General policy for the protection of private data applied by DEKRA in France.
V1. Established on 15/09/2021. Note: For the purposes of this policy, the term “DEKRA France” means both the legal entity DEKRA France SAS and all other entities belonging to the DEKRA Group and subject to French law.
DEKRA France is firmly committed to a confidentiality policy aimed at protecting the personal data processed in the context of its commercial activities. Intending to share this policy with various stakeholders, DEKRA France has defined this general data protection policy, so that any natural person (whether or not they are employees or have called on DEKRA France’s expertise for the provision of services) may, at any time, familiarise themselves with the commitments and practices applied by DEKRA France concerning the personal data they entrust to it.
1. Preliminary general and policy commitment:
DEKRA France undertakes to process data collected in accordance with the texts applicable to data protection (Act No. 78-17 of 6 January 1978 amended and the General European Regulation 2016/679 of 27 April 2016 on data protection, these two texts being referred to hereafter as the “Regulations”).
This general data protection policy is aimed at:
Beneficiaries of DEKRA France’s services,
Professionals who are partners of DEKRA France,
Natural persons who are clients or prospects of DEKRA France,
Employees of DEKRA France,
Applicants wishing to work for DEKRA France,
Visitors to the DEKRA France website.
2. For the purpose of understanding the provisions of this general policy, DEKRA France wishes to clarify the following definitions:
Processing of personal data means any operation or organised set of operations that is performed on personal data (collection, structuring, storage, alteration, disclosure, etc.).
Personal data means information which makes it possible to identify a human being (natural person), directly (for example, their first name/last name), or indirectly (for example, the person’s phone number, contract number, or username).
The Data subject is the person who can be identified by the data used within the framework of processing their personal data.
The Controller determines the purposes and means of processing personal data, in particular by determining what the data will be used for and which tools will be used to process it.
The Processor processes personal data on behalf of the controller; they sign a contract with the controller which entrusts them with certain tasks and ensures that they have the technical and organisational safeguards to allow them to process the personal data entrusted to them in accordance with the regulations.
The Recipient receives the authorised disclosure of personal data.
3. What are DEKRA France’s commitments in terms of its capacity as controller?
DEKRA France is responsible for the processing operations carried out within the framework of its professions and undertakes the following commitments within its capacity:
Personal data shall only be used for explicit, legitimate and determined purposes (objectives) in connection with its various professions, as mentioned at the time this data is collected, in accordance with Article 29 of the European Regulation.
In accordance with the principle of data minimisation, only personal data which is strictly necessary shall be collected and processed: DEKRA France thus applies the concept of privacy by default which protects data subjects against the excessive collection of data.
The data shall not be stored beyond the time period necessary for the operations for which it was collected, taking into account the nature of the operations and the requirements of the law, i.e. the legal provisions.
We do not disclose nor transfer personal data to third parties. We only disclose it to authorised recipients within the strict framework of the purposes defined in advance and as they were mentioned at the time the data was collected.
We entrust the personal data to subcontracting service providers selected on the basis of appropriate technical and organisational safeguards to ensure the protection of the data that is entrusted to them under the instructions of DEKRA France.
Data subjects shall be informed regularly and in advance, in a clear and transparent manner, of the purpose of collecting their data, the optional or mandatory nature of their responses in forms, their rights with regard to data protection including the terms and conditions for effectively exercising these rights, and the recipients of the data.
Each time the Regulations require it, the explicit, informed, active and unambiguous consent of the data subject must be obtained for the processing of their personal data.
Appropriate security measures at the logical, technical, organisational and legal levels, have been defined based on a risk analysis of the different types of processing operations carried out on the personal data concerned, and are implemented by DEKRA France, its support services and its contractually bound subcontractors, to ensure the protection of personal data.
Each time that the risks presented in relation to processing data require it, DEKRA France shall implement an assessment of the impacts on the data subject’s privacy and the protection of their personal data, in order to adopt measures that are adapted to these risks.
DEKRA France and its subcontractors are committed to developing tools and systems that comply with the Regulations to the fullest extent possible and which protect the privacy of data subjects, by incorporating compliance with these rules starting from the design and development phase.
DEKRA France and its subcontractors are committed to guarding against any possible and exceptional data breach and to taking all protective and corrective measures following a breach by informing the supervisory authority and, where appropriate, the data subjects, within the prescribed time limits.
At DEKRA France, all employees and stakeholders have been or are currently being made aware of the principles of data protection as stipulated by the Regulations, through regularly programmed training sessions adapted to their activity and responsibilities. The employees only have access to the information needed for their activity. Sensitive data are the subject of specific security clearances and checks.
4. Is there a Data Protection Officer (DPO)? What are the DPO’s duties and contact information?
DEKRA France has appointed a data protection officer to ensure compliance with the Regulations and rules described in this general data protection policy. In principle, Data Protection Correspondents are appointed at subsidiaries. DPOs may also be appointed at any given subsidiary in accordance with the risk analysis that may have been carried out.
The Data Protection Officer, when one is appointed, is responsible, in particular, for:
Preparing and keeping up to date a record of the processing activities on personal data carried out at the company and within each of the legal entities comprising the group in France,
Ensuring that the practices are compliant with the regulations and their modifications,
Raising awareness among all of DEKRA France’s teams concerning the requirements and best practices regarding personal data protection,
Ensuring that data subjects can effectively exercise their rights.
The data protection officer may be reached using the following contact particulars:
By e-mail: rgpd.southwesteurope@dekra.com
By post:
Délégué à la Protection des Données SWE
Centre d’Affaires La Boursidière – Porte H
Rue de la Boursidière
CS 60007
92357 LE PLESSIS-ROBINSON Cedex - France
5. For what purposes are the data you entrust to us used?
DEKRA France uses personal data for the following main purposes:
Managing its client portfolio and range of prospects,
Providing any of its services,
More specifically, providing online services to professionals (B2B) and private individuals (B2C) via the website, via the services of their service providers accessible from the website or in the context of mobile apps,
Human resources management and recruitment,
Management of external business contacts, including information for professionals and the general public,
Statistical analysis of its activities,
Commercial prospecting of professionals and other natural persons, subject to their consent.
The above processing operations are necessary for the performance of a contract between a data subject and DEKRA France or to pursue a legitimate interest such as fulfilling a legal obligation or informing business contacts about the activities of DEKRA France, or in some cases are based on the data subject’s explicit consent.
6. Who are the recipients of the data that you entrust to us?
For each processing operation described in the “data use” article above, DEKRA France determines the recipients of the data, depending on their missions and authorisations to receive the data and in accordance with the determined purposes. By applying the data minimisation principle, and to the extent possible, only those people determined as having a “need to know”, shall have access to the data.
7. How long will we store the data you entrust to us?
DEKRA France has determined specific rules concerning the storage period of data subjects’ personal data, to limit the storage period to that which is strictly necessary. At the end of the period determined in this manner, and depending on the case, personal data shall be subject, in accordance with the applicable Regulations, to one of the following measures:
Erasure,
Irreversible anonymisation,
Archiving.
8. What security measures do we implement to protect the data you entrust to us?
Data security refers to the measures taken to protect data from the following:
The accidental or illicit destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In order to ensure the security of personal data, DEKRA France and its subcontractors shall implement the appropriate technical and organisational measures, taking into account the state-of-the-art, costs, nature, scope, the context and purposes of processing in order to ensure a level of security that is adapted to the risks.
In particular, and whenever necessary, the following measures have been taken:
The pseudonymisation and encryption of personal data;
The deployment of resources to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems;
The deployment of resources to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
The implementation of a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing operations.
As a result, DEKRA France and its subcontractors have developed adapted mechanisms that comply with best industry practices and the imposed standards to ensure the protection of your personal data.
The websites and all mobile apps offered by DEKRA France are secure; in particular, the websites are reached over “Hypertext Transfer Protocol Secure” (HTTPS) each time this is necessary.
The pages where your personal data are collected are subject to an additional enhanced-security mechanism.
9. Your rights over the data you provide us.
Each data subject shall have the following rights:
to access their data (right of access): data subjects may ask DEKRA France directly whether it holds any information about them and request that the list of data be communicated,
to request rectification (right of rectification): data subjects may request rectification of inaccurate information concerning them. The right to rectification supplements the right of access,
to request the deletion of their data (right to be forgotten): data subjects may request the deletion of information concerning them, for a reason provided for by the Regulations,
to request the limitation of the processing of their data (right to limitation): data subjects may obtain the limitation of the processing of their data, for a reason provided by the Regulations,
to request the portability of their data (right to portability): data subjects may request to receive the data they have provided to DEKRA France, or ask DEKRA France to transfer it to another data controller for a reason provided for in the Regulations,
to define advance guidelines relating to the fate of their data post-mortem.
The data subject may also object, for legitimate reasons, to the processing, dissemination, transmission, storage or hosting of data pertaining to them.
For more information on the meaning of these rights, the CNIL has created a section dedicated to understanding them: https://www.cnil.fr/en/infographic-more-rights-your-personal-data.
To exercise these rights, the data subject may contact DEKRA France’s data protection officer:
By e-mail: rgpd.southwesteurope@dekra.com
By post:
Délégué à la Protection des Données SWE
Centre d’Affaires La Boursidière – Porte H
Rue de la Boursidière
CS 60007
92357 LE PLESSIS-ROBINSON Cedex - France
To facilitate these steps and in particular to reduce their processing time, DEKRA France invites all data subjects, when sending a request to exercise their rights, to:
Indicate which right(s) they wish to exercise,
Clearly indicate their last name / first names / contact details to be used to receive replies,
Attach a copy of their ID.
10. We operate strictly within the limits of the consent that you give us.
All personal data processing is carried out by DEKRA France in accordance with the consent given by the data subjects. In certain cases outlined in the Regulations, the explicit consent, otherwise referred to as the express consent of the person, is required.
Each time that the explicit consent of the person is required by the Regulations, it shall be obtained in advance by DEKRA France and data subjects may withdraw their consent at any time by contacting the DEKRA France controller or DPO.
11. Your right to file a complaint with the CNIL.
Each data subject has the right to lodge a complaint with a data protection supervisory authority.
In France, this authority is the CNIL:
Website: https://www.cnil.en/
Telephone: +33(0)1 53 73 22 22
Postal address:
CNIL
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
12. Are your data transferred outside of the European Union?
In principle, DEKRA France does not transfer personal data outside of the European Union. When such data transfers outside of the EU are essential to the quality of the services sold by DEKRA, these shall be specified in our General Terms and Conditions of Sale, along with the partners to whom this data is transferred and the country in which they are located.
In such cases, DEKRA undertakes to have the said partner sign an agreement for the transfer of data outside of the EU beforehand, in compliance with the requirements of the Regulations.
13. What is our Cookie policy?
Cookies are pieces of data stored on the terminal equipment of an internet user which allows a website to send information to the user’s browser, and in turn allows this browser to send information back to the original website (for example a session ID, language choice or date). Please be informed that, during your visits to our websites, cookies may be installed on your navigation software. To learn more about cookies, including how to manage and block them, refer to the “Cookies” section of these websites.
14. Changes to our personal data protection policy
This data protection policy is subject to change. In case of changes to the elements included in this policy, DEKRA France undertakes to update the policy and to inform the data subjects prior to the implementation of the new version.
Date of publication of this General policy: 15 September 2021