XCOM’S PERSONAL DATA CHARTER
XCOM is a BTB event organiser specialising in IT with offices in France and Morocco. As such, it collects and processes a large amount of personal data on its own behalf and on behalf of its customers and business partners.
XCOM is committed to ensuring that its systems and practices comply with the European Data Protection Regulation.
The purpose of this personal data charter is to describe the principles implemented by XCOM in order to comply with the Regulation and to protect the privacy of individuals whose data is processed.
It also specifies the general framework for the processing of personal data carried out within XCOM and, in this respect, aims to provide the persons concerned with the information necessary to ensure full compliance with the regulations in force.
1. How is the data collected?
XCOM collects, through its activities, data, some of which enable natural persons to be identified or made identifiable.
1.1. The legal basis of the collection
The legislation lists the legal bases for the collection of personal data, otherwise the legitimate justifications for collecting data. These legal bases are explained and/or recalled in the context of the collections carried out by XCOM.
In this respect, XCOM may collect personal data based on :
♦ the consent of the person concerned;
N.B.: in France, the CNIL recognises two exceptions to prior consent for electronic canvassing detailed in a fact sheet on electronic canvassing dated October 2016:
– in relations between professionals, the prior consent of the person concerned is not required for commercial solicitations sent to the professional e-mail address as long as these solicitations are related to the profession of the person in question. This tolerance is called the « BtoB exception ». As XCOM’s activities are mainly carried out between professionals, collections are often made following prior information.
– Prior consent is also not required for any solicitation sent to a data subject for services/products similar to those that that person would have already acquired from the same organisation.
♦ the performance of obligations under a contract ;
N.B.: The collection of personal data of our customers and users is necessary in order to carry out the terms of the contract (e.g. subscription, subscription to an online service – free or paying,….) and to ensure the provision of the subscribed service or product acquired by the natural person concerned. Thus, in this context, the consent of the person is not necessary since the processing carried out is linked to the execution of the contract.
♦ the legitimate interest¹ of the data controller ;
N.B.: In certain circumstances, the very nature of the service provided by XCOM involves the collection of personal data of its customers and users and the transmission of this information to designated third parties (e.g. matchmaking services). These processing operations linked to the legitimate interest of the data controller in this hypothesis are considered to be a reasonable expectation on the part of the person concerned with regard to the description of the service provided. Of course, XCOM constantly assesses whether its legitimate interest is not outweighed by the interest of the data subject or by the respect of his fundamental rights and freedoms.
♦ a legal obligation making processing compulsory.
N.B.: The regulatory context of an activity may make certain data processing and transfer compulsory: e.g. for invoicing of products or services, training activities (attendance sheet), etc…
1.2. Collection methods :
1.2.1. collection through forms
Accessing, using, downloading, purchasing or subscribing to certain services or products implies the collection of personal data concerning the prospective customer or user. In these hypotheses, when filling in paper or electronic forms, people transmit information concerning them. These forms systematically specify :
– the name of the data controller,
– the purposes associated with the collection carried out,
– if the collection is made necessary by the subscription of the service concerned or by the purchase of the product envisaged,
– any other holdings envisaged and the legal basis for the collection carried out;
– a reference to the relevant pages of this charter on how natural persons can exercise their rights, the contact details of the DPO, the rules on the length of time the data is kept, the procedures for lodging complaints with the supervisory authority, etc…
1.2.2. collection via cookies
The term « cookies » is to be taken in the broadest sense: all traces deposited and/or read, for example, when consulting a website, reading an e-mail, installing or using software or a mobile application.
Cookies based on a file that may be stored on the user’s computer during navigation are intended in particular to simplify navigation on the sites (automatic authentication, personalisation of certain information, etc.) or to personalise the advertising appearing during user navigation.
Instructions for setting up your browser are given in Appendix 2 of this charter.
In addition, other cookies are deposited by companies outside XCOM in order to collect navigation data from users when they browse different sites. XCOM works with some of these companies.
To help users detect the cookies that may be installed on their computers, certain sites such as YourOnlineChoices offer tools to list and configure your cookies.
XCOM’s sites mainly use the following cookies:
Audience measurement cookies :
– Google Analytics
Social network cookies :
– For Linkedin
In accordance with the legal provisions in force, before depositing or reading a cookie on a user’s computer, XCOM :
– informs Internet users of the purpose of cookies
– obtain their consent where consent is required;
– indicates to users the means to refuse them.
Cookies and tracers that are strictly necessary for the provision of a service expressly requested by the user do not require the prior consent of users. Thus, for example, the following tracers do not require users’ consent:
– shopping cart » cookies for a merchant site ;
– session identifier » cookies, for the duration of a session, or persistent cookies limited to a few hours in some cases;
– authentication cookies;
– session cookies created by a multimedia player;
– load balancing session cookies;
– certain audience measurement analysis solutions (analytics);
– persistent cookies for customising the user interface (choice of language or presentation).
All other cookies require prior information and a request for consent, for example:
– Cookies linked to advertising operations;
– social network cookies generated by social network share buttons when they collect personal data without the consent of the persons concerned;
– certain audience measurement cookies.
In accordance with the recommendations of the CNIL, the collection of consent is done by the appearance of a visible banner on the website which must contain the following information:
– the precise purposes of the cookies used;
– the possibility of opposing these cookies and changing the parameters by clicking on a link « find out more and set up cookies » present in the banner (with a reference to this paragraph and to Appendix 1 below);
– the fact that continuing to browse the site means that you agree to the placing of cookies on your terminal.
In general, if the user shares his computer with other people, he must ensure that he deletes the cookies installed on his computer via the settings of his browser.
1.2.3. collection by telephone
XCOM performs certain services by telephone and on this occasion may collect personal data. Whenever possible, telephone contact is confirmed by sending an e-mail, allowing the person concerned to keep a written record of the conversation and to be able to exercise his or her rights at any time.
1.2.4. Indirect collection
XCOM may obtain personal data from third parties (see chapter 5). In such a case, XCOM:
– shall enter into a contract with the third party in accordance with the provisions of the Regulation;
– notifies individuals of the transfer of their data to XCOM under the conditions defined by the Regulation ;
– indicates in its files the source of the data in order to ensure its traceability;
– informs data subjects of how to exercise their rights.
2. What types of information are collected?
Some of the information collected constitutes « Personal Data », i.e. data relating to persons who can be identified.
In accordance with the legislation in force, XCOM has adopted the principle of minimisation in the collection and only collects data that is strictly necessary for the objective pursued and explained to the individuals concerned, leaving them free to exercise their rights.
The personal data that may be requested, depending on the nature of the services or products provided, are as follows:
– Your name and contact details, including your e-mail and postal addresses,
– your function,
– your telephone and fax numbers,
if necessary for certain products and services :
– computer equipment used during navigation,
– information relating to your professional background (CV, professional training, awards, etc.), your location data,
– your connection and navigation data (IP addresses, logs) etc….
2. What is the purpose of the data collected?
2.1. Use of collected data
XCOM may use the personal data in its possession in order to :
– send commercial information relating to its products, promotions, offers and other information relating to its products or services adapted to the centres of interest of the persons concerned;
– transmit information on the products and offers of third parties – XCOM’s customers or commercial partners – in relation to the function and/or with regard to an identified interest in relation to the activity of the person concerned or that of the organisation to which he or she belongs;
– publish paid directories of professionals and decision-makers in order to offer them products and offers in relation to their functions and/or with regard to an identified interest in the activity of the person concerned or that of the organisation to which he or she belongs.
This personal data will be used by XCOM within the framework of its activities relating to the promotion of its own products and services as well as canvassing on behalf of third parties. They will only be used within the strict limits defined by the legislation in force.
2.2 Methods of sending information
Depending on the contact details that have been collected, XCOM and its partners will be able to transmit information by the following means:
– Text message sent to an individual (SMS or MMS, notification, email, and/or any other form of electronic message) ;
– Message via social networks;
– Telephone ;
– Postal mail ;
– Web promotional banner;
– Internet search engine.
2.3 Objectives of the collection
The purpose of the collection is systematically indicated when it is carried out directly by XCOM and recalled at the time of data transfer when the collection has been carried out by a third party.
XCOM is likely to use the personal data of an individual in particular for the following purposes:
– In order to record it on its websites and/or information systems and to manage the delivery and invoicing of services/products provided by XCOM (including the processing of all research or requests for information concerning us or its products or services).
E.g.: processing of orders or registration
– In order to be in a position to fulfil its obligations under the terms of any contract binding it to the person concerned and in the management of such a contract :
E.g.: management of user access identifiers for software, access badges for trade fairs, forums etc.
– In order to comply with the legal obligations incumbent upon it;
E.g.: management of participation in a training session: keeping an attendance sheet.
– For the purpose of monitoring, critically reviewing and improving its product and service offering;
– For the purpose of analysing connection and navigation data in order to deduce a navigation behaviour and/or to adapt the contents offered according to the affinities observed;
– In order to keep files for internal administrative use (customer complaints, loyalty etc…);
– For the purposes of commercial prospecting on its own behalf or on behalf of its commercial partners and advertisers, under the conditions defined below in the above section « Use of collected data »;
– For the purposes of participation in contests, lotteries or promotions.
3. How and for how long is the data stored?
Processing actions are carried out on the data contained in XCOM’s databases, applying strict control rules, in accordance with the state of the art technology and the recommendations of the competent control authority.
3.1. Storage of personal data
XCOM takes all useful precautions to preserve the security and confidentiality of Personal Data and in particular to prevent it from being distorted, damaged or accessed by unauthorised third parties.
The recommendations of the Commission Nationale Informatique et Liberté are taken into account in security management for the entire Group.
3.2. data retention period and archiving
The shelf life depends on the activity concerned, the nature of the contact (customer or prospect) and the uses of the sector.
♦ XCOM keeps certain mandatory documents (invoices etc…) for the legal retention period.
♦ The retention period for personal data is set by default for XCOM for a period of 5 years.
♦ Some data is kept for a shorter retention period:
– Cookies expire thirteen months after their last update.
– Prospect data is deleted after a period of 3 years without response to any solicitation.
– Candidates’ CVs are kept for a period of 2 years.
♦ The duration is sometimes linked to the relevance or necessity of its processing: customer data is kept for the duration of the business relationship or data in directories is kept for the duration of the mandates of the persons concerned.
4. Who are the third parties having access to the personal data collected?
4.1. Within the XCOM company
XCOM is made up of several companies located in the European Union or not and likely to receive personal data from another subsidiary of the group, within the framework of its functional organisation².
By way of example, certain processing is carried out by one of the staff members of another subsidiary of the group in order to provide commercial assistance, market research or services to the client, as well as for account management, the supply of products or services provided now or in the future, or participation in competitions, lotteries or promotions.
The marketing and production of certain XCOM products and services are in some cases carried out transversally between several entities of the group, as the sharing of resources may involve the operation of files between several entities in a relationship of sub-contracting or co-responsibility for processing. Any transfer outside the European Union within the group is governed by a contract containing standard contractual clauses (see chapter 7 below).
4.2. Outside XCOM
XCOM is likely to transfer the personal data it collects to various third parties such as :
– customers / partners who have subscribed to a service that may involve the collection of personal data from users, in particular in the context of a request for contact or in the context of the creation of a canvassing file;
– service providers, subcontractors and suppliers in order to provide services on its behalf (for example: technical services, payment services, identity verification, analytical solution providers, chat, services);
– other companies, financial organisations or law enforcement agencies/departments for the prevention or detection of fraud, where such disclosure is necessary to preserve XCOM’s rights;
– in cases where the law so provides or at the formal request of an authority (in particular in the context of legal proceedings), public, para-public or private bodies in the context of a public service mission;
– in the event of a merger, acquisition, dissolution or sale of all or part of its assets. The persons concerned will be informed by email and/or by a prominent message on XCOM’s website(s) of any change of ownership or concerning the use of personal data and the choices available to them.
4.3. Working arrangements with third parties
In the event that personal data is transferred to a third party for any reason (e.g.: a sub-contracting service, services carried out for a customer), XCOM applies the conditions defined by the legislation in force, in particular the information of the persons concerned by this transfer.
XCOM ensures that appropriate contractual stipulations between XCOM and the third party concerned guarantee that the latter :
– Will only use personal data for the purpose specified by it and in accordance with the objectives defined in the framework of this charter,
– And will have taken appropriate security measures to prevent unauthorised or unlawful processing of personal data, accidental loss or destruction of, or damage to, personal data.
5. Who to contact for information?
XCOM has adapted its organisation in order to meet the requirements of the European Data Protection Regulation and to provide any person with information on the personal data concerning them collected and on the processing carried out on this data.
5.1 exercising the rights of access, opposition, rectification and deletion
Any request related to the exercise of your rights should be sent to email@example.com. This request must include as much information as possible so that it can be processed upon receipt within a maximum period of two months: for example, people must specify the e-mail address requested and for which they are sending the request in order to facilitate searches.
5.2 exercising the right to oblivion
Any request concerning personal data appearing in an article from a medium published by XCOM must be sent to the following address: firstname.lastname@example.org. This request must indicate the reasons for the request. Once the deletion of data has been processed, any request for the dereferencing of an article in a search engine must be addressed directly to the said search engine by the person concerned.
5.3 data portability
Any request related to data portability should be sent to email@example.com who will answer you on the feasibility of such a request.
5.4 The appointment of a Data Protection Officer (DPO) and recourse to the supervisory authority
In order to complete this system, XCOM has appointed a Data Protection Officer who can be contacted at the following address firstname.lastname@example.org for any questions or difficulties relating to the processing of personal data.
Anyone may contact the Commission Nationale Informatique et Liberté (CNIL) directly.
6. Is data transferred outside the EU?
If XCOM communicates Personal Data to one of its subsidiaries or to a third party located outside the European Union, measures are taken to ensure that such data will benefit from the same level of protection as that imposed by the European Union in terms of data protection.
In this respect, XCOM will ensure that the processing is carried out in accordance with this charter and that it is governed by the standard contractual clauses of the European Commission, which guarantee a sufficient level of protection of the private life and fundamental rights of individuals.
7. Are there specific treatment modalities?
XCOM is likely to combine information concerning companies with information entrusted by individuals under the conditions and for the purposes defined in this charter.
The profiling methods used within XCOM consist of manual or automated cross-referencing between company files and our XCOM contact databases (surname, first name, position, email address, etc.), based on objective criteria (size, sector, IT equipment, etc.).
As part of its recruitment policy, XCOM collects and stores personal data on potential candidates.
XCOM collects the information necessary to search for the most suitable profiles for the positions to be filled in compliance with the law and the rights and freedoms of individuals. XCOM will not pass on a person’s CV with contact details to a third party without his or her agreement.
Candidates who wish to modify or delete their personal data from our databases may at any time send an e-mail to email@example.com with the subject line « personal data ».
Candidates must ensure that they have the consent of the persons referred to be contacted by XCOM.
9. How will you be informed of updates to this charter?
The most important updates may be the subject of a notice on XCOM’s corporate website www.xcom.fr at the latest when the said changes come into force.
APPENDIX 1: the companies of the XCOM group
XCOM – 9 rue du Petit Rhône
13470 Carnoux in Provence, France
Tel : +33 4 42 70 00 66
XCOM EVENTS – Casanearshore Shore 1
20,000 Casablanca, Morocco
ANNEX 2: Browser settings
If the browser is configured to refuse all cookies, access to all or part of the site may be blocked.
In order to manage cookies as closely as possible to users’ expectations, the browser must be configured taking into account the purpose of the cookies.
– Microsoft Internet Explorer
– Microsoft Edge
– Apple Safari
– Google Chrome
– Mozilla Firefox
1.1 Recital (47) of Regulation 2016/679: The legitimate interests of a controller (…) may constitute a legal basis for processing unless the interests or fundamental rights and freedoms of the data subject prevail, having regard to the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller (…). (…) The processing of personal data for the purposes of canvassing may be considered to be carried out in response to a legitimate interest.
2.2 Recital (48) of Regulation 2016/679: Controllers which are part of a group of undertakings or establishments affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of personal data relating to customers or employees.