ALTIOS is a leading global advisory firm specialized in international expansion and cross-border investment for SMEs and MidCap companies.
ALTIOS specializes in international advisory as well as new business development.
As part of the activities entrusted to us, including internationalization support and payroll management solution, we pay the utmost attention to the processing of personal data both of our clients and of employees and users of our services in general, in accordance with the General Data Protection Regulation.
Within this policy, the following terms have the following meanings and related terms should be interpreted accordingly:
“Personal data” means any information enabling the direct or indirect identification of a natural person that ALTIOS and/or a service provider processes as “Data controller” or “Data processor” (Subcontractor).
“Hardware” means any hardware, system, equipment, tools communicated, owned by ALTIOS or transferred or made accessible to ALTIOS by its contractor.
“Regulation” means, for the purposes of this document, all the laws and regulations applicable in France with regard to the protection of personal data, that is to say, aimed at the protection of the fundamental freedoms and rights of individuals and, in particular, their right to privacy with regard to the processing of their personal data and in particular the European Data Protection Regulation No. 2016/679 (“GDPR”) and the French Data Protection Act of 6 January 1978 as amended.
“Data subject”, “Data controller”, “Joint Data Controller”, “Processor”, “processing”, “supervisory authority”, “personal data breach”, “Data Protection Impact Assessment” (DPIA) retain the meaning assigned to them in the aforementioned Regulations.
2. GENERAL PRINCIPLES
As part of the execution of the Contract, ALTIOS is required to know and process personal data.
ALTIOS undertakes to comply with its legal obligations under the applicable law and the aforementioned Regulations, and to allow its contractor to comply with the applicable law and the Regulations.
ALTIOS shall carry out all the formalities required by the regulations, or any other legal or regulatory provision applicable to the protection of privacy and personal data, with the competent authorities.
ALTIOS adopts technical and organizational security and confidentiality measures adapted to the risks and in accordance with the state of the art, and provides mechanisms for managing authorizations, making it possible to limit access to personal data to only those who need to know about them.
In any event, ALTIOS and its contractors are each responsible for the breaches of their obligations as regards themselves.
In no case may they be held responsible for a breach committed by the other party, any solidarity being excluded.
When ALTIOS acts as a Data processor (or subcontractor), it may not be held liable for any damage caused by the processing of personal data, unless it has not complied with its legal or contractual obligations and if it acted contrary to the Data controller’s instructions.
ALTIOS guarantees its Data controller against any claim and/or proceeding, whatever its form, subject matter and nature, made by any third party and invoking a Data breach, exclusively related to a breach by ALTIOS of its obligations hereunder, and/or one of its subcontractors (subsequent data processor).
ALTIOS undertakes to intervene, at its own expense, in any amicable or judicial proceedings brought against one of its Data controllers and due to a breach by ALTIOS itself and/or one of its subcontractors (subsequent data processor).
Media containing personal data and transmitted to ALTIOS by the Data Controller remain the property of the Data Controller. Media containing personal data collected by ALTIOS remain the property of ALTIOS.
ALTIOS undertakes to keep the personal data processed within the framework of its Contract only within the time limit necessary for processing, plus the statutory limitation periods during which the information will be archived for any accounting, tax or judicial complaint.
ALTIOS undertakes to:
- Not use the personal data for purposes other than the execution of the Contract;
- Not disseminate, communicate, sell, assign, license or otherwise provide personal data to third parties (with the exception of counsel, auditors, representatives, managers);
- Not make personal data the object of a commercial operation.
3. PROCESSING OF PERSONAL DATA BY ALTIOS
3.1 The general obligations of ALTIOS
ALTIOS undertakes to:
– Process the personal data in strict compliance with the relevant Regulations;
– Ensure that this information is kept confidential by its employees who need to know about it;
– Process data within the European Economic Area or a country considered adequate by the European Commission or offering sufficient guarantees in terms of security and data protection and, if the data are transferred abroad, obtain the necessary guarantees for their processing, in accordance with the GDPR;
– Inform the Data Subjects about the processing carried out and their rights;
– Respond to the requests of the Data subjects;
– Notify the data subjects of any data breach that may have consequences on their rights and freedoms;
– Provide the documents to demonstrate compliance with the Regulations on request of the Data Controller.
3.2 Modality of the data processing
The processing of personal data provided or collected is carried out with procedures and measures appropriate to protect security of data, in terms of integrity, confidentiality and accessibility, in compliance with the provisions of the applicable law. Such processing will be carried out through hard copy, electronic and IT means, and will be limited to the data which is necessary for the purposes detailed here below.
ALTIOS mainly uses Microsoft and Sage IT tools.
3.3 Purposes and Legal base of the processing.
ALTIOS processes the Data in order to allow the negotiation, the establishment and the execution of the agreements binding the parties, in order to comply with the related obligations arising from applicable law, and to enable the exercise of ALTIOS rights before the relevant authorities.
The processing of the Customer Data for the abovementioned purposes is necessary for the establishment and performance of the contractual relationship between ALTIOS and its Contractors, as well as for compliance with the legal obligations resulting therefrom.
The provision of the Contractor Data for the abovementioned purposes is a sine qua non condition for the conclusion and execution of the contract with ALTIOS. Failure to provide such data would make the contractual relationship with ALTIOS impossible.
3.4 Types of processing
As a result of its professional expertise, ALTIOS may act as a joint data-controller or data-processor, depending on its autonomy in the context of its mission, the type and extent of the mission entrusted.
The following processing may be performed in particular:
- Accounting management
- Payroll Management solution
- The fight against money laundering and terrorism
- The transfer of mandate
- Management of pre-litigation or litigation arising in the context of the execution of the Contract between the contractor and ALTIOS.
3.5 Type of processed data
In order to carry out the aforementioned processing, and within the framework of the stated purposes, ALTIOS might be data Controller or might process through a data-processor:
- The identification data (surname, first name, identity document, image, badges with biometric identification or not…), contact data (email address, postal address, telephone number, etc.) of the candidates, employees of the Customer company or their own, employees of partner companies;
- Data from prospects and their employees;
- Data from suppliers and other service providers
- Data related to the privacy of individuals (family situation, salaries, positions, special requests, …);
- Economic and financial data (remuneration, etc.);
- Data collected for reporting purposes…
3.6 Data retention period
The Personal Data of the data subjects will be retained for the time strictly necessary for the performance of the contract, and for a period of five (5) additional years from the end of the contract binding the parties to comply with the legal obligations provided by the applicable law or to ensure the possibility of the exercise or the defense of a right in court.
In accordance with the Regulation, accounting data is retained for ten (10) years.
3.7 Subjects which may become aware of Data or which could be recipient of Data
Contractor’s Data will be processed by the subjects authorized to carry out the relevant processing by ALTIOS. Furthermore, the data may be communicated to, and processed by, all those subjects to which such communication is necessary for the completion of the contract binding the parties and the purposes, and the completion of the relevant data processing, and in particular to the following recipients:
- ALTIOS employees involved in the performance of the contracts of provision of services;
- Other companies of the network;
- Service providers of ALTIOS;
- Consultants, partners and professionals;
- Insurance companies.
- Administrative and/or judicial authorities, on requisition.
4. DATA PROCESSOR AND SUBSEQUENT DATA PROCESSING
If ALTIOS is Data Controller or Data processor and needs to hire a Data processor or a Sub-Data processor, it shall inform its Data Controller of the name and contact details of this Data processor or Sub-Data processor and of its function, unless there is a definite urgency. If the Data Controller wishes to object to the proposed subcontracting, it must provide information within the month and propose another. Otherwise it shall be deemed to accept it.
In accordance with the Regulations, ALTIOS ensures that each of its subcontractors guarantees at least the same level of Data protection as that contained in this policy and complies with the Regulations.
Each of the subcontractors undertakes to ensure at least the same level of Data protection as that contained in this policy and to comply with the Regulations.
In addition, ALTIOS ensures that its personnel and those of its subcontractors respect the confidentiality of the information they access.
If the applicable laws to which ALTIOS is subject, in France or abroad, require otherwise, ALTIOS shall then, to the extent permitted by applicable laws, inform its Contractor of this legal requirement before processing such personal data.
In accordance with Article 35 of the European Data Protection Regulation, ALTIOS undertakes to assist its Contractor in carrying out a Data Privacy impact assessment, in the event that the processing required by the Contract is likely to generate a high risk for the rights and freedoms of individuals.
If a processing operation presents high risks for individuals, ALTIOS undertakes to follow the Data Privacy impact assessment procedure before the French administrative authority, the CNIL.
5. RIGHTS OF DATA SUBJECTS
With reference to the processing of the Data carried out by ALTIOS, the data subject of the aforementioned data processing has the right to exercise at any time the following rights, provided by the Regulation (EU) 2016/679:
- The right to obtain the confirmation that his/her personal data are or aren’t processed and, if they are, the right of access to such personal data and the right to obtain a copy of it.
- The right to obtain the rectification of his/her personal data and if applicable, to have them completed, when such data are incomplete.
- The right to obtain the erasure of personal data concerning the data subject, under the conditions provided by the applicable law.
- The right to obtain the restriction of the processing under the conditions provided by the applicable law.
- The right to lodge a complaint before the CNIL located 3 rue de Fontenoy, TSA 80715-75334 PARIS CEDEX 077, or the competent data protection authority.
- The right to receive the personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller, under the conditions provided by the law.
- The right to set guidelines for the data processing concerning him after his death.
ALTIOS will respond to the data subject’s request within one month of receiving it.
Where necessary, its contractors are asked to assist ALTIOS in the replies given to the persons concerned wishing to exercise their right of access, opposition, rectification, erasure, limitation of processing, the portability of the data or to send directives concerning the post-mortem data processing. The contractors shall cooperate with ALTIOS in the implementation of these rights.
Any data subject may exercise their rights with the ALTIOS Data Protection Officer at the following addresses:
By postal mail:
If ALTIOS France is concerned:
DPO ALTIOS – Metronomy Park 3, 2 rue Jacques Brel 44800 Saint-Herblain (France)
If ALTIOS INTERNATIONAL is concerned:
DPO ALTIOS – 22 Rue de la Pépinière, 75008 Paris, France
By email: firstname.lastname@example.org
A proof of identity is required in order to preserve the confidentiality of personal data.
If, despite all our efforts, the data subject considers our response unsatisfactory, it is recalled that he/she has the right to lodge a complaint with the French supervisory authority, the CNIL, by letter to the following address: CNIL- 3 Place de Fontenoy – TSA 80717- 75334 PARIS CEDEX 07, or on the Website: https://www.cnil.fr/fr/plaintes
6. IT SECURITY
6.1 IT Organization
ALTIOS shall take all necessary and appropriate technical and organizational measures to ensure the confidentiality, security, availability and integrity of Personal Data and Materials, both its own and those made available by its contractors.
ALTIOS shall take all reasonable measures to ensure the reliability of any employee, agent or service provider who may have access to the Personal data processed for the performance of the contract and, in particular, that it respects the confidentiality of the information it must know.
ALTIOS has adopted an Information Security Program which incorporates appropriate and proportionate administrative, technical and physical safeguards, such as:
– Pseudonymization, insofar as this measure is proportionate to the means and risks and that the ALTIOS IT tools allow it, and/or the encryption of the processed data,
– Means of ensuring the confidentiality, integrity, availability and ongoing resilience of the data and equipment;
– Means to restore availability and access to the data and equipment within a reasonable time in the event of a technical or physical incident;
– A process designed to test, evaluate and estimate the effectiveness of technical and organizational measures to ensure the security of data processing;
– Active physical and digital archiving.
ALTIOS undertakes to regularly audit and review the Information Security Program in order to ensure its continued effectiveness and to determine whether adjustments are necessary in light of the circumstances, including technological or regulatory changes, industry practices, or threats and risks likely to affect data and Material.
ALTIOS undertakes to respond as soon as possible to any request for information on its Information Security Program.
6.2 Data Breach
As soon as an incident occurs or as soon as ALTIOS has suspicions about an incident related to a security breach or any other breach under the provisions relating to the processing of personal data, by or against it, ALTIOS undertakes to:
– Inform the data subjects or supervisory authority, regarding the severity and the consequences of the Data Breach.
– Act as soon as possible to minimize the impact or any other damage that the breach is likely to cause to the data subject, and to prevent, as far as possible, the occurrence of similar breaches in the future.
ALTIOS allows its Clients to carry out compliance audits in relation to the processing of personal data, including inspections, to the extent that this Audit is notified to ALTIOS fifteen (15) days in advance and takes place during normal working hours.
7. DATA TRANSFER TO THIRD COUNTRIES
The transfer of Personal Data to countries located outside the European Union will be carried out if and as necessary for the performance of the contractual relationship, or for the implementation of measures taken at the request of the data subject prior to entering into the contract, or as long as the transfer is necessary to ascertain, exercise or defend a right before judicial authorities, or if the data subject has explicitly provided the consent to the transfer, or to protect his/her vital interests, where he/she is physically or legally incapable of giving consent.
In the event of additional transfers of personal Data, ALTIOS will carry out such transfers only:
- towards Third Countries, or one or more specific sectors within a Third Country, or international organizations benefiting from an adequacy decision of the European Commission;
- if the recipient of the data has obtained an appropriate certification or has adhered to a specific code of conduct ensuring that the processing of personal data is carried out with safeguards which are appropriate and equivalent to those under EU law; or
- if the Data processor implemented appropriate safeguards to protect personal data, by concluding contracts including the so-called Model Clauses, as prepared by the European Commission or prepared by the national Data Protection Authority and approved by the European Commission.
The data subject may obtain a copy of the guarantees implemented by ALTIOS by sending an email with an identity document and an email contact address at the following address: email@example.com
8. PERSONAL DATA DELETION
ALTIOS stops processing the personal data handled under subcontracting at the end of the contractual relationship.
ALTIOS stops processing as soon as possible and either destroys the processed data, or returns the media containing it to its contractor, according to the option determined, and removes the concerned data from its systems.
ALTIOS shall retain the Personal Data provided by the Contractor only to the extent required by applicable law and shall ensure that such data is only processed for the purpose or purposes specified in the applicable law requiring or necessitating their retention.
ALTIOS undertakes to keep the processed data only within the time limit necessary for processing, plus the statutory limitation periods during which the information will be archived for any accounting, tax or judicial complaint.
9. WEB SITE
In order to guarantee the quality of its services and to ensure the highest possible quality of its website, the company ALTIOS may be required to process personal data of the User when browsing the website www.ALTIOS.com or www.ALTIOS.fr.
For any information about the rights of the data subject and to exercise them, as well as for any issue related to the processing of personal data, the Data Protection Officer can be contacted by sending an email to firstname.lastname@example.org