accordance with article 28 of the GDPR and its contractual commitments, Cegid undertakes to reasonably cooperate with its clients in order to help them meet their obligations pursuant to articles 32 to 36 of the GDPR.

More generally, Cegid agrees to cooperate with the French supervisory authority (CNIL) where necessary and to reasonably consider its recommendations.

10. Privacy by design regarding products and services

If Cegid plans to develop a new service or offering, Cegid, in its capacity as a software publisher, will make every effort to introduce “privacy by design” principles from the beginning of the project, thereby helping its clients comply with the applicable regulations using specific features and resources.

11. Cegid staff awareness

All new Cegid employees must take an awareness training concerning personal data protection.

More generally, Cegid will make every effort to offer its employees regular awareness training regarding personal data protection.

Awareness training or more specific trainings may be conducted for employees working on a regular basis with personal data.

12. Governance of personal data protection

To manage personal data protection, Cegid has a dedicated governance structure in place.

A Data Protection Officer (DPO) has been appointed to the CNIL to oversee this governance.

13. Records of processing activities

Pursuant to article 30 of the GDPR, Cegid maintains two records of personal data processing:

• a record describing the processing carried out as data controller
• a record describing the processing carried out on behalf of its clients acting as data controllers, based on their instructions

These records are made available to the CNIL upon request.

14. Contractual policy

Pursuant to article 28 of the GDPR, Cegid has incorporated the new mandatory contractual stipulations into all contracts concerned.

Accordingly, specific contractual clauses on data protection pursuant to the applicable regulations have been added to:

• client contracts (GTC/GTU)
• contracts between Cegid and its own data processors

15. Contact

If you have any inquiries regarding this privacy policy or wish to contact our Data Protection Officer, please send an email to the following address:[email protected]

In order to provide the required service and manage its commercial relationships, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: Surname, name, email address, telephone number, position and company name.
This data is processed for the purpose of managing its business relationship, providing the subscribed service or product, and sending surveys or satisfaction studies

Unless prohibited by law, the personal data collected for these purposes are processed for at most five years after the end of the commercial relationship.

Cegid may disclose some of your data to third parties, including for the purposes of debt recovery, to assess the quality of the provided contact data or for commercial communications by a limited number of Cegid partners.
For more information about these partners, please contact [email protected].

Cegid or its partners may also send you commercial communications.
These promotions are sent based on our legitimate interest in sending you communications related to your business activities. You may unsubscribe at any time by clicking on the unsubscribe option available in all our communications.
The personal data collected for this purpose are processed for at most three years after the end of the commercial relationship or the last communication sent by the subject concerned.

You may also exercise your rights in accordance with this policy by filling out the “Data subject’s rights” form below.

Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), may collect the following personal data: Surname, name, email address, telephone number, position and company name. This data may be collected through online forms or via third-party sources such as third-party providers.

These personal data are processed by Cegid SAS in order to respond to your request, manage its client/lead files and commercial communications, and produce statistics. These purposes are carried out based on Cegid’s legitimate interests or on consent when it is requested from you, depending on your country.
You can object to or withdraw your consent at any time for receiving commercial communications by clicking on the unsubscribe option provided in all communications.

The personal data collected for this purpose are retained for at most three years after the last communication sent by the subject concerned.

Cegid SAS’s subsidiaries and partners may be the recipients of these personal data for the purposes described above. Partners may be distributors of Cegid products that are likely to be of interest to the contact.

Cegid SAS, its subsidiaries and its partners may transfer the data to third countries only if it is necessary for these purposes. In each case, Cegid implements the necessary safeguards to secure these transfers.

You may also exercise your rights in accordance with this policy by filling out the “Data subject’s rights” form below.

In order to provide the required service, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: Surname, name, email address, telephone number, position, company name, usage data (log).

These personal data are processed in accordance with Cegid’s legitimate interests, for the purposes of :

• Traceability of actions on the SaaS platform and data
• Generation of statistics
• Analysis of individual or aggregated data collected during product use
• Security of the SaaS platform and data
• Management of the contractual relationship
• User account management
• Sending communications about Cegid offerings

The data are retained for as long as the service is used, with the exception of logs, which are retained for at most one year.

You may exercise your rights in accordance with this policy by filling out the “Data subject’s rights” form below.

When third-party products are contracted through one of Cegid’s offerings, the relevant commercial partners may process these same data. In this case, processing terms are defined by the relevant partner.

In the case of helpdesk calls (“Customer Care”), Cegid may listen to and/or record calls between the operator and the client for the purposes of:

• Evaluating the quality of service provided by the operator to the client. In this case, recordings are retained for 6 months, while the analysis report may be retained for up to one year.
• Retaining evidence in the event of litigation. In this case, recordings are retained for 5 years.

In the event that your call will be recorded and listened to, a voice message will inform you in advance.

You may exercise your rights in accordance with this policy. More specifically:

• If you would like to exercise your right to oppose any recording and/or listening in on your call, you can inform the operator. If you would like to exercise this right after the call, you can complete the “Data subject’s rights” form below on this page. Please be sure to specify your request.
• For other rights, including access rights, you may submit a request by completing the “Data subject’s rights” form below. Please be sure to specify your request.

In each case, Cegid collects the following personal data for the purposes of tracking Customer Care requests: surname, first name, contact details (email address, telephone number), position.

After processing their request, a satisfaction survey may also be sent to the requester to evaluate the service provided, in furtherance of our legitimate interests.

Depending on the product and the countries in which this survey is provided, subsidiaries of Cegid SAS may be recipients of these data.

Cegid SAS, its subsidiaries and its partners may transfer these data to third countries only if it is necessary for these purposes.

You may also exercise your rights in accordance with this policy by filling out the “Data subject’s rights” form below.

Personal information is processed by Cegid SAS in the context of:

• The signing and management of the financing contract;
• The creditworthiness analysis of individuals concerned by the services.

The categories of data processed are:

• Identification data
• Financial data

This information may be obtained from professional data providers.

Your data may be communicated to Cegid SAS and its subsidiaries, as well as to external service providers responsible for implementing the processing, or to authorized third parties in the case of requests by competent authorities.

Your personal data is retained for the following durations:

• Data necessary for the management of financing contracts: a duration of 10 years after the final closure of the contract.
• Data necessary for creditworthiness analysis: a rolling duration of 10 years after the final closure of the contract.

Your personal data may be transferred to countries outside the European Union for the purposes detailed above. These transfers are subject to specific legal frameworks to ensure that these data are covered by an adequate level of protection.

Cegid, acting as the data controller and in compliance with its contractual commitments, may process data generated in the context of the use of its products, websites, and/or services for the purpose of improving them or creating new features, including those related to artificial intelligence technologies.

These processes are carried out based on Cegid’s legitimate interests as a service provider. The data processed are those available in the product or service concerned by the technology and may be limited in accordance with the principle of data minimization. They are not disclosed to third parties.

Retention periods are determined on a case-by-case basis in compliance with the principle of limitation of retention periods. For specific questions regarding retention periods, you can contact the DPO via the rights exercise form available on this page.

For artificial intelligence technologies, Cegid uses major market models and/or internal models. When using a market model, Cegid ensures implementation that respects individuals’ rights.

You have the right to access, rectify, erase, restrict, and object. Cegid may request additional information to identify you when the system does not collect directly identifiable data.

For more information on this subject and to exercise your rights, you can contact Cegid’s DPO at [email protected].

Cegid SAS may place cookies during visits to the cegid.com website with your consent or based on legitimate interest. Your data may be communicated to the subsidiaries of the data controller, as well as to external service providers responsible for implementing the processing or to authorised third parties in the case of requests by competent authorities.

Your personal data is retained for a maximum of 25 months.

Your personal data may be transferred to countries outside the European Union for the purposes detailed above. These transfers are subject to specific legal frameworks to ensure that these data are covered by an adequate level of protection.

In compliance with applicable regulations on the protection of personal data, you have the right to access, rectify, erase, and the right to object to and restrict all data concerning you. When processing is based on consent, you can also withdraw this consent at any time.

These rights can be exercised by writing to our Data Protection Officer by sending your request to [email protected]. You may exercise your right to appeal to the competent data protection authority (CNIL) at any time.